# Service Accounts (/docs/organizations/service-accounts)



Layers does not currently support dedicated service-account identities
separate from partner API keys. For backend, CI/CD, and webhook-signer
use cases, use an **organization-scoped partner API key** instead.

## Creating a key for machine use [#creating-a-key-for-machine-use]

1. Go to **Org → Settings → API Keys**.
2. Click **Create API key**.
3. Give it a descriptive name (e.g. `gh-actions-prod`).
4. Copy the returned secret (shown once).

Partner API keys are organization-scoped, carry rate-limit tiers, and are
auditable under the organization — they are the recommended "service
identity" for now. See [API Keys](/docs/account/api-keys).

## Recommended usage pattern [#recommended-usage-pattern]

```bash
curl -H "Authorization: Bearer $LAYERS_API_KEY" \
  https://api.layers.com/partner/v1/projects
```

## Rotation and revocation [#rotation-and-revocation]

Rotate via the **Rotate** button on the API keys page — this issues a new
secret and invalidates the old one while keeping the key ID stable.
Revoke with **Revoke**; revocation is immediate.

## Audit [#audit]

Every action taken by a partner API key is recorded in the partner audit
log — see [Audit log](/docs/organizations/audit-log).