Overview

A Service Account enables a third-party partner to access Apple Business API without a user authenticating on their behalf ("two-legged OAuth"). The partner presents their credentials directly to obtain an access token using the client_credentials grant type.

Note: Use a Service Account for automated, server-to-server integrations where no user interaction is required. To access the API on behalf of a specific user or organization, use an OAuth App instead.

The partner's platform uses the access token to access Apple Business API for sixty (60) minutes. When the token expires, the partner requests a new access token using the same client_credentials grant type. Unlike the OAuth App flow, the client_credentials grant type does not issue a refresh token.
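The flow above, as an added example written for this page rather than code from Apple: a small token manager that obtains an access token with the client_credentials grant, caches it, and simply requests a new one shortly before the sixty-minute lifetime ends, since this grant issues no refresh token. The token endpoint URL, the response field names (access_token, expires_in), the use of HTTP Basic for the client credentials, and the environment variable names are assumptions, not taken from the page; substitute the values from the Apple Business API documentation.

```python
"""Added example (not Apple's code): a minimal client_credentials token
manager for a server-to-server Service Account integration.

Assumptions (not from the page):
  - TOKEN_URL is a placeholder; use the token endpoint from Apple's docs.
  - The endpoint returns JSON with "access_token" and "expires_in" (seconds).
  - Client credentials are sent as an HTTP Basic Authorization header.
  - Credentials are read from environment variables, never hard-coded.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth2/token"  # placeholder
REFRESH_MARGIN_SECONDS = 120  # request a new token shortly before expiry


def build_token_request(client_id: str, client_secret: str) -> dict:
    """Build the two-legged OAuth request: credentials in the Authorization
    header, grant type in the form body, no user authorization step."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode({"grant_type": "client_credentials"}),
    }


def http_post(req: dict) -> dict:
    """Default transport using urllib; a stub transport replaces it in tests."""
    request = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method="POST"
    )
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.loads(resp.read().decode())


class ServiceAccountTokenManager:
    """Caches the access token and re-requests it when it is about to expire.

    Because the client_credentials grant issues no refresh token, renewal
    is another token request with the same client_id and client_secret.
    """

    def __init__(self, client_id, client_secret, transport=http_post, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.request_count = 0  # how many times a token was requested

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            resp = self._transport(build_token_request(self._client_id, self._client_secret))
            self._token = resp["access_token"]
            # Trust the lifetime the server reports (the page states sixty minutes).
            self._expires_at = now + float(resp["expires_in"])
            self.request_count += 1
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to each Apple Business API call."""
        return {"Authorization": f"Bearer {self.get_token()}"}


def from_environment(transport=http_post) -> ServiceAccountTokenManager:
    """Load the credentials from the environment rather than from source code
    (variable names are assumed for this example)."""
    return ServiceAccountTokenManager(
        os.environ["APPLE_BUSINESS_CLIENT_ID"],
        os.environ["APPLE_BUSINESS_CLIENT_SECRET"],
        transport=transport,
    )
```

The transport and clock are injectable so the renewal logic can be exercised without network access; in production the defaults (urllib and the system clock) are used and the secret never appears in logs or source.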

Illustration

Permissions

Service Account permissions are binary and set at account creation time. Unlike the OAuth App flow, there is no per-feature or per-brand access selection.

Permission Level | Description
Read + Write     | Read and write access across all APIs the partner is approved for
Read Only        | Read-only access across all APIs the partner is approved for

The permission level applies uniformly to all resources — it cannot be scoped to specific brands or features after account creation. To change the permission level, remove the Service Account and create a new one.

Availability

  • Only a partner with approved API access may create a Service Account.
  • Only an Organization Administrator or Marketing Administrator may create a Service Account.

Dependencies

The Request Token flow depends upon registration of a Service Account in Apple Business.

Register a Service Account in Apple Business

For instructions on creating a Service Account and obtaining a client_id and client_secret, refer to Brands API access in the Apple Business User Guide.

Recommendations

  • Immediately encrypt the client_secret or store it as a hashed version, not as plain text.
  • Restrict access to the client_secret.
  • If the security of the client_secret is compromised, immediately generate a new one.