Version: 6.3.3

Manage Service Users

This guide shows Administrators how to create, list, and delete service users in Cortex Fabric using the CLI.

Service users are non-human system access accounts that allow for programmatic access through a system-owned personal access token (PAT). Service users are recommended for automated access across teams.


Prerequisites

  • Cortex Fabric CLI is installed
  • Administrator role in the Cortex Fabric system

Create Service User

  1. In the CLI enter:

    cortex users create <user-name>

    For example:

    cortex users create agentInvoker

    Response:

    {
      "success": true,
      "config": {
        "jwk": {
          "crv": "xxxx",
          "x": "xxxx",
          "d": "xxxx",
          "kty": "xxx",
          "kid": "xxxx"
        },
        "issuer": "",
        "audience": "cortex",
        "username": "xxxx",
        "url": ""
      },
      "token": "xxxx"
    }

    The config property of the response contains the Personal Access Token assigned to authenticate the service user so it can create JWT tokens for system access.

    The token property contains a currently valid JWT token for this user.

  2. Save the PAT returned when you create the user. This is the value that is needed to generate JWT tokens.

  3. You can use the token from the response immediately to call API methods directly by entering the JWT in the Authorization header of the API request.

    To authenticate to the CLI as the service user, run cortex configure and provide the PAT (the config property of the response, that is, the object in {}) when prompted.

  4. Service users are created without roles/grants. By default, a service user has access to API methods, so assigning roles/grants is optional.

    Use the instruction found here if you want to manage grants for this user.
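
Step 2, as an added example (not Cortex Fabric's own code): a Python helper that writes the config property of the create response to a file only its owner can access, and returns a copy of the response with the private key component d and the token masked so it can be logged. The sample response is constructed with placeholder values, and the function names and file path are assumptions.

```python
import json
import os
import tempfile

# Constructed sample of a `cortex users create` response; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "config": {
        "jwk": {"crv": "xxxx", "x": "xxxx", "d": "constructed-private-value",
                "kty": "xxx", "kid": "xxxx"},
        "issuer": "", "audience": "cortex", "username": "agentInvoker", "url": "",
    },
    "token": "constructed-jwt-value",
})

# Fields that must never reach logs: the JWK private component and the bearer JWT.
SECRET_FIELDS = {"d", "token"}


def redact(obj):
    """Return a copy of the parsed response with secret fields masked."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redact(v)
                for k, v in obj.items()}
    return obj


def save_pat(response_text, path):
    """Write the config property (the PAT) to `path`; return a log-safe copy."""
    resp = json.loads(response_text)
    if resp.get("success") is not True:
        raise ValueError("service user creation did not succeed")
    pat = resp["config"]
    if not pat.get("jwk", {}).get("d"):
        raise ValueError("config has no private key component, nothing to save")
    # O_EXCL refuses to overwrite an existing file or write through a symlink
    # placed at `path`; mode 0o600 applies from creation, so the key is never
    # briefly readable by group or others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(pat, fh)
    return redact(resp)


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "agentInvoker-pat.json")  # assumed path
    print(json.dumps(save_pat(SAMPLE_RESPONSE, target), indent=2))
    print("PAT written to", target, oct(os.stat(target).st_mode & 0o777))
```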

List Service Users

To get a list of the service users that have been created by team admins, run the following:

cortex users list


"success": true,
"users": [

Delete Service Users

To delete a service user and invalidate all existing tokens created by this service user in Fabric, run:

cortex users delete agentInvoke


{
  "success": true,
  "message": "agentInvoke deactivated"
}

When the user is deleted, any assigned roles and grants are persisted and are enforced if a user with the same name is recreated.

If you are working as a system user and another admin deletes the user, you will no longer be able to make requests into the system.