Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use the following steps to create a service account for an application that will connect to Flexera One’s APIs. Service accounts are complimentary to refresh tokens. They can be given lesser privileges and can be decoupled from any specific user. Create a distinct service account for each application you wish to connect to Flexera One.

NOTE: The domain for any endpoints used must match the region where your org is hosted. For North America (NAM), use .com; for Europe, the Middle East, and Africa (EMEA), use .eu; for Asia Pacific (APAC), use .au.

NOTE: The ITAM Data API does not support the use of service accounts at this time.


  1. Get a refresh token from the Flexera One UI.
  2. Use the refresh token to get an access tokenStore this token in the USER_TOKEN variable .
  3. Identify the organization that the service account will exist in and save this number in the ORG_ID variable .
  4. Create a service accountUse a name appropriate for the application that will use it. You can also provide a description of how the service account will be used. Notice that the service account’s ID is returned (2263). Keep this ID at hand.
    curl -s$ORG_ID/service-accounts \     
     -H "Authorization: Bearer $USER_TOKEN" \   
    -d '{"name": "my application", "description": "Reads data from Flexera One APIs"}' -i
    HTTP/2 201 
    location: /iam/v1/orgs/1105/service-accounts/2263
  5. Show the service account.
    curl -s$ORG_ID/service-accounts/2263 \
     -H "Authorization: Bearer $USER_TOKEN" | jq
      "id": 2263,
      "name": "my application",
      "description": "Reads data from Flexera One APIs",
      "createdBy": 121456,
      "createdAt": "2023-07-10T20:28:48.531479Z",
      "updatedAt": "2023-07-10T20:28:48.531479Z",
      "kind": "iam#service-account",
      "ref": "iam#service-account:2263"
  6. Assign role(s) to the service account. The service account should be given the least permission possible to accomplish its tasks.
  7. Review the roles in the organization.
    curl -s$ORG_ID/roles \                
     -H "Authorization: Bearer $USER_TOKEN" | jq
        "id": 678907,
        "createdAt": "2020-03-20T16:18:56.542732Z",
        "name": "iam_admin",
        "capability": "iam",
        "privileges": [
        "kind": "iam#role"
  8. Identify the name of the role that should be granted (iam_admin will be used for this demonstration). See Flexera One Roles for more details on roles.
  9. Grant the role(s) to the service account. Notice the service account API returned an older ref format (iam#service-account:2263), but we use the newer ref format (ref::::iam:service-account:2263) in this API call. See resource references for more detail.
    curl -s$ORG_ID/access-rules/grant -X PUT -i \
     -H "Authorization: Bearer $USER_TOKEN" -d '{
      "role": {
        "name": "iam_admin"
      "subject": {
        "ref": "ref::::iam:service-account:2263"  
    HTTP/2 204 
  10.  Repeat this step for any number of roles which must be granted to the service account.
  11. Create a client for the service account. The client contains the service account's credentials.
    curl -s$ORG_ID/service-accounts/2263/clients \
     -H "Authorization: Bearer $USER_TOKEN" -X POST
  12. The clientId and clientSecret must be stored securely, as they are sensitive. Anyone with access to these credentials will have access to your organization. The application will need to use these in the next step. Securely load them into the application or store them in a place where the application can securely access them.
  13. Run the application. The remaining API calls are performed by the application, not the user setting up the service account. However, for this demonstration, we will perform them with curl.
  14. Get an access token. The access token is a temporary credential (see from the response that the access token expires in 3600 seconds or 1 hour). See Flexera One API Authentication for details.
    curl -X POST -d \
    "client_id=<clientId>&client_secret=<clientSecret>&grant_type=client_credentials" | jq
      "access_token": "<accessToken>",
      "expires_in": 3600,
      "token_type": "Bearer"
  15. Use the access token to call Flexera One APIs. In this example, we list the users in the org, which is permitted for the role we granted our service account (iam_admin).
    curl -s$ORG_ID/users \
     -H "Authorization: Bearer $ACCESS_TOKEN" | jq .
      "values": [
          "kind": "iam#user",
          "ref": "iam#user:111222333",
          "id": 111222333,
          "email": "",
          "firstName": "Jane",
          "lastName": "Doe",
          "createdAt": "2022-11-14T15:29:45.191995Z",
          "updatedAt": "2023-06-28T20:40:14.999786Z",
          "lastUILogin": "2023-06-28T20:40:15.705245Z",
          "lastAPILogin": "2023-01-23T19:51:56.346877Z"
  16. After the access token has expired (or is nearing expiry), repeat the previous /oidc/token API call (step 14) to get a new access token. The access token is a sensitive credential, so the application should not expose the value to be read by any user.

The application can continue using the access token to accomplish its tasks, replacing its token whenever necessary.

Was this article helpful? Yes No
100% helpful (2/2)
Level 3

Remember to edit the uri to whatever geographic instance you're using e.g.

Otherwise you'll get an 401 unauthorized error.


Version history
Last update:
‎May 03, 2024 09:50 AM
Updated by: