Automation & management

Automate with a service account

This guide walks the full automation path: create a service account, mint a management token, and use it from trusted server-side automation. Public CLI, MCP, and management SDK packages are coming soon; closed-beta developers should start from the Console and documented HTTP contracts.

Which key do I use?

pw_test_…Calculation API — Test calculation calls.

pw_live_…Calculation API — Live calculation calls.

pw_mgmt_…Automation & management — Service-account automation and management HTTP contracts. Never calculation calls.

1. Create a service account

In the console, open Service accounts and create one. Give it a clear name and the least-privilege scopes the automation needs.

For a typical CI provisioning job that creates a project, mints a short-lived test key, proves a calculation, reads usage/audit evidence, and revokes the key, grant:

Code
org:read
projects:read
projects:create
api_keys:read
api_keys:create
api_keys:revoke
usage:read
billing:read
audit_log:read

If the project already exists, omit projects:create. Keep the token account-wide for the beta-proof command because the proof reads billing and audit evidence as well as project-scoped resources. Use project-restricted tokens for narrower jobs that only need project, key, or usage actions inside a known project.

2. Mint a management token

Create a token under the service account. It's shown once — copy it into your secret manager now.

Token creation accepts label, scopes, optional projectIds, optional environments, and optional expiresAt. The response includes secret once and token metadata:


Code
{
  "secret": "pw_mgmt_…",
  "token": {
    "id": "devsat_…",
    "status": "active",
    "scopes": ["projects:read", "api_keys:create"],
    "projectIds": ["devproj_…"],
    "environments": ["test"]
  }
}

3. Use it

Use the token only from trusted server-side code or PokerWorks-supported proof tooling:

Console setup → create service accounts and product keys in the Console.
Server automation → call the documented management HTTP contracts with the management token.
Operator proof → PokerWorks may run internal CLI/MCP proof commands on your behalf during closed beta.

PokerWorks internal proof tooling can validate the full path during closed beta. It reads account and billing state, creates or verifies a project, mints a temporary product API key, performs one metered Hold'em equity calculation, checks usage and service-account audit evidence, then revokes the temporary key.

The internal proof command requires the private PokerWorks monorepo and is not a public beta install path.

4. Rotate and revoke

Rotate by minting a new token and revoking the old one; the service account stays put. Revoke the whole service account to cut off all of its tokens at once. Every action is recorded in the audit log.

Webhooks Overview

1. Create a service account

In the console, open Service accounts and create one. Give it a clear name and the least-privilege scopes the automation needs.

For a typical CI provisioning job that creates a project, mints a short-lived test key, proves a calculation, reads usage/audit evidence, and revokes the key, grant:

Code

org:read
projects:read
projects:create
api_keys:read
api_keys:create
api_keys:revoke
usage:read
billing:read
audit_log:read

2. Mint a management token

Create a token under the service account. It's shown once — copy it into your secret manager now.

Token creation accepts label, scopes, optional projectIds, optional environments, and optional expiresAt. The response includes secret once and token metadata:

Code

{
  "secret": "pw_mgmt_…",
  "token": {
    "id": "devsat_…",
    "status": "active",
    "scopes": ["projects:read", "api_keys:create"],
    "projectIds": ["devproj_…"],
    "environments": ["test"]
  }
}

3. Use it

Use the token only from trusted server-side code or PokerWorks-supported proof tooling:

Console setup → create service accounts and product keys in the Console.

Server automation → call the documented management HTTP contracts with the management token.

Operator proof → PokerWorks may run internal CLI/MCP proof commands on your behalf during closed beta.

The internal proof command requires the private PokerWorks monorepo and is not a public beta install path.

1. Create a service account

2. Mint a management token

3. Use it

4. Rotate and revoke

Related

1. Create a service account

2. Mint a management token

3. Use it

4. Rotate and revoke

Related