Service token permissions for log ingestion

Applies to:

Plan -
Deployment -

Summary

Overview: Service tokens for log ingestion require specific permission combinations to write logs successfully to Braintrust projects. Key insight: Log writes use merge/update operations internally, requiring update permissions even for new log creation.

How log ingestion permissions work

Required permissions

Permission	Purpose	Required for ingestion?
update	Performs the actual log write (insert or merge)	Yes
read	Read project metadata / fetch logs back	Only if the token also reads/fetches
delete	Delete log rows	Only for deletes

Why Logs Create alone fails

Logs Create permission is insufficient because:

All log writes use a merge/update operation internally
The system does not distinguish between inserting new logs and updating existing ones
Even “new” log entries follow the update code path

Permission scoping

Service tokens support fine-grained scoping. For least privilege, grant update on Project Log (and read on Project only if the token must also fetch logs). Granting update directly on the Project also enables ingestion via inheritance, but it cascades to experiments, datasets, prompts, etc., so prefer the narrower scope. Avoid Project Delete or Manage ACLs unless explicitly needed.

Playground gateway error despite valid API keys

Scorer pane columns collapse on open

⌘I

​Summary

​How log ingestion permissions work

​Required permissions

​Why Logs Create alone fails

​Permission scoping

Summary

How log ingestion permissions work

Required permissions

Why Logs Create alone fails

Permission scoping