From 54188b2c8a2898a9032e8f5d4df42783900a48d3 Mon Sep 17 00:00:00 2001
From: Philip Miglinci <pmig@glasskube.com>
Date: Thu, 21 May 2026 16:12:21 +0200
Subject: [PATCH] feat: introduce non-personalized service accounts

Adds a ServiceAccount principal type that lives alongside UserAccount.
Service accounts are non-interactive identities admins create within a
vendor org (and optionally scoped to a customer org). Each can hold any
number of access tokens that authenticate against the existing
"AccessToken: distr-..." header path, so SDK and client code do not
change.

Backend
- New ServiceAccount and ServiceAccountAccessToken tables (migration
  100) with vendor/customer-org scoping.
- internal/types/service_account.go, internal/db/service_account*.go,
  internal/mapping/service_account.go, api/service_account.go.
- AuthInfo gains CurrentServiceAccountID. SimpleAuthInfo carries a
  serviceAccountID, DbAuthInfo a *ServiceAccount.
- FromServiceAccountAuthKey + UnifiedAuthKeyAuthenticator try user-PAT
  lookup first, fall back to SA-token lookup. Wired into both
  Authentication and ArtifactsAuthentication so OCI registry works.
- BlockServiceAccount middleware for routes that must reject SA tokens.
- /api/v1/service-accounts CRUD + per-SA /tokens, admin-only via
  RequireAdmin + BlockSuperAdmin + BlockServiceAccount. Customer-org
  scoping enforced in handlers and middleware.

Frontend
- SDK ServiceAccount types.
- ServiceAccountsService + ServiceAccountsComponent (table below users
  on both vendor and customer-users pages, admin-only).
- ServiceAccountDetailComponent at /users/service-accounts/:id for
  inline name/role edit and token management.
- Extracted AccessTokensTableComponent shared between the personal PAT
  page and the SA detail page (removes duplication).

Docs
- website/.../integrations/service-account.md describing creation,
  admin gating, customer scoping, and curl/OCI usage.
---
 api/service_account.go                        |  41 +++
 .../access-tokens-table.component.html        | 141 ++++++++++
 .../access-tokens-table.component.ts          | 107 ++++++++
 .../access-tokens/access-tokens.component.ts  | 107 +-------
 frontend/ui/src/app/app-logged-in.routes.ts   |   6 +
 .../customers/customer-users.component.html   |   3 +
 .../customers/customer-users.component.ts     |   5 +-
 .../users/vendors/vendor-users.component.ts   |  18 +-
 .../service-account-detail.component.html     |  80 ++++++
 .../service-account-detail.component.ts       |  91 +++++++
 .../service-accounts.component.html}          | 111 +++-----
 .../service-accounts.component.ts             | 109 ++++++++
 .../app/services/service-accounts.service.ts  |  49 ++++
 internal/auth/authentication.go               |  11 +-
 internal/authn/authinfo/authinfo.go           |   4 +
 internal/authn/authinfo/db.go                 |  37 ++-
 internal/authn/authinfo/service_account.go    |  53 ++++
 internal/authn/authinfo/simple.go             |   4 +
 internal/context/data.go                      |  11 +
 internal/context/main.go                      |   1 +
 internal/db/service_account.go                | 175 +++++++++++++
 internal/db/service_account_access_token.go   | 133 ++++++++++
 .../handlers/service_account_access_tokens.go | 113 +++++++++
 internal/handlers/service_accounts.go         | 240 ++++++++++++++++++
 internal/mapping/service_account.go           |  26 ++
 internal/middleware/middleware.go             |  12 +
 .../sql/100_service_accounts.down.sql         |   3 +
 .../sql/100_service_accounts.up.sql           |  25 ++
 internal/routing/routing.go                   |   1 +
 internal/types/service_account.go             |  32 +++
 sdk/js/docs/README.md                         |   3 +
 .../interfaces/CreateServiceAccountRequest.md |  25 ++
 .../interfaces/PatchServiceAccountRequest.md  |  19 ++
 sdk/js/docs/interfaces/ServiceAccount.md      |  37 +++
 sdk/js/src/types/index.ts                     |   1 +
 sdk/js/src/types/service-account.ts           |  20 ++
 .../docs/docs/integrations/service-account.md |  64 +++++
 37 files changed, 1739 insertions(+), 179 deletions(-)
 create mode 100644 api/service_account.go
 create mode 100644 frontend/ui/src/app/access-tokens/access-tokens-table.component.html
 create mode 100644 frontend/ui/src/app/access-tokens/access-tokens-table.component.ts
 create mode 100644 frontend/ui/src/app/service-accounts/service-account-detail.component.html
 create mode 100644 frontend/ui/src/app/service-accounts/service-account-detail.component.ts
 rename frontend/ui/src/app/{access-tokens/access-tokens.component.html => service-accounts/service-accounts.component.html} (60%)
 create mode 100644 frontend/ui/src/app/service-accounts/service-accounts.component.ts
 create mode 100644 frontend/ui/src/app/services/service-accounts.service.ts
 create mode 100644 internal/authn/authinfo/service_account.go
 create mode 100644 internal/db/service_account.go
 create mode 100644 internal/db/service_account_access_token.go
 create mode 100644 internal/handlers/service_account_access_tokens.go
 create mode 100644 internal/handlers/service_accounts.go
 create mode 100644 internal/mapping/service_account.go
 create mode 100644 internal/migrations/sql/100_service_accounts.down.sql
 create mode 100644 internal/migrations/sql/100_service_accounts.up.sql
 create mode 100644 internal/types/service_account.go
 create mode 100644 sdk/js/docs/interfaces/CreateServiceAccountRequest.md
 create mode 100644 sdk/js/docs/interfaces/PatchServiceAccountRequest.md
 create mode 100644 sdk/js/docs/interfaces/ServiceAccount.md
 create mode 100644 sdk/js/src/types/service-account.ts
 create mode 100644 website/src/content/docs/docs/integrations/service-account.md

diff --git a/api/service_account.go b/api/service_account.go
new file mode 100644
index 000000000..868f2af08
--- /dev/null
+++ b/api/service_account.go
@@ -0,0 +1,41 @@
+package api
+
+import (
+	"time"
+
+	"github.com/distr-sh/distr/internal/types"
+	"github.com/google/uuid"
+)
+
+type ServiceAccountResponse struct {
+	ID                     uuid.UUID         `json:"id"`
+	CreatedAt              time.Time         `json:"createdAt"`
+	Name                   string            `json:"name"`
+	AccountRole            types.AccountRole `json:"accountRole"`
+	CustomerOrganizationID *uuid.UUID        `json:"customerOrganizationId,omitempty"`
+}
+
+type CreateServiceAccountRequest struct {
+	Name                   string            `json:"name"`
+	AccountRole            types.AccountRole `json:"accountRole"`
+	CustomerOrganizationID *uuid.UUID        `json:"customerOrganizationId,omitempty"`
+}
+
+type PatchServiceAccountRequest struct {
+	Name        *string            `json:"name"`
+	AccountRole *types.AccountRole `json:"accountRole"`
+}
+
+type ServiceAccountIDRequest struct {
+	ServiceAccountID string `json:"-" path:"serviceAccountId"`
+}
+
+type ServiceAccountAccessTokenIDRequest struct {
+	ServiceAccountID string `json:"-" path:"serviceAccountId"`
+	TokenID          string `json:"-" path:"tokenId"`
+}
+
+type CreateServiceAccountAccessTokenRequest struct {
+	ExpiresAt *time.Time `json:"expiresAt"`
+	Label     *string    `json:"label"`
+}
diff --git a/frontend/ui/src/app/access-tokens/access-tokens-table.component.html b/frontend/ui/src/app/access-tokens/access-tokens-table.component.html
new file mode 100644
index 000000000..809579414
--- /dev/null
+++ b/frontend/ui/src/app/access-tokens/access-tokens-table.component.html
@@ -0,0 +1,141 @@
+<div class="bg-white dark:bg-gray-800 relative shadow-md sm:rounded-lg overflow-hidden">
+  <div
+    class="flex flex-col md:flex-row items-stretch md:items-center md:space-x-3 space-y-3 md:space-y-0 justify-between mx-4 py-4 dark:border-gray-700">
+    <div></div>
+    <div
+      class="w-full md:w-auto flex flex-col md:flex-row space-y-2 md:space-y-0 items-stretch md:items-center justify-end md:space-x-3 flex-shrink-0">
+      <button
+        (click)="openDrawer(createTokenDrawer)"
+        type="button"
+        class="w-full md:w-auto flex items-center justify-center py-2 px-4 text-sm font-medium text-gray-900 focus:outline-none bg-white rounded-lg border border-gray-200 hover:bg-gray-100 hover:text-primary-700 focus:z-10 focus:ring-4 focus:ring-gray-200 dark:focus:ring-gray-700 dark:bg-gray-800 dark:text-white dark:border-gray-600 dark:hover:text-white dark:hover:bg-gray-700">
+        <fa-icon [icon]="faPlus" class="text-gray-500 dark:text-gray-400 mr-2" />
+        Create token
+      </button>
+    </div>
+  </div>
+
+  @if (createdToken(); as t) {
+    <div
+      class="p-4 mx-4 mb-4 text-sm text-green-800 rounded-lg bg-green-50 dark:bg-gray-700 dark:text-green-400"
+      role="alert">
+      <p>
+        {{ keyDisplayText() }}
+        <code class="select-all" data-ph-mask-text="true">{{ t.key }}</code>
+        <app-clip class="mx-2" [clip]="t.key" />
+      </p>
+      <p>
+        <strong>Important:</strong>
+        This is the only time you will be able to see this token, so please make sure to note it down before closing
+        this page.
+      </p>
+    </div>
+  }
+
+  <div class="overflow-x-auto">
+    <table class="w-full text-sm text-left text-gray-500 dark:text-gray-400">
+      <thead
+        class="border-t border-gray-200 dark:border-gray-600 text-xs text-gray-700 uppercase bg-gray-100 dark:bg-gray-700 dark:text-gray-400">
+        <tr>
+          <th scope="col" class="p-4">Label</th>
+          <th scope="col" class="p-4">Creation Date</th>
+          <th scope="col" class="p-4">Expires</th>
+          <th scope="col" class="p-4">Last Used</th>
+          <th scope="col" class="p-4"></th>
+        </tr>
+      </thead>
+      <tbody>
+        @for (token of accessTokens$ | async; track token.id) {
+          <tr class="border-t border-gray-200 dark:border-gray-600 hover:bg-gray-100 dark:hover:bg-gray-700">
+            <td class="px-4 py-3">{{ token.label }}</td>
+            <td class="px-4 py-3">{{ token.createdAt | date: 'medium' }}</td>
+            <td class="px-4 py-3">
+              @if (token.expiresAt; as d) {
+                {{ d | date }}
+                @if (isExpired(token)) {
+                  (expired)
+                }
+              } @else {
+                never
+              }
+            </td>
+            <td class="px-4 py-3">
+              @if (token.lastUsedAt; as d) {
+                {{ d | relativeDate }}
+              } @else {
+                never
+              }
+            </td>
+            <td
+              class="px-4 py-3 font-medium text-gray-900 whitespace-nowrap dark:text-white flex justify-end space-x-2">
+              <button
+                type="button"
+                aria-label="Delete"
+                (click)="deleteAccessToken(token)"
+                class="py-2 px-3 text-red-700 hover:text-white border border-red-700 hover:bg-red-800 focus:ring-4 focus:outline-none focus:ring-red-300 font-medium rounded-lg text-sm text-center dark:border-red-500 dark:text-red-500 dark:hover:text-white dark:hover:bg-red-600 dark:focus:ring-red-900">
+                <fa-icon [icon]="faTrash" class="h-4 w-4" />
+              </button>
+            </td>
+          </tr>
+        } @empty {
+          <tr>
+            <td class="px-4 py-6 text-center text-gray-500 dark:text-gray-400" colspan="5">No tokens yet.</td>
+          </tr>
+        }
+      </tbody>
+    </table>
+  </div>
+</div>
+
+<ng-template #createTokenDrawer>
+  <div
+    animate.enter="animate-fly-in-right"
+    animate.leave="animate-fly-out-right"
+    class="h-screen p-4 overflow-y-auto bg-white w-80 dark:bg-gray-800"
+    tabindex="-1">
+    <h5 class="inline-flex items-center mb-6 text-sm font-semibold text-gray-500 uppercase dark:text-gray-400">
+      {{ drawerTitle() }}
+    </h5>
+    <button
+      type="button"
+      (click)="hideDrawer()"
+      class="text-gray-400 bg-transparent hover:bg-gray-200 hover:text-gray-900 rounded-lg text-sm p-1.5 absolute top-2.5 right-2.5 inline-flex items-center dark:hover:bg-gray-600 dark:hover:text-white">
+      <fa-icon [icon]="faXmark" class="w-5 h-5" />
+      <span class="sr-only">Close menu</span>
+    </button>
+    <form [formGroup]="editForm" (ngSubmit)="createAccessToken()">
+      <div class="space-y-4">
+        <div>
+          <label for="access-token-label" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">
+            Label
+          </label>
+          <input
+            formControlName="label"
+            autotrim
+            type="text"
+            id="access-token-label"
+            class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-primary-500 dark:focus:border-primary-500"
+            placeholder="Label this token" />
+        </div>
+        <div>
+          <label for="access-token-expires" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">
+            Expires At
+          </label>
+          <input
+            formControlName="expiresAt"
+            type="date"
+            id="access-token-expires"
+            class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-primary-500 dark:focus:border-primary-500" />
+        </div>
+        <div class="flex justify-center w-full pb-4 space-x-4 sm:mt-0">
+          <button
+            type="submit"
+            [disabled]="editFormLoading()"
+            class="text-white w-full inline-flex items-center justify-center bg-primary-700 hover:bg-primary-800 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">
+            <fa-icon [icon]="faPlus" class="me-2" />
+            Create
+          </button>
+        </div>
+      </div>
+    </form>
+  </div>
+</ng-template>
diff --git a/frontend/ui/src/app/access-tokens/access-tokens-table.component.ts b/frontend/ui/src/app/access-tokens/access-tokens-table.component.ts
new file mode 100644
index 000000000..0915363ff
--- /dev/null
+++ b/frontend/ui/src/app/access-tokens/access-tokens-table.component.ts
@@ -0,0 +1,107 @@
+import {OverlayModule} from '@angular/cdk/overlay';
+import {AsyncPipe, DatePipe} from '@angular/common';
+import {Component, inject, input, signal, TemplateRef} from '@angular/core';
+import {FormControl, FormGroup, ReactiveFormsModule} from '@angular/forms';
+import {AccessToken, AccessTokenWithKey, CreateAccessTokenRequest} from '@distr-sh/distr-sdk';
+import {FaIconComponent} from '@fortawesome/angular-fontawesome';
+import {faPlus, faTrash, faXmark} from '@fortawesome/free-solid-svg-icons';
+import dayjs from 'dayjs';
+import {firstValueFrom, Observable, startWith, Subject, switchMap} from 'rxjs';
+import {isExpired, RelativeDatePipe} from '../../util/dates';
+import {ClipComponent} from '../components/clip.component';
+import {AutotrimDirective} from '../directives/autotrim.directive';
+import {DialogRef, OverlayService} from '../services/overlay.service';
+import {ToastService} from '../services/toast.service';
+
+export interface AccessTokenStore {
+  list(): Observable<AccessToken[]>;
+  create(request: CreateAccessTokenRequest): Observable<AccessTokenWithKey>;
+  delete(id: string): Observable<void>;
+}
+
+@Component({
+  selector: 'app-access-tokens-table',
+  imports: [
+    AsyncPipe,
+    AutotrimDirective,
+    ClipComponent,
+    DatePipe,
+    FaIconComponent,
+    OverlayModule,
+    ReactiveFormsModule,
+    RelativeDatePipe,
+  ],
+  templateUrl: './access-tokens-table.component.html',
+})
+export class AccessTokensTableComponent {
+  public readonly store = input.required<AccessTokenStore>();
+  public readonly drawerTitle = input<string>('Create access token');
+  public readonly keyDisplayText = input<string>('Your access token:');
+
+  protected readonly faPlus = faPlus;
+  protected readonly faTrash = faTrash;
+  protected readonly faXmark = faXmark;
+  protected readonly isExpired = isExpired;
+
+  private readonly overlay = inject(OverlayService);
+  private readonly toast = inject(ToastService);
+
+  private readonly refresh$ = new Subject<void>();
+  protected readonly accessTokens$ = this.refresh$.pipe(
+    startWith(0),
+    switchMap(() => this.store().list())
+  );
+
+  protected readonly editForm = new FormGroup({
+    label: new FormControl('', {nonNullable: true}),
+    expiresAt: new FormControl('', {nonNullable: true}),
+  });
+  protected editFormLoading = signal(false);
+  protected createdToken = signal<AccessTokenWithKey | null>(null);
+  protected drawer: DialogRef<void> | null = null;
+
+  public openDrawer(template: TemplateRef<unknown>) {
+    this.hideDrawer();
+    this.editForm.patchValue({
+      label: '',
+      expiresAt: dayjs()
+        .add(dayjs.duration({days: 30}))
+        .format('YYYY-MM-DD'),
+    });
+    this.drawer = this.overlay.showDrawer(template);
+  }
+
+  public hideDrawer() {
+    this.drawer?.dismiss();
+  }
+
+  public async createAccessToken() {
+    this.editFormLoading.set(true);
+    const request: CreateAccessTokenRequest = {};
+    if (this.editForm.value.label) {
+      request.label = this.editForm.value.label;
+    }
+    if (this.editForm.value.expiresAt) {
+      request.expiresAt = new Date(this.editForm.value.expiresAt);
+    }
+    try {
+      this.createdToken.set(await firstValueFrom(this.store().create(request)));
+      this.toast.success('Token created');
+      this.hideDrawer();
+      this.refresh$.next();
+    } finally {
+      this.editFormLoading.set(false);
+    }
+  }
+
+  public async deleteAccessToken(accessToken: AccessToken) {
+    if (await firstValueFrom(this.overlay.confirm(`Really delete token '${accessToken.label}'?`))) {
+      try {
+        await firstValueFrom(this.store().delete(accessToken.id!));
+        this.refresh$.next();
+      } catch {
+        // toast handled globally
+      }
+    }
+  }
+}
diff --git a/frontend/ui/src/app/access-tokens/access-tokens.component.ts b/frontend/ui/src/app/access-tokens/access-tokens.component.ts
index 6179e6ea1..e3358c1cc 100644
--- a/frontend/ui/src/app/access-tokens/access-tokens.component.ts
+++ b/frontend/ui/src/app/access-tokens/access-tokens.component.ts
@@ -1,102 +1,19 @@
-import {OverlayModule} from '@angular/cdk/overlay';
-import {AsyncPipe, DatePipe} from '@angular/common';
-import {Component, inject, TemplateRef} from '@angular/core';
-import {FormControl, FormGroup, ReactiveFormsModule} from '@angular/forms';
-import {AccessToken, AccessTokenWithKey, CreateAccessTokenRequest} from '@distr-sh/distr-sdk';
-import {FaIconComponent} from '@fortawesome/angular-fontawesome';
-import {faClipboard, faMagnifyingGlass, faPlus, faTrash, faXmark} from '@fortawesome/free-solid-svg-icons';
-import dayjs from 'dayjs';
-import {firstValueFrom, startWith, Subject, switchMap} from 'rxjs';
-import {isExpired, RelativeDatePipe} from '../../util/dates';
-import {ClipComponent} from '../components/clip.component';
-import {AutotrimDirective} from '../directives/autotrim.directive';
+import {Component, inject} from '@angular/core';
 import {AccessTokensService} from '../services/access-tokens.service';
-import {DialogRef, OverlayService} from '../services/overlay.service';
-import {ToastService} from '../services/toast.service';
+import {AccessTokensTableComponent} from './access-tokens-table.component';
 
 @Component({
   selector: 'app-access-tokens',
-  imports: [
-    ReactiveFormsModule,
-    FaIconComponent,
-    AsyncPipe,
-    DatePipe,
-    AutotrimDirective,
-    OverlayModule,
-    RelativeDatePipe,
-    ClipComponent,
-  ],
-  templateUrl: './access-tokens.component.html',
+  imports: [AccessTokensTableComponent],
+  template: `<section class="bg-gray-50 dark:bg-gray-900 p-3 sm:p-5 antialiased">
+    <div class="mx-auto max-w-screen-2xl px-4 lg:px-12">
+      <app-access-tokens-table
+        [store]="accessTokens"
+        drawerTitle="Create a Personal Access Token"
+        keyDisplayText="Your Personal Access Token:" />
+    </div>
+  </section>`,
 })
 export class AccessTokensComponent {
-  protected readonly faMagnifyingGlass = faMagnifyingGlass;
-  protected readonly faTrash = faTrash;
-  protected readonly faPlus = faPlus;
-  protected readonly faXmark = faXmark;
-  protected readonly faClipboard = faClipboard;
-
-  private readonly accessTokens = inject(AccessTokensService);
-  private readonly refresh$ = new Subject<void>();
-  protected readonly accessTokens$ = this.refresh$.pipe(
-    startWith(0),
-    switchMap(() => this.accessTokens.list())
-  );
-
-  private readonly toast = inject(ToastService);
-
-  private readonly overlay = inject(OverlayService);
-  protected drawer: DialogRef<void> | null = null;
-
-  protected readonly editForm = new FormGroup({
-    label: new FormControl('', {nonNullable: true}),
-    expiresAt: new FormControl('', {nonNullable: true}),
-  });
-
-  protected editFormLoading = false;
-  protected createdToken: AccessTokenWithKey | null = null;
-
-  public openDrawer(template: TemplateRef<unknown>) {
-    this.hideDrawer();
-    this.editForm.patchValue({
-      label: '',
-      expiresAt: dayjs()
-        .add(dayjs.duration({days: 30}))
-        .format('YYYY-MM-DD'),
-    });
-    this.drawer = this.overlay.showDrawer(template);
-  }
-
-  public hideDrawer() {
-    this.drawer?.dismiss();
-  }
-
-  public async createAccessToken() {
-    this.editFormLoading = true;
-    const request: CreateAccessTokenRequest = {};
-    if (this.editForm.value.label) {
-      request.label = this.editForm.value.label;
-    }
-    if (this.editForm.value.expiresAt) {
-      request.expiresAt = new Date(this.editForm.value.expiresAt);
-    }
-    try {
-      this.createdToken = await firstValueFrom(this.accessTokens.create(request));
-      this.toast.success('token created');
-      this.hideDrawer();
-      this.refresh$.next();
-    } finally {
-      this.editFormLoading = false;
-    }
-  }
-
-  public async deleteAccessToken(accessToken: AccessToken) {
-    if (await firstValueFrom(this.overlay.confirm(`Really delete token '${accessToken.label}'?`))) {
-      try {
-        await firstValueFrom(this.accessTokens.delete(accessToken.id!));
-        this.refresh$.next();
-      } catch (e) {}
-    }
-  }
-
-  protected readonly isExpired = isExpired;
+  protected readonly accessTokens = inject(AccessTokensService);
 }
diff --git a/frontend/ui/src/app/app-logged-in.routes.ts b/frontend/ui/src/app/app-logged-in.routes.ts
index d1b8f7ccc..704814ef8 100644
--- a/frontend/ui/src/app/app-logged-in.routes.ts
+++ b/frontend/ui/src/app/app-logged-in.routes.ts
@@ -198,6 +198,12 @@ export const routes: Routes = [
         component: VendorUsersComponent,
         canActivate: [requiredRoleGuard('admin')],
       },
+      {
+        path: 'users/service-accounts/:serviceAccountId',
+        loadComponent: () =>
+          import('./service-accounts/service-account-detail.component').then((m) => m.ServiceAccountDetailComponent),
+        canActivate: [requiredRoleGuard('admin')],
+      },
       {
         path: 'secrets',
         component: SecretsPage,
diff --git a/frontend/ui/src/app/components/users/customers/customer-users.component.html b/frontend/ui/src/app/components/users/customers/customer-users.component.html
index ffab91346..e5ab4bb65 100644
--- a/frontend/ui/src/app/components/users/customers/customer-users.component.html
+++ b/frontend/ui/src/app/components/users/customers/customer-users.component.html
@@ -60,3 +60,6 @@
     </div>
   </div>
 </section>
+@if (auth.hasRole('admin')) {
+  <app-service-accounts [customerOrganizationId]="customerOrganizationId()" />
+}
diff --git a/frontend/ui/src/app/components/users/customers/customer-users.component.ts b/frontend/ui/src/app/components/users/customers/customer-users.component.ts
index f223bb4fb..8cdb5813e 100644
--- a/frontend/ui/src/app/components/users/customers/customer-users.component.ts
+++ b/frontend/ui/src/app/components/users/customers/customer-users.component.ts
@@ -5,15 +5,18 @@ import {ActivatedRoute, RouterLink} from '@angular/router';
 import {FontAwesomeModule} from '@fortawesome/angular-fontawesome';
 import {faBoxesStacked, faChevronDown} from '@fortawesome/free-solid-svg-icons';
 import {combineLatest, map, startWith, Subject, switchMap} from 'rxjs';
+import {ServiceAccountsComponent} from '../../../service-accounts/service-accounts.component';
+import {AuthService} from '../../../services/auth.service';
 import {CustomerOrganizationsService} from '../../../services/customer-organizations.service';
 import {UsersService} from '../../../services/users.service';
 import {UsersComponent} from '../users.component';
 
 @Component({
   templateUrl: './customer-users.component.html',
-  imports: [UsersComponent, RouterLink, FontAwesomeModule, OverlayModule],
+  imports: [UsersComponent, ServiceAccountsComponent, RouterLink, FontAwesomeModule, OverlayModule],
 })
 export class CustomerUsersComponent {
+  protected readonly auth = inject(AuthService);
   protected readonly faBoxesStacked = faBoxesStacked;
   protected readonly faChevronDown = faChevronDown;
 
diff --git a/frontend/ui/src/app/components/users/vendors/vendor-users.component.ts b/frontend/ui/src/app/components/users/vendors/vendor-users.component.ts
index 8c5432f77..8dc9d50d4 100644
--- a/frontend/ui/src/app/components/users/vendors/vendor-users.component.ts
+++ b/frontend/ui/src/app/components/users/vendors/vendor-users.component.ts
@@ -1,23 +1,27 @@
 import {Component, inject} from '@angular/core';
 import {toSignal} from '@angular/core/rxjs-interop';
 import {map, startWith, Subject, switchMap} from 'rxjs';
+import {ServiceAccountsComponent} from '../../../service-accounts/service-accounts.component';
 import {AuthService} from '../../../services/auth.service';
 import {UsersService} from '../../../services/users.service';
 import {UsersComponent} from '../users.component';
 
 @Component({
   template: `<section class="bg-gray-50 dark:bg-gray-900 p-3 sm:p-5 antialiased">
-    <div class="mx-auto max-w-screen-2xl px-4 lg:px-12">
-      <div class="bg-white dark:bg-gray-800 relative shadow-md sm:rounded-lg overflow-hidden">
-        <app-users (refresh)="refresh$.next()" [users]="users() ?? []" />
+      <div class="mx-auto max-w-screen-2xl px-4 lg:px-12">
+        <div class="bg-white dark:bg-gray-800 relative shadow-md sm:rounded-lg overflow-hidden">
+          <app-users (refresh)="refresh$.next()" [users]="users() ?? []" />
+        </div>
       </div>
-    </div>
-  </section>`,
-  imports: [UsersComponent],
+    </section>
+    @if (auth.hasRole('admin')) {
+      <app-service-accounts />
+    }`,
+  imports: [UsersComponent, ServiceAccountsComponent],
 })
 export class VendorUsersComponent {
   private readonly usersService = inject(UsersService);
-  private readonly auth = inject(AuthService);
+  protected readonly auth = inject(AuthService);
   protected readonly refresh$ = new Subject<void>();
   protected readonly users = toSignal(
     this.refresh$.pipe(
diff --git a/frontend/ui/src/app/service-accounts/service-account-detail.component.html b/frontend/ui/src/app/service-accounts/service-account-detail.component.html
new file mode 100644
index 000000000..50f675616
--- /dev/null
+++ b/frontend/ui/src/app/service-accounts/service-account-detail.component.html
@@ -0,0 +1,80 @@
+<section class="bg-gray-50 dark:bg-gray-900 p-3 sm:p-5 antialiased">
+  <div class="mx-auto max-w-screen-2xl px-4 lg:px-12 space-y-6">
+    <a
+      routerLink="/users"
+      class="inline-flex items-center text-sm font-medium text-primary-700 hover:underline dark:text-primary-500">
+      <fa-icon [icon]="faArrowLeft" class="mr-2" />
+      Back to users
+    </a>
+
+    @if (serviceAccount(); as sa) {
+      <div class="bg-white dark:bg-gray-800 shadow-md sm:rounded-lg p-6">
+        @if (!editing()) {
+          <div class="flex items-start justify-between">
+            <div>
+              <h1 class="text-2xl font-semibold text-gray-900 dark:text-white">{{ sa.name }}</h1>
+              <p class="text-sm text-gray-500 dark:text-gray-400 mt-1">
+                Role: <span class="font-medium">{{ sa.accountRole | titlecase }}</span>
+              </p>
+              <p class="text-xs text-gray-400 mt-1">Created {{ sa.createdAt | date: 'medium' }}</p>
+            </div>
+            <button
+              type="button"
+              (click)="startEdit()"
+              class="py-2 px-4 text-sm font-medium text-gray-900 focus:outline-none bg-white rounded-lg border border-gray-200 hover:bg-gray-100 hover:text-primary-700 focus:z-10 focus:ring-4 focus:ring-gray-200 dark:focus:ring-gray-700 dark:bg-gray-800 dark:text-white dark:border-gray-600 dark:hover:text-white dark:hover:bg-gray-700">
+              Edit
+            </button>
+          </div>
+        } @else {
+          <form [formGroup]="editForm" (ngSubmit)="saveEdit()" class="space-y-4">
+            <div>
+              <label for="sa-edit-name" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">
+                Name
+              </label>
+              <input
+                formControlName="name"
+                autotrim
+                type="text"
+                id="sa-edit-name"
+                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:text-white" />
+            </div>
+            <div>
+              <label for="sa-edit-role" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">
+                Role
+              </label>
+              <select
+                formControlName="accountRole"
+                id="sa-edit-role"
+                class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:text-white">
+                <option value="read_only">Read only</option>
+                <option value="read_write">Read write</option>
+                <option value="admin">Admin</option>
+              </select>
+            </div>
+            <div class="flex justify-end space-x-2">
+              <button
+                type="button"
+                (click)="cancelEdit()"
+                class="py-2 px-4 text-sm font-medium text-gray-900 bg-white rounded-lg border border-gray-200 hover:bg-gray-100 dark:bg-gray-800 dark:text-white dark:border-gray-600 dark:hover:bg-gray-700">
+                Cancel
+              </button>
+              <button
+                type="submit"
+                [disabled]="editLoading() || editForm.invalid"
+                class="text-white inline-flex items-center justify-center bg-primary-700 hover:bg-primary-800 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700">
+                Save
+              </button>
+            </div>
+          </form>
+        }
+      </div>
+
+      <app-access-tokens-table
+        [store]="tokenStore"
+        drawerTitle="Create service account token"
+        keyDisplayText="New service account token:" />
+    } @else {
+      <div class="text-gray-500 dark:text-gray-400">Loading service account…</div>
+    }
+  </div>
+</section>
diff --git a/frontend/ui/src/app/service-accounts/service-account-detail.component.ts b/frontend/ui/src/app/service-accounts/service-account-detail.component.ts
new file mode 100644
index 000000000..1f43b87b3
--- /dev/null
+++ b/frontend/ui/src/app/service-accounts/service-account-detail.component.ts
@@ -0,0 +1,91 @@
+import {DatePipe, TitleCasePipe} from '@angular/common';
+import {Component, computed, inject, signal} from '@angular/core';
+import {toSignal} from '@angular/core/rxjs-interop';
+import {FormControl, FormGroup, ReactiveFormsModule, Validators} from '@angular/forms';
+import {ActivatedRoute, RouterLink} from '@angular/router';
+import {AccountRole} from '@distr-sh/distr-sdk';
+import {FaIconComponent} from '@fortawesome/angular-fontawesome';
+import {faArrowLeft} from '@fortawesome/free-solid-svg-icons';
+import {firstValueFrom, startWith, Subject, switchMap} from 'rxjs';
+import {AccessTokensTableComponent, AccessTokenStore} from '../access-tokens/access-tokens-table.component';
+import {AutotrimDirective} from '../directives/autotrim.directive';
+import {ServiceAccountsService} from '../services/service-accounts.service';
+import {ToastService} from '../services/toast.service';
+
+@Component({
+  selector: 'app-service-account-detail',
+  imports: [
+    AccessTokensTableComponent,
+    AutotrimDirective,
+    DatePipe,
+    FaIconComponent,
+    ReactiveFormsModule,
+    RouterLink,
+    TitleCasePipe,
+  ],
+  templateUrl: './service-account-detail.component.html',
+})
+export class ServiceAccountDetailComponent {
+  protected readonly faArrowLeft = faArrowLeft;
+
+  private readonly route = inject(ActivatedRoute);
+  private readonly service = inject(ServiceAccountsService);
+  private readonly toast = inject(ToastService);
+
+  protected readonly serviceAccountId = computed(() => this.route.snapshot.paramMap.get('serviceAccountId') ?? '');
+
+  private readonly refreshSA$ = new Subject<void>();
+  protected readonly serviceAccount = toSignal(
+    this.refreshSA$.pipe(
+      startWith(0),
+      switchMap(() => this.service.get(this.serviceAccountId()))
+    )
+  );
+
+  protected readonly tokenStore: AccessTokenStore = {
+    list: () => this.service.listTokens(this.serviceAccountId()),
+    create: (request) => this.service.createToken(this.serviceAccountId(), request),
+    delete: (tokenId) => this.service.deleteToken(this.serviceAccountId(), tokenId),
+  };
+
+  protected readonly editForm = new FormGroup({
+    name: new FormControl<string>('', {nonNullable: true, validators: [Validators.required]}),
+    accountRole: new FormControl<AccountRole>('read_write', {nonNullable: true}),
+  });
+  protected editLoading = signal(false);
+  protected editing = signal(false);
+
+  public startEdit() {
+    const sa = this.serviceAccount();
+    if (!sa) {
+      return;
+    }
+    this.editForm.reset({name: sa.name, accountRole: sa.accountRole});
+    this.editing.set(true);
+  }
+
+  public cancelEdit() {
+    this.editing.set(false);
+  }
+
+  public async saveEdit() {
+    const sa = this.serviceAccount();
+    if (!sa || this.editForm.invalid) {
+      return;
+    }
+    this.editLoading.set(true);
+    try {
+      await firstValueFrom(
+        this.service.patch(sa.id, {
+          name: this.editForm.value.name,
+          accountRole: this.editForm.value.accountRole,
+        })
+      );
+      this.toast.success('Service account updated');
+      this.editing.set(false);
+      this.refreshSA$.next();
+    } finally {
+      this.editLoading.set(false);
+    }
+  }
+}
diff --git a/frontend/ui/src/app/access-tokens/access-tokens.component.html b/frontend/ui/src/app/service-accounts/service-accounts.component.html
similarity index 60%
rename from frontend/ui/src/app/access-tokens/access-tokens.component.html
rename to frontend/ui/src/app/service-accounts/service-accounts.component.html
index 7b03fb2e5..e25609130 100644
--- a/frontend/ui/src/app/access-tokens/access-tokens.component.html
+++ b/frontend/ui/src/app/service-accounts/service-accounts.component.html
@@ -1,84 +1,60 @@
-<!-- Start block -->
 <section class="bg-gray-50 dark:bg-gray-900 p-3 sm:p-5 antialiased">
   <div class="mx-auto max-w-screen-2xl px-4 lg:px-12">
     <div class="bg-white dark:bg-gray-800 relative shadow-md sm:rounded-lg overflow-hidden">
       <div
         class="flex flex-col md:flex-row items-stretch md:items-center md:space-x-3 space-y-3 md:space-y-0 justify-between mx-4 py-4 dark:border-gray-700">
-        <div></div>
+        <h2 class="text-lg font-semibold text-gray-900 dark:text-white px-2">Service Accounts</h2>
         <div
           class="w-full md:w-auto flex flex-col md:flex-row space-y-2 md:space-y-0 items-stretch md:items-center justify-end md:space-x-3 flex-shrink-0">
           <button
-            (click)="openDrawer(manageApplicationDrawer)"
+            (click)="openCreateDrawer(createDrawer)"
             type="button"
-            id="createTokenButton"
             class="w-full md:w-auto flex items-center justify-center py-2 px-4 text-sm font-medium text-gray-900 focus:outline-none bg-white rounded-lg border border-gray-200 hover:bg-gray-100 hover:text-primary-700 focus:z-10 focus:ring-4 focus:ring-gray-200 dark:focus:ring-gray-700 dark:bg-gray-800 dark:text-white dark:border-gray-600 dark:hover:text-white dark:hover:bg-gray-700">
             <fa-icon [icon]="faPlus" class="text-gray-500 dark:text-gray-400 mr-2" />
-            Create token
+            Create service account
           </button>
         </div>
       </div>
-
-      @if (createdToken; as t) {
-        <div
-          class="p-4 mb-4 text-sm text-green-800 rounded-lg bg-green-50 dark:bg-gray-800 dark:text-green-400"
-          role="alert">
-          <p>
-            Your Personal Access Token:
-            <code class="select-all" data-ph-mask-text="true">{{ t.key }}</code>
-            <app-clip class="mx-2" [clip]="t.key" />
-          </p>
-          <p>
-            <strong>Important:</strong>
-            This is the only time you will be able to see this token, so please make sure to note it down before closing
-            this page.
-          </p>
-        </div>
-      }
       <div class="overflow-x-auto">
         <table class="w-full text-sm text-left text-gray-500 dark:text-gray-400">
           <thead
             class="border-t border-gray-200 dark:border-gray-600 text-xs text-gray-700 uppercase bg-gray-100 dark:bg-gray-700 dark:text-gray-400">
             <tr>
-              <th scope="col" class="p-4">Label</th>
-              <th scope="col" class="p-4">Creation Date</th>
-              <th scope="col" class="p-4">Expires</th>
-              <th scope="col" class="p-4">Last Used</th>
+              <th scope="col" class="p-4">Name</th>
+              <th scope="col" class="p-4">Role</th>
+              <th scope="col" class="p-4">Created</th>
               <th scope="col" class="p-4"></th>
             </tr>
           </thead>
           <tbody>
-            @for (token of accessTokens$ | async; track token.id) {
+            @for (sa of serviceAccounts$ | async; track sa.id) {
               <tr class="border-t border-gray-200 dark:border-gray-600 hover:bg-gray-100 dark:hover:bg-gray-700">
-                <td class="px-4 py-3">{{ token.label }}</td>
-                <td class="px-4 py-3">{{ token.createdAt | date: 'medium' }}</td>
-                <td class="px-4 py-3">
-                  @if (token.expiresAt; as d) {
-                    {{ d | date }}
-                    @if (isExpired(token)) {
-                      (expired)
-                    }
-                  } @else {
-                    never
-                  }
-                </td>
-                <td class="px-4 py-3">
-                  @if (token.lastUsedAt; as d) {
-                    {{ d | relativeDate }}
-                  } @else {
-                    never
-                  }
-                </td>
+                <td class="px-4 py-3 font-medium text-gray-900 dark:text-white">{{ sa.name }}</td>
+                <td class="px-4 py-3">{{ sa.accountRole | titlecase }}</td>
+                <td class="px-4 py-3">{{ sa.createdAt | date: 'medium' }}</td>
                 <td
                   class="px-4 py-3 font-medium text-gray-900 whitespace-nowrap dark:text-white flex justify-end space-x-2">
+                  <a
+                    [routerLink]="['/users/service-accounts', sa.id]"
+                    class="py-2 px-3 text-primary-700 hover:text-white border border-primary-700 hover:bg-primary-800 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm text-center dark:border-primary-500 dark:text-primary-500 dark:hover:text-white dark:hover:bg-primary-600 dark:focus:ring-primary-900">
+                    <fa-icon [icon]="faKey" class="h-4 w-4 mr-1" />
+                    Manage tokens
+                  </a>
                   <button
                     type="button"
                     aria-label="Delete"
-                    (click)="deleteAccessToken(token)"
+                    (click)="delete(sa)"
                     class="py-2 px-3 text-red-700 hover:text-white border border-red-700 hover:bg-red-800 focus:ring-4 focus:outline-none focus:ring-red-300 font-medium rounded-lg text-sm text-center dark:border-red-500 dark:text-red-500 dark:hover:text-white dark:hover:bg-red-600 dark:focus:ring-red-900">
                     <fa-icon [icon]="faTrash" class="h-4 w-4" />
                   </button>
                 </td>
               </tr>
+            } @empty {
+              <tr>
+                <td class="px-4 py-6 text-center text-gray-500 dark:text-gray-400" colspan="4">
+                  No service accounts yet.
+                </td>
+              </tr>
             }
           </tbody>
         </table>
@@ -87,18 +63,14 @@
   </div>
 </section>
 
-<ng-template #manageApplicationDrawer>
+<ng-template #createDrawer>
   <div
     animate.enter="animate-fly-in-right"
     animate.leave="animate-fly-out-right"
-    id="manage-application-drawer"
     class="h-screen p-4 overflow-y-auto bg-white w-80 dark:bg-gray-800"
-    tabindex="-1"
-    aria-labelledby="drawer-right-label">
-    <h5
-      id="drawer-label"
-      class="inline-flex items-center mb-6 text-sm font-semibold text-gray-500 uppercase dark:text-gray-400">
-      Create a Personal Access Token
+    tabindex="-1">
+    <h5 class="inline-flex items-center mb-6 text-sm font-semibold text-gray-500 uppercase dark:text-gray-400">
+      Create a service account
     </h5>
     <button
       type="button"
@@ -107,32 +79,33 @@
       <fa-icon [icon]="faXmark" class="w-5 h-5" />
       <span class="sr-only">Close menu</span>
     </button>
-    <form [formGroup]="editForm" (ngSubmit)="createAccessToken()">
+    <form [formGroup]="createForm" (ngSubmit)="create()">
       <div class="space-y-4">
         <div>
-          <label for="label" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Label</label>
+          <label for="sa-name" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Name</label>
           <input
-            formControlName="label"
+            formControlName="name"
             autotrim
             type="text"
-            id="label"
+            id="sa-name"
             class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-primary-500 dark:focus:border-primary-500"
-            placeholder="Label your PAT" />
+            placeholder="ci-bot" />
         </div>
         <div>
-          <label for="expiresAt" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Expires At</label>
-          <input
-            formControlName="expiresAt"
-            type="date"
-            id="expiresAt"
-            class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-primary-500 dark:focus:border-primary-500"
-            placeholder="Label your PAT" />
+          <label for="sa-role" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Role</label>
+          <select
+            formControlName="accountRole"
+            id="sa-role"
+            class="bg-gray-50 border border-gray-300 text-gray-900 text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-primary-500 dark:focus:border-primary-500">
+            <option value="read_only">Read only</option>
+            <option value="read_write">Read write</option>
+            <option value="admin">Admin</option>
+          </select>
         </div>
-
         <div class="flex justify-center w-full pb-4 space-x-4 sm:mt-0">
           <button
             type="submit"
-            [disabled]="editFormLoading"
+            [disabled]="createLoading || createForm.invalid"
             class="text-white w-full inline-flex items-center justify-center bg-primary-700 hover:bg-primary-800 focus:ring-4 focus:outline-none focus:ring-primary-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">
             <fa-icon [icon]="faPlus" class="me-2" />
             Create
diff --git a/frontend/ui/src/app/service-accounts/service-accounts.component.ts b/frontend/ui/src/app/service-accounts/service-accounts.component.ts
new file mode 100644
index 000000000..8e916e649
--- /dev/null
+++ b/frontend/ui/src/app/service-accounts/service-accounts.component.ts
@@ -0,0 +1,109 @@
+import {OverlayModule} from '@angular/cdk/overlay';
+import {AsyncPipe, DatePipe, TitleCasePipe} from '@angular/common';
+import {Component, inject, input, TemplateRef} from '@angular/core';
+import {toObservable} from '@angular/core/rxjs-interop';
+import {FormControl, FormGroup, ReactiveFormsModule, Validators} from '@angular/forms';
+import {RouterLink} from '@angular/router';
+import {AccountRole, CreateServiceAccountRequest, ServiceAccount} from '@distr-sh/distr-sdk';
+import {FaIconComponent} from '@fortawesome/angular-fontawesome';
+import {faKey, faPlus, faTrash, faXmark} from '@fortawesome/free-solid-svg-icons';
+import {combineLatest, firstValueFrom, map, startWith, Subject, switchMap} from 'rxjs';
+import {AutotrimDirective} from '../directives/autotrim.directive';
+import {DialogRef, OverlayService} from '../services/overlay.service';
+import {ServiceAccountsService} from '../services/service-accounts.service';
+import {ToastService} from '../services/toast.service';
+
+@Component({
+  selector: 'app-service-accounts',
+  imports: [
+    AsyncPipe,
+    AutotrimDirective,
+    DatePipe,
+    FaIconComponent,
+    OverlayModule,
+    ReactiveFormsModule,
+    RouterLink,
+    TitleCasePipe,
+  ],
+  templateUrl: './service-accounts.component.html',
+})
+export class ServiceAccountsComponent {
+  public readonly customerOrganizationId = input<string | undefined>();
+
+  protected readonly faPlus = faPlus;
+  protected readonly faTrash = faTrash;
+  protected readonly faXmark = faXmark;
+  protected readonly faKey = faKey;
+
+  private readonly service = inject(ServiceAccountsService);
+  private readonly overlay = inject(OverlayService);
+  private readonly toast = inject(ToastService);
+
+  private readonly refresh$ = new Subject<void>();
+  private readonly customerOrganizationId$ = toObservable(this.customerOrganizationId);
+  protected readonly serviceAccounts$ = combineLatest([
+    this.refresh$.pipe(
+      startWith(0),
+      switchMap(() => this.service.list())
+    ),
+    this.customerOrganizationId$,
+  ]).pipe(map(([sas, customerOrgId]) => this.filterByCustomer(sas, customerOrgId)));
+
+  protected drawer: DialogRef<void> | null = null;
+  protected createLoading = false;
+
+  protected readonly createForm = new FormGroup({
+    name: new FormControl<string>('', {nonNullable: true, validators: [Validators.required]}),
+    accountRole: new FormControl<AccountRole>('read_write', {nonNullable: true, validators: [Validators.required]}),
+  });
+
+  public openCreateDrawer(template: TemplateRef<unknown>) {
+    this.hideDrawer();
+    this.createForm.reset({name: '', accountRole: 'read_write'});
+    this.drawer = this.overlay.showDrawer(template);
+  }
+
+  public hideDrawer() {
+    this.drawer?.dismiss();
+  }
+
+  public async create() {
+    if (this.createForm.invalid) {
+      return;
+    }
+    this.createLoading = true;
+    try {
+      const request: CreateServiceAccountRequest = {
+        name: this.createForm.value.name!,
+        accountRole: this.createForm.value.accountRole!,
+      };
+      if (this.customerOrganizationId()) {
+        request.customerOrganizationId = this.customerOrganizationId();
+      }
+      await firstValueFrom(this.service.create(request));
+      this.toast.success('Service account created');
+      this.hideDrawer();
+      this.refresh$.next();
+    } finally {
+      this.createLoading = false;
+    }
+  }
+
+  public async delete(sa: ServiceAccount) {
+    if (await firstValueFrom(this.overlay.confirm(`Really delete service account '${sa.name}'?`))) {
+      try {
+        await firstValueFrom(this.service.delete(sa.id));
+        this.refresh$.next();
+      } catch {
+        // toast handled globally
+      }
+    }
+  }
+
+  private filterByCustomer(sas: ServiceAccount[], customerOrgId: string | undefined): ServiceAccount[] {
+    if (customerOrgId) {
+      return sas.filter((sa) => sa.customerOrganizationId === customerOrgId);
+    }
+    return sas.filter((sa) => !sa.customerOrganizationId);
+  }
+}
diff --git a/frontend/ui/src/app/services/service-accounts.service.ts b/frontend/ui/src/app/services/service-accounts.service.ts
new file mode 100644
index 000000000..546373abf
--- /dev/null
+++ b/frontend/ui/src/app/services/service-accounts.service.ts
@@ -0,0 +1,49 @@
+import {HttpClient} from '@angular/common/http';
+import {inject, Injectable} from '@angular/core';
+import {
+  AccessToken,
+  AccessTokenWithKey,
+  CreateAccessTokenRequest,
+  CreateServiceAccountRequest,
+  PatchServiceAccountRequest,
+  ServiceAccount,
+} from '@distr-sh/distr-sdk';
+import {Observable} from 'rxjs';
+
+@Injectable({providedIn: 'root'})
+export class ServiceAccountsService {
+  private readonly baseUrl = '/api/v1/service-accounts';
+  private readonly httpClient = inject(HttpClient);
+
+  public list(): Observable<ServiceAccount[]> {
+    return this.httpClient.get<ServiceAccount[]>(this.baseUrl);
+  }
+
+  public get(id: string): Observable<ServiceAccount> {
+    return this.httpClient.get<ServiceAccount>(`${this.baseUrl}/${id}`);
+  }
+
+  public create(request: CreateServiceAccountRequest): Observable<ServiceAccount> {
+    return this.httpClient.post<ServiceAccount>(this.baseUrl, request);
+  }
+
+  public patch(id: string, request: PatchServiceAccountRequest): Observable<ServiceAccount> {
+    return this.httpClient.patch<ServiceAccount>(`${this.baseUrl}/${id}`, request);
+  }
+
+  public delete(id: string): Observable<void> {
+    return this.httpClient.delete<void>(`${this.baseUrl}/${id}`);
+  }
+
+  public listTokens(serviceAccountId: string): Observable<AccessToken[]> {
+    return this.httpClient.get<AccessToken[]>(`${this.baseUrl}/${serviceAccountId}/tokens`);
+  }
+
+  public createToken(serviceAccountId: string, request: CreateAccessTokenRequest): Observable<AccessTokenWithKey> {
+    return this.httpClient.post<AccessTokenWithKey>(`${this.baseUrl}/${serviceAccountId}/tokens`, request);
+  }
+
+  public deleteToken(serviceAccountId: string, tokenId: string): Observable<void> {
+    return this.httpClient.delete<void>(`${this.baseUrl}/${serviceAccountId}/tokens/${tokenId}`);
+  }
+}
diff --git a/internal/auth/authentication.go b/internal/auth/authentication.go
index 016cbdb40..4dcea277c 100644
--- a/internal/auth/authentication.go
+++ b/internal/auth/authentication.go
@@ -18,8 +18,9 @@ import (
 	"go.uber.org/zap"
 )
 
-// Authentication supports Bearer (classic JWT) and AccessToken (PAT) headers and uses authinfo.DbAuthenticator
-// to verify the token against the database, thereby ensuring the user exists in the database.
+// Authentication supports Bearer (classic JWT) and AccessToken (PAT or service-account token)
+// headers and uses authinfo.DbAuthenticator to verify the token against the database, thereby
+// ensuring the user or service account exists in the database.
 var Authentication = authn.New(
 	authn.Chain4(
 		token.NewExtractor(token.WithExtractorFuncs(token.FromHeader("Bearer"))),
@@ -30,7 +31,7 @@ var Authentication = authn.New(
 	authn.Chain4(
 		token.NewExtractor(token.WithExtractorFuncs(token.FromHeader("AccessToken"))),
 		authkey.Authenticator(),
-		authinfo.AuthKeyAuthenticator(),
+		authinfo.UnifiedAuthKeyAuthenticator(),
 		authinfo.DbAuthenticator(),
 	),
 )
@@ -54,10 +55,10 @@ var ArtifactsAuthentication = authn.New(
 			token.WithErrorHeaders(http.Header{"WWW-Authenticate": []string{"Basic realm=\"Distr\""}}),
 		),
 		authn.Alternative[string, authinfo.AuthInfoWithOrganization](
-			// Authenticate UserAccount with PAT
+			// Authenticate UserAccount with PAT or service account token
 			authn.Chain4(
 				authkey.Authenticator(),
-				authinfo.AuthKeyAuthenticator(),
+				authinfo.UnifiedAuthKeyAuthenticator(),
 				authinfo.DbAuthenticator(),
 				authinfo.DropUser(),
 			),
diff --git a/internal/authn/authinfo/authinfo.go b/internal/authn/authinfo/authinfo.go
index 744640d24..04a9f47a4 100644
--- a/internal/authn/authinfo/authinfo.go
+++ b/internal/authn/authinfo/authinfo.go
@@ -13,6 +13,10 @@ type AuthInfo interface {
 	CurrentCustomerOrgID() *uuid.UUID
 	CurrentUserEmailVerified() bool
 	IsSuperAdmin() bool
+	// CurrentServiceAccountID returns the ID of the calling service account, or nil when the
+	// caller is a human user. Service-account-backed AuthInfo has CurrentUserID() == uuid.Nil and
+	// CurrentUserEmail() == "".
+	CurrentServiceAccountID() *uuid.UUID
 	Token() any
 }
 
diff --git a/internal/authn/authinfo/db.go b/internal/authn/authinfo/db.go
index 35a70aafa..8f077709d 100644
--- a/internal/authn/authinfo/db.go
+++ b/internal/authn/authinfo/db.go
@@ -13,8 +13,9 @@ import (
 
 type DbAuthInfo struct {
 	AuthInfo
-	user *types.UserAccount
-	org  *types.Organization
+	user           *types.UserAccount
+	org            *types.Organization
+	serviceAccount *types.ServiceAccount
 }
 
 func (a DbAuthInfo) CurrentUser() *types.UserAccount {
@@ -25,8 +26,40 @@ func (a DbAuthInfo) CurrentOrg() *types.Organization {
 	return a.org
 }
 
+func (a DbAuthInfo) CurrentServiceAccount() *types.ServiceAccount {
+	return a.serviceAccount
+}
+
 func DbAuthenticator() authn.Authenticator[AuthInfo, AuthInfoWithUserAndOrganization] {
 	fn := func(ctx context.Context, a AuthInfo) (AuthInfoWithUserAndOrganization, error) {
+		if saID := a.CurrentServiceAccountID(); saID != nil {
+			if a.CurrentOrgID() == nil {
+				return nil, authn.ErrBadAuthentication
+			}
+			sa, err := db.GetServiceAccountByID(ctx, *saID, *a.CurrentOrgID())
+			if errors.Is(err, apierrors.ErrNotFound) {
+				return nil, authn.ErrBadAuthentication
+			} else if err != nil {
+				return nil, err
+			}
+			org, err := db.GetOrganizationByID(ctx, *a.CurrentOrgID())
+			if errors.Is(err, apierrors.ErrNotFound) {
+				return nil, authn.ErrBadAuthentication
+			} else if err != nil {
+				return nil, err
+			}
+			return &DbAuthInfo{
+				AuthInfo: &SimpleAuthInfo{
+					organizationID:         a.CurrentOrgID(),
+					customerOrganizationID: sa.CustomerOrganizationID,
+					accountRole:            &sa.AccountRole,
+					serviceAccountID:       &sa.ID,
+					rawToken:               a.Token(),
+				},
+				org:            org,
+				serviceAccount: sa,
+			}, nil
+		}
 		if a.CurrentOrgID() != nil {
 			// Super admins: skip membership check, just verify user and org exist
 			if a.IsSuperAdmin() {
diff --git a/internal/authn/authinfo/service_account.go b/internal/authn/authinfo/service_account.go
new file mode 100644
index 000000000..3c5c5bd7f
--- /dev/null
+++ b/internal/authn/authinfo/service_account.go
@@ -0,0 +1,53 @@
+package authinfo
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/distr-sh/distr/internal/apierrors"
+	"github.com/distr-sh/distr/internal/authkey"
+	"github.com/distr-sh/distr/internal/authn"
+	"github.com/distr-sh/distr/internal/db"
+)
+
+// FromServiceAccountAuthKey resolves an access token to a service-account-backed AuthInfo.
+// The resulting AuthInfo has CurrentServiceAccountID() set, while CurrentUserID() returns uuid.Nil
+// and CurrentUserEmail() returns "".
+func FromServiceAccountAuthKey(ctx context.Context, token authkey.Key) (AuthInfo, error) {
+	at, err := db.GetServiceAccountAccessTokenByKeyUpdatingLastUsed(ctx, token)
+	if err != nil {
+		if errors.Is(err, apierrors.ErrNotFound) {
+			err = fmt.Errorf("%w: %w", authn.ErrBadAuthentication, err)
+		}
+		return nil, err
+	}
+	return &SimpleAuthInfo{
+		serviceAccountID:       &at.ServiceAccount.ID,
+		organizationID:         &at.ServiceAccount.OrganizationID,
+		customerOrganizationID: at.ServiceAccount.CustomerOrganizationID,
+		accountRole:            &at.ServiceAccount.AccountRole,
+		rawToken:               token,
+	}, nil
+}
+
+// ServiceAccountAuthKeyAuthenticator returns an Authenticator that resolves an access key
+// to a service-account-backed AuthInfo.
+func ServiceAccountAuthKeyAuthenticator() authn.Authenticator[authkey.Key, AuthInfo] {
+	return authn.AuthenticatorFunc[authkey.Key, AuthInfo](FromServiceAccountAuthKey)
+}
+
+// UnifiedAuthKeyAuthenticator resolves an access key against the user PAT table first, and
+// falls back to the service-account token table if no user-PAT match is found.
+func UnifiedAuthKeyAuthenticator() authn.Authenticator[authkey.Key, AuthInfo] {
+	return authn.AuthenticatorFunc[authkey.Key, AuthInfo](
+		func(ctx context.Context, token authkey.Key) (AuthInfo, error) {
+			if info, err := FromAuthKey(ctx, token); err == nil {
+				return info, nil
+			} else if !errors.Is(err, authn.ErrBadAuthentication) {
+				return nil, err
+			}
+			return FromServiceAccountAuthKey(ctx, token)
+		},
+	)
+}
diff --git a/internal/authn/authinfo/simple.go b/internal/authn/authinfo/simple.go
index 3a556ebb8..c0c7fc3a8 100644
--- a/internal/authn/authinfo/simple.go
+++ b/internal/authn/authinfo/simple.go
@@ -13,6 +13,7 @@ type SimpleAuthInfo struct {
 	emailVerified          bool
 	accountRole            *types.AccountRole
 	isSuperAdmin           bool
+	serviceAccountID       *uuid.UUID
 	rawToken               any
 }
 
@@ -37,6 +38,9 @@ func (i *SimpleAuthInfo) CurrentAccountRole() *types.AccountRole { return i.acco
 // IsSuperAdmin implements AuthInfo.
 func (i *SimpleAuthInfo) IsSuperAdmin() bool { return i.isSuperAdmin }
 
+// CurrentServiceAccountID implements AuthInfo.
+func (i *SimpleAuthInfo) CurrentServiceAccountID() *uuid.UUID { return i.serviceAccountID }
+
 // Token implements AuthInfo.
 func (i *SimpleAuthInfo) Token() any { return i.rawToken }
 
diff --git a/internal/context/data.go b/internal/context/data.go
index 37f6c3a44..9b6fc730b 100644
--- a/internal/context/data.go
+++ b/internal/context/data.go
@@ -137,3 +137,14 @@ func GetRequestIPAddress(ctx context.Context) string {
 func WithRequestIPAddress(ctx context.Context, address string) context.Context {
 	return context.WithValue(ctx, ctxKeyIPAddress, address)
 }
+
+func WithServiceAccount(ctx context.Context, sa *types.ServiceAccount) context.Context {
+	return context.WithValue(ctx, ctxKeyServiceAccount, sa)
+}
+
+func GetServiceAccount(ctx context.Context) *types.ServiceAccount {
+	if sa, ok := ctx.Value(ctxKeyServiceAccount).(*types.ServiceAccount); ok {
+		return sa
+	}
+	panic("no ServiceAccount found in context")
+}
diff --git a/internal/context/main.go b/internal/context/main.go
index 790f515b7..b8ad61fb0 100644
--- a/internal/context/main.go
+++ b/internal/context/main.go
@@ -31,6 +31,7 @@ const (
 	ctxKeyLicenseKey
 	ctxKeyPrometheusCollector
 	ctxKeyS3Client
+	ctxKeyServiceAccount
 )
 
 func GetDb(ctx context.Context) queryable.Queryable {
diff --git a/internal/db/service_account.go b/internal/db/service_account.go
new file mode 100644
index 000000000..aa70c5586
--- /dev/null
+++ b/internal/db/service_account.go
@@ -0,0 +1,175 @@
+package db
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/distr-sh/distr/internal/apierrors"
+	internalctx "github.com/distr-sh/distr/internal/context"
+	"github.com/distr-sh/distr/internal/types"
+	"github.com/google/uuid"
+	"github.com/jackc/pgerrcode"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgconn"
+)
+
+const serviceAccountOutputExpr = `
+	sa.id, sa.created_at, sa.organization_id, sa.customer_organization_id, sa.name, sa.account_role
+`
+
+func CreateServiceAccount(ctx context.Context, sa *types.ServiceAccount) error {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`INSERT INTO ServiceAccount AS sa (organization_id, customer_organization_id, name, account_role)
+			VALUES (@orgId, @customerOrgId, @name, @accountRole)
+			RETURNING %s`,
+			serviceAccountOutputExpr,
+		),
+		pgx.NamedArgs{
+			"orgId":         sa.OrganizationID,
+			"customerOrgId": sa.CustomerOrganizationID,
+			"name":          sa.Name,
+			"accountRole":   sa.AccountRole,
+		},
+	)
+	if err != nil {
+		if pgerr := (*pgconn.PgError)(nil); errors.As(err, &pgerr) && pgerr.Code == pgerrcode.UniqueViolation {
+			return fmt.Errorf("service account %q can not be created: %w", sa.Name, apierrors.ErrAlreadyExists)
+		}
+		return fmt.Errorf("could not create service account: %w", err)
+	}
+	if res, err := pgx.CollectExactlyOneRow(rows, pgx.RowToStructByName[types.ServiceAccount]); err != nil {
+		return fmt.Errorf("could not create service account: %w", err)
+	} else {
+		*sa = res
+		return nil
+	}
+}
+
+func UpdateServiceAccount(ctx context.Context, sa *types.ServiceAccount) error {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`UPDATE ServiceAccount AS sa
+			SET name = @name, account_role = @accountRole
+			WHERE id = @id AND organization_id = @orgId
+			RETURNING %s`,
+			serviceAccountOutputExpr,
+		),
+		pgx.NamedArgs{
+			"id":          sa.ID,
+			"orgId":       sa.OrganizationID,
+			"name":        sa.Name,
+			"accountRole": sa.AccountRole,
+		},
+	)
+	if err != nil {
+		if pgerr := (*pgconn.PgError)(nil); errors.As(err, &pgerr) && pgerr.Code == pgerrcode.UniqueViolation {
+			return fmt.Errorf("service account %q can not be updated: %w", sa.Name, apierrors.ErrAlreadyExists)
+		}
+		return fmt.Errorf("could not update service account: %w", err)
+	}
+	if res, err := pgx.CollectExactlyOneRow(rows, pgx.RowToStructByName[types.ServiceAccount]); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return apierrors.ErrNotFound
+		}
+		return fmt.Errorf("could not update service account: %w", err)
+	} else {
+		*sa = res
+		return nil
+	}
+}
+
+func DeleteServiceAccount(ctx context.Context, id, orgID uuid.UUID) error {
+	db := internalctx.GetDb(ctx)
+	cmd, err := db.Exec(
+		ctx,
+		`DELETE FROM ServiceAccount WHERE id = @id AND organization_id = @orgId`,
+		pgx.NamedArgs{"id": id, "orgId": orgID},
+	)
+	if err != nil {
+		return fmt.Errorf("could not delete service account: %w", err)
+	}
+	if cmd.RowsAffected() == 0 {
+		return apierrors.ErrNotFound
+	}
+	return nil
+}
+
+func GetServiceAccountsByOrgID(ctx context.Context, orgID uuid.UUID) ([]types.ServiceAccount, error) {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`SELECT %s
+			FROM ServiceAccount sa
+			WHERE sa.organization_id = @orgId AND sa.customer_organization_id IS NULL
+			ORDER BY sa.name`,
+			serviceAccountOutputExpr,
+		),
+		pgx.NamedArgs{"orgId": orgID},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not query service accounts: %w", err)
+	}
+	if result, err := pgx.CollectRows(rows, pgx.RowToStructByName[types.ServiceAccount]); err != nil {
+		return nil, fmt.Errorf("could not map service accounts: %w", err)
+	} else {
+		return result, nil
+	}
+}
+
+func GetServiceAccountsByCustomerOrgID(
+	ctx context.Context,
+	customerOrgID uuid.UUID,
+) ([]types.ServiceAccount, error) {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`SELECT %s
+			FROM ServiceAccount sa
+			WHERE sa.customer_organization_id = @customerOrgId
+			ORDER BY sa.name`,
+			serviceAccountOutputExpr,
+		),
+		pgx.NamedArgs{"customerOrgId": customerOrgID},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not query service accounts: %w", err)
+	}
+	if result, err := pgx.CollectRows(rows, pgx.RowToStructByName[types.ServiceAccount]); err != nil {
+		return nil, fmt.Errorf("could not map service accounts: %w", err)
+	} else {
+		return result, nil
+	}
+}
+
+func GetServiceAccountByID(ctx context.Context, id, orgID uuid.UUID) (*types.ServiceAccount, error) {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`SELECT %s
+			FROM ServiceAccount sa
+			WHERE sa.id = @id AND sa.organization_id = @orgId`,
+			serviceAccountOutputExpr,
+		),
+		pgx.NamedArgs{"id": id, "orgId": orgID},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not query service account: %w", err)
+	}
+	if result, err := pgx.CollectExactlyOneRow(rows, pgx.RowToStructByName[types.ServiceAccount]); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, apierrors.ErrNotFound
+		}
+		return nil, fmt.Errorf("could not map service account: %w", err)
+	} else {
+		return &result, nil
+	}
+}
diff --git a/internal/db/service_account_access_token.go b/internal/db/service_account_access_token.go
new file mode 100644
index 000000000..2de374de9
--- /dev/null
+++ b/internal/db/service_account_access_token.go
@@ -0,0 +1,133 @@
+package db
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/distr-sh/distr/internal/apierrors"
+	"github.com/distr-sh/distr/internal/authkey"
+	internalctx "github.com/distr-sh/distr/internal/context"
+	"github.com/distr-sh/distr/internal/types"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+)
+
+const (
+	serviceAccountAccessTokenOutputExpr = `
+	tok.id, tok.created_at, tok.expires_at, tok.last_used_at, tok.label, tok.key, tok.service_account_id
+`
+	serviceAccountAccessTokenWithServiceAccountOutputExpr = serviceAccountAccessTokenOutputExpr + `,
+	(` + serviceAccountOutputExpr + `) AS service_account
+`
+)
+
+func CreateServiceAccountAccessToken(ctx context.Context, token *types.ServiceAccountAccessToken) error {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`INSERT INTO ServiceAccountAccessToken AS tok (label, expires_at, key, service_account_id)
+			VALUES (@label, @expiresAt, @key, @serviceAccountId)
+			RETURNING %s`,
+			serviceAccountAccessTokenOutputExpr,
+		),
+		pgx.NamedArgs{
+			"label":            token.Label,
+			"expiresAt":        token.ExpiresAt,
+			"key":              token.Key[:],
+			"serviceAccountId": token.ServiceAccountID,
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("could not create service account token: %w", err)
+	}
+	if res, err := pgx.CollectExactlyOneRow(
+		rows,
+		pgx.RowToStructByName[types.ServiceAccountAccessToken],
+	); err != nil {
+		return fmt.Errorf("could not create service account token: %w", err)
+	} else {
+		*token = res
+		return nil
+	}
+}
+
+func DeleteServiceAccountAccessToken(ctx context.Context, id, serviceAccountID uuid.UUID) error {
+	db := internalctx.GetDb(ctx)
+	cmd, err := db.Exec(
+		ctx,
+		`DELETE FROM ServiceAccountAccessToken WHERE id = @id AND service_account_id = @serviceAccountId`,
+		pgx.NamedArgs{"id": id, "serviceAccountId": serviceAccountID},
+	)
+	if err != nil {
+		return fmt.Errorf("could not delete service account token: %w", err)
+	}
+	if cmd.RowsAffected() == 0 {
+		return apierrors.ErrNotFound
+	}
+	return nil
+}
+
+func GetServiceAccountAccessTokens(
+	ctx context.Context,
+	serviceAccountID uuid.UUID,
+) ([]types.ServiceAccountAccessToken, error) {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`SELECT %s
+			FROM ServiceAccountAccessToken tok
+			WHERE tok.service_account_id = @serviceAccountId
+			ORDER BY tok.created_at DESC`,
+			serviceAccountAccessTokenOutputExpr,
+		),
+		pgx.NamedArgs{"serviceAccountId": serviceAccountID},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not query service account tokens: %w", err)
+	}
+	if result, err := pgx.CollectRows(rows, pgx.RowToStructByName[types.ServiceAccountAccessToken]); err != nil {
+		return nil, fmt.Errorf("could not map service account tokens: %w", err)
+	} else {
+		return result, nil
+	}
+}
+
+func GetServiceAccountAccessTokenByKeyUpdatingLastUsed(
+	ctx context.Context,
+	key authkey.Key,
+) (*types.ServiceAccountAccessTokenWithServiceAccount, error) {
+	db := internalctx.GetDb(ctx)
+	rows, err := db.Query(
+		ctx,
+		fmt.Sprintf(
+			`WITH updated AS (
+				UPDATE ServiceAccountAccessToken
+				SET last_used_at = now()
+				WHERE key = @key AND (expires_at IS NULL OR expires_at > now())
+				RETURNING *
+			)
+			SELECT %s FROM updated tok
+			INNER JOIN ServiceAccount sa ON sa.id = tok.service_account_id
+			`,
+			serviceAccountAccessTokenWithServiceAccountOutputExpr,
+		),
+		pgx.NamedArgs{"key": key[:]},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("error querying service account token: %w", err)
+	}
+	if result, err := pgx.CollectExactlyOneRow(
+		rows,
+		pgx.RowToStructByName[types.ServiceAccountAccessTokenWithServiceAccount],
+	); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			err = apierrors.ErrNotFound
+		}
+		return nil, fmt.Errorf("could not get service account token: %w", err)
+	} else {
+		return &result, nil
+	}
+}
diff --git a/internal/handlers/service_account_access_tokens.go b/internal/handlers/service_account_access_tokens.go
new file mode 100644
index 000000000..5658343f6
--- /dev/null
+++ b/internal/handlers/service_account_access_tokens.go
@@ -0,0 +1,113 @@
+package handlers
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/distr-sh/distr/api"
+	"github.com/distr-sh/distr/internal/apierrors"
+	"github.com/distr-sh/distr/internal/authkey"
+	internalctx "github.com/distr-sh/distr/internal/context"
+	"github.com/distr-sh/distr/internal/db"
+	"github.com/distr-sh/distr/internal/mapping"
+	"github.com/distr-sh/distr/internal/types"
+	"github.com/getsentry/sentry-go"
+	"github.com/google/uuid"
+	"github.com/oaswrap/spec/adapter/chiopenapi"
+	"github.com/oaswrap/spec/option"
+	"go.uber.org/zap"
+)
+
+func ServiceAccountAccessTokensRouter(r chiopenapi.Router) {
+	r.WithOptions(option.GroupTags("Service Account Tokens"))
+
+	r.Get("/", listServiceAccountAccessTokensHandler).
+		With(option.Description("List access tokens for a service account")).
+		With(option.Request(api.ServiceAccountIDRequest{})).
+		With(option.Response(http.StatusOK, []api.AccessToken{}))
+
+	r.Post("/", createServiceAccountAccessTokenHandler).
+		With(option.Description("Create a new access token for a service account")).
+		With(option.Request(struct {
+			api.ServiceAccountIDRequest
+			api.CreateServiceAccountAccessTokenRequest
+		}{})).
+		With(option.Response(http.StatusCreated, api.AccessTokenWithKey{}))
+
+	r.Delete("/{tokenId}", deleteServiceAccountAccessTokenHandler).
+		With(option.Description("Delete an access token of a service account")).
+		With(option.Request(api.ServiceAccountAccessTokenIDRequest{}))
+}
+
+func listServiceAccountAccessTokensHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	sa := internalctx.GetServiceAccount(ctx)
+
+	tokens, err := db.GetServiceAccountAccessTokens(ctx, sa.ID)
+	if err != nil {
+		log.Error("failed to list service account tokens", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	RespondJSON(w, mapping.List(tokens, mapping.ServiceAccountAccessTokenToDTO))
+}
+
+func createServiceAccountAccessTokenHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	sa := internalctx.GetServiceAccount(ctx)
+
+	body, err := JsonBody[api.CreateServiceAccountAccessTokenRequest](w, r)
+	if err != nil {
+		return
+	}
+
+	key, err := authkey.NewKey()
+	if err != nil {
+		log.Warn("error creating token key", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	token := types.ServiceAccountAccessToken{
+		ExpiresAt:        body.ExpiresAt,
+		Label:            body.Label,
+		ServiceAccountID: sa.ID,
+		Key:              key,
+	}
+	if err := db.CreateServiceAccountAccessToken(ctx, &token); err != nil {
+		log.Warn("error creating service account token", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	RespondJSON(w, mapping.ServiceAccountAccessTokenToDTO(token).WithKey(token.Key))
+}
+
+func deleteServiceAccountAccessTokenHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	sa := internalctx.GetServiceAccount(ctx)
+
+	tokenID, err := uuid.Parse(r.PathValue("tokenId"))
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+	if err := db.DeleteServiceAccountAccessToken(ctx, tokenID, sa.ID); err != nil {
+		if errors.Is(err, apierrors.ErrNotFound) {
+			http.NotFound(w, r)
+			return
+		}
+		log.Warn("error deleting service account token", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/internal/handlers/service_accounts.go b/internal/handlers/service_accounts.go
new file mode 100644
index 000000000..8dd6f8fb0
--- /dev/null
+++ b/internal/handlers/service_accounts.go
@@ -0,0 +1,240 @@
+package handlers
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/distr-sh/distr/api"
+	"github.com/distr-sh/distr/internal/apierrors"
+	"github.com/distr-sh/distr/internal/auth"
+	internalctx "github.com/distr-sh/distr/internal/context"
+	"github.com/distr-sh/distr/internal/db"
+	"github.com/distr-sh/distr/internal/mapping"
+	"github.com/distr-sh/distr/internal/middleware"
+	"github.com/distr-sh/distr/internal/types"
+	"github.com/getsentry/sentry-go"
+	"github.com/google/uuid"
+	"github.com/oaswrap/spec/adapter/chiopenapi"
+	"github.com/oaswrap/spec/option"
+	"go.uber.org/zap"
+)
+
+func ServiceAccountsRouter(r chiopenapi.Router) {
+	r.WithOptions(option.GroupTags("Service Accounts"))
+	r.Use(
+		middleware.RequireOrgAndRole,
+		middleware.RequireAdmin,
+		middleware.BlockSuperAdmin,
+		middleware.BlockServiceAccount,
+	)
+
+	r.Get("/", listServiceAccountsHandler).
+		With(option.Description("List all service accounts")).
+		With(option.Response(http.StatusOK, []api.ServiceAccountResponse{}))
+
+	r.Post("/", createServiceAccountHandler).
+		With(option.Description("Create a new service account")).
+		With(option.Request(api.CreateServiceAccountRequest{})).
+		With(option.Response(http.StatusCreated, api.ServiceAccountResponse{}))
+
+	r.Route("/{serviceAccountId}", func(r chiopenapi.Router) {
+		r.Use(serviceAccountMiddleware)
+
+		r.Get("/", getServiceAccountHandler).
+			With(option.Description("Get a service account")).
+			With(option.Request(api.ServiceAccountIDRequest{})).
+			With(option.Response(http.StatusOK, api.ServiceAccountResponse{}))
+
+		r.Patch("/", patchServiceAccountHandler).
+			With(option.Description("Update a service account")).
+			With(option.Request(struct {
+				api.ServiceAccountIDRequest
+				api.PatchServiceAccountRequest
+			}{})).
+			With(option.Response(http.StatusOK, api.ServiceAccountResponse{}))
+
+		r.Delete("/", deleteServiceAccountHandler).
+			With(option.Description("Delete a service account")).
+			With(option.Request(api.ServiceAccountIDRequest{}))
+
+		r.Route("/tokens", ServiceAccountAccessTokensRouter)
+	})
+}
+
+func listServiceAccountsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	auth := auth.Authentication.Require(ctx)
+
+	var sas []types.ServiceAccount
+	var err error
+	if customerOrgID := auth.CurrentCustomerOrgID(); customerOrgID != nil {
+		sas, err = db.GetServiceAccountsByCustomerOrgID(ctx, *customerOrgID)
+	} else {
+		sas, err = db.GetServiceAccountsByOrgID(ctx, *auth.CurrentOrgID())
+	}
+	if err != nil {
+		log.Error("failed to list service accounts", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	RespondJSON(w, mapping.List(sas, mapping.ServiceAccountToAPI))
+}
+
+func createServiceAccountHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	auth := auth.Authentication.Require(ctx)
+
+	body, err := JsonBody[api.CreateServiceAccountRequest](w, r)
+	if err != nil {
+		return
+	}
+
+	if _, err := types.ParseAccountRole(string(body.AccountRole)); err != nil {
+		http.Error(w, "invalid accountRole", http.StatusBadRequest)
+		return
+	}
+	if body.Name == "" {
+		http.Error(w, "name is required", http.StatusBadRequest)
+		return
+	}
+
+	customerOrgID := body.CustomerOrganizationID
+	if callerCustomerOrgID := auth.CurrentCustomerOrgID(); callerCustomerOrgID != nil {
+		if customerOrgID != nil && *customerOrgID != *callerCustomerOrgID {
+			http.Error(w, "cannot create service account outside your customer organization", http.StatusForbidden)
+			return
+		}
+		customerOrgID = callerCustomerOrgID
+	} else if customerOrgID != nil {
+		co, err := db.GetCustomerOrganizationByID(ctx, *customerOrgID)
+		if errors.Is(err, apierrors.ErrNotFound) || (err == nil && co.OrganizationID != *auth.CurrentOrgID()) {
+			http.Error(w, "customer organization does not exist", http.StatusBadRequest)
+			return
+		} else if err != nil {
+			log.Error("failed to get customer organization", zap.Error(err))
+			sentry.GetHubFromContext(ctx).CaptureException(err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	sa := types.ServiceAccount{
+		OrganizationID:         *auth.CurrentOrgID(),
+		CustomerOrganizationID: customerOrgID,
+		Name:                   body.Name,
+		AccountRole:            body.AccountRole,
+	}
+	if err := db.CreateServiceAccount(ctx, &sa); err != nil {
+		if errors.Is(err, apierrors.ErrAlreadyExists) {
+			http.Error(w, "a service account with this name already exists", http.StatusConflict)
+			return
+		}
+		log.Error("failed to create service account", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	RespondJSON(w, mapping.ServiceAccountToAPI(sa))
+}
+
+func getServiceAccountHandler(w http.ResponseWriter, r *http.Request) {
+	sa := internalctx.GetServiceAccount(r.Context())
+	RespondJSON(w, mapping.ServiceAccountToAPI(*sa))
+}
+
+func patchServiceAccountHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	sa := internalctx.GetServiceAccount(ctx)
+
+	body, err := JsonBody[api.PatchServiceAccountRequest](w, r)
+	if err != nil {
+		return
+	}
+
+	if body.Name != nil {
+		if *body.Name == "" {
+			http.Error(w, "name cannot be empty", http.StatusBadRequest)
+			return
+		}
+		sa.Name = *body.Name
+	}
+	if body.AccountRole != nil {
+		if _, err := types.ParseAccountRole(string(*body.AccountRole)); err != nil {
+			http.Error(w, "invalid accountRole", http.StatusBadRequest)
+			return
+		}
+		sa.AccountRole = *body.AccountRole
+	}
+
+	if err := db.UpdateServiceAccount(ctx, sa); err != nil {
+		if errors.Is(err, apierrors.ErrAlreadyExists) {
+			http.Error(w, "a service account with this name already exists", http.StatusConflict)
+			return
+		} else if errors.Is(err, apierrors.ErrNotFound) {
+			http.NotFound(w, r)
+			return
+		}
+		log.Error("failed to update service account", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	RespondJSON(w, mapping.ServiceAccountToAPI(*sa))
+}
+
+func deleteServiceAccountHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := internalctx.GetLogger(ctx)
+	auth := auth.Authentication.Require(ctx)
+	sa := internalctx.GetServiceAccount(ctx)
+
+	if err := db.DeleteServiceAccount(ctx, sa.ID, *auth.CurrentOrgID()); err != nil {
+		if errors.Is(err, apierrors.ErrNotFound) {
+			http.NotFound(w, r)
+			return
+		}
+		log.Error("failed to delete service account", zap.Error(err))
+		sentry.GetHubFromContext(ctx).CaptureException(err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func serviceAccountMiddleware(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		auth := auth.Authentication.Require(ctx)
+		log := internalctx.GetLogger(ctx)
+
+		saID, err := uuid.Parse(r.PathValue("serviceAccountId"))
+		if err != nil {
+			http.NotFound(w, r)
+			return
+		}
+		sa, err := db.GetServiceAccountByID(ctx, saID, *auth.CurrentOrgID())
+		if errors.Is(err, apierrors.ErrNotFound) {
+			http.NotFound(w, r)
+			return
+		} else if err != nil {
+			log.Warn("error getting service account", zap.Error(err))
+			sentry.GetHubFromContext(ctx).CaptureException(err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		// A customer admin may only act on SAs scoped to their own customer org.
+		if callerCustomerOrgID := auth.CurrentCustomerOrgID(); callerCustomerOrgID != nil {
+			if sa.CustomerOrganizationID == nil || *sa.CustomerOrganizationID != *callerCustomerOrgID {
+				http.NotFound(w, r)
+				return
+			}
+		}
+		h.ServeHTTP(w, r.WithContext(internalctx.WithServiceAccount(ctx, sa)))
+	})
+}
diff --git a/internal/mapping/service_account.go b/internal/mapping/service_account.go
new file mode 100644
index 000000000..f1af77621
--- /dev/null
+++ b/internal/mapping/service_account.go
@@ -0,0 +1,26 @@
+package mapping
+
+import (
+	"github.com/distr-sh/distr/api"
+	"github.com/distr-sh/distr/internal/types"
+)
+
+func ServiceAccountToAPI(sa types.ServiceAccount) api.ServiceAccountResponse {
+	return api.ServiceAccountResponse{
+		ID:                     sa.ID,
+		CreatedAt:              sa.CreatedAt,
+		Name:                   sa.Name,
+		AccountRole:            sa.AccountRole,
+		CustomerOrganizationID: sa.CustomerOrganizationID,
+	}
+}
+
+func ServiceAccountAccessTokenToDTO(t types.ServiceAccountAccessToken) api.AccessToken {
+	return api.AccessToken{
+		ID:         t.ID,
+		CreatedAt:  t.CreatedAt,
+		ExpiresAt:  t.ExpiresAt,
+		LastUsedAt: t.LastUsedAt,
+		Label:      t.Label,
+	}
+}
diff --git a/internal/middleware/middleware.go b/internal/middleware/middleware.go
index 274d7c7e0..7c1a6c39c 100644
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -231,6 +231,18 @@ func BlockSuperAdmin(handler http.Handler) http.Handler {
 	return http.HandlerFunc(fn)
 }
 
+func BlockServiceAccount(handler http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		if a, err := auth.Authentication.Get(ctx); err == nil && a.CurrentServiceAccountID() != nil {
+			http.Error(w, "service accounts cannot perform this action", http.StatusForbidden)
+			return
+		}
+		handler.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
 func FeatureFlagMiddleware(feature types.Feature) func(handler http.Handler) http.Handler {
 	return func(handler http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
diff --git a/internal/migrations/sql/100_service_accounts.down.sql b/internal/migrations/sql/100_service_accounts.down.sql
new file mode 100644
index 000000000..2abdb05f3
--- /dev/null
+++ b/internal/migrations/sql/100_service_accounts.down.sql
@@ -0,0 +1,3 @@
+DROP TABLE ServiceAccountAccessToken;
+
+DROP TABLE ServiceAccount;
diff --git a/internal/migrations/sql/100_service_accounts.up.sql b/internal/migrations/sql/100_service_accounts.up.sql
new file mode 100644
index 000000000..f46e54caf
--- /dev/null
+++ b/internal/migrations/sql/100_service_accounts.up.sql
@@ -0,0 +1,25 @@
+CREATE TABLE ServiceAccount (
+  id                       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  created_at               TIMESTAMP NOT NULL DEFAULT current_timestamp,
+  organization_id          UUID NOT NULL REFERENCES Organization(id) ON DELETE CASCADE,
+  customer_organization_id UUID REFERENCES CustomerOrganization(id) ON DELETE CASCADE,
+  name                     TEXT NOT NULL,
+  account_role             ACCOUNT_ROLE NOT NULL,
+  UNIQUE (organization_id, customer_organization_id, name)
+);
+
+CREATE INDEX fk_ServiceAccount_organization_id ON ServiceAccount(organization_id);
+CREATE INDEX fk_ServiceAccount_customer_organization_id ON ServiceAccount(customer_organization_id);
+
+CREATE TABLE ServiceAccountAccessToken (
+  id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  created_at         TIMESTAMP NOT NULL DEFAULT current_timestamp,
+  expires_at         TIMESTAMP,
+  last_used_at       TIMESTAMP,
+  label              TEXT,
+  key                BYTEA UNIQUE NOT NULL,
+  service_account_id UUID NOT NULL REFERENCES ServiceAccount(id) ON DELETE CASCADE
+);
+
+CREATE INDEX ServiceAccountAccessToken_key ON ServiceAccountAccessToken(key);
+CREATE INDEX fk_ServiceAccountAccessToken_service_account_id ON ServiceAccountAccessToken(service_account_id);
diff --git a/internal/routing/routing.go b/internal/routing/routing.go
index e0bb92af6..8a909ebfa 100644
--- a/internal/routing/routing.go
+++ b/internal/routing/routing.go
@@ -175,6 +175,7 @@ func ApiRouter(
 					r.Route("/organization", handlers.OrganizationRouter)
 					r.Route("/organizations", handlers.OrganizationsRouter)
 					r.Route("/secrets", handlers.SecretsRouter)
+					r.Route("/service-accounts", handlers.ServiceAccountsRouter)
 					r.Route("/settings", handlers.SettingsRouter)
 					r.With(middleware.ProFeature).Route("/support-bundles", handlers.SupportBundlesRouter)
 					r.Route("/tutorial-progress", handlers.TutorialsRouter)
diff --git a/internal/types/service_account.go b/internal/types/service_account.go
new file mode 100644
index 000000000..0213bb7c8
--- /dev/null
+++ b/internal/types/service_account.go
@@ -0,0 +1,32 @@
+package types
+
+import (
+	"time"
+
+	"github.com/distr-sh/distr/internal/authkey"
+	"github.com/google/uuid"
+)
+
+type ServiceAccount struct {
+	ID                     uuid.UUID   `db:"id"`
+	CreatedAt              time.Time   `db:"created_at"`
+	OrganizationID         uuid.UUID   `db:"organization_id"`
+	CustomerOrganizationID *uuid.UUID  `db:"customer_organization_id"`
+	Name                   string      `db:"name"`
+	AccountRole            AccountRole `db:"account_role"`
+}
+
+type ServiceAccountAccessToken struct {
+	ID               uuid.UUID   `db:"id"`
+	CreatedAt        time.Time   `db:"created_at"`
+	ExpiresAt        *time.Time  `db:"expires_at"`
+	LastUsedAt       *time.Time  `db:"last_used_at"`
+	Label            *string     `db:"label"`
+	Key              authkey.Key `db:"key"`
+	ServiceAccountID uuid.UUID   `db:"service_account_id"`
+}
+
+type ServiceAccountAccessTokenWithServiceAccount struct {
+	ServiceAccountAccessToken
+	ServiceAccount ServiceAccount `db:"service_account"`
+}
diff --git a/sdk/js/docs/README.md b/sdk/js/docs/README.md
index cec7dd463..478add000 100644
--- a/sdk/js/docs/README.md
+++ b/sdk/js/docs/README.md
@@ -19,6 +19,7 @@
 - [ApplicationVersionResource](interfaces/ApplicationVersionResource.md)
 - [BaseModel](interfaces/BaseModel.md)
 - [CreateAccessTokenRequest](interfaces/CreateAccessTokenRequest.md)
+- [CreateServiceAccountRequest](interfaces/CreateServiceAccountRequest.md)
 - [CreateSupportBundleCommentRequest](interfaces/CreateSupportBundleCommentRequest.md)
 - [CreateSupportBundleRequest](interfaces/CreateSupportBundleRequest.md)
 - [CreateSupportBundleResponse](interfaces/CreateSupportBundleResponse.md)
@@ -37,6 +38,8 @@
 - [Named](interfaces/Named.md)
 - [OrganizationBranding](interfaces/OrganizationBranding.md)
 - [PatchApplicationRequest](interfaces/PatchApplicationRequest.md)
+- [PatchServiceAccountRequest](interfaces/PatchServiceAccountRequest.md)
+- [ServiceAccount](interfaces/ServiceAccount.md)
 - [SidebarLink](interfaces/SidebarLink.md)
 - [SupportBundle](interfaces/SupportBundle.md)
 - [SupportBundleComment](interfaces/SupportBundleComment.md)
diff --git a/sdk/js/docs/interfaces/CreateServiceAccountRequest.md b/sdk/js/docs/interfaces/CreateServiceAccountRequest.md
new file mode 100644
index 000000000..f0198c72c
--- /dev/null
+++ b/sdk/js/docs/interfaces/CreateServiceAccountRequest.md
@@ -0,0 +1,25 @@
+[**@distr-sh/distr-sdk**](../README.md)
+
+---
+
+[@distr-sh/distr-sdk](../README.md) / CreateServiceAccountRequest
+
+# Interface: CreateServiceAccountRequest
+
+## Properties
+
+### accountRole
+
+> **accountRole**: [`AccountRole`](../type-aliases/AccountRole.md)
+
+---
+
+### customerOrganizationId?
+
+> `optional` **customerOrganizationId?**: `string`
+
+---
+
+### name
+
+> **name**: `string`
diff --git a/sdk/js/docs/interfaces/PatchServiceAccountRequest.md b/sdk/js/docs/interfaces/PatchServiceAccountRequest.md
new file mode 100644
index 000000000..9c0bf266d
--- /dev/null
+++ b/sdk/js/docs/interfaces/PatchServiceAccountRequest.md
@@ -0,0 +1,19 @@
+[**@distr-sh/distr-sdk**](../README.md)
+
+---
+
+[@distr-sh/distr-sdk](../README.md) / PatchServiceAccountRequest
+
+# Interface: PatchServiceAccountRequest
+
+## Properties
+
+### accountRole?
+
+> `optional` **accountRole?**: [`AccountRole`](../type-aliases/AccountRole.md)
+
+---
+
+### name?
+
+> `optional` **name?**: `string`
diff --git a/sdk/js/docs/interfaces/ServiceAccount.md b/sdk/js/docs/interfaces/ServiceAccount.md
new file mode 100644
index 000000000..571141852
--- /dev/null
+++ b/sdk/js/docs/interfaces/ServiceAccount.md
@@ -0,0 +1,37 @@
+[**@distr-sh/distr-sdk**](../README.md)
+
+---
+
+[@distr-sh/distr-sdk](../README.md) / ServiceAccount
+
+# Interface: ServiceAccount
+
+## Properties
+
+### accountRole
+
+> **accountRole**: [`AccountRole`](../type-aliases/AccountRole.md)
+
+---
+
+### createdAt
+
+> **createdAt**: `string`
+
+---
+
+### customerOrganizationId?
+
+> `optional` **customerOrganizationId?**: `string`
+
+---
+
+### id
+
+> **id**: `string`
+
+---
+
+### name
+
+> **name**: `string`
diff --git a/sdk/js/src/types/index.ts b/sdk/js/src/types/index.ts
index f976811bf..9ded9ac89 100644
--- a/sdk/js/src/types/index.ts
+++ b/sdk/js/src/types/index.ts
@@ -6,5 +6,6 @@ export * from './customer-organization';
 export * from './deployment';
 export * from './deployment-target';
 export * from './organization-branding';
+export * from './service-account';
 export * from './support-bundle';
 export * from './user-account';
diff --git a/sdk/js/src/types/service-account.ts b/sdk/js/src/types/service-account.ts
new file mode 100644
index 000000000..9196bcf8b
--- /dev/null
+++ b/sdk/js/src/types/service-account.ts
@@ -0,0 +1,20 @@
+import {AccountRole} from './user-account';
+
+export interface ServiceAccount {
+  id: string;
+  createdAt: string;
+  name: string;
+  accountRole: AccountRole;
+  customerOrganizationId?: string;
+}
+
+export interface CreateServiceAccountRequest {
+  name: string;
+  accountRole: AccountRole;
+  customerOrganizationId?: string;
+}
+
+export interface PatchServiceAccountRequest {
+  name?: string;
+  accountRole?: AccountRole;
+}
diff --git a/website/src/content/docs/docs/integrations/service-account.md b/website/src/content/docs/docs/integrations/service-account.md
new file mode 100644
index 000000000..5ad2a7922
--- /dev/null
+++ b/website/src/content/docs/docs/integrations/service-account.md
@@ -0,0 +1,64 @@
+---
+title: Service Accounts
+description: Create non-personalized service accounts to authenticate CI/CD pipelines and other automation with Distr.
+slug: docs/integrations/service-account
+sidebar:
+  order: 5
+---
+
+A **service account** is a non-personalized identity that authenticates automation (CI/CD pipelines, infrastructure
+tooling, webhook receivers, scripts) against the Distr API. Unlike a Personal Access Token, a service account is not
+tied to any human user, can hold multiple access tokens, and cannot log in to the web interface.
+
+Service accounts are the recommended way to authenticate machines and automation:
+
+- They survive employee turnover — you do not lose access when a user leaves.
+- Each service account has its own role, so you can grant least-privilege access per integration.
+- A service account can hold several tokens at once, so you can rotate without downtime.
+- Tokens authenticate against the same `Authorization: AccessToken distr-…` header as PATs, so SDK and client code does
+  not change.
+
+Only **administrators** can create, edit, delete, or manage tokens for service accounts.
+
+## Creating a service account
+
+1. In the sidebar, open **Users**. Below the users table you will see a **Service Accounts** section.
+2. Click **Create service account**.
+3. Enter a descriptive name (for example `ci-bot`) and choose the role the service account should have within the
+   organization. The role controls what the automation is allowed to do — pick the least-privilege role that works.
+4. Click **Create**. The new service account appears in the table.
+
+For customer-scoped automation (running inside a customer organization), open that customer's detail page and create
+the service account from the **Service Accounts** table there. The token of that service account will only see
+resources scoped to that customer.
+
+## Managing access tokens
+
+A service account does not have a token until you create one. Click **Manage tokens** on its row to open the
+service-account detail page.
+
+1. Click **Create token**, give the token a label (for example `github-actions`) and an optional expiry date.
+2. Click **Create**. The token is shown **once** at the top of the page. Copy it now and store it in your secret store
+   (GitHub Secrets, Vault, etc.) — you cannot retrieve it again.
+3. Repeat as needed. A service account can hold any number of active tokens.
+
+To revoke a token, click the trash icon on its row. Any automation using that token will receive `401 Unauthorized` on
+the next request.
+
+## Using a service account token
+
+Service account tokens authenticate exactly like Personal Access Tokens. Set the `Authorization` header to
+`AccessToken distr-…`:
+
+```bash
+curl -H "Authorization: AccessToken distr-xxxxxxxxxxxxxx" https://app.distr.sh/api/v1/deployment-targets
+```
+
+For OCI registry access (`docker login`, `helm registry login`), use the token as the password and any non-empty string
+as the username — same as a PAT.
+
+## Limits
+
+- Service accounts can be created and managed by users with the `admin` role only.
+- A service account cannot manage other service accounts, change its own role, or be used to log into the web UI.
+- Service accounts do not count toward your organization's user-seat quota.