Skip to content

API Keys and Service Accounts

API keys and service accounts support machine-to-machine access. They should be used only when an interactive user session is not appropriate.

API keys are tied to platform access and should be treated as secrets. An API key acts on behalf of the user who created it and carries that user’s permissions, so it is sometimes called a user API key. Use them for integrations that act with a defined platform identity.

Recommended practices:

  • Store keys in a secrets manager.
  • Rotate keys when ownership or system responsibility changes.
  • Revoke unused keys.
  • Avoid sharing a single key across unrelated integrations.

Service accounts are for trusted platform services, such as backend workers that need to call another platform service. Operators configure service accounts as part of deployment and operations.

Do not use service accounts for normal human user access. Human users should sign in through the identity provider and receive project roles.

Use a user API key when the integration should be accountable to a user or customer-managed integration identity. Use a service account when the integration is a platform service that must operate independently of a human user.