Group service accounts API

  • Tier: Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Use this API to interact with service accounts for your groups. For more information, see Service accounts.

Prerequisites:

  • You must have administrator access to the instance, or have the Owner role for the GitLab.com group.

List all service account users

History

Lists all service account users in a specified top-level group.

Use the page and per_page pagination parameters to filter the results.

Copy to clipboard 
GET /groups/:id/service_accounts

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesThe ID or URL-encoded path of the target group.
order_bystringnoOrders list of users by username or id. Default is id.
sortstringnoSpecifies sorting by asc or desc. Default is desc.

Example request:

Shell Copy to clipboard 
curl --request GET --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts"

Example response:

JSON Copy to clipboard 
[

  {
    "id": 57,
    "username": "service_account_group_345_<random_hash>",
    "name": "Service account user",
    "email": "service_account_group_345_<random_hash>@noreply.gitlab.example.com"
  },
  {
    "id": 58,
    "username": "service_account_group_346_<random_hash>",
    "name": "Service account user",
    "email": "service_account_group_346_<random_hash>@noreply.gitlab.example.com"
  }
]

Create a service account user

History

Creates a service account user in a given top-level group.

This endpoint only works on top-level groups.

Copy to clipboard 
POST /groups/:id/service_accounts

Supported attributes:

AttributeTypeRequiredDescription
idinteger/stringyesID or URL-encoded path of a top-level group.
namestringnoUser account name. If not specified, uses Service account user.
usernamestringnoUser account username. If not specified, generates a name prepended with service_account_group_.
emailstringnoUser account email. If not specified, generates an email prepended with service_account_group_. Custom email addresses require confirmation before the account is active, unless the group has a matching verified domain.

Example request:

Shell Copy to clipboard 
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts" --data "email=custom_email@example.com"

Example response:

JSON Copy to clipboard 
{
  "id": 57,
  "username": "service_account_group_345_6018816a18e515214e0c34c2b33523fc",
  "name": "Service account user",
  "email": "custom_email@example.com"
}

Update a service account user

History

Updates a service account user in a given top-level group.

This endpoint only works on top-level groups.

Copy to clipboard 
PATCH /groups/:id/service_accounts/:user_id

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesThe ID or URL-encoded path of the target group.
user_idintegeryesThe ID of the service account user.
namestringnoName of the user.
usernamestringnoUsername of the user.

Example request:

Shell Copy to clipboard 
curl --request PATCH --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts/57" --data "name=Updated Service Account"

Example response:

JSON Copy to clipboard 
{
  "id": 57,
  "username": "service_account_group_345_6018816a18e515214e0c34c2b33523fc",
  "name": "Updated Service Account",
  "email": "service_account_group_345_<random_hash>@noreply.gitlab.example.com"
}

Delete a service account user

History

Deletes a service account user from a given top-level group.

This endpoint only works on top-level groups.

Copy to clipboard 
DELETE /groups/:id/service_accounts/:user_id

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesThe ID or URL-encoded path of the target group.
user_idintegeryesThe ID of a service account user.
hard_deletebooleannoIf true, contributions that would usually be moved to a Ghost User are instead deleted, as well as groups owned solely by this service account user.

Example request:

Shell Copy to clipboard 
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/345/service_accounts/181"

List all personal access tokens for a service account user

History

Lists all personal access tokens for a service account user in a top-level group.

Copy to clipboard 
GET /groups/:id/service_accounts/:user_id/personal_access_tokens

Supported attributes:

AttributeTypeRequiredDescription
idinteger/stringyesID or URL-encoded path of a top-level group.
user_idintegeryesID of service account user.
created_afterdatetime (ISO 8601)NoIf defined, returns tokens created after the specified time.
created_beforedatetime (ISO 8601)NoIf defined, returns tokens created before the specified time.
expires_afterdate (ISO 8601)NoIf defined, returns tokens that expire after the specified time.
expires_beforedate (ISO 8601)NoIf defined, returns tokens that expire before the specified time.
last_used_afterdatetime (ISO 8601)NoIf defined, returns tokens last used after the specified time.
last_used_beforedatetime (ISO 8601)NoIf defined, returns tokens last used before the specified time.
revokedbooleanNoIf true, only returns revoked tokens.
searchstringNoIf defined, returns tokens that include the specified value in the name.
sortstringNoIf defined, sorts the results by the specified value. Possible values: created_asc, created_desc, expires_asc, expires_desc, last_used_asc, last_used_desc, name_asc, name_desc.
statestringNoIf defined, returns tokens with the specified state. Possible values: active and inactive.

Example request:

Shell Copy to clipboard 
curl --request GET \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/groups/187/service_accounts/195/personal_access_tokens?sort=id_desc&search=token2b&created_before=2025-03-27"

Example response:

JSON Copy to clipboard 
[
    {
        "id": 187,
        "name": "service_accounts_token2b",
        "revoked": false,
        "created_at": "2025-03-26T14:42:51.084Z",
        "description": null,
        "scopes": [
            "api"
        ],
        "user_id": 195,
        "last_used_at": null,
        "active": true,
        "expires_at": null
    }
]

Example of unsuccessful responses:

  • 401: Unauthorized
  • 404 Group Not Found

Create a personal access token for a service account user

History

Creates a personal access token for an existing service account user in a given top-level group.

Copy to clipboard 
POST /groups/:id/service_accounts/:user_id/personal_access_tokens

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesID or URL-encoded path of a top-level group.
user_idintegeryesID of service account user.
namestringyesName of personal access token.
descriptionstringnoDescription of personal access token.
scopesarrayyesArray of approved scopes. For a list of possible values, see Personal access token scopes.
expires_atdatenoExpiration date of the access token in ISO format (YYYY-MM-DD). If not specified, the date is set to the maximum allowable lifetime limit.

Example request:

Shell Copy to clipboard 
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/35/service_accounts/71/personal_access_tokens" --data "scopes[]=api,read_user,read_repository" --data "name=service_accounts_token"

Example response:

JSON Copy to clipboard 
{
  "id":6,
  "name":"service_accounts_token",
  "revoked":false,
  "created_at":"2023-06-13T07:47:13.900Z",
  "scopes":["api"],
  "user_id":71,
  "last_used_at":null,
  "active":true,
  "expires_at":"2024-06-12",
  "token":"<token_value>"
}

Revoke a personal access token for a service account user

History

Revokes a personal access token for an existing service account user in a given top-level group.

This endpoint only works on top-level groups.

Copy to clipboard 
DELETE /groups/:id/service_accounts/:user_id/personal_access_tokens/:token_id

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesThe ID or URL-encoded path of the target group.
user_idintegeryesThe ID of the service account user.
token_idintegeryesThe ID of the token.

Example request:

Shell Copy to clipboard 
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/35/service_accounts/71/personal_access_tokens/6"

If successful, returns 204: No Content.

Other possible responses:

  • 400: Bad Request if not revoked successfully.
  • 401: Unauthorized if the request is not authorized.
  • 403: Forbidden if the request is not allowed.
  • 404: Not Found if the access token does not exist.

Rotate a personal access token for a service account user

History

Rotates a personal access token for an existing service account user in a given top-level group. This creates a new token valid for one week and revokes any existing tokens.

This endpoint only works on top-level groups.

Copy to clipboard 
POST /groups/:id/service_accounts/:user_id/personal_access_tokens/:token_id/rotate

Parameters:

AttributeTypeRequiredDescription
idinteger/stringyesThe ID or URL-encoded path of the target group.
user_idintegeryesThe ID of the service account user.
token_idintegeryesThe ID of the token.
expires_atdatenoExpiration date of the access token in ISO format (YYYY-MM-DD). Introduced in GitLab 17.9. If undefined, the token expires after one week.

Example request:

Shell Copy to clipboard 
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/35/service_accounts/71/personal_access_tokens/6/rotate"

Example response:

JSON Copy to clipboard 
{
  "id":7,
  "name":"service_accounts_token",
  "revoked":false,
  "created_at":"2023-06-13T07:54:49.962Z",
  "scopes":["api"],
  "user_id":71,
  "last_used_at":null,
  "active":true,
  "expires_at":"2023-06-20",
  "token":"<token_value>"
}