website/src/app/kb/authenticate/service-accounts/readme.mdx
import Alert from "@/components/DocsAlert";
import SupportOptions from "@/components/SupportOptions";
import PlanBadge from "@/components/PlanBadge";

<PlanBadge plans={["starter", "team", "enterprise"]}>

# Service accounts

</PlanBadge>
Service accounts are non-user actors used with headless clients where no user is physically present to perform a standard identity provider authentication flow. They are commonly used for managing access from servers, IoT devices, or other unattended machines to your Resources.
Service accounts behave like any other actor in Firezone -- they can be added to Groups and Policies to gain access to Resources. Unlike users, however, service accounts must be managed manually and are never synced from your identity provider.
To create a service account:

1. Go to **Actors** -> **Add Actor** in your Firezone admin portal.
2. Select **Service Account** as the type.

A token created for the service account can then be used with any Firezone Client that supports headless mode operation.
Service account tokens are long-lived, multi-owner credentials that authenticate directly to the Firezone API. A single token can be used by multiple headless clients simultaneously, making them ideal for fleets of machines that need the same access.
Service account tokens are managed entirely in the Firezone admin portal and are not affected by identity provider configuration or session lifetime settings.
<Alert color="warning">
  Service account tokens have a default lifetime of **365 days**. Choose an
  appropriate expiration based on your security requirements.
</Alert>

You can add multiple tokens to a service account. This is useful for rotating tokens or providing separate tokens to different systems.

To add a token:

1. Go to **Actors** in the left sidebar of your Firezone admin portal.
2. Select **Add Token** from the dropdown menu.

Tokens can be revoked at any time from the service account's detail page. Click the trash icon next to the token you wish to revoke.
<SupportOptions />