Service accounts overview (Beta)
  • 21 Nov 2022
  • 4 Minutes to read
  • Dark
    Light

Service accounts overview (Beta)

  • Dark
    Light

Service accounts are non-user accounts created by admins that can access Airtable's APIs

Enterprise customers can create these service accounts, add them to bases and workspaces,  and use them to connect to external services and integrations. Service accounts do not have a logged-in experience and are not billed accounts.

Introduction

Plan availabilityEnterprise
Permissions

Enterprise admin permissions are needed to use service accounts as described in the article below

Platform(s)Web/Browser
Related reading

API developer documentation


Service accounts in the Admin Panel

Enterprise admins can manage service accounts from the Admin Panel—granting them access to workspaces and bases. 

NOTE
Service accounts can’t log into the UI, are not billed as users, and can be managed and deleted by admins.

Service accounts are designed to set up API integrations—using a personal access token or by authorizing an OAuth integration—independent of any specific user at your enterprise, enabling the integration to continue working even if a user departs your organization.


Creating & deleting service accounts

From the User's section of the Admin Panel, admins can create, delete, edit, and grant admin access to individual service accounts. All service account profiles feature the user's name, last date used, created at date/time, and created by field.

To create a service account:

  1. Visit your Admin Panel and select Users from the side menu.
  2. Select the Service accounts tab. 
  3. Click Create service account
  4. Assign your service account a name and email address.

After creating an account, it is always available under the Service accounts section of the User's panel.

To delete a service account:

  1. Visit your Admin Panel and select Users from the side menu.
  2. Select the Service accounts tab. 
  3. Select the name of the service account you want to delete.
  4. Click to the right of the Created field. 
  5.  Select Delete service account and click Delete

Deleting in bulk is also supported via the checkboxes to the left of the service accounts.


Service account details

The Admin Panel's service accounts tab allows you to view new or previously created service accounts. And by selecting an individual account, you can review that account's unique information and permissions. 


Workspaces & bases overview 

Within the service account details page, the Workspaces and Bases tabs allow admins to:

  • View which workspaces and bases individual service accounts can access.
  • Give or revoke a service account's access to specific workspaces and bases.


Creating & managing personal access tokens

To create personal access tokens:

  1. Visit your Admin Panel and select Users from the side menu. 
  2. Select the Service accounts tab.
  3. Select the name of the account you want to view. 
  4. Click Personal access tokens
  5. Click Create personal access token and name the token. 
  6. Grant the personal access token base-specific permissions and resources.

To manage personal access tokens:

  1. Navigate to the Service accounts details page (see above).
  2. Click to the right of the Date created field. 
  3. Choose between Edit token, Regenerate token, or Delete token


Managing integrations

Service accounts can be used when authorizing new OAuth integrations. Enterprise admins must choose between authorizing themselves or as service accounts in their enterprise.

Once an integration has been authorized as a service account you can manage the integration via the Enterprise Admin Panel:

  1. Visit your Admin Panel and select Users from the side menu.
  2. Select the Service accounts tab.
  3. Select the name of the account you want to view.
  4. Click Third-party integrations.
  5. Click to the right of the Date created field for the integration you wish to manage. 
  6. Click Edit permissions to choose between:
    1. Revoking access for the integration entirely.
    2. Or changing the resources the integration can access.


Downloading service accounts CSVs

Service account CSVs include:

  • User IDs
  • User first names 
  • User emails 
  • Account types 
  • Activity time stamps
  • Date and time joined (UTC)

To download a service account CSV:

  1. Visit your Admin Panel and select Users from the side menu. 
  2. Click CSV next to the Create service account button.


FAQs

Why is an email required for a service account?

Emails allow service accounts to be invited to bases and workspaces through a unique identifier, allowing critical emails to be delivered to the address associated with the account.

We recommend setting up a mailing list or using an existing email followed by a plus (+). Many email providers route pluses to the same email address (for example, example+serviceAccount@example.com will, on many email providers, route messages to example@example.com).  

Is there a limit to how many service accounts I can create?

Yes, service accounts are limited to 30 per Enterprise plan by default. If you want to raise the default limit, get in touch  with support or your account executive.

Can admins log into the Airtable user interface with a service account?

No, while service accounts are associated with unique emails, admins can't log into the Airtable UI. As a result, we do not require that the email is validated. However, we require that all associated emails exist on your enterprise domain (i.e., an @yourenterprise.com email address).

Can a service account from my enterprise generate personal access tokens with access to bases or workspaces outside my enterprise account?

Yes. However, the service account still needs access to that base or workspace before being able to grant access through a personal access token. These bases and workspaces will not appear in the enterprise admin panel but can be selected when creating personal access tokens or managing integrations.

Can a service account from a different enterprise use personal access tokens to access my enterprise’s bases or workspaces?

Yes, but these can be restricted by the API access enterprise control described in the personal access token documentation. In addition, because the account is external, you cannot see the individual personal access tokens created on the account.

Where can I find service accounts owned by different enterprises that have access to my resources?

Service accounts owned by a different enterprise—with access to your enterprises' workspaces or bases—are listed under the Users tab. They are tagged as service accounts but are managed the same as any other external user.


Was this article helpful?