Free and Team plan users and Trial users have access to a Snyk user's token under their profile and can use this token to authenticate with a CI/CD, to run the CLI locally or on a build machine, and to authenticate with an IDE manually.
Service accounts are a special type of system user. Creating a service account generates an API token that is the only token associated with the service account and takes the place of standard user credentials. Snyk needs authentication in order to initiate Snyk processes.
You can set up a service account to use for automation rather than using a Snyk user's token and to help manage integrations.
You can generate single or multiple tokens on the Organization or Group levels to manage your integrations. Each service account has a unique name to make it easier to recognize. This name cannot be reused.
If you are an Enterprise user, you have a Snyk user's token under your profile. You also have access to service account tokens.
This includes, but is not limited to, scanning using a CI/CD or build system plugin and automation with the Snyk API.
If your team needs to set up a service account in GitHub, you must use GitHub Enterprise, which is available only with Snyk Enterprise accounts.
Using a service account to authenticate with an integration rather than a Snyk user's token ensures continuity when users change roles or close their personal Snyk accounts.
Use Group-level tokens to call Group API endpoints and Organization API endpoints, and to run the CLI for all Organizations in the Group.
Group roles are only for service accounts on the Group level and are limited to Enterprise accounts.
If you are an Enterprise user, use your Snyk user's token to run the CLI locally on your machine, authenticate with an IDE manually, and make an occasional API call, for example, to test the use of an endpoint.
Snyk advises against using a service account token to authenticate with an IDE.
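The following pre-flight check for a CI job that authenticates the Snyk CLI with a service account token is an added example, not part of the Snyk documentation. It assumes the token is injected from the CI secret store through the `SNYK_TOKEN` environment variable and that tokens are UUID-shaped; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: gate a CI scan on how the service account token was supplied.
# Assumptions: token arrives in SNYK_TOKEN; tokens are UUID-shaped.

# Return 0 if the value has UUID shape (assumed token format).
looks_like_token() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Return 0 if the token value occurs in any file under directory $2,
# meaning it was pasted into the repository instead of the secret store.
token_in_tree() {
  grep -rFq -e "$1" "$2" 2>/dev/null
}

# preflight <repo-dir>
#   0 = safe to scan      1 = SNYK_TOKEN missing
#   2 = malformed value   3 = token committed to the tree
preflight() {
  [ -n "${SNYK_TOKEN:-}" ] || {
    echo "SNYK_TOKEN is not set; inject it from the CI secret store" >&2
    return 1
  }
  looks_like_token "$SNYK_TOKEN" || {
    echo "SNYK_TOKEN does not look like an API token" >&2
    return 2
  }
  if token_in_tree "$SNYK_TOKEN" "$1"; then
    # Deleting the service account revokes the token immediately.
    echo "token found in the working tree; delete the service account" >&2
    return 3
  fi
  return 0
}

# In the CI job (the Snyk CLI reads SNYK_TOKEN from the environment):
#   preflight "$PWD" && snyk test
```
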
Generate single or multiple tokens on the Group or Organization levels to manage your integrations.
Group viewers are not able to create service accounts, regardless of their Org role.
To create a Group service account, you must be a Group admin. To create an Organization service account, you must be either a Group member and Org Admin, or a Group admin.
This process describes all options. Repeat the steps to create multiple tokens for the same or any other Group or Organization.
- Log in to your account and navigate to the relevant Group and Organization that you want to manage.
- Click on Settings > Service accounts to view existing service accounts and their details.
- Click Create a service account to create a new one. The screen that loads varies depending on whether you chose a Group or an Organization.
Note that while creating a Group service account, you can choose a Group level role.
In the Service Account name field, enter a unique name for this token. Remember, this name can be used only once for tokens in the same area, either an Organization or a Group.
Service account name and role
From the Role dropdown list, select an appropriate role.
For Group service accounts, choose from the following list of roles to configure the scope of the token; Snyk recommends selecting Viewer or Admin.
- Group Viewer enables read-only access. Note that to set an API token to be read-only and unable to write to the platform, you must use a service account and set it to Group Viewer. See Snyk API token permissions users can control.
- Group Admin enables full administrator access.
- Group Member associates a service account with a group but does not grant any specific access.
For Organization service accounts, choose from the standard roles, Org Admin or Org Collaborator, or a custom role if you have set up any custom roles. See Managing permissions for the scope of the Org Admin and Org Collaborator roles.
The token is generated and displayed.
Make sure you copy this token, as you will not see it again. You can click Close and Hide once you have copied the token; whether you do or not, when you navigate away from this page, the token will no longer be visible. This is a standard security practice to keep your tokens safe.
The new token is also added to your Existing service accounts list, like the list in this example:
Existing service accounts for a Group
In addition, if you created the token for the entire Group with a Group Admin role, the token also appears in the Existing service accounts list for each of its Organizations, though it can only be edited at the Group level.
Existing accounts for an Organization
If you created the token from an Organization that is part of a Group, the token now also appears in the Existing service accounts list on the Group level. From that list, the Group Admin can also change the token name or delete it.
Group service accounts with Organization accounts listed
Click any of the links to update the name for a service account token:
- For Group-level tokens, from the Group level only
- For Organization-level tokens, from the relevant Organization and also from the Group level:
Update a service account name
Administrators can change token names and delete tokens.
When you delete a service account, the API token associated with it is invalidated immediately.
When an account is managed with Groups, the Organization and the Group admins can delete tokens for the Organization; only Group admins can view and manage tokens on the Group level.
Deleting a service account is the same as revoking the API token.
- Log in to your account and navigate to the Group and Organization that you want to manage. For Group tokens, navigate to the Group level. For Organization tokens, Group admins can delete from either the Group or the relevant Organization; Organization admins should navigate to the relevant Organization.
- Click on Settings > Service accounts.
- Scroll to find the list of existing service accounts:
Existing service accounts for a Group
- From the list of existing tokens:
  - Click the token name to change the token name, then click Save.
  - Click Delete to delete a token and invalidate it immediately. When prompted, click OK. Remember that you cannot re-generate the same token.