Service accounts let third-party services and applications call Itential Cloud APIs without using user credentials. Service accounts use the OAuth2 Client Credentials grant type to access Itential Cloud APIs.
Before you begin
To manage service accounts, you need the service-accounts:read and service-accounts:write roles.
To grant users the right to manage service accounts, you must enable these roles in the groups whose users need to manage service accounts.
For information on how to configure groups for role access, see Managing Users & Groups.
About service accounts
Service accounts provide API access to a specific product in your Itential Cloud account. If you have multiple products or environments, create a separate service account for each product. This approach improves security by isolating application access and preventing unintended API access.
Create a new service account
To create a new service account:
- Go to Administration → Service Accounts from the sidebar.
- Click +New Service Account.
- Give the service account a unique name and optional description.
- Select the product to protect.
- Click Create.
- Click Download Client Keys to download your client credentials (client_id and client_secret). A CSV file downloads to your local system. Save it for future reference.
- Click Continue.
- The newly created service account, along with its Roles and Groups, will appear in the list of Service Accounts.
Store your client keys securely. If you lose them, you must regenerate new keys. The previous keys can't be recovered. Share client keys only through secure, encrypted channels.
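The following is an added example, not Itential code: it loads the downloaded client keys only if the CSV is not readable by other local users, then builds (without sending) the OAuth2 Client Credentials token request. The token endpoint URL is a placeholder, and the CSV column names and the use of HTTP Basic client authentication are assumptions; check them against your downloaded file and your tenant's API documentation.

```python
import base64, csv, os, stat, tempfile
import urllib.parse, urllib.request

# Placeholder, not a real Itential URL: take the token endpoint from your tenant's API docs.
TOKEN_URL = "https://token-endpoint.invalid/oauth/token"
# Constructed sample of the downloaded CSV; the column names are an assumption.
SAMPLE_CSV = "client_id,client_secret\nexample-client-id,example-client-secret\n"


def load_client_keys(path):
    """Read the key pair from the CSV, refusing files other local users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; restrict it to 600")
    with open(path, newline="", encoding="utf-8-sig") as fh:
        row = next(csv.DictReader(fh), None)
    if not row or not row.get("client_id") or not row.get("client_secret"):
        raise ValueError("expected client_id and client_secret columns")
    return row["client_id"].strip(), row["client_secret"].strip()


def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Build, without sending, an RFC 6749 section 4.4 token request."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    # Assumption: the endpoint takes HTTP Basic client auth (RFC 6749 section 2.3.1).
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    basic = base64.b64encode(pair.encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def demo():
    """Write the constructed CSV with mode 600, load it, and build the request."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CSV)
        os.chmod(path, 0o600)
        return build_token_request(*load_client_keys(path))
    finally:
        os.remove(path)


if __name__ == "__main__":
    req = demo()
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned request to urllib.request.urlopen once TOKEN_URL points at your real token endpoint.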
Regenerate client keys
If you lose your client keys, regenerate new credentials. This invalidates the previous client_id and client_secret values.
To regenerate client keys:
- On the Service Accounts page, click the service account you want to regenerate keys for.
- Click the more (⋮) menu in the upper-right corner and select View and Edit Details.
- Click Regenerate Client Keys to create a new Client ID and Client Secret. The new client keys display.
- Click Download Client Keys to save a copy to your local system.
- Click Save to apply the new client keys. A confirmation message appears when the new keys are saved.
Assign roles to service accounts
To assign roles directly to a service account:
- On the Service Accounts page, click the desired service account.
- Select the Roles tab.
- Select the roles the service account needs for Itential Platform APIs.
- Click Save.
Only roles applicable to the service account's product appear in the list.
Associate groups with service accounts
You can associate a group with a service account by following these steps:
- On the Service Accounts page, click the desired service account.
- Select the Groups tab.
- Select the groups to associate with the service account.
- Click Save.
Groups can contain roles from different products. The service account only inherits roles that match its assigned product.
Enable or disable service accounts
To enable or disable a service account, use the toggle switch in the Enabled column next to the service account name in the Service Accounts table. Applications can't access APIs using credentials from a disabled service account.
Delete service accounts
To delete a service account:
- On the Service Accounts page, click the desired service account.
- Click the more (⋮) menu in the upper-right corner and select Delete Service Account.
- Click Delete in the confirmation modal.
The service account is removed and its credentials are automatically invalidated.