Service accounts in Crowd Data Center

Atlassian Data Center documentation

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

A service account is a special kind of Data Center account that isn't associated with a person. It accesses Crowd via OAuth 2.0 authorisation and doesn’t require a password to log in.

It lets you manage the identities of services, integrations, script users, and apps for your Data Center instance. You can manage a service account the same way you manage a user account.

As part of the Crowd 7.0 release, you can create and manage service accounts for Crowd via REST APIs. In the future, this will be possible for Crowd and other products, via a user interface.

Create a service account via the UI

Starting with Crowd 7.1, you can use your user interface (UI) to manage service accounts, making it easier to create, update, delete, and manage credentials without relying on the REST API. You can now access all core service account management features directly in the UI. Service accounts created before Crowd 7.1 are also fully supported and can you can manage them through the new interface

Explore how to create a service account via the UI

Endpoints supported by Crowd

Crowd 7.0 introduces support for service accounts as a way to interact with Crowd without the need for user contexts, such as for scripting, background jobs, or other automated tasks.

Authorization for service accounts is handled via OAuth 2.0 client credentials. At the moment the following REST endpoints are available for service accounts:

  1. Groups membership

  2. Group Admin (except Search administered groups as there is no current user context)

  3. User Admin (except Search users as there is no current user context)

Create a service account in Crowd

You can create service accounts from within your Data Center product. When it’s created, we generate a Client ID and Client secret for OAuth 2.0 authorisation.

Note, the only scope currently available is APPLICATION.

To create a service account in Crowd, use:

POST {crowd_url}/rest/service-accounts/latest/service-accounts

{ "displayName": "Brand new service account", "scopes": ["APPLICATION"], "expiryDuration": 2592000, "description": "This is my new service account for accessing Crowd" }


Parameters

  • displayName (String) → The name of the service account.

  • scopes (Array of Strings) → At the moment the scope must be APPLICATION otherwise it will not have access to any of Crowd’s endpoints.

  • expiryDuration (integer in seconds) → duration of credential validity before a credential rotation is required. After the specified number of seconds have passed the credentials for the Service Account will have to be regenerated (see below for more the credential handling). This duration has a maxmium limit of 2 years.

  • description (String) → description of the service account.


Response:

{ "id": 1179649, "active": true, "name": "service-account-35b67653-f18d-4cad-bc0e-f2834859643c", "displayName": "Brand new service account", "description": "random description", "resourceRestrictions": [], "authMethods": [ { "type": "OAuth2", "id": "89efcc0f-8fb5-4d91-98e1-3d20bdc4ec74", "clientId": "de2782fd6ff6dbd09bf8ed4082cf203c", "clientSecret": "5a6f7f83958b110419fb90bd2bb119a8b12fb431bd79b68f2c7ed01eae5e8c6f", "lastRotatedAt": "2025-07-31T12:51:37.500Z", "expiryDuration": 2592000, "expiryDate": "2025-08-30T12:51:37.500Z", "expirySoon": false, "author": "admin", "scopes": [ "APPLICATION" ] } ] }


Return fields:

Besides the fields submitted, here is what's returned:

  • id → The unique identifier for the Service Account

  • active → Whether the Service Account is currently being used, or has been archived.

  • name → The unique name of the Service Account. Used in places such as auditing.

  • resourceRestrictions → These restrictions are not applicable within Crowd and can be ignored

  • authMethods → At the moment only OAuth2 is supported and represents a configuration to be used by the external service. The credentials found here should be used to interact with Crowd viaOAuth2

    • id → the unique identifier for the OAuth2 configuration

    • clientId → the clientId of the OAuth2 configuration that should be used to generate an access token. This value will be required to generate an access token.

    • clientSecret → the clientSecret of theOAuth2 configuration. This value will be required to generate an access token.

    • lastRotatedAt → When the clientId/clientSecret was last updated at.

    • expiryDate → When the set of clientId/clientSecret will expire.

    • author → The user that generated this Service Account

Manage a service account in Crowd

Once a service account is created, you can update account details, or rotate account credentials.

Update service account details

To update account details, use:

PUT {crowd_url}/rest/service-accounts/latest/service-accounts/{id}

{ "displayName": "a new display name", "description": "a new description" }

If you want to modify other fields like expiryDuration, you'll have to archive and generate a new service account.

Rotate service account credentials

For security purposes, service account credentials have a limited expiration date (max duration of 2 years).

To rotate credentials:

  1. Check the clientId of the current OAuth2 credential being used by the Service Account and make a POST request to the following endpoint:
    POST {{crowd_url}}/rest/oauth2/latest/rotate/{clientId}

  2. Using the OAuth2 id2, make a GET request to fetch the credentials with the following endpoint and update the OAuth2 credentials in your service account application: 
    GET {{crowd_url}}/rest/oauth2/latest/client/{oAuth2ConfigId}

    { "id": "cf1b543a-de85-473f-9813-b83c86387936", "clientId": "9693b2e52647e3664e3e1e15b135e035", "clientSecret": {someSecret}, "name": "service-account-edcee821-62af-43d6-8c15-91f9c41d6fc2", "redirects": [], "supportedGrantTypes": [ "client_credentials" ], "userKey": "admin", "scope": "APPLICATION", "rotatedClientId": "a226d78aa6b31a54ec8702a14b6de89e", "rotatedClientSecret": {someRotatedSecret}", "expiryDuration": 2592000 }


Parameters

  • clientId → the current client id that should be used in your oAuth2 configuration

  • clientSecret → the current client secret that should be used in your oAuth2 configuration

  • rotatedClientId → the old client id. If you have an application using this ID you should update it with the clientId

  • rotatedClientSecret → the old client secret. If you have an application using this secret you should update it with clientSecret as this is an old value

Search for a service account in Crowd

To search for a service account, use:

GET {crowd_url}/rest/service-accounts/latest/service-accounts/?start=0&limit=25&active=true

Note, this endpoint also supports pagination and active filtering via query params. By default the start value is 0 with a limit of 25 and set active to true.

Archive a service account in Crowd

We don't support the deleting of service accounts, but you can archive them.

This action can’t be undone. The OAuth 2.0 client and all tokens obtained from the OAuth 2.0 server using the client associated with this service account are also deleted.

To archive a service account, use:

DELETE {crowd_url}/rest/service-accounts/latest/service-accounts/{id}


Last modified on Oct 2, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.