# Service Accounts for Programmatic Access

A service account is a special type of non-human client that is granted limited access to your organization's resources. VGS uses scoped service accounts to authenticate to services via OAuth 2.0.

VGS service accounts can also be used to manage automated workflows, such as creating a Git-driven [change management flow](/vault/developer-tools/vgs-git-flow.md).

## Available Scopes

Access to your organization's resources is controlled by assigning **scopes** to the service account.

You can currently assign the following scopes to a service account:

| Scope                     | Description                                                                                                                    |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `aliases:delete`          | Allow the client to remove VGS aliases from a vault                                                                            |
| `aliases:read`            | Allow the client to read the entire vault data object using a VGS alias                                                        |
| `aliases:write`           | Allow the client to create new aliases in a vault                                                                              |
| `access-logs:read`        | Allows reading tenant access logs                                                                                              |
| `cards:read`              | Allow the client to read card data. A service account with only this permission will not have access to the PAN and CVC fields |
| `cards:read-pci`          | Allow the client to read the PCI-sensitive PAN and CVC fields when fetching card details                                       |
| `cards:write`             | Allow the client to create and update card objects                                                                             |
| `credentials:write`       | Allows full management of vault credentials                                                                                    |
| `network-tokens:read`     | Ability to get network token status of an enrolled card                                                                        |
| `network-tokens:write`    | Ability to enroll cards into network tokens and perform lifecycle actions                                                      |
| `organizations:read`      | Allows reading basic organization details such as activation, status, name and user permissions list                           |
| `organization-users:read` | Allows client to read the list of organization users and their assigned roles                                                  |
| `routes:read`             | Allows read access to all routes                                                                                               |
| `routes:write`            | Allows access to all routes operations                                                                                         |
| `vaults:read`             | Allows reading vault details such as name and identifier                                                                       |
| `vaults:write`            | Allows creating and updating vaults                                                                                            |


