# Online scoring service accounts in project ACLs

<Note>
  **Applies to:**

  * Plan - Any
  * Deployment - Any
  * Use case - Auditing project access and encountering unknown user IDs or ForbiddenErrors when resolving the bt:async_scoring online scoring service account
</Note>

## Summary

**Goal:** Understand and identify auto-created online scoring service accounts during project access audits.

**Features:** ACL endpoint, bt:async\_scoring role, service account user type, ForbiddenError handling.

## What is the bt:async\_scoring service account

Each project that uses online scoring automatically gets a dedicated service account. This account has `user_type: service_account` and is a real user record in Braintrust, but it is not a human user and has no login.

The service account is granted the `bt:async_scoring` role on the project via an ACL row. This role allows Braintrust to mint short-lived credentials for running online scoring.

* **Role name:** `bt:async_scoring`
* **Role ID:** `d25ef5a8-...`
* **Purpose:** Service role for async/online scoring

## Identifying service accounts in an access audit

### Step 1: List all ACLs for a project

```
GET /v1/acl?object_type=project&object_id=<PROJECT_ID>
```

Look for rows where `role_id = d25ef5a8-...`. The `user_id` on that row is the auto-created service account for that project.

### Step 2: Confirm the role

```
GET /v1/role/d25ef5a8-c1e0-4834-a1c7-b82ce7d4b82a
```

This returns the `bt:async_scoring` role definition.

## ForbiddenError on user resolution

Owners and admins will see a `ForbiddenError` when attempting to resolve a service account user ID via the `/user` endpoint:

```
ForbiddenError: Missing read access to user id <user_id>, or the user does not exist
```

This is expected. Service account users are not resolvable by human users, including Owners.
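
The audit steps and the `ForbiddenError` behavior above can be combined into one triage pass. The following is an added example, not Braintrust's own code: it assumes ACL rows expose `user_id`, `role_id` and `permission` keys and that user records expose `email`. `Forbidden`, `audit_project_acls`, `sample_resolver` and all sample IDs are hypothetical and constructed for illustration.

```python
# Role ID shown in Step 2 of this page for bt:async_scoring.
ASYNC_SCORING_ROLE_ID = "d25ef5a8-c1e0-4834-a1c7-b82ce7d4b82a"

class Forbidden(Exception):
    """Stand-in for the ForbiddenError returned when a user ID cannot be read."""

def audit_project_acls(acl_rows, resolve_user):
    """Sort the user principals on a project's ACL rows into audit buckets.

    acl_rows: dicts from GET /v1/acl (key names are assumptions).
    resolve_user: callable(user_id) -> dict, raising Forbidden when unreadable.
    """
    grants = {}
    for row in acl_rows:
        grant = row.get("role_id") or row.get("permission")
        if row.get("user_id") and grant:  # group grants carry no user_id
            grants.setdefault(row["user_id"], set()).add(grant)

    report = {"service_accounts": {}, "resolved": {}, "unexplained": []}
    for user_id in sorted(grants):
        if ASYNC_SCORING_ROLE_ID in grants[user_id]:
            # Expected auto-created account: do not resolve it (Forbidden is
            # normal), but surface any grants beyond the scoring role.
            extra = grants[user_id] - {ASYNC_SCORING_ROLE_ID}
            report["service_accounts"][user_id] = sorted(extra)
            continue
        try:
            report["resolved"][user_id] = resolve_user(user_id)["email"]
        except Forbidden:
            # Unreadable and not explained by the scoring role: follow up.
            report["unexplained"].append(user_id)
    return report

# Constructed sample data (not real IDs) standing in for the API responses.
SAMPLE_ROWS = [
    {"user_id": "u-alice", "role_id": "role-engineer", "permission": None},
    {"user_id": "u-svc-1", "role_id": ASYNC_SCORING_ROLE_ID, "permission": None},
    {"user_id": "u-ghost", "role_id": None, "permission": "read"},
    {"user_id": None, "group_id": "g-owners", "role_id": "role-owner"},
]
KNOWN_USERS = {"u-alice": {"email": "alice@example.com"}}

def sample_resolver(user_id):
    if user_id not in KNOWN_USERS:
        raise Forbidden(f"Missing read access to user id {user_id}")
    return KNOWN_USERS[user_id]
```

Only IDs that land in `unexplained` need further investigation; a non-empty list under a service account ID means that account holds grants beyond the scoring role.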
