Service accounts
Admin follow-up context
You navigated here via the admin Week 8 readiness summary. Continue the targeted onboarding, billing, verification, or go-live review for this workspace, capture the outcome on that surface, then return to the filtered admin readiness view. This is navigation-only context and does not change identity, impersonate a member, or automate remediation.
Audit export continuity
Reuse the same Latest export receipt from /settings so the filename, filters, and SHA-256 stay chained from settings through verification, go-live, and back into this admin handoff. This manual evidence relay is navigation-only; open the receipt, carry the proof in the workspace surfaces, and then return here to complete the queue or readiness loop.
Current workspace: default · Requested from admin: default · Week 8 focus: Baseline gaps
Treat this as the manual admin → workspace surface → admin loop: follow the requested surface, capture evidence or outcome notes there, then use the return link below to restore the admin context and keep the focus state aligned.
Returning keeps the same admin filter state in place so the operator can continue the governance review without rerunning the drill-down manually.
Machine identities
Create runtime identities for API keys, automation, and future service-to-service access control.
Audit export continuity
Service account flows must carry the same Latest export receipt proof: reopen the receipt on /settings?intent=upgrade, keep the filename, filters, and SHA-256, and reuse that evidence as you move through verification, the go-live drill, and any admin follow-up.
Navigation-only manual relay: these links preserve workspace context but do not automate remediation or impersonate another operator.
Credential sequence
This is the manual Week 4 / Week 5 credential lane for default. Create one service account, issue a narrow API key, run the first governed demo, confirm the usage trace, then carry the same evidence into verification.
Current session context comes from Environment fallback (non-production). These links keep navigation context together only; they do not send credentials anywhere or automate follow-up.
This sequence is still navigation-only across the console. Creating the service account happens here, while API key issuance, demo execution, usage confirmation, and evidence capture remain separate manual steps.
Manual governance checkpoint
Before you add another service account, check whether the current plan and usage profile still support the next workload you are preparing. This is the conservative path for Week 6 plan-limit awareness.
These are manual checks only. Service-account creation is not auto-blocked here, and no support workflow is triggered on your behalf.
Create service account
Manual gating reminder
Make sure creating another service account aligns with the plan boundary, current usage pressure, and any outstanding manual billing review before you proceed. This is still a human checkpoint, not an enforced product block.
Start with a single service account for the first workspace demo or any external runtime flow you want to run via an API key. Bind future API key scope to `runs:write` so northbound calls stay aligned with the control-plane contract; add broader scope only when you need cancel/replay, approvals, A2A, or MCP calls.
The role field is a governance tag that helps describe what the account is for, but it does not change the scopes an API key grants. Scopes live on the key itself, so pair each new service account with the key scope you expect to need.
Use distinct service accounts per workload so API keys, usage, and audit trails stay attributable.
Disable service accounts when a workload is retired, then separately revoke any surviving API keys that should stop working right away.
After service-account creation
The normal next lane is: mint the first narrow API key, run the governed demo in Playground, confirm the resulting Usage signal, then attach the same run context in Verification before you treat the credential path as ready.
Service accounts
Machine identities used to bind API keys and runtime traffic.
The first service account usually backs your onboarding demo or any workspace-scoped runtime call. Pair it with an API key scoped to `runs:write`; add approvals, cancel/replay, A2A, or MCP scopes later as needed.
Admin readiness follow-up
You followed the Week 8 readiness focus. Keep this page navigation-only while confirming service accounts, billing, or verification evidence before returning to the admin snapshot.
These links preserve the admin handoff navigation context without impersonation, automation, or support tooling.
Audit export continuity
Governance roles should reopen the Latest export receipt from /settings?intent=upgrade to keep the filename, filters, and SHA-256 attached to verification, go-live, and the return to admin oversight.
This is a navigation-only manual relay; these links maintain the workspace context but do not automatically attach the receipt or finalize rollout steps for you.
Onboarding handoff
After creating a service account, mint a first API key to unlock Playground demo runs.
Current blockers
Baseline bootstrap is not complete yet.
Service account is still missing.
API key is still missing.
Use the governance path below to keep the evidence trace connected: service accounts, API keys, and Playground runs all stay within the same navigation context.
First-run governance path
Pair the key with a workspace service account, then use `/playground` to submit the first `runs:write` request. Capture the `run_id` and reference it in `/usage` or `/verification` so the Week 8 checklist can see the trace.
When usage metrics look healthy, capture verification evidence and rehearse the go-live drill so the evidence path stays intact before you return to the admin lane.
When you need replay, cancel, approval, A2A send/cancel, or MCP calls, incrementally add the matching scopes (`runs:manage`, `approvals:write`, `a2a:write`, `mcp:call`) for the same key or rotate to a new one. Keep the scope list narrow—each permission should align with a real workflow.
Status semantics
`active` means the service account can still participate in the governed credential path. `disabled` means the identity should be treated as stopped or historical, with any surviving keys reviewed separately. Any other state should be handled as manual-review territory.
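The scope guidance and status semantics above can be checked against a key inventory. The following is an added example, not code from this console or its API: the inventory layout, the `workflows` and `revoked` fields, and the workflow-to-scope mapping (replay and cancel both mapped to `runs:manage`) are assumptions made for illustration.

```python
# Assumed mapping from workflows to key scopes, read off the scope list on this page.
WORKFLOW_SCOPE = {
    "run": "runs:write", "replay": "runs:manage", "cancel": "runs:manage",
    "approval": "approvals:write", "a2a": "a2a:write", "mcp": "mcp:call",
}

def required_scopes(workflows):
    """Smallest scope set that covers the workflows a workload really uses."""
    return {WORKFLOW_SCOPE[w] for w in workflows}

def audit_key(key, account):
    """Findings for one API key, given the service account it is bound to."""
    status = account["status"]
    if status not in ("active", "disabled"):
        return [f"status {status!r}: manual review"]
    if key["revoked"]:
        return []
    if status == "disabled":
        # Disabling the account does not revoke its keys; they are reviewed separately.
        return ["live key on disabled account: review and revoke"]
    granted, needed = set(key["scopes"]), required_scopes(account["workflows"])
    excess = [f"excess scope {s}: no declared workflow uses it" for s in sorted(granted - needed)]
    missing = [f"missing scope {s}" for s in sorted(needed - granted)]
    return excess + missing

# Constructed inventory (hypothetical names and fields, one account per workload).
ACCOUNTS = {
    "sa-demo": {"status": "active", "workflows": ["run"]},
    "sa-ops": {"status": "active", "workflows": ["run", "cancel"]},
    "sa-old": {"status": "disabled", "workflows": ["run"]},
    "sa-odd": {"status": "pending", "workflows": ["run"]},
}
KEYS = [
    {"id": "key-1", "account": "sa-demo", "scopes": ["runs:write", "mcp:call"], "revoked": False},
    {"id": "key-2", "account": "sa-ops", "scopes": ["runs:write"], "revoked": False},
    {"id": "key-3", "account": "sa-old", "scopes": ["runs:write"], "revoked": False},
    {"id": "key-4", "account": "sa-odd", "scopes": ["runs:write"], "revoked": False},
]

def audit_all():
    """Map each key id to its list of findings (empty list means nothing to fix)."""
    return {k["id"]: audit_key(k, ACCOUNTS[k["account"]]) for k in KEYS}

if __name__ == "__main__":
    for key_id, findings in audit_all().items():
        print(key_id, findings or ["ok"])
```

Because scopes live on the key and not on the account role, the audit compares each key's scope list with the workflows declared for its account and ignores the role tag entirely.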