Service Accounts
Service Accounts
API v0 only. Service account tokens work exclusively with the Credal API v0. They are not accepted by API v1, which uses OAuth 2.0 for authentication.
Service accounts are currently in beta. Contact your Credal representative or support@credal.ai to enable them for your organization.
A service account is a dedicated, non-human identity for machine-to-machine access to the Credal API. Instead of sharing a static organization-wide API key, create a service account for each integration—such as an ingestion pipeline or internal tool—grant only the permissions it needs, and mint scoped, expiring, and individually revocable tokens.
Service accounts always act as themselves. Unlike legacy API keys, a service account token never impersonates a human user. Every API call runs with the service account’s own permissions, and every action is attributed to the service account in your audit logs.
How it works
- An organization admin creates a service account with a name and an email address on your organization’s domain, such as
ingestion-bot@yourcompany.com. - The admin grants the service account access like any other user, including collection permissions, agent deployments, and IdP group membership. The service account can only access what it has explicitly been granted.
- The admin mints one or more tokens for the service account. Each token has a name, a set of scopes, and an expiration date.
- Your integration calls the v0 API with the token in the
Authorizationheader.
Create a service account and token
Organization admins manage service accounts from Service Accounts in the Credal web app.
Create a service account
Provide a display name and an email address. The email domain must match your organization’s domain. If you want integration permissions to sync to the service account, use an address that corresponds to its identity in your IdP or source systems.
Create a token
Select the service account, then provide:
The token is displayed exactly once at creation time and is never shown again. Copy it immediately and store it in a secrets manager. Tokens look like:
If a token is compromised or no longer needed, revoke it from the same page. Revocation takes effect immediately. Deleting a service account revokes all of its tokens.
Scopes
Scopes control which API surfaces a token may call. They are layered on top of the service account’s own permissions: a token can never read data its service account has not been granted, regardless of scope. A token with no scopes cannot call any scoped endpoint.
Grant only the scopes each integration needs.
Authentication
Store the token in an environment variable instead of hard-coding it:
Pass the token as a Bearer token in the Authorization header of every request:
Service accounts always act as themselves. Do not send user impersonation fields such as userEmail or uploadAsUserEmail; requests containing them are rejected with a 400 response.
Send a message to an agent
This endpoint requires the agent:message scope. The agent must have API access enabled and be deployed to the service account, just as it would be for a human user. agentId is required, and userEmail must be omitted.
A successful response looks like:
To continue a conversation, pass the conversationId from a previous response in your next request:
Upload a file to the catalog
This endpoint requires the catalog:write scope. Send the file as multipart/form-data. documentExternalId is required and identifies the document in your system; uploading again with the same ID updates the document. Omit uploadAsUserEmail because the document is uploaded as the service account.
A successful response returns the Credal document ID:
Errors
Error responses have this shape:
Best practices
- Use one service account per integration. This keeps permissions minimal and audit trails clear.
- Grant the fewest scopes that work. A token for an ingestion job needs
catalog:write, notagent:message. - Set short expirations and rotate tokens. Mint a new token before the old one expires, deploy it, then revoke the old token.
- Store tokens in a secrets manager. The plaintext token is shown only once and cannot be recovered; it can only be revoked and reissued.
- Never send impersonation fields. Service accounts act as themselves, so
userEmailanduploadAsUserEmailare rejected.