Service Accounts

Service accounts are non-user actors used with headless clients where no user is physically present to perform a standard identity provider authentication flow. They are commonly used for managing access from servers, machines, IoT devices, or other non-user machines to your Resources.

Service accounts behave like any other actor in Firezone -- they can be added to Groups and Policies to gain access to Resources. Unlike users, however, service accounts must be managed manually and are never synced from your identity provider.

Creating a service account

To create a service account:

1. Navigate to Actors -> Add Actor in your Firezone admin portal
2. Select Service Account as the type
3. Set an appropriate expiration for the initial token
4. Copy and store the token somewhere safe -- it will only be shown once

The token can then be used with any Firezone Client that supports headless mode operation.

Managing tokens

Service account tokens authenticate directly to the Firezone API using long-lived, multi-owner tokens. A single token can be used by multiple headless clients simultaneously, making them ideal for fleets of machines that need the same access.

Service account tokens are managed entirely in the Firezone admin portal and are not affected by identity provider configuration or session lifetime settings.

Adding tokens

You can add multiple tokens to a service account. This is useful for rotating tokens or providing separate tokens to different systems.

To add a token:

1. Navigate to Actors in the left sidebar of your Firezone admin portal
2. Click the service account you wish to add a token for
3. Click the hamburger menu (three vertical dots) in the top right corner
4. Select Add Token from the dropdown menu

Revoking tokens

Tokens can be revoked at any time from the service account's detail page. Click the trash icon next to the token you wish to revoke.