Service Users in Organizations

Last updated: 18 May 2026

What is a Service User?

A Service User is an API-only operator created within your Organization for programmatic access. Service Users authenticate with API key credentials and are designed for automated integrations, such as trading bots, treasury management scripts, or internal tooling that needs to interact with your Organization's accounts.

Service Users do not represent individual people. They do not sign in to the UI, and they do not require individual KYC.

How Service Users compare to Members

|  | Member | Service User |
| --- | --- | --- |
| Authentication | Individual credentials with 2FA | API key credentials |
| UI login | Yes | No |
| KYC required | Yes | No |
| Can initiate requests | Yes | Yes (via API) |
| Can approve requests | Yes, except their own requests | No |
| Can execute immediately | Yes, when policy allows | No |
| Administrative access | Yes, if granted | No |
| Available workflows | Manage Access, Manage Policies, Manage Addresses, Initiate Withdrawal | Withdrawals via API (constrained by API key scopes) |
| Authorization model | Organization workflow permissions (View, Initiate, Approve, Execute) | API key permissions |

What Service Users can do

A Service User's capabilities are defined by its API key permissions. Depending on the scopes granted to the key, a Service User can:

  • Submit withdrawal requests via API — if an Organization policy is configured for the Initiate Withdrawal workflow, the request enters the approval queue and must be approved by human Members before it takes effect
  • Trade on accounts where the API key has order permissions (Create and modify orders, Cancel and close orders) — these execute immediately
  • Allocate and deallocate Earn products where the API key has the Earn permission — these execute immediately
  • Query balances, ledger entries, open and closed orders, and export data according to the key's read scopes

Only withdrawal operations are subject to Organization policies. All other API key operations — trading, Earn, queries, data exports — are immediate.

What Service Users cannot do

  • Approve requests — Service Users cannot review or approve any request
  • Complete withdrawals directly — when an Organization policy is configured for Initiate Withdrawal, the API key can only start a request; human Members must approve it before it takes effect
  • Access administrative workflows — Service Users have no access to Manage Access or Manage Policies
  • Sign in to the UI — Service Users are API-only

API key permissions

Service Users are authorized through API key permissions, not Organization workflow permissions (View, Initiate, Approve, Execute). Each API key is configured with a set of scopes that define what the Service User can access.

Funds and permissions

| Permission | What it allows |
| --- | --- |
| Query | View balances and funding status |
| Earn | Allocate and deallocate Earn (staking and yield) products |
| Deposit | Generate deposit addresses and view deposit history |
| Withdraw | Submit withdrawal requests — if an Organization policy governs this workflow, the request requires Member approval (see Policy interaction) |

Orders and trades

| Permission | What it allows |
| --- | --- |
| Query open orders and trades | View currently open orders and active trades |
| Query closed orders and trades | View historical orders and completed trades |
| Create and modify orders | Place new orders and modify existing ones |
| Cancel and close orders | Cancel open orders and close positions |

Data

| Permission | What it allows |
| --- | --- |
| Query ledger entries | View transaction and ledger history |
| Export data | Export account data for reporting and reconciliation |

Configuration options

Each API key also supports the following settings:

| Setting | Description |
| --- | --- |
| API key expiration date | Optional expiration date after which the key is automatically disabled |
| Query start date | Restrict data queries to entries after this date |
| Query end date | Restrict data queries to entries before this date |
| Allow WebSocket connections | Enable or disable real-time streaming via WebSocket |
| Custom nonce window | Configure a custom nonce window for replay protection |
| Restrict IP addresses or ranges | Limit key usage to specific IP addresses or CIDR ranges |

Policy interaction

API key permissions define what a Service User can access, but Organization policies override API key capabilities for withdrawal operations.

When a policy is configured for the Initiate Withdrawal workflow:

  • The API key's Withdraw permission allows the Service User to start a withdrawal request, but not complete it
  • The request enters the Organization's approval queue
  • Members with Approve permission on the Initiate Withdrawal workflow must review and approve the request before it takes effect

All other API key operations — placing and canceling orders, Earn allocations, queries, data exports — are immediate. They are not subject to Organization policies and do not require approval.

If no policy is configured for a workflow, the API key's permissions apply directly for that operation as well.
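
The rules above can be modeled as a small decision function. This is an added example, not the platform's own code: the operation names, the key dictionary layout and the sample values are assumptions made for illustration, while the scope and workflow names are the ones used on this page.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Scope each operation needs. Scope names come from the permission tables;
# the operation names are hypothetical labels, not API endpoints.
REQUIRED_SCOPE = {
    "withdraw": "Withdraw",
    "place_order": "Create and modify orders",
    "cancel_order": "Cancel and close orders",
    "earn_allocate": "Earn",
    "query_balance": "Query",
    "export_data": "Export data",
}
# Only withdrawals map to a workflow that an Organization policy can govern.
GOVERNED_WORKFLOW = {"withdraw": "Initiate Withdrawal"}


def outcome(key, operation, source_ip, today, org_policies):
    """Return 'denied', 'pending_approval' or 'immediate' for one API call."""
    if key["expires"] is not None and today > key["expires"]:
        return "denied"  # key is disabled after its expiration date
    nets = key["allowed_networks"]
    if nets and not any(ip_address(source_ip) in ip_network(n) for n in nets):
        return "denied"  # caller is outside the configured IP restriction
    if REQUIRED_SCOPE[operation] not in key["scopes"]:
        return "denied"  # scope was never granted to this key
    workflow = GOVERNED_WORKFLOW.get(operation)
    if workflow in org_policies:
        return "pending_approval"  # Members with Approve must sign off
    return "immediate"  # no policy in front of this operation


# Constructed sample key and policy sets (not real data).
TREASURY_BOT = {
    "scopes": {"Query", "Withdraw", "Create and modify orders"},
    "expires": date(2026, 12, 31),
    "allowed_networks": ["203.0.113.0/24"],
}
WITH_POLICY = {"Initiate Withdrawal"}
NO_POLICY = set()

if __name__ == "__main__":
    for op in ("withdraw", "place_order", "earn_allocate"):
        print(op, outcome(TREASURY_BOT, op, "203.0.113.7", date(2026, 6, 1), WITH_POLICY))
```

With the same key, removing the Initiate Withdrawal policy changes the withdrawal outcome from pending approval to immediate, while the order outcome is immediate in both cases.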

How to create a Service User

  1. Go to the Manage Access section in your Organization.
  2. Select Create Service User (or Create API Key, depending on your interface version).
  3. Give the Service User a descriptive name that identifies its purpose (for example, "Treasury Bot" or "Reporting Script").
  4. Configure the API key permissions by selecting the scopes the Service User needs. See API key permissions for the full list.
  5. Optionally configure security settings such as IP restrictions, key expiration, and nonce window.
  6. Review the configuration and confirm.

If the Manage Access policy requires approval, your request enters the approval queue. Once approved (or immediately completed via Execute), the Service User is created and its API key credentials are generated.
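
Before confirming in step 6, the scopes and security settings chosen in steps 4 and 5 can be checked against what the integration actually needs. The review below is an added example, not a feature of the product: the configuration layout, the `needs` field and the sample entries are assumptions, and the findings follow from the rules stated on this page (trading and Earn run immediately, withdrawals are only gated when an Initiate Withdrawal policy exists).

```python
# Scopes whose operations run immediately, with no Organization policy
# in front of them (per "What Service Users can do").
IMMEDIATE_SCOPES = {"Create and modify orders", "Cancel and close orders", "Earn"}


def review(cfg, org_policies):
    """Return a list of findings for one proposed Service User configuration."""
    findings = []
    scopes = set(cfg["scopes"])
    # Least privilege: anything granted beyond the declared need is flagged.
    for extra in sorted(scopes - set(cfg["needs"])):
        findings.append("scope granted but not needed: " + extra)
    if "Withdraw" in scopes and "Initiate Withdrawal" not in org_policies:
        findings.append("Withdraw scope without an Initiate Withdrawal policy: "
                        "no Member approval")
    ungoverned = sorted(scopes & IMMEDIATE_SCOPES)
    if ungoverned:
        findings.append("executes immediately, no approval step: "
                        + ", ".join(ungoverned))
    if not cfg.get("expires"):
        findings.append("no API key expiration date")
    if not cfg.get("allowed_networks"):
        findings.append("no IP address or range restriction")
    return findings


# Constructed sample configurations (hypothetical, for illustration only).
REPORTING_SCRIPT = {
    "scopes": ["Query", "Query ledger entries", "Export data",
               "Create and modify orders"],
    "needs": ["Query", "Query ledger entries", "Export data"],
    "expires": "2026-12-31",
    "allowed_networks": ["203.0.113.0/24"],
}
TREASURY_BOT = {
    "scopes": ["Query", "Withdraw"],
    "needs": ["Query", "Withdraw"],
    "expires": None,
    "allowed_networks": [],
}

if __name__ == "__main__":
    for name, cfg in (("Reporting Script", REPORTING_SCRIPT),
                      ("Treasury Bot", TREASURY_BOT)):
        for finding in review(cfg, {"Initiate Withdrawal"}):
            print(name + ": " + finding)
```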

How to edit or remove a Service User

To change a Service User's permissions or remove it entirely, go to Manage Access, select the Service User, and submit the change. The same governance rules apply — if Manage Access requires approval, the change enters the approval queue.

See Permissions and workflows for the full list of Manage Access operations.
