# general
faint-waitress-95602:
Looking at the docs it is unclear if there is a self-service way to enable a service account to self-register and be subject to manual approval/activation? My use-case is building machine images where I would like to be able to point the image at Ory and say "register for a service account", then an Administrator can $later_time approve or decline the join. Ideally I would like to distribute the machine images without any hard-coded API credentials, and of course avoid the "chicken and egg" problem of the machine having to obtain pre-registration credentials over the network and therefore how to authenticate itself against the pre-registration credential data source. Hope this makes sense?
magnificent-energy-493:
Hey @faint-waitress-95602 It does depend a little bit on the details, but here are some ideas
1. Self-Registration: You can allow service accounts to self-register using Ory's self-service registration flow. This flow supports both browser-based and API-based clients.
2. Manual Approval: Ory does not directly support manual approval of accounts. However, you can implement this feature by adding a custom field to your identity schema, such as `is_approved`. You can set this field to `false` by default when a service account registers.
3. Activation: Once an administrator approves the account (by setting `is_approved` to `true`), you can use Ory's account activation feature to activate the account. This feature is part of Ory's email verification flow, but you can use it for account activation as well.
4. Access Control: You can use Ory's access control features to restrict access based on the `is_approved` field. For example, you can deny access to service accounts where `is_approved` is `false`.
Or you implement a more complex AuthZ with Ory Permissions/Ory Keto
faint-waitress-95602:
Super, lots of stuff to test out!
@magnificent-energy-493 is this the correct API for service accounts? `curl -s -X GET -H "Accept: application/json" https://playground.projects.oryapis.com/self-service/registration/api` Looking at the returned fields it is asking for email and password, neither of which is applicable to service accounts?
Further searching suggests there is no concept of a service account in Ory? https://github.com/ory/kratos/discussions/2452
magnificent-energy-493:
Hm maybe I misunderstood @faint-waitress-95602 What does a service account mean in your context? For machine-2-machine interactions we recommend the client credentials flow: https://www.ory.sh/docs/getting-started/ory-network-oauth2#client-credentials-grant
faint-waitress-95602:
Hi @magnificent-energy-493, as in anything "M2M", so it could be a container instance, a VM, a random bash script. Basically anything that needs to interact in a client/server type relationship with a server (daemon service).