Skip to main content
Use a service account when a shared integration needs to query Rootprint without borrowing a human user’s credential. Common examples include dashboards, scheduled queries, AI agents, and incident automation. Service account keys are read-only query API keys. They use the rpk_ prefix, grant logs: read, and work on the same query endpoints as personal API keys. They do not ingest logs. Use an ingest API key from Settings → API keys for POST /api/ingest/ndjson and POST /v1/logs.
Rootprint creates service accounts as regular non-admin users. They can query indexes with Public visibility. They cannot query Admins or Hidden indexes.

Pick the right credential

NeedUse
A log shipper writes NDJSON or OTLP logsIngest API key from Settings → API keys
A script or AI agent acts as youPersonal API key from Settings → Profile
A shared integration owns its own identityService account key from Settings → Service accounts

Create a service account

  1. Sign in as an admin.
  2. Open Settings → Service accounts.
  3. Click Create service account.
  4. Enter a display name such as grafana-prod.
  5. Click Create.

Create a key

  1. In Settings → Service accounts, find Service account keys.
  2. Click Create key.
  3. Choose the service account.
  4. Enter a key name such as grafana-integration.
  5. Click Create key.
  6. Copy the key value before closing the dialog.
Rootprint shows the full key only once. The key list keeps a short starting fragment and the last-used timestamp so you can identify active clients later.

Use the key

Send the key in the Authorization header.
Search an index with the same header.

Revoke access

Revoke one key when a client no longer needs access. Delete the service account when you want to revoke every key owned by that account. Clients using a revoked key receive 401 responses.