# Create a service account

> How to create a Dfns service account, assign it permissions, and use its signing key for server-to-server API access without a human user.

export const Youtube = props => {
  return <iframe className="w-full aspect-video rounded-xl" src={`https://www.youtube.com/embed/${props.videoId}`} title="YouTube video player" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen>
      </iframe>;
};

<Youtube videoId="PewJoozkoZM" />

Service accounts are machine users for server-to-server communication. Unlike human users who authenticate with passkeys, service accounts use a keypair to sign API requests.

## When to use a service account

Use a service account when you need to:

* Call the Dfns API from your backend server
* Run automated processes (scheduled transfers, batch operations)
* Build applications that create wallets or manage users on behalf of your organization

## Create the service account

<Steps>
  <Step title="Generate a keypair">
    Your service account needs a keypair to sign its API requests. Generate one using OpenSSL:

    ```bash theme={null}
    # Generate the private key
    openssl genrsa -out service-account.pem 2048

    # Extract the public key
    openssl pkey -in service-account.pem -pubout -out service-account.public.pem
    ```

    Keep the private key (`service-account.pem`) secure and never share it; only the public key is uploaded to the dashboard, and you'll need the private key to sign requests.
  </Step>

  <Step title="Create the service account in the dashboard">
    1. Navigate to **Settings > Developers > Service Accounts** (direct link: [https://app.dfns.io/settings/service-accounts](https://app.dfns.io/settings/service-accounts))
    2. Click **New Service Account**
    3. Enter a name (e.g., "Backend Server" or "Trading Bot")
    4. Paste the contents of your public key file (including the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines)
    5. Click **Create** and 🔑 sign with your passkey
  </Step>

  <Step title="Save the authentication token">
    After creation, you'll see the service account token. **Copy it immediately** - it won't be shown again.

    <Warning>
      If you lose the token, you'll need to create a new service account.
    </Warning>

    Store both the token and private key securely. Dfns recommends using a secrets manager like AWS Secrets Manager, HashiCorp Vault, or your cloud provider's equivalent.
  </Step>

  <Step title="Review permissions">
    By default, a new service account has **no permissions**. You must explicitly assign a role with the permissions it needs:

    1. Navigate to **Settings > Roles** and create a new role with only the required permissions
    2. Go back to **Settings > Developers > Service Accounts** and click on your service account
    3. Assign the dedicated role

    **Common permission sets:**

    | Use case                  | Permissions needed                                                 |
    | ------------------------- | ------------------------------------------------------------------ |
    | Create and manage wallets | `Wallets:Create`, `Wallets:Read`                                   |
    | Transfer assets           | `Wallets:Read`, `Wallets:Sign`                                     |
    | Register end users        | `Auth:Users:Create`, `Auth:Users:Read`                             |
    | Full wallet management    | `Wallets:Create`, `Wallets:Read`, `Wallets:Sign`, `Wallets:Update` |

    See the [full list of permissions](/core-concepts/roles-and-permissions#list-of-permissions) for all available options.

    <Tip>
      You can also assign a permission at creation time by passing a `permissionId` in the [Create Service Account](/api-reference/auth/create-service-account) API request body. The creating user must have the `PermissionsAssign` permission.
    </Tip>
  </Step>
</Steps>
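As an added example (not from the Dfns docs or SDK), this bash script runs the two keypair commands from step 1 into a temporary directory and checks what the later steps rely on: that the public key file carries the `BEGIN`/`END PUBLIC KEY` lines the dashboard form expects, that the private key file is readable by its owner alone, and that the private key signs a constructed challenge which the public key verifies. The file names and challenge bytes are the script's own.

```shell
# Added example (not part of the Dfns guide): run the keypair steps above into a
# temporary directory and check the results before pasting/storing them.
set -eu

WORKDIR="$(mktemp -d)"
PRIV="$WORKDIR/service-account.pem"
PUB="$WORKDIR/service-account.public.pem"

# Same two openssl commands as the guide; the private key is made owner-only.
generate_keypair() {
  openssl genrsa -out "$PRIV" 2048 2>/dev/null
  chmod 600 "$PRIV"
  openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# Returns 0 only if the file parses as a public key and its first and last
# lines are the BEGIN/END PUBLIC KEY markers the dashboard form expects.
check_public_key() {
  head -n 1 "$1" | grep -qx -- '-----BEGIN PUBLIC KEY-----' || return 1
  tail -n 1 "$1" | grep -qx -- '-----END PUBLIC KEY-----' || return 1
  openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# Returns 0 only if the private key is readable by its owner alone (-rw-------).
check_private_key_perms() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Sign a constructed challenge with the private key and verify it with the
# public key: proves the two files pair up before the public half is uploaded.
roundtrip_signature() {
  challenge="$WORKDIR/challenge.bin"
  sig="$WORKDIR/challenge.sig"
  printf 'constructed-challenge-%s' "$$" > "$challenge"
  openssl dgst -sha256 -sign "$PRIV" -out "$sig" "$challenge"
  openssl dgst -sha256 -verify "$PUB" -signature "$sig" "$challenge" >/dev/null
}

generate_keypair
check_public_key "$PUB"         && echo "public key ready to paste"
check_private_key_perms "$PRIV" && echo "private key is owner-only"
roundtrip_signature             && echo "keypair signs and verifies"
```

The `openssl dgst` round trip only proves the two PEM files belong together; the exact signing format Dfns expects for user action challenges is covered in the signing guide linked below.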

## Service account limitations

Service accounts can perform most operations, but some actions require human interaction:

| Operation                     | Service Account | Notes                                                                           |
| ----------------------------- | --------------- | ------------------------------------------------------------------------------- |
| Create wallets                | Yes             |                                                                                 |
| Transfer assets               | Yes             | Subject to policies                                                             |
| Sign transactions             | Yes             | Subject to policies                                                             |
| Create end users              | Yes             | For delegated wallets                                                           |
| Approve policy requests       | Opt-in          | Requires `serviceAccountsCanApprove` on the approval group and staff activation |
| Create policies               | Yes             |                                                                                 |
| Create other service accounts | No              | Requires human passkey                                                          |
| Modify policies               | Yes             | But approval may require humans                                                 |

<Note>
  Service accounts can participate in [policy approvals](/core-concepts/policies#service-account-approvers) when explicitly enabled on the approval group. This feature requires activation by Dfns staff on your organization.
</Note>

## Using your service account

You now have everything needed to make API calls:

| Credential      | Purpose                                                                                               |
| --------------- | ----------------------------------------------------------------------------------------------------- |
| **Token**       | Used in the `Authorization: Bearer <token>` header                                                    |
| **Private key** | Used to sign [user action challenges](/api-reference/auth/signing-flows) for POST/PUT/DELETE requests |

See the [TypeScript SDK service account example](https://github.com/dfns/dfns-sdk-ts/tree/m/examples/sdk/service-account) for a complete implementation.

## Related

<CardGroup cols={2}>
  <Card title="Sign requests" icon="signature" href="/guides/developers/signing-requests">
    How to sign API requests with your service account
  </Card>

  <Card title="Permissions reference" icon="shield" href="/core-concepts/roles-and-permissions">
    Full list of available permissions
  </Card>
</CardGroup>
