Flow Access

Flow access controls how requests are authenticated when invoking flows deployed in Heartbeat. Authentication credentials are created as service accounts. You can manage service accounts in the Connect Console or as Kubernetes objects.

After creating a service account, you must grant it permission to access specific flows. This authorization step ensures that only approved service accounts can invoke the corresponding flow endpoints.

Create a Service Account

To create a service account in Connect Console:

Select Security from the left navigation menu.
Click Create Service Account in the top-right corner.
Enter a Name, select the Credential type, and click Create.

The form to create a service account includes fields for the account name and credential type.

After you create a service account, you can view it on the Service Accounts tab in the Connect Console.

Credential Types

When you create a service account, choose one of the following credential types:

Type Description

Type	Description
API key	A single, auto-generated string. Set it as the value of the HTTP header named `apiKey`. For example: header name — `apiKey`, header value — `HzjQL6Z9VyszduJOPbE8`.
Basic authentication	A username and password pair, where the username is the service account name and the password is auto-generated. Use the pair in the HTTP authorization header as a Base64-encoded string. For example: header name — `Authorization`, header value — `Basic dXNlcm5hbWU6cGFzc3dvcmQ=`, where `dXNlcm5hbWU6cGFzc3dvcmQ=` is the Base64-encoded value of `username:password`.
mTLS	Certificate-based authentication. The server authenticates the client using the certificates provided during the TLS handshake. See mTLS for more information.
OIDC	JSONiq claims match script authentication. See OIDC for more information.
Poller user	No credentials, because authentication is handled by the server. Use this option for flows that do not have a public API endpoint, such as file pollers.

API key

A single, auto-generated string. Set it as the value of the HTTP header named apiKey. For example: header name — apiKey, header value — HzjQL6Z9VyszduJOPbE8.

Basic authentication

A username and password pair, where the username is the service account name and the password is auto-generated. Use the pair in the HTTP authorization header as a Base64-encoded string.
For example: header name — Authorization, header value — Basic dXNlcm5hbWU6cGFzc3dvcmQ=, where dXNlcm5hbWU6cGFzc3dvcmQ= is the Base64-encoded value of username:password.

mTLS

Certificate-based authentication. The server authenticates the client using the certificates provided during the TLS handshake. See mTLS for more information.

OIDC

JSONiq claims match script authentication. See OIDC for more information.

Poller user

No credentials, because authentication is handled by the server. Use this option for flows that do not have a public API endpoint, such as file pollers.

For basic authentication and API keys, you can access the auto-generated string only once. Make sure to copy it or select the save button () to download the string as a text file.

If you misplace a service account’s credentials, you can generate new ones. Select the service account name, then select Reset Credential.

After you select the Create button, the service account is created immediately.

Connect Service Accounts can also be managed as Kubernetes Objects.

Grant Access to Flows

During service account creation, you are prompted to select which flows the account can access.

Alternatively, navigate to an individual flow and select the Flow access tab to review the service accounts that can access the flow and add new ones by clicking Add Flow Access.

The Flow Access tab displays a list of service accounts with an Add Flow Access button underneath.

After you add a service account to a flow with REST endpoints, you can make HTTP requests using the account’s credentials or add the credentials to the flow’s Documentation page to test the flow in the Connect Console.

Was this page helpful?