> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rootprint.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Service accounts

> Create non-human accounts and API keys for integrations that need read-only access to Rootprint logs.

Use a service account when a shared integration needs to query Rootprint without borrowing a human user's credential. Common examples include dashboards, scheduled queries, AI agents, and incident automation.

Service account keys are read-only query API keys. They use the `rpk_` prefix, grant `logs: read`, and work on the same query endpoints as personal API keys. They do not ingest logs. Use an ingest API key from **Settings → API keys** for `POST /api/ingest/ndjson` and `POST /v1/logs`.

<Note>
  Rootprint creates service accounts as regular non-admin users. They can query indexes with
  **Public** visibility. They cannot query **Admins** or **Hidden** indexes.
</Note>

## Pick the right credential

| Need                                       | Use                                                      |
| ------------------------------------------ | -------------------------------------------------------- |
| A log shipper writes NDJSON or OTLP logs   | Ingest API key from **Settings → API keys**              |
| A script or AI agent acts as you           | Personal API key from **Settings → Profile**             |
| A shared integration owns its own identity | Service account key from **Settings → Service accounts** |

## Create a service account

1. Sign in as an admin.
2. Open **Settings → Service accounts**.
3. Click **Create service account**.
4. Enter a display name such as `grafana-prod`.
5. Click **Create**.

## Create a key

1. In **Settings → Service accounts**, find **Service account keys**.
2. Click **Create key**.
3. Choose the service account.
4. Enter a key name such as `grafana-integration`.
5. Click **Create key**.
6. Copy the key value before closing the dialog.

Rootprint shows the full key only once. The key list keeps a short starting fragment and the last-used timestamp so you can identify active clients later.

## Use the key

Send the key in the `Authorization` header.

```bash theme={"theme":"github-light"}
curl 'https://your-rootprint-host/api/indexes' \
  -H 'Authorization: Bearer rpk_abcdef0123456789...'
```

Search an index with the same header.

```bash theme={"theme":"github-light"}
curl 'https://your-rootprint-host/api/indexes/otel-logs-v0_9/logs?q=severity_text:ERROR&limit=50' \
  -H 'Authorization: Bearer rpk_abcdef0123456789...'
```

## Revoke access

Revoke one key when a client no longer needs access. Delete the service account when you want to revoke every key owned by that account. Clients using a revoked key receive `401` responses.

## Related

* [Query logs with API keys](/api/query-logs)
* [API reference](/api/overview)
* [Manage indexes](/configuration/manage-indexes)
