Service tokens

Service tokens provide machine-to-machine authentication for specific Posit Connect capabilities. Unlike user API keys, service tokens are not tied to a user account. This makes them suitable for automated systems that must remain functional regardless of user lifecycle changes. Service tokens do not consume a license seat.

When to use service tokens

Use service tokens when the credential should survive user deactivation, role changes, or account deletion and:

Use administrator API keys when:

  • You need full administrator access for a one-time or interactive task
  • The calling system already authenticates as a specific user

Available scopes

Service tokens are scoped to specific capabilities and cannot be used for general Connect API access. Service tokens support the following scopes:

Scope              Description
identity:manage    Manage users and groups via SCIM
nameservice:read   Read user and group information for the nameservice

Creating a service token

Create a service token using the Connect API. You need an administrator API key to create service tokens.

Terminal
curl -X POST https://connect.example.com/__api__/v1/system/service-tokens \
  -H "Authorization: Key ADMIN-API-KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "SCIM Provisioning", "scopes": ["identity:manage"]}'

See the create service token API reference for request and response details.

Warning

The key value is only returned once at creation time. Store it securely before closing the response. If lost, delete the token and create a new one.

Using a service token

Include the token in the Authorization header as a bearer token:

Terminal
curl -H "Authorization: Bearer SERVICE-TOKEN" \
  https://connect.example.com/scim/v2/Users

Listing service tokens

Use the list service tokens endpoint to view existing tokens.

Terminal
curl -X GET https://connect.example.com/__api__/v1/system/service-tokens \
  -H "Authorization: Key ADMIN-API-KEY"

Deleting service tokens

Use the delete service tokens endpoint to delete existing tokens.

Terminal
curl -X DELETE https://connect.example.com/__api__/v1/system/service-tokens/TOKEN-GUID \
  -H "Authorization: Key ADMIN-API-KEY"

Deleting a token immediately revokes access.

Rotating a service token

To rotate a service token:

  1. Create a new token with the same scope.
  2. Update the consuming system with the new token value.
  3. Delete the old token.

Update your consuming system before deleting the old token to avoid service interruptions.
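
The rotation order above, as an added example in Python (not Posit's own code). It also handles the failure case: if the consuming system cannot be updated, the unused new token is revoked and the old one is kept. Assumptions: the create response is JSON with `guid` and `key` fields, which the page does not confirm, and `call` and `update_consumer` are hypothetical hooks for the HTTP transport and for storing the new key in the consuming system.

```python
import json
import urllib.request

API = "/__api__/v1/system/service-tokens"  # endpoint path from the page


def http_call(base_url, admin_key):
    """Build call(method, path, body) using the administrator API key."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            base_url + path,
            data=json.dumps(body).encode() if body is not None else None,
            method=method,
            headers={"Authorization": f"Key {admin_key}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return call


def rotate(call, old_guid, name, scopes, update_consumer):
    """Create, update the consumer, then delete the old token.

    Assumption: the create response carries "guid" and "key" fields.
    update_consumer(key) is a hypothetical hook that stores the new key
    in the consuming system and raises if that fails.
    """
    created = call("POST", API, {"name": name, "scopes": scopes})
    new_guid, new_key = created["guid"], created["key"]  # key is returned only once
    try:
        update_consumer(new_key)
    except Exception:
        # The consumer still holds the old token: keep it valid and
        # revoke the new token that nothing is using.
        call("DELETE", f"{API}/{new_guid}")
        raise
    call("DELETE", f"{API}/{old_guid}")  # deletion revokes access immediately
    return new_guid
```

Against a real server, pass `http_call("https://connect.example.com", admin_key)` as `call`, reading the administrator key from a secret store rather than hard-coding it.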

Audit log behavior

Operations authenticated with a service token are attributed to the service token itself in audit logs, not to any user account.