---
title: Service accounts
description: PingOne Advanced Identity Cloud provides service accounts to let you request access tokens for most REST API endpoints; for example, you may need an access token to use the REST API endpoint /openidm/managed/alpha_user to get a list of identities.
component: pingoneaic
page_id: pingoneaic:tenants:service-accounts
canonical_url: https://docs.pingidentity.com/pingoneaic/tenants/service-accounts.html
keywords: ["Authorization", "REST API", "User Interface", "Setup & Configuration", "Scripts", "Service Account"]
page_aliases: ["release-notes:rapid-channel/service-accounts.adoc"]
section_ids:
  manage-service-accounts: Manage service accounts
  service-account-scopes: Service account scopes
  scopes-for-am-and-idm-apis: Scopes for AM and IDM APIs in Advanced Identity Cloud
  scopes-for-identity-cloud-environment-apis: Scopes for Advanced Identity Cloud environment APIs
  scopes-for-idc-name-apis-under-development: Scopes for Advanced Identity Cloud APIs under development
  scopes-for-add-on-capability-apis: Scopes for add-on capability APIs
  restricted-scopes: Restricted scopes
  get-an-access-token-using-a-service-account: Get an access token using a service account
  manage-service-accounts-using-the-ui: Manage service accounts using the admin console
  view-service-accounts: View service accounts
  create-a-new-service-account: Create a new service account
  modify-a-service-account: Modify a service account
  regenerate-a-key-for-a-service-account: Regenerate a key for a service account
  delete-a-service-account: Delete a service account
---

# Service accounts

PingOne Advanced Identity Cloud provides service accounts to let you request access tokens for most REST API endpoints; for example, you may need an access token to use the REST API endpoint `/openidm/managed/alpha_user` to get a list of identities.

You create a new service account in the Advanced Identity Cloud admin console, which provides you with credentials (a service account ID and a private key). You use the credentials to obtain an access token from a built-in OAuth 2.0 public client using the JWT profile for OAuth 2.0 authorization grant flow. You can then use the access token as a bearer token in the `Authorization` HTTP header for each API request.
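The two pieces of that flow a script has to get right are the signed JWT assertion and the form body sent to the token endpoint. The Go program below is an added illustration, not code from this page or from Ping Identity; it assumes the downloaded private key is an RSA JWK (`n`, `e`, `d`, `p`, `q` fields), that the built-in public client is called `service-account`, and that the token endpoint is `https://<tenant-fqdn>/am/oauth2/access_token`, so confirm those values against the linked authentication page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"net/url"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // JOSE segment

func bigInt(s string) *big.Int { // one base64url-encoded JWK integer field
	b, _ := base64.RawURLEncoding.DecodeString(s)
	return new(big.Int).SetBytes(b)
}

// LoadJWK turns the downloaded key (assumed to be an RSA private JWK) into an rsa.PrivateKey.
func LoadJWK(jwkJSON []byte) (*rsa.PrivateKey, error) {
	var k struct{ N, E, D, P, Q string } // encoding/json matches "n", "e", ... case-insensitively
	if err := json.Unmarshal(jwkJSON, &k); err != nil {
		return nil, err
	}
	key := &rsa.PrivateKey{
		PublicKey: rsa.PublicKey{N: bigInt(k.N), E: int(bigInt(k.E).Int64())},
		D:         bigInt(k.D),
		Primes:    []*big.Int{bigInt(k.P), bigInt(k.Q)},
	}
	return key, key.Validate() // rejects a corrupted or mismatched key before it signs anything
}

// BuildAssertion signs the JWT-bearer assertion with RS256: iss and sub carry the
// service account ID, aud is the token endpoint, and exp keeps the assertion short-lived.
func BuildAssertion(key *rsa.PrivateKey, saID, tokenURL string, now time.Time) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	c, _ := json.Marshal(map[string]any{
		"iss": saID, "sub": saID, "aud": tokenURL,
		"iat": now.Unix(), "exp": now.Add(3 * time.Minute).Unix(),
	})
	input := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form body POSTed to the token endpoint (assumed client ID "service-account").
func TokenRequestBody(assertion string, scopes []string) string {
	v := url.Values{"client_id": {"service-account"}, "assertion": {assertion}}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("scope", strings.Join(scopes, " ")) // request only scopes the account was granted
	return v.Encode()
}
```

POST the body with `Content-Type: application/x-www-form-urlencoded` and read `access_token` from the JSON response; the assertion is only accepted by the endpoint named in `aud`, so a stolen assertion is useless against any other audience.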

## Manage service accounts

A tenant administrator can manage service accounts in these ways:

* To use the Advanced Identity Cloud admin console, learn more in [Manage service accounts using the admin console](#manage-service-accounts-using-the-ui).

* To use the Advanced Identity Cloud REST API with a tenant administrator access token, learn more in the article [A scripted approach for creating and using service accounts in PingOne Advanced Identity Cloud](https://community.forgerock.com/t/a-scripted-approach-for-creating-and-using-service-accounts-in-forgerock-identity-cloud).

Only a tenant administrator account has the privileges to create, modify, or delete service accounts.

You create service accounts in each environment; they are not promotable.

## Service account scopes

When you create a service account, you choose which scopes it can grant to the access tokens it creates. You should always choose the minimum number of scopes needed.

### Scopes for AM and IDM APIs in Advanced Identity Cloud

| Scope            | Purpose                         | Reference                                                  |
| ---------------- | ------------------------------- | ---------------------------------------------------------- |
| `fr:am:*`        | Access to `/am/*` API endpoints | [PingAM REST API reference](../am-rest/preface.html)       |
| `fr:idm:*`       | Access to `/openidm/*`          | [PingIDM REST API reference](../idm-rest-api/preface.html) |

> Note: Service account access tokens granted the `fr:idm:*` scope also have access to API endpoints under the `fr:idc:esv:*` scope. However, this behavior is [deprecated](../product-information/deprecation-notices.html#esv-rest-api-using-idm-scope).

### Scopes for Advanced Identity Cloud environment APIs

| Scope                                | Purpose                                                                                              | Reference                                                                                                                      |
| ------------------------------------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `fr:idc:certificate:*`               | Access to certificate API endpoints                                                                  | [Manage server certificates using the API](../realms/server-certificates-api.html)                                             |
|       `fr:idc:certificate:read`      | Read-only access to certificate API endpoints. Use this scope if you only need to list certificates. |                                                                                                                                |
| `fr:idc:content-security-policy:*`   | Access to Content Security Policy API endpoints                                                      | [Content Security Policy](https://docs.pingidentity.com/pingoneaic/_attachments/api/#tag/Content-Security-Policy) API endpoint |
| `fr:idc:cookie-domain:*`             | Full access to cookie domain API endpoints.                                                          | [Manage cookie domains using the API](../realms/cookie-domains-api.html)                                                       |
| `fr:idc:custom-domain:*`             | Access to custom domain endpoints                                                                    | [Custom domains](https://docs.pingidentity.com/pingoneaic/_attachments/api/#tag/Custom-Domains) API endpoint                   |
| `fr:idc:esv:*`                       | Access to ESV API endpoints                                                                          | [Manage ESVs using the API](esvs-manage-api.html)                                                                              |
|       `fr:idc:esv:read`              | Read-only access to ESV API endpoints. Use this scope if you only need to list ESVs.                 |                                                                                                                                |
|       `fr:idc:esv:update`            | Create, update, and delete access to ESV API endpoints                                               |                                                                                                                                |
|       `fr:idc:esv:restart`           | Access to ESV API endpoint to restart Advanced Identity Cloud services                               |                                                                                                                                |
| `fr:idc:promotion:*`                 | Access to promotions API endpoints                                                                   | [Manage self-service promotions using the API](self-service-promotions-api.html)                                               |
| `fr:idc:release:*`                   | Access to release management API endpoints                                                           | [Release management](https://docs.pingidentity.com/pingoneaic/_attachments/api/#tag/Release) API endpoint                      |
| `fr:idc:sso-cookie:*`                | Access to SSO cookie API endpoints                                                                   | [SSO cookie](https://docs.pingidentity.com/pingoneaic/_attachments/api/#tag/SSO-Cookie) API endpoint                           |
| `fr:idc:telemetry:*`                 | Access to log event exporter API endpoints                                                           | [Manage log streaming using the API](audit-debug-logs-push-api.html)                                                           |

### Scopes for Advanced Identity Cloud APIs under development

The following scopes grant access to API endpoints that are under development and will imminently be released to the rapid channel.

| Scope                  | Purpose                                   | Reference |
| ---------------------- | ----------------------------------------- | --------- |
| `fr:idc:analytics:*`   | Access to analytics API endpoints         |           |
| `fr:idc:dataset:*`     | Access to dataset deletion API endpoints  |           |
| `fr:idc:mtls:*`        | Access to mTLS (mutual TLS) API endpoints |           |

### Scopes for add-on capability APIs

The following scopes grant access to API endpoints in [Add-on capabilities](../product-information/add-on-capabilities.html).

| Scope                              | Purpose                                                                                                            | Reference                                                                                                                                                      |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fr:idc:proxy-connect:*`           | Full access to Proxy Connect API endpoints. Use this scope to view, create, activate, deactivate, or delete rules. | [Manage Proxy Connect using the API](proxy-connect-api.html)                                                                                                   |
|       `fr:idc:proxy-connect:read`  | Read-only access to Proxy Connect API endpoints. Use this scope if you only need to view rules.                    |                                                                                                                                                                |
|       `fr:idc:proxy-connect:write` | Write access to Proxy Connect API endpoints. Use this scope to create, activate, deactivate, or delete rules.      |                                                                                                                                                                |
| `fr:iga:*`                         | Access to IGA API endpoints                                                                                        | [Identity Governance REST API](../identity-governance/rest-api/rest-api-preface.html)                                                                          |
| `fr:idc:ws:admin`                  | Access to WS-Federation API endpoints                                                                              | Used by the Advanced Identity Cloud admin console for the [Microsoft 365](../app-management/register-a-custom-application.html#sso-microsoft-365) application. |

## Restricted scopes

The following scopes are restricted, so the API endpoints under them are not accessible using a service account access token. Learn how to access API endpoints using a tenant administrator access token in the article [A scripted approach for creating and using service accounts in PingOne Advanced Identity Cloud](https://community.forgerock.com/t/a-scripted-approach-for-creating-and-using-service-accounts-in-forgerock-identity-cloud).

| Scope                   | Purpose                            | Reference                                                                                                        |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `fr:idc:federation:*`   | Access to federation API endpoints | [Federation](https://docs.pingidentity.com/pingoneaic/_attachments/api/#tag/Federation-Enforcement) API endpoint |

## Get an access token using a service account

To get an access token using a service account, learn more in [Authenticate to Advanced Identity Cloud REST API with access token](../developer-docs/authenticate-to-rest-api-with-access-token.html).

> Note: You can also create a script to get a service account access token within your journeys. This approach lets you use the access token in API calls in a [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/latest/scripted-decision.html) in Advanced Identity Cloud. Learn more in [Get an access token in a journey](../use-cases/use-case-access-token-for-journeys.html) for an example.

## Manage service accounts using the admin console

### View service accounts

1. In the Advanced Identity Cloud admin console, open the TENANT menu (upper right).

   ![Tenant menu](_images/tenant-menu.png)

2. Click Tenant settings.

3. Click Global Settings.

4. Click Service Accounts. The page displays existing service accounts for your tenant.

### Create a new service account

1. In the Advanced Identity Cloud admin console, open the TENANT menu (upper right).

2. Click Tenant settings.

3. Click Global Settings.

4. Click Service Accounts.

5. Click New Service Account.

6. Enter a Name and optional Description for the service account.

7. In the Scopes section, select the scopes that the service account can grant to an access token. Learn more in [Service account scopes](#service-account-scopes).

8. Click Save.

9. When the 'Service account successfully created!' message is shown:

   1. Make a note of the service account ID, found in the ID field.

   2. Click Download Key to download the service account private key.

      > Note: You must download the private key at this point as it will not be available again.

10. Click Done.

> Note: To get an access token using a service account, learn more in [Authenticate to Advanced Identity Cloud REST API with access token](../developer-docs/authenticate-to-rest-api-with-access-token.html).

### Modify a service account

1. In the Advanced Identity Cloud admin console, open the TENANT menu (upper right).

2. Click Tenant settings.

3. Click Global Settings.

4. Click Service Accounts.

5. Click the ellipsis on the right of a service account and select Edit.

6. You can change the Name or optional Description.

7. In the Scopes section, you can change the scopes that the service account can grant to an access token. Learn more in [Service account scopes](#service-account-scopes).

   > Note: Before removing scopes that the service account can grant to an access token, make sure you identify which of your integrations are dependent upon those scopes; otherwise those integrations will fail the next time they request an access token.

8. Click Save.

### Regenerate a key for a service account

> Note: Before regenerating a key, make sure you identify which of your integrations are dependent upon it to sign JWTs, as all those integrations need to be updated with the new key.

1. In the Advanced Identity Cloud admin console, open the TENANT menu (upper right).

2. Click Tenant settings.

3. Click Global Settings.

4. Click Service Accounts.

5. Click the ellipsis on the right of a service account and select Regenerate Key.

6. On the Regenerate Key dialog box, click Regenerate Key.

7. When the 'Key successfully created!' message is shown:

   1. Click Download Key to download the new service account private key.

      > Note: You must download the private key at this point as it will not be available again.

8. Click Done.

### Delete a service account

> Note: Before deleting a service account, make sure none of your integrations are dependent upon its key to sign JWTs; otherwise those integrations will fail the next time they request an access token.

1. In the Advanced Identity Cloud admin console, open the TENANT menu (upper right).

2. Click Tenant settings.

3. Click Global Settings.

4. Click Service Accounts.

5. Click the ellipsis on the right of a service account and select Delete.

6. On the Delete Service Account page, click Delete Service Account.
