Service Accounts
Service accounts enable programmatic access to your APIs without user credentials. Use them for server-to-server communication, CI/CD pipelines, and automated scripts.
What Are Service Accounts?
Unlike regular user accounts, service accounts:
- Are not tied to any specific user
- Are created at the API level
- Support multiple secrets with configurable expiration
Creating a Service Account
- Sign in to the Developer Portal
- Navigate to your API
- Go to Team → Service Accounts
- Click Create Service Account
Managing Secrets
Each service account can have multiple secrets:
| Property | Description |
|---|---|
| Client ID | Unique identifier for the service account |
| Client Secret | The secret used for authentication |
| Expiration | Default 2 years from creation (optional) |
| Status | Can be enabled or disabled |
Tip: Create multiple secrets to enable rotation without downtime. Disable old secrets before deleting them.
Getting a Bearer Token
To authenticate, POST your credentials to the authentication endpoint:
```javascript
const response = await fetch('https://system.restapi.com/System/UserAccount', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    clientId: 'your-client-id',
    clientSecret: 'your-client-secret',
  }),
});
const { token } = await response.json();
```
Using the Token
Include the bearer token in subsequent API requests:
```javascript
const data = await fetch('https://eu.restapi.com/your-api/your-collection', {
  headers: {
    'Authorization': `Bearer ${token}`,
  },
});
```
Complete Example
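```javascript
async function fetchData() {
  // 1. Get bearer token (credentials come from the environment, never from code)
  const authResponse = await fetch('https://system.restapi.com/System/UserAccount', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      clientId: process.env.RESTAPI_CLIENT_ID,
      clientSecret: process.env.RESTAPI_CLIENT_SECRET,
    }),
  });
  // Stop here on failure so we never send "Bearer undefined" downstream
  if (!authResponse.ok) {
    throw new Error(`Authentication failed: HTTP ${authResponse.status}`);
  }
  const { token } = await authResponse.json();

  // 2. Make authenticated API request
  const dataResponse = await fetch('https://eu.restapi.com/my-api/products', {
    headers: {
      'Authorization': `Bearer ${token}`,
    },
  });
  if (!dataResponse.ok) {
    throw new Error(`Request failed: HTTP ${dataResponse.status}`);
  }
  return dataResponse.json();
}
```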
Best Practices
- Store secrets securely — Use environment variables, not code
- Rotate secrets regularly — Create new secrets before old ones expire
- Use least privilege — Grant only the access each service account needs
- Monitor usage — Review service account activity in the portal
- Disable unused accounts — Remove or disable accounts that are no longer needed
Security Considerations
Warning: Never commit client secrets to source control. Use environment variables or a secrets manager.
Service account secrets should be treated like passwords:
- Don't share them in plain text
- Don't log them
- Rotate them if they may have been exposed
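
The rotation and "don't log them" advice above can be combined in one client-side helper. The following is an added example, not code from the original documentation: it tries the newest secret first, falls back to the older one, and scrubs secrets from error text. Assumptions: `RESTAPI_CLIENT_SECRET_NEXT` is a hypothetical variable name for the newly created secret, the helper names are illustrative, and a disabled or invalid secret is assumed to produce a non-2xx response.

```javascript
// Added example (not from the original docs). The endpoint URL and the
// { token } response shape come from the page; the rest is assumption.
const AUTH_URL = 'https://system.restapi.com/System/UserAccount';

// Collect candidate secrets, newest first. RESTAPI_CLIENT_SECRET_NEXT is a
// hypothetical variable holding the freshly created secret during rotation.
function loadCredentials(env) {
  const clientId = env.RESTAPI_CLIENT_ID;
  const secrets = [env.RESTAPI_CLIENT_SECRET_NEXT, env.RESTAPI_CLIENT_SECRET]
    .filter((s) => typeof s === 'string' && s.length > 0);
  if (!clientId || secrets.length === 0) {
    throw new Error('RESTAPI_CLIENT_ID and at least one client secret must be set');
  }
  return { clientId, secrets };
}

// Replace every occurrence of a secret in text bound for logs or errors.
function redact(text, secrets) {
  return secrets.reduce((out, s) => out.split(s).join('[REDACTED]'), String(text));
}

// Try each secret in order until one yields a token. Assumption: a disabled,
// expired or wrong secret gives a non-2xx response. fetchImpl is injectable
// so the logic can be exercised offline with a stub.
async function getToken({ clientId, secrets }, fetchImpl = fetch) {
  const failures = [];
  for (const [index, clientSecret] of secrets.entries()) {
    try {
      const res = await fetchImpl(AUTH_URL, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ clientId, clientSecret }),
      });
      if (res.ok) {
        const { token } = await res.json();
        if (typeof token === 'string' && token) return { token, secretIndex: index };
        failures.push(`secret #${index}: response had no token`);
      } else {
        failures.push(`secret #${index}: HTTP ${res.status}`);
      }
    } catch (err) {
      // Network errors may echo request details; scrub before recording.
      failures.push(`secret #${index}: ${redact(err.message, secrets)}`);
    }
  }
  throw new Error(`authentication failed (${failures.join('; ')})`);
}
```

A `secretIndex` other than 0 while the new secret is configured means the client is still relying on the old secret, which is worth alerting on before that secret is disabled.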