Service Access Tokens Beta

Generate and manage organization and workspace-level service access tokens in RudderStack.
Available Plans
  • starter
  • growth
  • enterprise

A Service Access Token (SAT) enables applications access to RudderStack APIs, providing a flexible, secure, and centralized way for you to programmatically interact with resources and services in the platform.

info
Contact the RudderStack team to get access to this feature.

Overview

Unlike Personal Access Tokens which are tied to individual users, SATs provide centralized access to resources within an Organization or Workspace, ensuring continuity and reducing the risk of disruptions when members are removed or their roles change.

Operations performed with SATs are logged and audited against the SAT, ensuring that activities are traceable to the token rather than an individual user.

Personal Access Tokens vs. Service Access Tokens

Personal Access Tokens (PAT)Service Access Tokens (SAT)
Tied to a specific user within a workspace.Not tied to an individual user.
Used for individual tasks and testing.Used for centralized, shared access and production use cases.
Any processes dependent on the tokens will break if the user is removed from the organization or a breaking change is made to their permissions.Exist at the Organization or Workspace level, ensuring the essential workflows and pipelines using the token remain functional.
info

RudderStack recommends using:

  • SATs for your production use cases that require shared access to the services and resources across the organization or workspace.
  • PATs for testing a service/feature or personal use cases.

Service Access Token types

Organization-level SATs

Organization-level SATs are associated with the entire organization. You can use them for authenticating your SSO SCIM and the Audit Log API.

Organization-level SATs have the Org Admin permissions by default.

Workspace-level SATs

As workspace-level SATs are linked to a specific workspace, their usage is restricted to workspace-level resources (Sources, Destinations, Transformations, Tracking Plans, etc.) and APIs. This ensures they cannot interact with organization-level functionalities like audit logs or SCIM provisioning.

Generate Service Access Token

info

Note that:

  1. Go to Settings > Organization > Service Access Tokens tab.
Service Access Tokens tab in RudderStack dashboard
  1. Click the Organization or Workspace tab depending on whether you want to generate an organization-level SAT or workspace-level SAT.
  2. Click Generate new token.

You will see the below settings depending on the tab chosen in Step 2:

Assign resource permissions to SATs

info
This feature is available only in RudderStack’s Enterprise plan. See the Permissions Management guide for more information.

You can leverage RudderStack’s advanced permissions settings to set granular access controls that determine which SATs can modify (edit or delete) specific resources.

  1. Go to the resource and click the Permissions tab:
Permissions tab within a resource
  1. You will see the following options under the Who can make changes? section:

    • Members and tokens with Editor permissions: All the members and service access tokens with the Editor permissions can make changes to the resource.
    • Only people and Service Access Tokens you select: Only the specified members and access tokens can make changes to the resource.
  2. To allow edit access to specific SATs within your workspace, click Only people and Service Access Tokens you select and click the Service Access Tokens tab. Then, click Add tokens.

Add tokens option
  1. In the right sidebar, select the tokens from the dropdown and click Add tokens:
Add tokens option
info

Note that:



Questions? Contact us by email or on Slack