Introducing Service Accounts: Programmatic Access to AI Memory

Until now, accessing Aiqbee Brains required a user to sign in interactively. That works for developers in their IDE or teams in Microsoft Teams, but it breaks down when you need a CI/CD pipeline to pull coding standards, a Slack bot to answer questions from a knowledge base, or a headless AI agent to maintain documentation automatically.

Today we're shipping Service Accounts. Applications, automation tools, and AI agents can now access Aiqbee Brains with OAuth2 client credentials, the same flow you'd use with Azure, AWS, or Google Cloud.

What Are Service Accounts?

A service account is a non-human identity that authenticates with a Client ID and Client Secret. Create one, grant it access to specific Brains at a defined permission level, and any application can authenticate and work with those Brains through the API or MCP.

Key Capabilities

• Create service accounts with descriptive display names from the admin panel
• Client credentials (Client ID + Secret) generated on creation — secret shown once only
• Configurable secret expiry: 1 month, 6 months, 1 year, 2 years, or 5 years
• Grant per-brain access at Read, ReadWrite, or Owner level
• Reissue secrets instantly (old secret invalidated immediately)
• Deactivate/reactivate without deletion for temporary access suspension
• Last-active tracking for security monitoring and compliance

How It Works

Service accounts are managed from the Service Accounts tab in the Users admin panel. Creating one requires the ManageServiceAccounts permission. Once created, you grant it access to specific Brains from the Edit Brain dialog — the same unified search that works for users now also finds service accounts, distinguished by a key icon.

Authentication Flow

Your application exchanges the Client ID and Client Secret for a bearer token using the standard OAuth2 client credentials flow. That token works with both the REST API and the MCP server — exactly the same endpoints human users access.

# Exchange credentials for a bearer token
curl -X POST https://app.aiqbee.com/api/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

// Use the token with MCP
{
  "mcpServers": {
    "aiqbee": {
      "url": "https://mcp.aiqbee.com/brain/{brain-id}/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN"
      }
    }
  }
}

Use Cases

• CI/CD pipelines that pull coding standards and architecture decisions during code review
• Slack or Teams bots that answer questions from your organisation's knowledge base
• Headless MCP agents that keep documentation up to date as code changes
• Data pipelines that ingest external sources into Brains on a schedule
• Custom integrations that sync knowledge between Aiqbee and internal tools

Security by Design

Service accounts follow the same permission model as regular user accounts. They can only reach Brains they've been explicitly granted access to, at the permission level you set. Secrets are hashed before storage, shown once at creation, and can be reissued or revoked on the spot. Expiry dates enforce rotation, and last-active timestamps let admins see what's being used.

Getting Started

Head to the Users panel in your Aiqbee workspace, switch to the Service Accounts tab, and create your first service account. Grant it access to a Brain, copy the credentials, and you are ready to connect your first automation. Full documentation is available in the in-app help center.