All
Filter by:
How do I deposit cash into my account?
I need help with account verification
Why can't I access my account?
Are there any crypto withdrawal fees?
I need help signing into my account
Service Users in Organizations
Last updated: May 18, 2026
What is a Service User?
A Service User is an API-only operator created within your Organization for programmatic access. Service Users authenticate with API key credentials and are designed for automated integrations, such as trading bots, treasury management scripts, or internal tooling that needs to interact with your Organization's accounts.
Service Users do not represent individual people. They do not sign in to the UI, and they do not require individual KYC.
How Service Users compare to Members
Member | Service User | |
|---|---|---|
Authentication | Individual credentials with 2FA | API key credentials |
UI login | Yes | No |
KYC required | Yes | No |
Can initiate requests | Yes | Yes (via API) |
Can approve requests | Yes, except their own requests | No |
Can execute immediately | Yes, when policy allows | No |
Administrative access | Yes, if granted | No |
Available workflows | Manage Access, Manage Policies, Manage Addresses, Initiate Withdrawal | Withdrawals via API (constrained by API key scopes) |
Authorization model | Organization workflow permissions (View, Initiate, Approve, Execute) | API key permissions |
What Service Users can do
A Service User's capabilities are defined by its API key permissions. Depending on the scopes granted to the key, a Service User can:
- Submit withdrawal requests via API — if an Organization policy is configured for the Initiate Withdrawal workflow, the request enters the approval queue and must be approved by human Members before it takes effect
- Trade on accounts where the API key has order permissions (Create and modify orders, Cancel and close orders) — these execute immediately
- Allocate and deallocate Earn products where the API key has the Earn permission — these execute immediately
- Query balances, ledger entries, open and closed orders, and export data according to the key's read scopes
Only withdrawal operations are subject to Organization policies. All other API key operations — trading, Earn, queries, data exports — are immediate.
What Service Users cannot do
- Approve requests — Service Users cannot review or approve any request
- Complete withdrawals directly — when an Organization policy is configured for Initiate Withdrawal, the API key can only start a request; human Members must approve it before it takes effect
- Access administrative workflows — Service Users have no access to Manage Access or Manage Policies
- Sign in to the UI — Service Users are API-only
Important: When an Organization policy governs the Initiate Withdrawal workflow, Service Users can only initiate requests, not complete them. All other API key operations (trading, Earn, queries) execute immediately. Service Users have no administrative access and cannot approve requests.
API key permissions
Service Users are authorized through API key permissions, not Organization workflow permissions (View, Initiate, Approve, Execute). Each API key is configured with a set of scopes that define what the Service User can access.
Funds and permissions
Permission | What it allows |
|---|---|
Query | View balances and funding status |
Earn | Allocate and deallocate Earn (staking and yield) products |
Deposit | Generate deposit addresses and view deposit history |
Withdraw | Submit withdrawal requests — if an Organization policy governs this workflow, the request requires Member approval (see Policy interaction) |
Orders and trades
Permission | What it allows |
|---|---|
Query open orders & trades | View currently open orders and active trades |
Query closed orders & trades | View historical orders and completed trades |
Create and modify orders | Place new orders and modify existing ones |
Cancel & close orders | Cancel open orders and close positions |
Data
Permission | What it allows |
|---|---|
Query ledger entries | View transaction and ledger history |
Export data | Export account data for reporting and reconciliation |
Configuration options
Each API key also supports the following settings:
Setting | Description |
|---|---|
API Key expiration | Optional expiration date after which the key is automatically disabled |
Query start date | Restrict data queries to entries after this date |
Query end date | Restrict data queries to entries before this date |
Allow WebSocket connections | Enable or disable real-time streaming via WebSocket |
Custom nonce window | Configure a custom nonce window for replay protection |
Restrict IP addresses or ranges | Limit key usage to specific IP addresses or CIDR ranges |
Policy interaction
API key permissions define what a Service User can access, but Organization policies override API key capabilities for withdrawal operations.
When a policy is configured for the Initiate Withdrawal workflow:
- The API key's Withdraw permission allows the Service User to start a withdrawal request, but not complete it
- The request enters the Organization's approval queue
- Members with Approve permission on the Initiate Withdrawal workflow must review and approve the request before it takes effect
All other API key operations — placing and canceling orders, Earn allocations, queries, data exports — are immediate. They are not subject to Organization policies and do not require approval.
If no policy is configured for a workflow, the API key's permissions apply directly for that operation as well.
How to create a Service User
- Go to the Manage Access section in your Organization.
- Select Create Service User (or Create API Key, depending on your interface version).
- Give the Service User a descriptive name that identifies its purpose (for example, "Treasury Bot" or "Reporting Script").
- Configure the API key permissions by selecting the scopes the Service User needs. See API key permissions for the full list.
- Optionally configure security settings such as IP restrictions, key expiration, and nonce window.
- Review the configuration and confirm.
If the Manage Access policy requires approval, your request enters the approval queue. Once approved (or immediately completed via Execute), the Service User is created and its API key credentials are generated.
Caution: API key credentials are shown only once at creation time. Copy and store them securely. You cannot retrieve the secret after leaving the creation screen.
How to edit or remove a Service User
To change a Service User's permissions or remove it entirely, go to Manage Access, select the Service User, and submit the change. The same governance rules apply — if Manage Access requires approval, the change enters the approval queue.
See Permissions and workflows for the full list of Manage Access operations.