Introduction to Service Accounts
When users leave an organization, their access tokens are revoked. If these tokens are being used for machine-to-machine communication, the communication is disrupted on revocation of the tokens. To avoid such disruptions, you can use service accounts.
A service account is a special user in an organization. Service account users are the only users who can use the OAuth credential flow. In such a case, the callers can obtain an access token; provided they have a client ID and a client secret.
Features of a Service Account
-
As an organization owner, you can create a service account user. You can also designate existing users in the organization as service account users.
-
You can invite a service account user to any of your domain subscriptions. In such a case, the service account user occupies a seat on the subscription just like a normal user.
-
You can use a service account non-interactively in scripts. Only a service account user can generate OAuth access tokens by using client credentials to authenticate. Normal users must use the web UI to generate the first OAuth access token.
-
You can invite up to five service account users per organization by default. To invite more service account users, contact the TIBCO Support team.
-
A service account user might also be an owner as long as there is at least one other owner who is not a service account user.
-
Operations that are performed on service account users in a parent organization are not synced with the child organizations even when the sync-user setting is set to true.
-
When a child organization is created, the user is inherited as a normal user. Privileges of the service account user are not inherited. The child organization owner must manually assign such users as service account users.
-
Service account users can be redesignated as normal users. All other roles, privileges, and OAuth tokens are left untouched.
Example: How to use a Service Account
-
In the Service accounts section on the Settings tab, designate a user as a service account.
-
In the OAuth client registration section on the Settings tab, have this user sign in and register an OAuth client. Note down the client's credentials. You get to see the credentials only once when the client is generated.
-
In your code, use Client Credential Flow to obtain a token. In the JSON response, note for how long the token is valid in seconds. You can get this value in the expires_in parameter. For more information, see Client-Credential Flow.
-
As long as the token is valid, you can make calls to TIBCO Cloud by using the following header:
Authorization: Bearer ACTUAL-ACCESS-TOKEN