
Summary

Goal: Understand and identify auto-created online scoring service accounts during project access audits.

Features: ACL endpoint, bt:async_scoring role, service account user type, ForbiddenError handling.

What is the bt:async_scoring service account

Each project that uses online scoring automatically gets a dedicated service account. This account has user_type: service_account and is a real user record in Braintrust, but it is not a human user and has no login. The service account is granted the bt:async_scoring role on the project via an ACL row. This role allows Braintrust to mint short-lived credentials for running online scoring.
  • Role name: bt:async_scoring
  • Role ID: d25ef5a8-...
  • Purpose: Service role for async/online scoring

Identifying service accounts in an access audit

Step 1: List all ACLs for a project

GET /v1/acl?object_type=project&object_id=<PROJECT_ID>
Look for rows where role_id = d25ef5a8-.... The user_id on that row is the auto-created service account for that project.

Step 2: Confirm the role

GET /v1/role/d25ef5a8-c1e0-4834-a1c7-b82ce7d4b82a
This returns the bt:async_scoring role definition.

ForbiddenError on user resolution

Owners and admins will see a ForbiddenError when attempting to resolve a service account user ID via the /user endpoint:
ForbiddenError: Missing read access to user id <user_id>, or the user does not exist
This is expected. Service account users are not resolvable by human users, including Owners.
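
The audit steps above can be scripted so that the expected ForbiddenError is separated from grants that need a second look. The following is an added example, not Braintrust's own code: it triages the rows of a Step 1 response offline. The "objects" wrapper, the group_id field, the function name and all sample IDs are assumptions constructed for illustration; only the role ID comes from this page.

```python
# Role ID for bt:async_scoring, as given in Step 2 on this page.
ASYNC_SCORING_ROLE_ID = "d25ef5a8-c1e0-4834-a1c7-b82ce7d4b82a"

# Constructed sample of a GET /v1/acl response for one project. The "objects"
# wrapper and the group_id field are assumptions; every ID below is made up.
SAMPLE_ACL_RESPONSE = {"objects": [
    {"id": "acl-1", "user_id": "user-svc-1", "group_id": None,
     "role_id": ASYNC_SCORING_ROLE_ID},
    {"id": "acl-2", "user_id": "user-alice", "group_id": None,
     "role_id": "role-editor"},
    {"id": "acl-3", "user_id": None, "group_id": "group-eng",
     "role_id": "role-viewer"},
    {"id": "acl-4", "user_id": "user-ghost", "group_id": None,
     "role_id": "role-editor"},
]}

# Constructed stand-in for /user lookups: IDs listed here resolved, any other
# ID came back with ForbiddenError.
RESOLVED_USER_IDS = {"user-alice"}


def triage_acl_rows(acl_response, resolved_user_ids):
    """Sort each ACL row's grantee into one audit bucket."""
    report = {"service_accounts": [], "users": [], "groups": [], "review": []}
    for row in acl_response.get("objects", []):
        user_id, group_id = row.get("user_id"), row.get("group_id")
        if user_id and row.get("role_id") == ASYNC_SCORING_ROLE_ID:
            # Auto-created scoring account: ForbiddenError on /user is expected.
            report["service_accounts"].append(user_id)
        elif user_id and user_id in resolved_user_ids:
            report["users"].append(user_id)
        elif user_id:
            # Unresolvable ID without the scoring role: the page's explanation
            # does not cover it, so a person should look at this grant.
            report["review"].append(user_id)
        elif group_id:
            report["groups"].append(group_id)
        else:
            report["review"].append(row.get("id"))  # no grantee on the row
    return report


if __name__ == "__main__":
    for bucket, ids in triage_acl_rows(SAMPLE_ACL_RESPONSE, RESOLVED_USER_IDS).items():
        print(f"{bucket}: {ids}")
```

Only the review bucket needs follow-up; IDs under service_accounts match the behavior described on this page.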