Skip to content

Service Users and API Tokens

Service users allow users to create dedicated tokens for programmatic access to the UbiOps API, for example for creating deployment requests in your own scripts and code. Service users are not able to login to UbiOps. Users can configure permissions for each service user to limit what it can access by assigning roles just like normal users.

Creating a Service user

Start by going to Users & permissions in the sidebar, then navigate to the API Tokens tab. Here you can click the [+] Add button to create a new service user. You don't have to provide an email address, just the name of the user. You may want to set an expiry date for the token. After this date the token becomes invalid. If you don't set an expiry date, the token will never expire.

Copy the service token from the pop-up and store it somewhere safe, you will never be able to retrieve this token again.

Add service user


Service users are not defined in a project on default. You have to create them like any other user.

If a service user token is lost, the token for that service user may be reset. The old token becomes invalid.

Service user permissions

Permissions and roles for service users work just like they do for normal users. See Permissions and roles for more information. The user needs the roles.assignments.create permission to be able to assign roles to service users.

Service users are meant to interact with UbiOps programmatically and are defined on project level. Therefore, they are not allowed to have permissions regarding 'Roles' and 'Users' and they cannot perform actions on 'Organization' level. A user is therefore not able to assign roles that have one or multiple of these permissions.

Service users can also be used to allow websites or browser based applications to access the UbiOps API. For more information about these Cross-Origin Requests, see Cross-Origin Requests.

Default role service users

There is one default Service users-role available and it's the service-user-project-admin role. This role contains all permissions a regular project-admin has. If you want stricter permissions for a service user, you can create a custom role and assign it to the service user, just like any other user.