# Create a Service Client

A backend service — such as a scheduled job or ERP integration — needs to call Aritma APIs without a human user. You need to give it scoped, revocable credentials.

**Approach:** Create an OIDC client, add a secret, then grant it access via a policy.

## Prerequisites

- An access token with IAM admin permissions
- A configured tenant
- The scope URI for the resource you want the client to access

## Step 1: Create the client

Use `allowedGrantTypes: ["client_credentials"]` and an empty `redirectUris` array for service accounts.

## Step 2: Add a secret

**Save the secret:** Store the returned `value` immediately — it is only shown once and cannot be retrieved again.

## Step 3: Get the client's subject ID

Note the `subjectId` from the response — you will use it as the `subject` in the policy.

## Step 4: Grant the client permissions

Use the client's `subjectId` as the policy `subject`.

The client can now exchange its credentials for an access token and call the API within the granted scope.

## Rotate credentials without downtime

When you need to rotate the secret, add a new secret first, update your service to use it, verify it works, then delete the old one. This ensures the service is never without valid credentials during the rotation.

See [OIDC Clients](/apis/platform/iam/clients/overview#secret-rotation) for the full rotation procedure.

## Next steps

- To update the client configuration, see [OIDC Clients](/apis/platform/iam/clients/overview)
- To view what the client can access, use [Get client permissions](/apis/platform/iam/clients/overview#get-client-permissions)
- To revoke all access, delete the policy or the client
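
The rotation order from "Rotate credentials without downtime" (add, switch, verify, then delete), as an added example that is not Aritma's code. `FakeIam`, `rotate` and the `deploy` callback are hypothetical stand-ins constructed for this sketch because the real IAM endpoints are not shown on this page; the token request uses the standard OAuth 2.0 `client_credentials` form fields.

```python
from urllib.parse import urlencode, parse_qs


def token_request_body(client_id, client_secret, scope):
    # Standard OAuth 2.0 client_credentials form body (RFC 6749, section 4.4).
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})


class FakeIam:
    """Constructed stand-in for the IAM and token endpoints; not the real API."""

    def __init__(self, client_id, secrets):
        self.client_id = client_id
        self.secrets = dict(secrets)  # secret id -> secret value

    def add_secret(self, secret_id, value):
        self.secrets[secret_id] = value

    def delete_secret(self, secret_id):
        del self.secrets[secret_id]

    def token(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        ok = (form.get("grant_type") == "client_credentials"
              and form.get("client_id") == self.client_id
              and form.get("client_secret") in self.secrets.values())
        if ok:
            return 200, {"access_token": "constructed-token"}
        return 401, {"error": "invalid_client"}


def rotate(iam, client_id, scope, old_id, new_id, new_value, deploy):
    """Add the new secret, switch the service, verify, then delete the old one."""
    iam.add_secret(new_id, new_value)   # both secrets are valid from here on
    in_use = deploy(new_value)          # the secret the service actually presents
    status, _ = iam.token(token_request_body(client_id, in_use, scope))
    if status != 200:
        return False                    # old secret stays valid, so no outage
    iam.delete_secret(old_id)           # safe only after the verified token call
    return True
```

The verification gate is what makes the order safe: if the deployed service presents the wrong value, `rotate` returns `False` and the old secret keeps working.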