sdk.serviceAccounts.* and sdk.oidcTrusts.*. See Node SDK.
Service accounts
List service accounts
org:service-accounts scope (token: platform:orgs:service-accounts:read).
Create service account
| Parameter | Type | Required | Description |
|---|---|---|---|
| name | body | Yes | Display name for the service account |
| role_id | body | Yes | Role granting the account its scopes |
org:service-accounts scope (token: platform:orgs:service-accounts:write).
Update service account
| Parameter | Type | Description |
|---|---|---|
| name | body | New display name |
| role_id | body | New role |
org:service-accounts scope.
Delete service account
org:service-accounts scope.
OIDC trusts
A trust binds an (issuer, subject) pair to a service account. When a request presents an OIDC token whose issuer and subject match, the platform mints a Synthetiq token for that service account.
List OIDC trusts
org:trusts scope (token: platform:orgs:trusts:read).
Create OIDC trust
| Parameter | Type | Required | Description |
|---|---|---|---|
| user_id | body | Yes | Service account the trust authenticates as |
| issuer_url | body | Yes | OIDC issuer (e.g. https://token.actions.githubusercontent.com) |
| subject | body | Yes | Exact subject claim to match (e.g. repo:org/repo:ref:refs/heads/main) |
| description | body | No | Human-readable label |
| jwks | body | No | Static JWKS, for issuers without a discovery endpoint |
subject is the security boundary — keep it exact (a specific repo and ref), never a wildcard.
Authentication: Organization member + org:trusts scope (token: platform:orgs:trusts:write).
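The exact (issuer, subject) matching described above, as an added example that is not Synthetiq's own code: a pre-flight lint for a create-trust body and an exact matcher run over constructed claims. The function names, the sample service-account id and the https-only issuer rule are assumptions of this example.

```javascript
// Added example, not platform code. All function names are hypothetical.
const WILDCARD = /[*?]/;

// Lint a create-trust request body before sending it; returns a list of problems.
function lintTrust(body) {
  const problems = [];
  for (const field of ["user_id", "issuer_url", "subject"]) {
    if (typeof body[field] !== "string" || body[field] === "") {
      problems.push(`${field} is required`);
    }
  }
  if (typeof body.issuer_url === "string" && body.issuer_url !== "") {
    let url = null;
    try { url = new URL(body.issuer_url); } catch { /* not a URL */ }
    // Assumption: issuers are https, as OIDC requires of issuer identifiers.
    if (!url || url.protocol !== "https:") problems.push("issuer_url must be an https URL");
  }
  if (typeof body.subject === "string" && WILDCARD.test(body.subject)) {
    problems.push("subject contains a wildcard");
  }
  return problems;
}

// Exact match on both claims: no prefix, glob or case-insensitive comparison.
// The claims are assumed to come from a token whose signature was already verified.
function trustMatches(trust, claims) {
  return claims.iss === trust.issuer_url && claims.sub === trust.subject;
}

// Returns the service account (user_id) a token's claims map to, or null.
function resolveServiceAccount(trusts, claims) {
  const hit = trusts.find((t) => trustMatches(t, claims));
  return hit ? hit.user_id : null;
}

// Constructed sample data: one trust pinned to a single repo and ref.
const ISSUER = "https://token.actions.githubusercontent.com";
const SAMPLE_TRUSTS = [
  { user_id: "sa-example-id", issuer_url: ISSUER, subject: "repo:org/repo:ref:refs/heads/main" },
];

console.log(lintTrust({ user_id: "sa-example-id", issuer_url: ISSUER, subject: "repo:org/*" }));
console.log(resolveServiceAccount(SAMPLE_TRUSTS, { iss: ISSUER, sub: "repo:org/repo:ref:refs/heads/main" }));
console.log(resolveServiceAccount(SAMPLE_TRUSTS, { iss: ISSUER, sub: "repo:org/repo:ref:refs/heads/feature-x" }));
```

With the trust pinned to refs/heads/main, a token issued for any other ref of the same repo resolves to no service account.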
Update OIDC trust
issuer_url, subject, user_id, and/or description.
Authentication: Organization member + org:trusts scope.
Delete OIDC trust
org:trusts scope.
See also
- CLI equivalents: synthetiq service-account and synthetiq trust
- BYOI Service Account setup

