Service accounts
A service account is a non-human ConnectedId (a machine identity in an org), backed by a generated user and its own role. Base path: /api/org/{slug}/service-accounts (authenticated).
| Method · Route | Purpose | Source |
|---|---|---|
| POST / | Create a service account (Name, Scopes[], Description?) | ServiceAccountEndpoints.cs:22 |
| GET / | List service accounts | :122 |
What POST / does
- Creates a dedicated user ({name}@service.{orgSlug}) to satisfy the identity FK.
- Creates a ConnectedId (TriggeredBy="ServiceAccount", MembershipType=Member).
- Creates a dedicated role (svc-{name}-{id8}).
- Adds each requested scope to that role (creating the Permission catalog entry if new).
- Assigns the role to the service account (snapshotting permissions).
So a service account’s permissions flow through the same RBAC model as human members — see Roles & permissions and Permission scopes. Service accounts are excluded from the MembershipType derivation (they keep an explicit type — see Connected ID).
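The steps POST / performs, as an in-memory C# sketch. This is an added illustration, not code from ServiceAccountEndpoints.cs. The record types, the id8 derivation (first 8 hex characters of the ConnectedId), the snapshot modelled as a copy, and the sample slug, name and scopes are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample values: org slug, account name and scope names are made up.
var org = new Org("acme");
var sa = org.CreateServiceAccount("ci-deploy", new[] { "projects:read", "deployments:write" });
var granted = string.Join(", ", sa.Snapshot.OrderBy(s => s));
Console.WriteLine($"{sa.User.Email} | {sa.Role.Name} | {granted}");

// Hypothetical in-memory types; not the project's entities or schema.
record User(Guid Id, string Email);
record ConnectedId(Guid Id, Guid UserId, string TriggeredBy, string MembershipType);
record Role(Guid Id, string Name, HashSet<string> Scopes);
record ServiceAccount(User User, ConnectedId Identity, Role Role, IReadOnlySet<string> Snapshot);

class Org
{
    public string Slug { get; }
    public HashSet<string> PermissionCatalog { get; } = new();
    public Org(string slug) => Slug = slug;

    public ServiceAccount CreateServiceAccount(string name, IEnumerable<string> scopes)
    {
        // 1. Dedicated user, so the identity foreign key has a target.
        var user = new User(Guid.NewGuid(), $"{name}@service.{Slug}");
        // 2. Non-human identity with an explicit membership type.
        var cid = new ConnectedId(Guid.NewGuid(), user.Id, "ServiceAccount", "Member");
        // 3. Dedicated role, one per service account (id8 derivation is assumed).
        var id8 = cid.Id.ToString("N")[..8];
        var role = new Role(Guid.NewGuid(), $"svc-{name}-{id8}", new HashSet<string>());
        // 4. Add each requested scope, creating the catalog entry if it is new.
        foreach (var scope in scopes)
        {
            PermissionCatalog.Add(scope); // no-op when the entry already exists
            role.Scopes.Add(scope);
        }
        // 5. Assign the role; the snapshot is modelled as a copy taken at assignment.
        return new ServiceAccount(user, cid, role, new HashSet<string>(role.Scopes));
    }
}
```

Because the role is created per account, the snapshot contains exactly the scopes passed in the request and nothing inherited from a shared role, which is the property to check when reviewing a service account's access.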