2026-07-03 - Service Account Authentication Token Fixes¶
Release¶
AgileData.io - Solid Foundations: Service Account Authentication Now Consistent and Correct
Two related authentication bugs affecting service accounts and IAP tenancies have been resolved. Both issues were causing the wrong type of authentication token to be used when AgileData’s backend services called each other, leading to authentication failures in certain tenancy configurations.
The first fix ensures that service accounts always use OIDC tokens targeting the IAP client ID when calling protected endpoints — the correct token type for this authentication path. The second fix addresses IAP tenancies that also have a GCIP configuration: these tenancies were refreshing the wrong token type for calls to the API layer, which has been corrected.
Together these fixes stabilise the authentication chain across all tenancy configurations, particularly those that mix IAP and GCIP identity providers.
What was happening:
Service accounts were not consistently using OIDC tokens when calling IAP-protected endpoints
IAP tenancies with GCIP configuration were refreshing the wrong token type for API layer calls
What this means for you:
Service account authentication works reliably across all tenancy types
No more authentication failures for tenancies that combine IAP and GCIP identity configurations
Last Refreshed¶
Doc Refreshed: 2026-07-03