Creating an OAuth Service Account
CyberArk Privilege Cloud uses OAuth 2.0 Client Credentials for API authentication. You need to create a dedicated service user in the CyberArk Identity Administration portal.
Sign in to CyberArk Identity Administration
Sign in to your CyberArk Identity Administration portal.
- You need administrator privileges in the Identity Administration portal
- Your Identity portal URL follows the format: https://<tenant-id>.id.cyberark.cloud
Create a New Service User
Click Add User and fill in the following fields.
- Login Name: Enter a descriptive name (e.g., stackone-api-service). This will be your Client ID.
- Display Name: Enter a display name (e.g., StackOne API Service Account).
- Password: Set a strong password. This will be your Client Secret.
Configure Service Account Settings
In the Status checklist, enable the following checkboxes before saving.
- Is OAuth confidential client — Required for OAuth 2.0 authentication
- Is Service User — Marks this as a non-interactive API account
- Password never expires — Automatically selected for service users
Assigning Privilege Cloud Roles
The service account must be assigned to the correct role to access Privilege Cloud APIs.
Add Service User to Privilege Cloud Role
Find and open the Privilege Cloud Administrators role (or the appropriate role for your use case), then add the service user as a member.
- Privilege Cloud Administrators — Full API access (uses Privileged Standard User license)
- Privilege Cloud Administrators Basic — Limited access (uses Privileged Basic User license)
- Privilege Cloud Users — Standard user-level access
- Click the Members tab, then Add, to add your service user
Configure Vault-Level Permissions (Optional)
For actions like managing users, groups, or safes, the service account may need additional Vault-level permissions.
- Audit Users — Required for listing and viewing users/groups
- Add/Update Users — Required for creating, updating, and deleting users/groups
- Reset Users’ Passwords — Required for password reset actions
- Add Safes — Required for creating new safes
- Manage Safe Members — Required for adding/updating/removing safe members
Finding Your Tenant ID
The Identity Tenant ID is needed to construct the OAuth token endpoint URL.
Locate Your Tenant ID
In the Identity Administration portal, click the user icon in the top-right corner.
- Click About or Tenant Details to see your Tenant ID
- Your Identity tenant URL follows the format: https://<tenant-id>.id.cyberark.cloud
- The Tenant ID is the prefix before .id.cyberark.cloud
- Important: The Identity Tenant ID may differ from your Privilege Cloud subdomain
Finding Your Privilege Cloud Subdomain
The Privilege Cloud subdomain is needed to construct the API base URL.
Locate Your Subdomain
Open your CyberArk Privilege Cloud portal in a browser.
- Your Privilege Cloud URL follows the format: https://<subdomain>.privilegecloud.cyberark.com
- The subdomain is the prefix before .privilegecloud.cyberark.com
- Example: If your URL is https://acme.privilegecloud.cyberark.com, your subdomain is acme
- You can also find this in the CyberArk welcome email or by contacting your CyberArk administrator
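The following Python script is an added example, not code from StackOne or CyberArk. It shows how the four values collected on this page fit together: the Identity Tenant ID and Privilege Cloud subdomain are turned into the token endpoint and API base URL, and the Client ID and Client Secret are sent in an OAuth 2.0 Client Credentials request. It assumes the token endpoint path is /oauth2/platformtoken on the Identity tenant and that the request is a form-encoded POST with grant_type, client_id and client_secret; neither detail is stated on this page. The helper deliberately accepts a bare prefix, a hostname or a full pasted URL, but reduces it to a single DNS label so a mistyped or malicious value cannot send the client secret to some other host. The `transport` parameter lets the request be replayed against a constructed response for offline testing.

```python
"""Client Credentials token request for CyberArk Privilege Cloud (added example)."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed token path on the Identity tenant; confirm against your CyberArk docs.
TOKEN_PATH = "/oauth2/platformtoken"
IDENTITY_SUFFIX = ".id.cyberark.cloud"
PCLOUD_SUFFIX = ".privilegecloud.cyberark.com"

# A single DNS label: letters, digits and hyphens, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$", re.IGNORECASE)


def normalize_label(value: str, suffix: str) -> str:
    """Return the bare prefix from a prefix, a hostname or a full URL.

    Anything that is not a single label (e.g. 'evil.example.com') is rejected,
    so a pasted value can never redirect the token request off the expected
    CyberArk domain.
    """
    v = value.strip()
    if "://" in v:
        v = urllib.parse.urlsplit(v).hostname or ""
    if v.lower().endswith(suffix):
        v = v[: -len(suffix)]
    if not _LABEL.match(v):
        raise ValueError(f"not a valid tenant/subdomain prefix: {value!r}")
    return v.lower()


def token_endpoint(identity_tenant_id: str) -> str:
    """OAuth token URL built from the Identity Tenant ID (not the PCloud subdomain)."""
    tenant = normalize_label(identity_tenant_id, IDENTITY_SUFFIX)
    return f"https://{tenant}{IDENTITY_SUFFIX}{TOKEN_PATH}"


def api_base_url(subdomain: str) -> str:
    """Privilege Cloud API base URL built from the Privilege Cloud subdomain."""
    return f"https://{normalize_label(subdomain, PCLOUD_SUFFIX)}{PCLOUD_SUFFIX}"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded Client Credentials grant (assumed field names)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()


def parse_token_response(raw: bytes) -> str:
    """Extract the bearer token, failing loudly on an unexpected shape."""
    data = json.loads(raw)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("token response did not contain a bearer access_token")
    return token


Transport = Callable[[urllib.request.Request], bytes]


def fetch_access_token(identity_tenant_id: str, client_id: str, client_secret: str,
                       transport: Optional[Transport] = None) -> str:
    """POST the Client Credentials grant and return the access token.

    The secret is placed only in the request body; it is never logged or
    embedded in the URL.
    """
    req = urllib.request.Request(
        token_endpoint(identity_tenant_id),
        data=token_request_body(client_id, client_secret),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    send = transport or (lambda r: urllib.request.urlopen(r, timeout=15).read())
    return parse_token_response(send(req))


if __name__ == "__main__":
    # Constructed values; replace with your own tenant, subdomain and credentials.
    print(token_endpoint("acme-identity"))
    print(api_base_url("https://acme.privilegecloud.cyberark.com"))
```

Note that the two prefixes are normalised independently: the page warns that the Identity Tenant ID may differ from the Privilege Cloud subdomain, so the script never derives one from the other.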
Linking the Account from the Hub
Navigate to the Hub
Fill out the fields
- Client ID
- Client Secret
- Identity Tenant ID
- Privilege Cloud Subdomain