Salesforce

Manage OAuth service accounts in Tango

Printable View
« Go Back

Information

 
Answer

 

Note:
As of May 14, 2025, all new client credentials require service accounts to enhance security and ensure uninterrupted service. For client credentials established prior to this date, we highly recommend transitioning to service accounts by November 14, 2025.

 

To create an authorization token for OAuth and verify your system’s identity, you’re required to have service account username and password besides client ID and client secret (OAuth client credentials). To generate OAuth client credentials, see Manage OAuth 2.0 client credentials in Tango.

Once you acquire a token, call the Tango API to establish the API connection. With OAuth 2.0, you can rotate your service account with no downtime. See our API document to learn how you can Secure your connection with OAuth 2.0.

 

Note:
  • OAuth credentials must be enabled for the first time. Contact your Tango representative to enable OAuth credentials for your Tango portal. See the steps in Get started with Tango API.
  • You’re expected to manage your client credentials and service accounts.
  • We recommend you to rotate your client credentials once a year. Client credentials never expire.
  • The OAuth tokens are generated from OAuth credentials and expire in 24 hours (86400 seconds). Fetch a new token at least once every 24 hours to authenticate API calls. New tokens can be generated using the same client credentials and service accounts or the updated credentials. See how you can acquire a Tango access token.

Permissions

In order to access service account, you must have manage permissions for Tango API keys enabled for your user under the Integrations permissions. If you’re not an admin, contact your Tango portal admin to give you permission. Learn how to Set user permissions and access level.

 

Tango API Keys Permissions

View OAuth service accounts

You can view your OAuth service account username in the Tango portal for your API integration. Service account password is only visible at the time of creation.

Make sure to use the right production or sandbox environment when connecting to the Tango API. Tango allows API developers to test using a sandbox environment before integrating the production platform. See Set up work environment for Tango API.

To view your service account username in Tango:

  1. Sign in to Tango portal.
  2. Click Team-settings Team settings > API credentials.
  3. Click an existing OAuth service account to see your username and display name. Password is only visible at the time of creation.

    Note:

    Password is ONLY shown at the time of creation. Create a new service account and delete this one if you no longer have access to the password.



  4. Copy the username by clicking Copy Copy .
  5. To view the history of service account, go to the API credentials > Credential history tab.
  6. Select Service Account from the drop-down menu. You can narrow down your search by entering the credential name.
  7. Find the following information in the Credential history tab under service account:

    Item

    Description

    Action

    Indicates whether the credential has been created, viewed, updated, or deactivated.

    Credential name

    Indicates the display name for your service account.

    Date

    Indicates the date and time the service account has been created

    User’s name

    Indicates the Tango portal user’s name who has created this service account

    User’s email

    Indicates the Tango portal user’s email address who created this service account

    Client ID/API key

    Shows the client ID

    Credential type

    Shows the type of credentials such as service account



  8. Click Edit Columns  to show or hide the table columns.

Generate new OAuth service accounts

OAuth service account adds additional security layer in Tango API. There’s no limit in the number of service account usernames and passwords you can create. See how to Generate OAuth 2.0 client credentials in Tango.

 

Note:
Your service account password is only visible at the time of creation. We recommend you to save the password upon creation. You cannot recover this password again.


To generate a new OAuth service account:

  1. Sign in to Tango portal.
  2. Click Team-settings Team settings > API credentials on the left menu.
  3. Click OAuth Service Accounts > Create service account. There's no limit to the number of service accounts you can create.

    Create service account 
     
  4. Copy Copy the Username and Password. Password is visible at the time of creation. Paste the values directly into your API code, or save it somewhere secure for later use. You will not be able to access this password again.
  5. (Optional) Enter a Display name to help identify your service account later.
  6. Click Save display name.
    New service account is generated and immediately accessible for use.
  7. Go to the Credential history tab and select Service Account in the list to discover details regarding creation, update, or views, and more.
    Use the service account along with OAuth client credentials to acquire a new token.

 

Best practices:
Tango API token can be refreshed at most once a day. We recommend you to save the token and utilize it until expires in 24 hours. Fetch a new token at least once every 24 hours to authenticate API calls. See how you can acquire a Tango access token.

Delete OAuth service accounts

When you delete a service account, the client credentials are still valid but will no longer generate tokens.

 

Best practices:
Create a new service account and a new token using valid and existing service account. Then update your token and API call with the new service account credentials before deleting the old service account. Make sure the new tokens are generated and working before deleting the old service account. It can be done whether or not you cycle your client credentials.

 

Deleting service account cannot be reversed. You can delete an OAuth service account for several reasons:

  • A security best practice
  • To prevent harm— you think your API has been compromised
  • To stay cautious—when people with access leave the company

 

To delete an OAuth Service account:

  1. Sign in to Tango portal.
  2. Click Team-settings Team settings > API credentials.
  3. Click OAuth Service Account box you are going to delete.
  4. Click Delete service account.
    A warning says that passwords are only shown at the time of creation. Create a new service account and delete this one if you no longer have access to the password.
  5. Click Delete service account to confirm. A record of deactivated service accounts can be seen under the Credential history page.

What’s next?

With four pieces of information—the client ID, client secret (OAuth client credentials), service account username, and service account password, you are ready to acquire an API token. See how to Acquire service account token.

More resources

TitleManage OAuth service accounts in Tango
URL Namemanage-new-OAuth-service-accounts-in-Tango
Powered by