Service Accounts for Programmatic Access
A service account is a special type of non-human client that is granted limited access to your organization's resources. VGS uses scoped service accounts to authenticate to services via OAuth 2.0.
VGS service accounts can also be used to manage automated workflows, such as creating a Git-driven change management flow.
Available Scopes
Permissions to your organization's resources are controlled by assigning scopes to the service account.
The following scopes can currently be assigned to a service account:
aliases:delete
Allow the client to remove VGS aliases from a vault
aliases:read
Allow the client to read the entire vault data object using a VGS alias
aliases:write
Allow the client to create new aliases in a vault
access-logs:read
Allows the client to read tenant access logs
cards:read
Allow the client to read card data. A service account with only this permission will not have access to the PAN and CVC fields
cards:read-pci
Allow the client to read the PCI-sensitive PAN and CVC fields when fetching card details
cards:write
Allow the client to create and update card objects
credentials:write
Allows full management of vault credentials
network-tokens:read
Ability to get network token status of an enrolled card
network-tokens:write
Ability to enroll cards into network tokens and perform lifecycle actions
organizations:read
Allows reading basic organization details such as activation, status, name and user permissions list
organization-users:read
Allows client to read the list of organization users and their assigned roles
routes:read
Allows read access to all routes
routes:write
Allows access to all routes operations
vaults:read
Allows reading vault details such as name and identifier
vaults:write
Allows the client to create and update vaults
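
The scope assignment described above can be reviewed automatically for least privilege, for example as a check in a Git-driven change flow. The following is an added example, not VGS code: the `NEEDS_SIGNOFF` set, the function names and the sample scope strings are assumptions, and scope strings are assumed to be space-delimited as in OAuth 2.0 (RFC 6749, section 3.3).

```python
# Added example: least-privilege review of a service account's scopes.
# Scope names come from the list above; the sign-off set and the sample
# inputs are constructed for illustration.

KNOWN_SCOPES = {
    "aliases:delete", "aliases:read", "aliases:write", "access-logs:read",
    "cards:read", "cards:read-pci", "cards:write", "credentials:write",
    "network-tokens:read", "network-tokens:write", "organizations:read",
    "organization-users:read", "routes:read", "routes:write",
    "vaults:read", "vaults:write",
}

# Assumption: scopes this review wants explicitly justified, chosen because
# their descriptions grant raw vault data, PAN/CVC, or credential management.
NEEDS_SIGNOFF = {"aliases:read", "cards:read-pci", "credentials:write"}


def parse_scopes(scope_string):
    """Split a space-delimited OAuth 2.0 scope string into a set."""
    return set(scope_string.split())


def review(granted, required):
    """Compare the scopes granted to an account with what its workflow needs."""
    granted_set = parse_scopes(granted)
    required_set = parse_scopes(required)
    findings = {
        # Misspelled or nonexistent scope names on either side.
        "unknown": sorted((granted_set | required_set) - KNOWN_SCOPES),
        # Granted but not needed: candidates for removal.
        "excess": sorted(granted_set - required_set),
        # Needed but not granted: the workflow would fail.
        "missing": sorted(required_set - granted_set),
        # Granted scopes that should carry a written justification.
        "needs_signoff": sorted(granted_set & NEEDS_SIGNOFF),
    }
    findings["ok"] = not (
        findings["unknown"] or findings["excess"] or findings["missing"]
    )
    return findings


if __name__ == "__main__":
    # Constructed case: a route-management account that also holds PCI read.
    print(review("routes:read routes:write vaults:read cards:read-pci",
                 "routes:read routes:write vaults:read"))
```

A result with `ok` set to true can still list entries under `needs_signoff`; those are required scopes that the reviewer should confirm rather than remove.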