List service accounts (integration + API-key) in the organization.

GET

/v1/service-accounts

• Production
• Staging
• Local

Parameters

Query Parameters

page_size

integer | null format: int64

page

integer | null format: int64

query

string | null

Freetext ILIKE across first_name, last_name, and email.

kind

array | null

Restrict to integration SAs, credential SAs, or both (default).

roles

array | null

Role UUIDs — matches SAs holding any of the listed roles.

created_after

string | null format: date-time

Inclusive lower bound on users.created_date.

created_before

string | null format: date-time

Inclusive upper bound on users.created_date.

Responses

200

List service accounts in the organization

object

service_accounts

required

Array

A service account belonging to the organization. Covers both integration service accounts (jira / wiz / etc. — created automatically when an integration is configured) and credential service accounts (created through POST /v1/oauth/clients). Unlike [OrganizationMember], service accounts have no last_login.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

allowed_ips

IP allowlist enforced on token exchange. Populated only for credential SAs.

array | null

client_id

Public OAuth client ID (arm_sa_…). Populated only for credential SAs.

string | null

created_by_user

One of:

null

null

object

The admin user who provisioned this credential SA, resolved from oauth_client.created_by and batch-loaded so the table can render a chip without an extra round-trip per row. Populated only for credential SAs whose creator still exists in the org.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

created_date

required

string format: date-time

deactivated_date

Soft-deactivation timestamp from organization_user.deactivated_date. None means the SA is currently active. The unified Service Accounts page uses this to render disabled rows alongside active ones.

string | null format: date-time

expires_at

Hard expiry on the credential. Populated only for credential SAs.

string | null format: date-time

kind

required

Primary discriminator on a service account.

Wire format is SCREAMING_SNAKE_CASE (INTEGRATION, CREDENTIAL) so the values read as constants. The DB enum (organization_user_kind) is snake_case and is translated via the From impl in organization.rs.

string

Allowed values: INTEGRATION CREDENTIAL

last_used

Most-recent successful token exchange. Populated only for credential SAs.

string | null format: date-time

oauth_client_id

Internal oauth_client.id. Populated only for credential SAs. The UI uses this to address PATCH/DELETE /v1/oauth/clients/{id}. Distinct from client_id (the public arm_sa_… string used at token-exchange time).

string | null format: uuid

revoked_at

When the credential was administratively revoked. Populated only for credential SAs; mirrors deactivated_date once revoked.

string | null format: date-time

roles

required

Roles held by this SA. Empty for integration SAs; populated from role_user_org for credential SAs.

Array<string>

total

required

integer

401

Unauthorized

500

Internal server error