Service Accounts, Vercel Teams, performance improvements & more
Service accounts provide a new and improved way to access secrets programmatically, functioning like the machine equivalent of human user accounts. Service accounts improve upon service tokens by enabling access across multiple apps and environments, and integrating natively with the new access control and permissions engine.
This release represents a major update to Phase's architecture, bringing significant changes across our entire platform including the CLI, Python and Golang SDKs, Kubernetes Operator, Terraform provider, Secrets REST API and more. The engineering team spent several months planning, developing, and testing these changes to ensure a seamless transition for existing users while enabling powerful new programmatic access patterns.
Beyond service tokens
Until now, programmatic access to secrets in Phase has been primarily through service tokens. While these worked for basic use cases, they had significant limitations:
- Permissions couldn't be restricted (all tokens had full read/write access)
- Access was limited to a single app
- Access could not be modified after creation
- No support for path-based restrictions
- Limited integration with external authentication systems
Service accounts solve these limitations by handling programmatic access in the same way as human users - with proper identity, cryptography, and role-based access control.
How service accounts work
Each service account gets its own dedicated cryptographic key pair, just like human users. This allows for fully-functional end-to-end encryption while accessing secrets programmatically. Service accounts can be:
- Assigned specific roles with granular permissions
- Given access to multiple apps and environments
- Restricted to specific paths or folders (coming soon)
- Used with various authentication methods
Create a new Service Account
To create a new Service Account:
- Navigate to Access Control from the sidebar and click on the Service Accounts tab
- Click the Create Service Account button
- Give your service account a name and choose a role
You can also select a different managed role or a custom role from the dropdown menu.
Please see the Service Accounts docs for more complete instructions.
Using service accounts
Service accounts can be used with the Phase API, SDK, or CLI. Here's a quick example using the API:
curl -G https://api.phase.dev/v1/secrets \
-H "Authorization: Bearer ServiceAccount {token}" \
-d app_id=72b9ddd5-8fce-49ab-89d9-c431d53a9552 \
-d env=development
Managing service accounts
You can view and manage all service accounts from the Access page, and click a specific account to manage its assigned role and permissions, app/environment access, tokens, and more.
Check out the Service Accounts docs for complete documentation.
What's next
Service accounts lay the groundwork for more advanced authentication and access control features that we'll be shipping soon:
- IP-based access restrictions for IPv4 and IPv6 addresses and ranges
- Third-party authentication (AWS IAM, Kubernetes ServiceAccounts)
- Path-based access control to secrets within a given environment
Other platform improvements
- Added dual stack (IPv4/IPv6) networking support for
frontendandbackendapplication servers, important for services like Railway that only support routing IPv6 traffic over a private network. PR 395 - Updated sidebar UI with collapsible navigation. PR 389
- Significant performance improvements:
-
Enhanced CLI authentication:
- Improved error handling with step-by-step guidance
- Added dedicated flows for Phase Cloud and self-hosted deployments
- Implemented copyable fields for quick authentication PR 404
-
Bug fixes:
Service accounts are live on Phase Cloud and available in Phase Console v2.34.0 for self-hosted users.
Reach out on Slack or GitHub for any questions or feedback on this release!