Project-scoped access with service tokens

Applies to:

Summary

Goal: Create API keys with project-level permissions more restrictive than the user’s own access. Features: Service tokens with custom permission groups provide project-scoped access control independent of user permissions.

Configuration Steps

Step 1: Create a service token

Navigate to Settings → Service Tokens and create a new service token.

Step 2: Create a permission group

Go to Settings → Access Control and create a permission group that excludes production projects or includes only the projects you want to grant access to.

Step 3: Assign the service token to the permission group

Add the service token as a member of the restricted permission group.

Step 4: Use the service token

Use the service token’s API key in your application code instead of your personal API key.

import braintrust

# Use service token with restricted permissions
braintrust.init(api_key="your-service-token-key")

Key Points

API keys inherit the creator’s full permissions and cannot be scoped below that level
Service tokens are separate accounts that can be assigned lower permissions than admin accounts
Service tokens inherit project access from their assigned permission groups
Multiple service tokens can be created for different permission levels (dev, staging, production)

​Summary

​Configuration Steps

​Step 1: Create a service token

​Step 2: Create a permission group

​Step 3: Assign the service token to the permission group

​Step 4: Use the service token

​Key Points

​Related Documentation