Create a Service Account
Sunset of Traditional Service Accounts
All Traditional Service Accounts will sunset on March 24, 2025.
Traditional Service Accounts were deprecated on December 9, 2021. Beginning January 21, 2025, we will no longer allow the creation of new Traditional Service Accounts. Existing Traditional Service Accounts will continue to function until March 24, 2025.
In accordance with this timeline, developers of data connection applications that currently use Traditional Service Accounts are required to update their applications to use Developer Managed Service Accounts, and customers will be required to install these updated applications before the sunset date. All data connection applications not migrated by the sunset date will cease to function. Any application listed on the Procore App Marketplace that is not using a supported method for accessing the Procore API will be removed by the sunset date. See Migrating Data Connection Applications to Use DMSAs for additional information.
Objective
To create a service account using the Company Admin tool.
Background
Service accounts allow you to support integrations that require the Client Credentials grant flow as defined in the IETF OAuth 2.0 Framework Specification. In this scenario, applications need a way to retrieve an OAuth 2.0 access token outside the context of any specific Procore user. OAuth 2.0 provides the Client Credentials grant type for this purpose. A unique client_id and client_secret are generated when a new service account is created. For information on implementing the Client Credentials grant flow in an application, see OAuth 2.0 Using Client Credentials on our Developer Portal.
Things to Consider
- Required User Permission:
  - 'Admin' level permissions on the company's Admin tool.
- Access Considerations:
  - A new service account consists of:
    - client_id. The identifier for the service account.
    - client_secret. The secret is a randomly generated code that will be used by the service account. It is only visible to you at the time the account is created. You may want to note the client_secret and then save it to a secure location should you require it in the future for reference.
      Important! If for any reason you lose the client_secret, Procore recommends using the steps below to create a new service account.
  - New service accounts are created without permissions ('None') by default. To change these permissions, see Configure Service Account Permissions.
- Important Company Directory Considerations:
  - Once you create a service account, the associated email address must not be changed in the company directory. If you modify the service account email address, the service account will no longer be functional.
  - The service account contact cannot be added to more than one company directory (just the one it was created in), or else it will stop working.
Steps
- Navigate to the Company level Admin tool.
- Under 'Company Settings', click Service Accounts.
- On the Service Accounts page, click +New.
- Specify an 'App Type'. If you will be using this service account with a specific Marketplace App, select the Marketplace option and choose the appropriate App from the dropdown list. Otherwise, select Custom.
- Enter a Name for your new service account and click Create. The client_id and client_secret for the service account are generated and are available for use in making calls to the Procore API /oauth/token endpoint.
- Configure Service Account permissions. Because the service account has no permissions at the company level when it is first created, you must set proper permissions for the service account prior to using it to access the Procore API.
Important
Bear in mind that although you may be able to generate an OAuth 2.0 access token using a service account without permissions ('None'), this token will not work for making successful calls to the Procore API. Therefore, you must set proper permissions for the service account prior to using it to access the Procore API.
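
The following is an added example, not code from Procore or its Developer Portal, of handling the client_id and client_secret after the account is created: it loads them from an owner-only file, builds the RFC 6749 Client Credentials request for the /oauth/token endpoint without sending it, and validates the token response. The host in TOKEN_URL, the JSON credentials file layout, the form-encoded parameter placement, and all function names are assumptions made for illustration.

```python
import json
import os
import stat
import urllib.parse
import urllib.request

# Assumption: placeholder host; the page names only the /oauth/token path.
TOKEN_URL = "https://login.example.invalid/oauth/token"


def load_credentials(path):
    """Read client_id/client_secret from a JSON file only the owner can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is open to group/others (mode {mode:o}); use 0600")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    missing = {"client_id", "client_secret"} - creds.keys()
    if missing:
        raise KeyError(f"missing fields: {sorted(missing)}")
    return creds["client_id"], creds["client_secret"]


def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Build (but do not send) a Client Credentials token request."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must use https")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return the access token from a JSON token response, or raise on an error body."""
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"token request rejected: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response carries no bearer access token")
    return doc["access_token"]


def redact(secret):
    """Form that is safe for logs: the length only, never the value."""
    return f"<redacted:{len(secret)} chars>"
```

To send the request, pass the returned object to `urllib.request.urlopen` and feed the response body to `parse_token_response`; log only `redact(client_secret)`, never the secret itself.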