Automation & management

Service accounts & management tokens

A service account is a non-human identity — an agent, CI job, or trusted server integration — that manages your PokerWorks console resources without a person signing in. It authenticates with a management token (pw_mgmt_…), not a product API key.

Which key do I use?

pw_test_…Calculation API — Test calculation calls.

pw_live_…Calculation API — Live calculation calls.

pw_mgmt_…Automation & management — Service-account automation and management HTTP contracts. Never calculation calls.

How it works

Service accounts are owned by the organization, never by a user. Each one holds a granular set of scopes and zero or more management tokens. You create the service account and its tokens in the console, then hand the token to your automation.

Management tokens manage the console. They create projects, mint or revoke product API keys, read usage, and so on.
They never call the calculation API. Equity, ICM, and the other calculations require a product key (pw_test_ / pw_live_). A pw_mgmt_ token is rejected there by design.

Scopes

Service accounts use least-privilege scopes. The launch set:

Scope	Grants
`org:read`	Read the organization/account, balances, settings, and visible projects/keys when paired with their read scopes.
`projects:read`	List projects visible to the token.
`projects:create`	Create projects. Tokens restricted to specific projects cannot create new projects.
`projects:update`	Update visible project settings, including name and allowed origins.
`api_keys:read`	List product API keys visible to the token. Secrets are never returned.
`api_keys:create`	Create reveal-once product API keys for allowed projects and environments.
`api_keys:revoke`	Revoke visible product API keys.
`usage:read`	Read usage summaries and recent requests for allowed projects/environments.
`billing:read`	Read wallet, balance, credit-pack, receipt, and auto-recharge summary state. Tokens with project restrictions cannot read account billing.
`audit_log:read`	Read audit events. Tokens with project or environment restrictions cannot read account-level audit events.

Tokens can also be restricted to specific project IDs and environments (test, live). An empty project or environment restriction means account-wide access for that dimension, subject to scopes.

Creating a token

Tokens are shown once at creation and hashed at rest — store them in a secret manager immediately. Tokens are always minted server-side; they are never generated in the browser.

Console users create them under Service accounts:

Create a service account with name and optional description.
Create a token under that service account with label, scopes, optional projectIds, optional environments, and optional expiresAt.
Store the returned secret immediately.

The token response returns:


Code
{
  "secret": "pw_mgmt_…",
  "token": {
    "id": "devsat_…",
    "serviceAccountId": "devsa_…",
    "label": "CI provisioning",
    "status": "active",
    "scopes": ["projects:read", "api_keys:create"],
    "projectIds": [],
    "environments": ["test"],
    "expiresAt": "2026-06-26T00:00:00.000Z",
    "masked": "pw_mgmt_…",
    "lastUsedAt": null
  }
}

The public secret appears only in this creation response. Later reads return metadata such as masked, prefix, status, scopes, restrictions, and timestamps, never the secret.

Rules & gotchas

A management token can't mint more management tokens (no privilege escalation).
Revoking a service account revokes all of its tokens immediately; revoke individual tokens to rotate without downtime.
Money-moving and account-admin actions are not available to service accounts.

TypeScript SDK Webhooks

How it works

Management tokens manage the console. They create projects, mint or revoke product API keys, read usage, and so on.

They never call the calculation API. Equity, ICM, and the other calculations require a product key (pw_test_ / pw_live_). A pw_mgmt_ token is rejected there by design.

Scopes

Service accounts use least-privilege scopes. The launch set:

Scope

Grants

org:read

Read the organization/account, balances, settings, and visible projects/keys when paired with their read scopes.

projects:read

List projects visible to the token.

projects:create

Create projects. Tokens restricted to specific projects cannot create new projects.

projects:update

Update visible project settings, including name and allowed origins.

api_keys:read

List product API keys visible to the token. Secrets are never returned.

api_keys:create

Create reveal-once product API keys for allowed projects and environments.

api_keys:revoke

Revoke visible product API keys.

usage:read

Read usage summaries and recent requests for allowed projects/environments.

billing:read

Read wallet, balance, credit-pack, receipt, and auto-recharge summary state. Tokens with project restrictions cannot read account billing.

audit_log:read

Read audit events. Tokens with project or environment restrictions cannot read account-level audit events.

Tokens can also be restricted to specific project IDs and environments (test, live). An empty project or environment restriction means account-wide access for that dimension, subject to scopes.

Creating a token

Tokens are shown once at creation and hashed at rest — store them in a secret manager immediately. Tokens are always minted server-side; they are never generated in the browser.

Console users create them under Service accounts:

Create a service account with name and optional description.

Create a token under that service account with label, scopes, optional projectIds, optional environments, and optional expiresAt.

Store the returned secret immediately.

The token response returns:

Code

{
  "secret": "pw_mgmt_…",
  "token": {
    "id": "devsat_…",
    "serviceAccountId": "devsa_…",
    "label": "CI provisioning",
    "status": "active",
    "scopes": ["projects:read", "api_keys:create"],
    "projectIds": [],
    "environments": ["test"],
    "expiresAt": "2026-06-26T00:00:00.000Z",
    "masked": "pw_mgmt_…",
    "lastUsedAt": null
  }
}

The public secret appears only in this creation response. Later reads return metadata such as masked, prefix, status, scopes, restrictions, and timestamps, never the secret.

How it works

Scopes

Creating a token

Rules & gotchas

Related

How it works

Scopes

Creating a token

Rules & gotchas

Related