Service accounts allow you to support integrations that require the Client Credentials grant flow as defined in the IETF OAuth 2.0 Framework Specification. In this scenario, applications need a way to retrieve an OAuth 2.0 access token outside the context of any specific Procore user. OAuth 2.0 provides the Client Credentials grant type for this purpose. A unique client_id and client_secret is generated when a new service account is created. For information on implementing the Client Credentials grant flow in an application, see OAuth 2.0 Using Client Credentials on our Developer Portal.
Service accounts do not act on behalf of an existing Procore user, but rather they utilise a Directory contact that is generated automatically upon creation of the service account. Service account permissions and access are controlled by the permissions settings for the Directory contact. By default, upon initial creation a service account will have no permissions ('None') to view any data within the company it is created in. Procore administrators must manually specify elevated permissions to the service account in order for it to have access to more data. See Configure Service Account Permissions for additional information.
Things to Consider
- A service account has an auto-generated @procore.com email address which is inaccessible and cannot be used to set a password or log in to the Procore web/mobile applications.
- The Directory contact associated with a service account must not be added to any other company directory aside from the one it was originally created in. Doing so will render the service account non-functional.
- After a service account is created, the associated default email address must not be changed. Doing so will render the service account non-functional.
- Resetting the client secret will reset all permissions and project memberships for the selected service account.