Service Accounts
System accounts for automated operations and API access
Service accounts are special user accounts that represent non-human actors. They're used for system operations, automated workflow triggers, and API authentication.
Types of Service Accounts
Base Service Account
Every organization has one base service account created automatically. This account:
- Has full administrative permissions
- Is used for internal system operations
- Cannot be deleted or modified
- Handles automated triggers (webhooks, emails, schedules)
The base service account ensures workflows can run even when triggered by external events with no specific user context.
API Key Service Accounts
When you create an API key, a corresponding service account is automatically created. This account:
- Has the same permissions as the API key
- Is named after the API key's nickname
- Is automatically deleted when the API key is revoked
- Appears in audit logs for API-initiated actions
This provides accountability—you can trace API actions back to specific keys.
Viewing Service Accounts
Service accounts appear in Settings > Members when you enable the filter:
- Go to Members
- Toggle Show service members
- Service accounts appear with a bot icon badge
You'll see:
- Base Service Account — The organization's root service account
- API Key accounts — One for each active API key, showing the key's nickname
Identifying Service Accounts
Service accounts are visually distinguished:
| Indicator | Meaning |
|---|---|
| Bot icon on avatar | This is a service account |
| "Base Service Account" badge | The organization's root account |
| "API Key" badge | Associated with an API key |
Restrictions
Service accounts have special restrictions:
- Cannot modify roles — Service account permissions are set directly, not via roles
- Cannot remove via UI — Service accounts are managed through their source (API keys or system)
- Cannot log in — Service accounts don't have passwords or SSO access
How Service Accounts Are Used
Workflow Triggers
When a workflow runs from an automated trigger, the base service account is used:
- Webhook triggers — External systems calling your webhook URL
- Email triggers — Incoming emails starting workflows
- Scheduled triggers — Time-based workflow execution
- EDI triggers — Incoming EDI transactions
API Authentication
When an API key authenticates a request, its service account is used:
- The service account's permissions determine what the API can do
- Actions appear in audit logs attributed to the service account
- Revoking the API key deletes the service account
Audit Trail
Service account actions appear in logs with full attribution:
- Base service account actions show as "Service Account"
- API key service account actions show the API key's nickname
- You can filter logs to see all automated/API activity
If you see unexpected activity, check which API key's service account performed it. This helps identify which integration or script is responsible.
Managing Service Accounts
Base Service Account
The base service account is managed automatically:
- Created when your organization is created
- Cannot be modified or deleted
- Always has full permissions
API Key Service Accounts
Managed through API keys:
- Created automatically when you create an API key
- Permissions match the API key's permissions
- Deleted automatically when you revoke the API key
To change an API key service account's permissions, create a new API key with the desired permissions and revoke the old one.
Security Considerations
- Monitor API key usage — Check "last used" dates to identify unused keys
- Use descriptive names — API key nicknames become service account names in logs
- Minimal permissions — Give API keys only the permissions they need
- Revoke unused keys — This also removes the associated service account
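The checks above can be scripted against an exported key inventory and audit log. The following is an added example, not part of the product or its API: the field names (`nickname`, `last_used`, `actor`, `action`), the 90-day threshold, and the sample data are assumptions constructed for illustration. It also flags nicknames shared by more than one key, since log entries under such a name cannot be traced to a single key.

```python
from collections import Counter
from datetime import date

BASE_LABEL = "Service Account"  # how base-account actions are labelled in logs

# Constructed sample data. Field names are assumptions, not a real export format.
KEYS = [
    {"nickname": "erp-sync", "last_used": date(2024, 5, 30)},
    {"nickname": "test", "last_used": date(2024, 1, 4)},
    {"nickname": "test", "last_used": date(2024, 5, 29)},
    {"nickname": "billing-export", "last_used": None},  # never used
]
LOG = [
    {"actor": BASE_LABEL, "action": "workflow.run"},
    {"actor": "erp-sync", "action": "record.update"},
    {"actor": "erp-sync", "action": "record.update"},
    {"actor": "test", "action": "member.invite"},
    {"actor": "alice@example.com", "action": "workflow.edit"},  # human user
]

def stale_keys(keys, today, max_idle_days=90):
    """Nicknames of keys never used, or idle longer than max_idle_days."""
    return sorted({k["nickname"] for k in keys
                   if k["last_used"] is None
                   or (today - k["last_used"]).days > max_idle_days})

def ambiguous_nicknames(keys):
    """Nicknames that cannot be traced to exactly one key in the audit log."""
    counts = Counter(k["nickname"] for k in keys)
    # A key named like the base account's log label is also ambiguous.
    return sorted(n for n, c in counts.items() if c > 1 or n == BASE_LABEL)

def automated_activity(log, keys):
    """Action counts per service account; human actors are ignored."""
    service_names = {k["nickname"] for k in keys} | {BASE_LABEL}
    return Counter(e["actor"] for e in log if e["actor"] in service_names)

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the sample output is reproducible
    print("stale:", stale_keys(KEYS, today))
    print("ambiguous:", ambiguous_nicknames(KEYS))
    print("activity:", dict(automated_activity(LOG, KEYS)))
```

Here the nickname `test` is both stale and ambiguous: one key with that name is idle while another is active, so the log alone cannot say which key performed the `member.invite` action.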