Service Accounts

Limit credential scope by database and roles

When you create an account on, your personal account credentials grant you full read/write/administration access over all of the databases you own. You may, however, want to limit the scope of credentials you grant to software and services you're developing instead of using your unrestricted personal credentials. Service accounts enable you to restrict the access scope of a connection credential to a specific subset of your personal account's roles and databases.

You can create these service accounts and generate Postgres credentials/API keys in a few clicks. Once you create a service account, you can generate as many tokens and connection credentials for it as you need. You can revoke access keys or fully delete service accounts in just a couple of clicks. Each token is individually revokable if necessary and revocation will not affect other tokens or service accounts.

Single-database service accounts on the Connect tab

On your database page, you can create service accounts by going to the "Connect" tab found on the right side of the database page. The connect tab is where to go to get all the connection information you need to connect to via a database tool, an API, or other integration.

In the left pane, you can select which service account to use. Note that all service accounts that have access to this database will be shown. Your personal account credentials are also shown here, but we do not recommend using them to connect.


You can create new service accounts on the connect page by clicking "+ Create New". Any service account you create here will be limited in scope to this database only. That means credentials will only work on the current database you're viewing.


Note that, once a service account has been created, its scope cannot be expanded to additional databases. If you need to create a service account that has access to multiple databases, see the next section.

Multi-database service accounts

To create a service account that can access multiple databases, navigate to your user menu -> "Service Accounts"



In the service accounts page, you can see all service accounts you've created (including single db accounts), along with your personal account. On this page you can:

  1. create a service account
  2. delete a service account (that revokes all keys)
  3. revoke a single key
  4. revoke all keys for a service account (or your personal account)
  5. generate new keys for yourself or a service account

These generated keys can be used for database passwords or as API keys, just like those on the "Connect" tab.



Service Accounts can be created or deleted but not edited

Service accounts can never be edited—they can only be created and destroyed, just like tokens.

You can create a service account by clicking "+ Create New". A service account is composed of a name, a role, and the set of databases. A single service account cannot have multiple roles or different roles per database. Instead, create multiple service accounts if you need that.


Note that the service account may never have a higher permission level than the least permission you have on the selected databases. For example, if you want to create a service account for jmo/cooldatabase on which you're a reader, and jmo/privatedatabase on which you're a writer, the service account will be limited to reader. If you need a writer service account, remove jmo/cooldatabase.


Use APIs and SDKs for programmatic service account access

In larger deployments and at larger organizations, it's often best to automate the creation and revocation of database credentials and service accounts. You can use's API to do so. Visit to see how.

Deleting Service Accounts and Revoking Credentials

Service accounts can be deleted from the service accounts page: select the service account you'd like to delete, and then click "Delete Service Account" from the right pane. Deleting a service account will also revoke all keys associated with that service account.

To revoke all of the existing keys associated with a service account, or with your personal account, select the service/personal account with credentials you'd like to delete and then click "Revoke (N) Active Keys" (for service accounts) or "Revoke All Keys" (for a personal account).

To revoke specific keys, click "Revoke Single API Key" from the top of the service accounts page. You will then be prompted to enter the API key you'd like to revoke. Once you enter the key and click "Revoke Key," connections using that key will stop working within five minutes.