Skip to content

API Keys and Service Accounts

Auth Service supports API keys for machine integrations and service accounts for platform worker workflows.

API keys authenticate machine callers. They should have a clear owner, purpose, scope, expiration policy, and revocation procedure.

The governance worker service account allows scheduled and automated workflows to create declarations without an end-user session. The released flow uses the bootstrapped governance-worker service account; custom service-account creation is not a general customer self-service workflow in v0.2. The worker requires identity-provider setup, Auth Service configuration, and DID key reconciliation before automated declarations are enabled.

  • Store API secrets and service-account credentials in Kubernetes secrets or an approved secret manager.
  • Rotate credentials according to customer policy.
  • Revoke keys when integrations are removed.
  • Avoid logging plaintext keys or bearer tokens.