> ## Documentation Index > Fetch the complete documentation index at: https://docs.nscale.com/llms.txt > Use this file to discover all available pages before exploring further. # Create service account > Creates a new service account and returns an access token, The returned access token can only be read once. ## OpenAPI ````yaml /openapi/identity-openapi.yaml post /api/v1/organizations/{organizationID}/serviceaccounts openapi: 3.0.3 info: title: Identity API description: >- The Identity API provides an OIDC compliant interface for use with all official and 3rd party services and proxies. As its intended use is for multi-tenant cloud deployments, it acts as an aggregation layer for other 3rd party OIDC services, dispatching login requests to the required OIDC backend. Token introspection forms the basis of role based access control across all APIs. For security purposes, access tokens and refresh tokens are limited to a single session per client, thus if they are being consumed by a horizontally scalable platform care must be taken to ensure token rotation is handled atomically by a single process, and the tokens are distributed to each service instance synchronously. version: 1.11.0 servers: - url: https://identity.nks.europe-west4.nscale.com security: [] paths: /api/v1/organizations/{organizationID}/serviceaccounts: description: >- Allows management of service accounts. Service accounts provide long-lived access tokens for use with CLI and CI/CD tooling. At present a service account token defaults to a 90 day lifetime. Service tokens can be refreshed with an API call. parameters: - $ref: '#/components/parameters/organizationIDParameter' post: tags: - Service accounts summary: Create service account description: >- Creates a new service account and returns an access token, The returned access token can only be read once. requestBody: $ref: '#/components/requestBodies/serviceAccountCreateRequest' responses: '201': $ref: '#/components/responses/serviceAccountCreateResponse' '401': $ref: '#/components/responses/unauthorizedResponse' '403': $ref: '#/components/responses/forbiddenResponse' '500': $ref: '#/components/responses/internalServerErrorResponse' security: - oauth2Authentication: [] components: parameters: organizationIDParameter: name: organizationID in: path description: An organization ID. required: true schema: type: string requestBodies: serviceAccountCreateRequest: description: Body required to create a service account. required: true content: application/json: schema: $ref: '#/components/schemas/serviceAccountWrite' example: metadata: name: my-service-account description: A service account for doing stuff. spec: groupIDs: - 0aaba80d-67ef-4799-b6d9-59f37e2ce2ad responses: serviceAccountCreateResponse: description: A service account creation. content: application/json: schema: $ref: '#/components/schemas/serviceAccountCreate' example: metadata: id: ee45f34b-9685-40d8-8724-23c31252ca46 name: my-service-account organizationId: d4600d6e-e965-4b44-a808-84fb2fa36702 creationTime: '2024-05-31T14:11:00Z' provisioningStatus: provisioned healthStatus: healthy spec: groupIDs: - f2000047-19f8-426e-93b9-9f0a5bfa0edd status: expiry: '2025-03-14T16:10:00Z' accessToken: >- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c unauthorizedResponse: description: Authentication failed or the access token has expired. content: application/json: schema: $ref: '#/components/schemas/error' example: error: access_denied error_description: authentication failed forbiddenResponse: description: >- Request was denied by authorization, this may be caused by the authorization token not having the required scope for an API, or the user doesn't have the necessary privileges on the provider platform. content: application/json: schema: $ref: '#/components/schemas/error' example: error: forbidden error_description: user credentials do not have the required privileges internalServerErrorResponse: description: >- An unexpected or unhandled error occurred. This may be a transient error and may succeed on a retry. If this isn't the case, please report it as an issue. content: application/json: schema: $ref: '#/components/schemas/error' example: error: server_error error_description: failed to token claim schemas: serviceAccountWrite: description: A service account creation request. type: object required: - metadata - spec properties: metadata: $ref: '#/components/schemas/resourceMetadata' spec: $ref: '#/components/schemas/serviceAccountSpec' serviceAccountCreate: description: A new service account. type: object required: - metadata - spec - status properties: metadata: $ref: '#/components/schemas/organizationScopedResourceReadMetadata' spec: $ref: '#/components/schemas/serviceAccountSpec' status: $ref: '#/components/schemas/serviceAccountStatus' error: description: Generic error message, compatible with oauth2. type: object required: - error - error_description properties: error: description: >- A terse error string expanding on the HTTP error code. Errors are based on the OAuth 2.02 specification, but are expanded with proprietary status codes for APIs other than those specified by OAuth 2.02. type: string enum: - invalid_request - server_error - access_denied - not_found - conflict - method_not_allowed - unsupported_media_type - request_entity_too_large - forbidden error_description: description: Verbose message describing the error. type: string resourceMetadata: description: Metadata required for all API resource reads and writes. required: - name properties: name: $ref: '#/components/schemas/kubernetesLabelValue' description: description: >- The resource description, this optionally augments the name with more context. type: string tags: $ref: '#/components/schemas/tagList' serviceAccountSpec: description: A service account specification. type: object required: - groupIDs properties: groupIDs: $ref: '#/components/schemas/groupIDs' organizationScopedResourceReadMetadata: description: Metadata required by organization scoped resource reads. allOf: - $ref: '#/components/schemas/resourceReadMetadata' - type: object required: - organizationId properties: organizationId: description: The organization identifier the resource belongs to. type: string serviceAccountStatus: description: A service account status. type: object required: - expiry properties: expiry: description: When the service token is due to expire. type: string format: date-time accessToken: description: >- A long lived access token that can be exchanged for an API access token. type: string kubernetesLabelValue: description: >- A valid Kubernetes label value, typically used for resource names that can be indexed in the database. type: string pattern: ^[0-9A-Za-z](?:[0-9A-Za-z-_.]{0,61}[0-9A-Za-z])?$ tagList: description: A list of tags. type: array items: $ref: '#/components/schemas/tag' groupIDs: description: A list of group IDs. type: array items: description: A group ID. type: string resourceReadMetadata: description: Metadata required by all resource reads. allOf: - $ref: '#/components/schemas/staticResourceMetadata' - type: object required: - provisioningStatus - healthStatus properties: deletionTime: description: The time the resource was deleted. type: string format: date-time provisioningStatus: $ref: '#/components/schemas/resourceProvisioningStatus' healthStatus: $ref: '#/components/schemas/resourceHealthStatus' tag: description: >- A tag mapping arbitrary names to values. These have no special meaning for any component are are intended for use by end users to add additional context to a resource, for example to categorize it. type: object required: - name - value properties: name: description: A unique tag name. type: string value: description: The value of the tag. type: string staticResourceMetadata: description: | This metadata is for resources that just exist, and don't require any provisioning and health status, but benefit from a standardized metadata format. type: object allOf: - $ref: '#/components/schemas/resourceMetadata' - type: object required: - id - creationTime properties: id: description: The unique resource ID. type: string creationTime: description: The time the resource was created. type: string format: date-time createdBy: description: The user who created the resource. type: string modifiedTime: description: The time a resource was updated. type: string format: date-time modifiedBy: description: The user who updated the resource. type: string resourceProvisioningStatus: description: The provisioning state of a resource. type: string enum: - unknown - provisioning - provisioned - deprovisioning - error resourceHealthStatus: description: The health state of a resource. type: string enum: - unknown - healthy - degraded - error securitySchemes: oauth2Authentication: description: Operation requires OAuth 2.0 bearer token authentication. type: oauth2 flows: authorizationCode: authorizationUrl: https://identity.nks.europe-west4.nscale.com/oauth2/v2/authorization tokenUrl: https://identity.nks.europe-west4.nscale.com/oauth2/v2/token scopes: {} ````