Flow Access

Flow access controls how requests are authenticated when invoking flows deployed in Heartbeat. Authentication credentials can be created as service accounts. The service accounts can be managed in Utilihive Console or as Kubernetes objects.

After creating a service account, you must grant it permission to access specific flows. This authorization step ensures that only approved service accounts can invoke the corresponding flow endpoints.

Create a Service Account

To create a service account:

Navigate to your Utilihive Console.
Select Security from the left navigation menu.
Click Create Service Account in the top-right corner.
Enter a Name, select the Credential type, and click Create.

You have created a service account in Connect. You can view the newly created service account from the Service Accounts tab in your Connect Console.

Credential Types

When you create a service account, the credential type can be one of the following:

Type Description

Type	Description
API key	A single, auto-generated string. Set as the value of the HTTP header named `apiKey`. For example: header name — `apiKey`, header value — `HzjQL6Z9VyszduJOPbE8`.
Basic authentication	A username/password pair, where the username is the service account name and the password is auto-generated. Used in the HTTP authorization header as a Base64-encoded string. For example: header name — `Authorization`, header value — `Basic dXNlcm5hbWU6cGFzc3dvcmQ=`, where `dXNlcm5hbWU6cGFzc3dvcmQ=` is the Base64-encoded value of `username:password`.
mTLS	Certificate-based authentication. Server authenticates the client using the certificates provided by the client during the TLS handshake. See mTLS for more information.
OIDC	JSONiq claims match script authentication. See OIDC for more information.
Poller user	No credentials, because authentication is handled by the server. Used for flows that don’t have a public API endpoint. For example: file pollers.

API key

A single, auto-generated string. Set as the value of the HTTP header named apiKey. For example: header name — apiKey, header value — HzjQL6Z9VyszduJOPbE8.

Basic authentication

A username/password pair, where the username is the service account name and the password is auto-generated. Used in the HTTP authorization header as a Base64-encoded string.
For example: header name — Authorization, header value — Basic dXNlcm5hbWU6cGFzc3dvcmQ=, where dXNlcm5hbWU6cGFzc3dvcmQ= is the Base64-encoded value of username:password.

mTLS

Certificate-based authentication. Server authenticates the client using the certificates provided by the client during the TLS handshake. See mTLS for more information.

OIDC

JSONiq claims match script authentication. See OIDC for more information.

Poller user

No credentials, because authentication is handled by the server. Used for flows that don’t have a public API endpoint. For example: file pollers.

For basic authentication and API keys, you will only have access to the auto-generated string once. Make sure to copy it or select the save button () to download the string as a text file.

If you misplace a service account’s credentials, you can generate new ones. Select the service account name, then select Reset Credential.

After you select the Create button, the service account is created immediately.

Connect Service Accounts can also be managed as Kubernetes Objects.

Grant Access to Flows

During service account creation, you are prompted to select which flows the account can access.

Alternatively, navigate to an individual flow and select the Flow access tab to review the service accounts that can access the flow and add new ones by clicking Add Flow Access.

The Flow Access tab displays a list of service accounts with an Add Flow Access button underneath.

Once you add a service account to a flow with REST endpoints, you can make HTTP requests using the account’s credentials or add the credentials to the flow’s Documentation page to test the flows in the Connect Console.

Was this page helpful?