Service accounts
Service accounts let an organization create credentials for server-side API clients without tying those credentials to a human user. A service account has long-lived client credentials. API clients exchange those credentials for short-lived opaque access tokens, then use the access tokens to call protected CrewAI Platform API endpoints.Create a service account
- Open Settings in your organization.
- Open Service Accounts.
- In the Create service account form, enter a descriptive name, such as
Production automation. - Optionally enter a description.
- Click Create service account.
- Copy the generated Client ID and Client secret from the credentials dialog.
- Store the client secret in the secret storage system your organization uses for server-side credentials.
Rotate a client secret
Rotate a service account to generate a new client secret.- Open Settings in your organization.
- Open Service Accounts.
- Click View details for the service account.
- Click Rotate.
- Copy the new Client secret from the credentials dialog.
- Store the new secret in the secret storage system your organization uses for server-side credentials.
If you lose the secret
CrewAI stores only a one-way digest of the client secret. The original secret cannot be recovered. If you lose the secret, rotate the service account to generate a new one.Get an access token
Use the OAuth 2.0 client credentials flow to exchange a service account’sclient_id and client_secret for an access token.
The token endpoint is not versioned:
Authorization header value is Basic <base64(client_id:client_secret)>.
Call the API with an access token
Send the access token as a bearer token when calling protected Platform API endpoints:Cache access tokens
Access tokens are short-lived. The token response includesexpires_in, which tells clients how many seconds the issued token remains valid. CrewAI currently issues service account access tokens with a 3600-second lifetime.
Clients should cache and reuse an access token until it is close to expiration. Do not call /oauth/token before every API request.
The token endpoint is rate-limited to protect the authentication service and to encourage token reuse. If a client receives a rate-limit response, it should back off and reuse a cached token if one is still valid.
Token request errors
/oauth/token returns OAuth 2.0-style errors, not the CrewAI API data / errors envelope.
Example:
/api/v1/... resource endpoints continue to return CrewAI API error envelopes.
Missing, expired, revoked, or invalid bearer tokens return 401 Unauthorized with a WWW-Authenticate: Bearer header.
Revoke a service account
Revoke a service account when it should no longer be used.- Open Settings in your organization.
- Open Service Accounts.
- Click View details for the service account.
- Click Revoke.
- Optionally enter a reason.
- Confirm the revocation.
