# Service token permissions for log ingestion

export const plans_0 = "Any"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Understanding permissions needed for service tokens that write logs to Braintrust"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

**Overview:** Service tokens for log ingestion require specific permission combinations to write logs successfully to Braintrust projects.

**Key insight:** Log writes use merge/update operations internally, requiring update permissions even for new log creation.

## How log ingestion permissions work

### Required permissions

| Permission | Purpose                                         | Required for ingestion?              |
| ---------- | ----------------------------------------------- | ------------------------------------ |
| update     | Performs the actual log write (insert or merge) | Yes                                  |
| read       | Read project metadata / fetch logs back         | Only if the token also reads/fetches |
| delete     | Delete log rows                                 | Only for deletes                     |

### Why Logs Create alone fails

`Logs Create` permission is insufficient because:

* All log writes use a merge/update operation internally
* The system does not distinguish between inserting new logs and updating existing ones
* Even "new" log entries follow the update code path

### Permission scoping

Service tokens support fine-grained scoping. For least privilege, grant update on Project Log (and read on Project only if the token must also fetch logs). Granting update directly on the Project also enables ingestion via inheritance, but it cascades to experiments, datasets, prompts, etc., so prefer the narrower scope. Avoid Project Delete or Manage ACLs unless explicitly needed.
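The scoping guidance above can be turned into a review check for a token's grants. The following is an added example, not Braintrust code: the `Grant` record, the scope labels `project` / `project_log`, and the permission label `manage_acls` are hypothetical names chosen for illustration and do not reflect Braintrust's API schema.

```python
from typing import NamedTuple

class Grant(NamedTuple):
    scope: str       # hypothetical labels: "project" or "project_log"
    permission: str  # "create", "read", "update", "delete", "manage_acls"

def audit_ingestion_token(grants, needs_read=False):
    """Return (can_ingest, findings) for a token meant only to write logs."""
    have = {(g.scope, g.permission) for g in grants}
    findings = []
    narrow = ("project_log", "update") in have
    broad = ("project", "update") in have   # works via inheritance, but too wide
    can_ingest = narrow or broad
    if not can_ingest:
        if any(p == "create" for _, p in have):
            findings.append("create without update: log writes take the "
                            "merge/update path and will fail")
        else:
            findings.append("missing update on project_log: token cannot write logs")
    if broad:
        findings.append("update on project cascades to experiments, datasets, "
                        "prompts; scope it to project_log")
    for scope, perm in sorted(have):
        if perm in ("delete", "manage_acls"):
            findings.append(f"{perm} on {scope}: not needed for ingestion")
        if perm == "read" and not needs_read:
            findings.append(f"read on {scope}: only needed if the token fetches logs")
    if needs_read and not any(p == "read" for _, p in have):
        findings.append("token must fetch logs but has no read grant")
    return can_ingest, findings

if __name__ == "__main__":
    # Constructed sample: an over-scoped ingestion token.
    sample = [Grant("project", "update"), Grant("project", "delete")]
    ok, notes = audit_ingestion_token(sample)
    print("can ingest:", ok)
    for note in notes:
        print(" -", note)
```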
