> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agno.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Service Account

> Mint a service account token. The plaintext token is returned exactly once.



## OpenAPI

````yaml post /service-accounts
openapi: 3.1.0
info:
  title: Agno API Reference
  description: The all-in-one, private, secure agent platform that runs in your cloud.
  version: 2.7.2
servers: []
security: []
paths:
  /service-accounts:
    post:
      tags:
        - Service Accounts
      summary: Create Service Account
      description: >-
        Mint a service account token. The plaintext token is returned exactly
        once.
      operationId: create_service_account_service_accounts_post
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ServiceAccountCreate'
      responses:
        '201':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServiceAccountCreateResponse'
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
      security:
        - HTTPBearer: []
components:
  schemas:
    ServiceAccountCreate:
      properties:
        name:
          type: string
          maxLength: 63
          title: Name
          description: >-
            Machine identity name (lowercase slug), e.g. 'claude-code' or
            'github-actions'
        scopes:
          anyOf:
            - items:
                $ref: '#/components/schemas/ScopeItem'
              type: array
            - type: 'null'
          title: Scopes
          description: >-
            Scopes granted to the token, as {scope, effect} objects (the shared
            RBAC write shape; token scopes are grants, so only effect='allow' is
            accepted). Defaults to run and read scopes: agents:run, teams:run,
            workflows:run, sessions:read
        expires_in_days:
          anyOf:
            - type: integer
              maximum: 3650
              minimum: 1
            - type: 'null'
          title: Expires In Days
          description: 'Days until the token expires (default: 90)'
          default: 90
        never_expires:
          type: boolean
          title: Never Expires
          description: >-
            Mint a non-expiring token. Must be set explicitly; overrides
            expires_in_days.
          default: false
        allow_privileged_scopes:
          type: boolean
          title: Allow Privileged Scopes
          description: >-
            Required to grant privileged scopes: any write or delete action, the
            admin scope, or any service_accounts scope. Privileged tokens must
            be deliberate, never accidental.
          default: false
      type: object
      required:
        - name
      title: ServiceAccountCreate
    ServiceAccountCreateResponse:
      properties:
        id:
          type: string
          title: Id
        name:
          type: string
          title: Name
        principal:
          type: string
          title: Principal
          description: >-
            The user_id attached to runs made with this token, e.g.
            'sa:claude-code'
        user_id:
          anyOf:
            - type: string
            - type: 'null'
          title: User Id
          description: >-
            The user this account belongs to; None for workspace-level accounts.
            Distinct from created_by, which records who minted the token.
        token_prefix:
          type: string
          title: Token Prefix
          description: First characters of the token, for display only
        scopes:
          items:
            $ref: '#/components/schemas/ScopeSchema'
          type: array
          title: Scopes
          description: Scopes granted to the token, in the shared RBAC read shape
        created_at:
          type: integer
          title: Created At
        expires_at:
          anyOf:
            - type: integer
            - type: 'null'
          title: Expires At
        last_used_at:
          anyOf:
            - type: integer
            - type: 'null'
          title: Last Used At
        revoked_at:
          anyOf:
            - type: integer
            - type: 'null'
          title: Revoked At
        created_by:
          anyOf:
            - type: string
            - type: 'null'
          title: Created By
        token:
          type: string
          title: Token
          description: The plaintext token. Shown exactly once - store it securely now.
      type: object
      required:
        - id
        - name
        - principal
        - token_prefix
        - created_at
        - token
      title: ServiceAccountCreateResponse
      description: Returned once, at creation. The token is never retrievable again.
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    ScopeItem:
      properties:
        scope:
          type: string
          title: Scope
          description: Scope string, e.g. 'agents:*:run'
        effect:
          type: string
          enum:
            - allow
            - deny
          title: Effect
          description: '''allow'' or ''deny'''
          default: allow
      type: object
      required:
        - scope
      title: ScopeItem
      description: >-
        Write shape for one scope grant: the canonical RBAC payload for every
        scope-bearing API.


        Endpoints that take scopes accept these objects only (a bare string is a
        validation

        error). ``effect`` is constrained here so every consumer rejects typos
        at the model

        layer; whether ``deny`` is *semantically* legal stays per-endpoint
        (roles support

        deny rules, service-account tokens are pure grants and reject it).
    ScopeSchema:
      properties:
        id:
          anyOf:
            - type: string
            - type: 'null'
          title: Id
          description: >-
            Scope id (always null here; kept for shape parity with the cloud
            RBAC API, which addresses scopes individually)
        raw:
          type: string
          title: Raw
          description: Original scope string, e.g. 'agents:*:run'
        namespace:
          type: string
          title: Namespace
          description: Resource namespace, e.g. 'agents'
        sub_namespace:
          anyOf:
            - type: string
            - type: 'null'
          title: Sub Namespace
          description: Specific resource id or wildcard '*'
        permission:
          type: string
          title: Permission
          description: Action, e.g. 'read' / 'run' / 'write'
        value:
          type: string
          title: Value
          description: '''allow'' or ''deny'''
          default: allow
      type: object
      required:
        - raw
        - namespace
        - permission
      title: ScopeSchema
      description: >-
        Read shape for one scope: the parsed RBAC payload shared by every
        scope-bearing API.


        Mirrors the cloud RBAC scope shape ({raw, namespace, sub_namespace,
        permission, value})

        so a frontend renders scopes from any AgentOS API with one integration.
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
        input:
          title: Input
        ctx:
          type: object
          title: Context
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    HTTPBearer:
      type: http
      scheme: bearer

````