
Service Accounts

Service accounts offer a protected and standardized method of authenticating machine-to-machine communication between services protected by Pomerium.


Before you begin, confirm you are in the correct Namespace. A service account can only be used in the Namespace it was created in and in that Namespace's child Namespaces, so create it in the Namespace that holds the routes it needs to reach.

  1. From the main menu, select Service Accounts under CONFIGURE. Click the + ADD SERVICE ACCOUNT button:

    The Service Accounts page

  2. A service account can be unique to Pomerium, or it can impersonate a directory user from your IdP.

    Give the service account a unique user ID, or select an existing directory user to impersonate. Consider including the Namespace in the ID so the account is easy to identify later. Optionally set an expiration date; once it passes, the account's JWT is no longer accepted:

    Adding a unique service account

    The user ID set here is the value matched by the User criterion when editing a policy.

  3. After you click Submit, the modal presents the JSON web token (JWT) for the service account. Temporarily save it somewhere secure, as you will not be able to view it again:

    Service Account Added

    Store this JWT in your application's configuration (a secret store or environment variable, not source code) and have the application present it on each request to the Pomerium-protected service. It is a bearer credential: anyone who holds it can act as the service account until it expires or is deleted.

  4. Edit or create policies to grant the service account access to the internal service, matching its user ID with the User criterion:

    An example policy for a service account

    An example policy for a service account in the policy builder
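The steps above end with a JWT and a policy but no client. The following is an added example of the client side, written for this page and not Pomerium's own code: it reads the JWT from the environment rather than from source, inspects the `exp` claim so an expired account fails with a clear message instead of an opaque denial, presents the token on the request, and treats a 401/403 from Pomerium as a policy mismatch on the user ID. It assumes the environment variable name `POMERIUM_SERVICE_ACCOUNT_JWT`, the service account ID `reports-bot`, the route URL, and the `Authorization: Pomerium-<JWT>` header form; the policy fragment in the docstring is likewise an assumed illustration of the User criterion from step 4, and the token used by `demo()` is constructed locally, not one issued by Pomerium.

```python
"""Call a Pomerium-protected service with a service account JWT.

Added example, not Pomerium's client code. Assumed (not from the page):
  * the JWT is supplied in the POMERIUM_SERVICE_ACCOUNT_JWT environment variable
  * the route policy allows the service account's user ID, e.g.
        policy:
          allow:
            and:
              - user:
                  is: "reports-bot"
  * the token is presented as   Authorization: Pomerium-<JWT>
"""
import base64
import json
import os
import time
import urllib.error
import urllib.request

ENV_VAR = "POMERIUM_SERVICE_ACCOUNT_JWT"


def load_service_account_jwt(env=os.environ):
    """Read the JWT from configuration; refuse to start without it."""
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set; use the JWT shown when the service account was created")
    return token


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims. Signature is NOT verified here; Pomerium verifies it server-side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token, now=None):
    """Seconds left before the `exp` claim, or None when the account has no expiration date."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return None
    return exp - (time.time() if now is None else now)


def auth_headers(token):
    """Header Pomerium reads the service account JWT from (assumed form, see module docstring)."""
    return {"Authorization": f"Pomerium-{token}"}


def call_service(url, token, opener=urllib.request.urlopen, now=None):
    """GET `url` as the service account; raise a clear error on expiry or policy denial."""
    left = seconds_until_expiry(token, now)
    if left is not None and left <= 0:
        raise RuntimeError("service account JWT has expired; issue a new one in the Pomerium console")
    req = urllib.request.Request(url, headers=auth_headers(token))
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                f"Pomerium returned {err.code}: the route policy does not allow this service "
                "account's user ID (check the `user: is:` criterion) or the JWT was rejected") from err
        raise


def constructed_sample_jwt(claims):
    """Build a JWT-shaped token for offline demonstration only (alg=none, unsigned)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def _forbidden_opener(req):
    """Stand-in for urlopen used by demo(): behaves like Pomerium denying the request."""
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)


def demo():
    """Offline walk-through with a constructed token; returns what each step produced."""
    token = constructed_sample_jwt({"sub": "reports-bot", "exp": 1_700_000_000})
    url = "https://reports.internal.example.com/"  # assumed route
    results = {
        "sub": jwt_claims(token)["sub"],
        "scheme": auth_headers(token)["Authorization"].split("-", 1)[0],
        "seconds_left": seconds_until_expiry(token, now=1_699_999_000),
    }
    try:
        call_service(url, token, opener=_forbidden_opener, now=1_699_999_000)
    except PermissionError as err:
        results["denied"] = "403" in str(err)
    try:
        call_service(url, token, opener=_forbidden_opener, now=1_700_000_001)
    except RuntimeError as err:
        results["expired"] = "expired" in str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Checking `exp` locally is a convenience for operators, not a security control: Pomerium still validates the signature and expiry of every token it receives, and the client must treat the JWT as a secret since holding it is sufficient to act as the service account.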