# Project-scoped access with service tokens

<Note>
  **Applies to:**

  * Plan - Any
  * Deployment - Any
</Note>

## Summary

**Goal:** Create API keys with project-level permissions more restrictive than the user's own access.

**Features:** Service tokens with custom permission groups provide project-scoped access control independent of user permissions.

## Configuration Steps

### Step 1: Create a service token

Navigate to Settings → Service Tokens and create a new service token.

### Step 2: Create a permission group

Go to Settings → Access Control and create a permission group that excludes production projects or includes only the projects you want to grant access to.

### Step 3: Assign the service token to the permission group

Add the service token as a member of the restricted permission group.

### Step 4: Use the service token

Use the service token's API key in your application code instead of your personal API key.

```python
import braintrust

# Use the service token's API key (restricted permissions), not a personal API key.
# "your-service-token-key" is a placeholder; keep the real key out of source control.
braintrust.init(api_key="your-service-token-key")
```
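To confirm that the steps above produced the intended scope, the following added example (not part of the Braintrust documentation or SDK) lists the projects a service token can see and compares them with an allowlist. It assumes the REST endpoint `GET /v1/project` with a Bearer token and a `{"objects": [...]}` response on the hosted API URL; the project names and sample response are constructed.

```python
import json
import os
import urllib.request

# Assumption: hosted API base URL; self-hosted deployments use their own.
API_URL = os.environ.get("BRAINTRUST_API_URL", "https://api.braintrust.dev")

# Constructed sample response, used when no key is set so the script runs offline.
SAMPLE_BODY = '{"objects": [{"name": "dev-sandbox"}, {"name": "prod-chat"}]}'


def parse_project_names(body: str) -> set[str]:
    """Extract project names from a project-list response body."""
    return {obj["name"] for obj in json.loads(body).get("objects", [])}


def check_scope(visible: set[str], allowed: set[str]) -> dict:
    """Compare what the token can see with what its permission group should grant."""
    return {
        "unexpected": sorted(visible - allowed),  # over-broad access: tighten the group
        "missing": sorted(allowed - visible),     # expected grant is not in effect
    }


def fetch_visible_projects(api_key: str, api_url: str = API_URL) -> set[str]:
    """List projects readable with this key (single response page only)."""
    req = urllib.request.Request(
        f"{api_url}/v1/project",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_project_names(resp.read().decode())


if __name__ == "__main__":
    allowed = {"dev-sandbox", "staging-evals"}  # hypothetical project names
    key = os.environ.get("BRAINTRUST_API_KEY")
    visible = fetch_visible_projects(key) if key else parse_project_names(SAMPLE_BODY)
    report = check_scope(visible, allowed)
    print(report)
    # Non-zero exit when the token sees a project outside the allowlist.
    raise SystemExit(1 if report["unexpected"] else 0)
```

Run it with `BRAINTRUST_API_KEY` set to the service token's key; organizations with many projects need to paginate the listing before trusting an empty `unexpected` result.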

## Key Points

* API keys inherit the creator's full permissions and cannot be scoped below that level
* Service tokens are separate accounts that can be assigned lower permissions than admin accounts
* Service tokens inherit project access from their assigned permission groups
* Multiple service tokens can be created for different permission levels (dev, staging, production)

## Related Documentation

* [Service Tokens](/admin/organizations#create-service-tokens)
* [Access Control](/admin/access-control)
* [API Keys](/admin/authentication)
