Skip to content

Overview: Custom API Integration service accounts

Custom API Integration service accounts lets you authenticate and use Venafi Control Plane APIs without the need for API keys. They leverage third-party issued tokens for authentication, offering improved security and scalability through workload identity federation (WIF).

What is workload identity federation (WIF)?

WIF is a security methodology that allows your applications to securely authenticate with Venafi Control Plane without having to manage and secure long-lived credentials (like passwords or API keys). Instead, it uses short-lived tokens obtained from a trusted Identity Provider (IDP). This means your application proves its identity to the IDP and receives a token, which it can then use to access Venafi Control Plane. Learn more

Custom API Integration service accounts are particularly beneficial in situations where:

  • Machines request access to Venafi Control Plane APIs, requiring a scalable and secure authentication mechanism.
  • There's a need for improved VCert deployment and authentication options in mass deployment scenarios.
  • Enhanced security alignment with enterprise customers' API authentication policies is required.

What is the workflow?

In context of Venafi products, WIF allows you to access Venafi Control Plane-protected resources without needing to manage secrets.

Diagram showing the workflow when utilizing workload identity federation via a custom API integration service account

Key benefits of using Custom API Integration

The key benefits of using this type of service account include:

  • Streamlined JWT handling: Simplifies JWT management by using the JWKS_URI to dynamically retrieve signing keys, reducing administrative overhead.
  • Custom API integrations: Provides new authentication use cases in the Service Account UI, initially for VCert-related APIs, with a roadmap to include more integrations such as Keystores as development continues.
  • Flexible configuration: Allows for the use of more than one public key + JWT claims (Audience+Issuer URL), which can be configured at either the tenant level (ideal case) or the application level to start with.
  • Enhanced security: Ensures dynamic and secure credentials by utilizing OAuth2 Token endpoints. You have the flexibility to either enter the JWKS_URI manually or allow the system to retrieve it automatically. This approach aligns with modern security standards and offers simplified credential management.


If you do not see this option, please contact your Venafi sales representative for information on the correct Venafi Control Plane tier subscription you need.

Next steps

Before you create a Custom API Integration service account, review the basics of creating service accounts, or if you've done that already, get started with creating one here.

API Reference