A service account is a special type of account used by software applications or services to authenticate and interact with other software systems, services, or resources. Service accounts are often used in server-to-server communication scenarios, where one system needs to access another system's resources securely and efficiently.
The Service Account feature enhances Pipefy's robustness and security by introducing an additional layer of protection. It also helps with auditing, since it separates user accounts from integration accounts and lets users assign dedicated accounts to automated tasks and workflow actions. It also provides token expiration, which adds an extra layer of security.
In Pipefy, Service Accounts use the Client Credentials grant type to generate the token.
To create a Service Account:
Make sure you are a Super Admin in the organization before following these steps.
- Click on the name of your company or your profile image at the top of the page. Then, click on Members and Permissions.
- Click on the Service Accounts tab.
- Click on Create Service Account.
- Enter the Account Name. This will be used to create the email address and needs to be up to 20 characters. If you’d like, add a description. Up to 140 characters.
- Define the role that this account will have on the organization.
- Define how long tokens generated for this service account will work before they expire. The minimum time is 5 minutes and the maximum is 30 days.
Important: It is not possible to change the expiration time once you have created the Service Account. If you need a Service Account with a different expiration time, you need to create a new account.
To generate your token:
- Click on the Service Account on the list and get the Client ID, the Client Secret, and the token endpoint. This is sensitive information, so be careful when sharing or storing it.
- Make a POST request to the token endpoint passing the grant type “client_credentials”, Client ID, and Client Secret as the body. See an example on Postman:
- The response will be your token, its expiration time (in seconds), and information about your service account.
- As long as your token is valid, this request will return the same token and will only generate a new one when the current one expires, but make sure to implement an expiration check on your side. We recommend using common OAuth2 libraries that already handle this by default.