Service principal cannot create access token

You cannot create a token on behalf of a service principal with the API when token usage is disabled.

Written by rakesh.parija

Last published at: July 1st, 2022


You are trying to create a token on behalf of a service principal, using /2.0/token-management/on-behalf-of/tokens in the REST API but are getting a PERMISSION_DENIED error.

"error_code": "PERMISSION_DENIED",
"message": "User xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx does not have permission to use tokens."


This happens when the service principals are assigned to a user group that has token usage disabled.


Your workspace admin should enable token usage for the user group that contains the service principals.



You should create separate user groups for service principals and users who need token access and those who don't. This limits access only to those who need it and doesn't provide token access to all users in your workspace.

Enable token usage via the UI

  1. Click Settings in the left hand menu.
  2. Click Admin Console.
  3. Click the Workspace settings tab.
  4. Click Permission Settings in the Personal Access Tokens field.
    Workspace settings tab in the Admin Console screenshot.
  5. Add the groups that need token access in the Token Usage window.
    Permission Settings for Token Usage pop up window screenshot.
  6. Remove any groups that should not have token access.
  7. Click Save to apply the changes and close the window.

Enable token usage via the REST API

  • Review the token permissions API settings.
  • Use this sample code to update the token permissions.
  • Replace the following values in the sample code before running it on your local machine:
    • <admin-access-token> - Admin personal access token.
    • <user-group-name> - The name of the user group to grant token access permission. You can add multiple group entries if needed.
    • <workspace-url> - Replace this value with your Workspace URL.
curl --location --request PATCH 'https://<workspace-url>/api/2.0/preview/permissions/authorization/tokens'; \
--header 'Authorization: Bearer <admin-access-token>' \
--header 'Content-Type: application/json' \
--data-raw '{
  "access_control_list": [
      "group_name": "<user-group-name>",
      "permission_level": "CAN_USE"
      "group_name": "<user-group-name>",
      "permission_level": "CAN_USE"



This sample code only allows you to add token permissions via the API. It does not allow you to delete them. To delete token permissions via the API you must replace the token permissions for the entire workspace API using PUT instead of PATCH. Review the token permissions API settings for more details.

Was this article helpful?