Create Service Account
Mint a service account token. The plaintext token is returned exactly once.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
Machine identity name (lowercase slug), e.g. 'claude-code' or 'github-actions'
63Scopes granted to the token, as {scope, effect} objects (the shared RBAC write shape; token scopes are grants, so only effect='allow' is accepted). Defaults to run and read scopes: agents:run, teams:run, workflows:run, sessions:read
Days until the token expires (default: 90)
1 <= x <= 3650Mint a non-expiring token. Must be set explicitly; overrides expires_in_days.
Required to grant privileged scopes: any write or delete action, the admin scope, or any service_accounts scope. Privileged tokens must be deliberate, never accidental.
Response
Successful Response
Returned once, at creation. The token is never retrievable again.
The user_id attached to runs made with this token, e.g. 'sa:claude-code'
First characters of the token, for display only
The plaintext token. Shown exactly once - store it securely now.
The user this account belongs to; None for workspace-level accounts. Distinct from created_by, which records who minted the token.
Scopes granted to the token, in the shared RBAC read shape