Use a Pendo service account when you need to connect an AI agent, script, or other automated integration to the Pendo MCP server without a person signing in. Service accounts use the OAuth client credentials grant, which lets your application authenticate using a client ID and client secret.
Use cases
Use a service account when:
- You're building an AI agent or integration that runs in the background without a logged-in user.
- You want to query Pendo data from a server-side application or scheduled job.
- You're connecting to the Pendo MCP server from an AI tool that supports OAuth client credentials, such as the Claude API or Claude Code.
If you're connecting an interactive AI client like Claude or Cursor, use OAuth instead. For more information, see Connect to the Pendo MCP server.
Each service account is scoped to a single Pendo subscription and the applications within it. To work with multiple subscriptions, create a separate service account in each one. Service account access also respects Pendo's regional isolation—for example, a service account created in a US subscription can't query EU data, even if the same admin uses subscriptions in both regions.
A service account credential grants programmatic access to all Pendo data the service account can see. Don't use a service account in systems where end users can submit queries through the credential, such as visitor-facing agents or public-facing applications.
Note: Service account authentication currently works only with the Pendo MCP server. You can't use a service account token against other Pendo APIs at this time.
Prerequisites
Before you create a service account, you must have:
- The Pendo API package included in your subscription. Service accounts aren't available without it.
- Subscription admin permissions to create and manage service accounts.
- The Pendo MCP server turned on. If it's not already, a subscription admin must go to Settings > Subscription settings > AI access and turn on Pendo MCP server (read-only tools).
Step 1. Create a service account
Service accounts are managed in your Pendo integration settings. Each subscription supports up to 25 service accounts.
- Go to Settings > Integrations, then open the Service accounts tab.
- Select + Create service account.
- Enter a name and description for the service account.
- Select the applications you want the service account to have access to.
- Select Create.
- Copy the Client ID and Client secret. Store them somewhere secure. You won't be able to view the client secret again after closing this window.
Important: Save the client secret immediately. Pendo can't show you the secret again after you close this window, so if you lose it, you'll need to rotate the secret to generate a new one.
Step 2. Request an access token
Use the OAuth client credentials grant to exchange your client ID and client secret for a bearer token. Tokens are valid for 24 hours and don't include refresh tokens. Request a new token when the current one expires.
Use the OAuth token endpoint that matches your Pendo region. The hostname follows the same regional pattern as the MCP server URL.
| Region | OAuth token endpoint |
|---|---|
| US | https://app.pendo.io/api/oauth/v1/token |
| US1 | https://us1.app.pendo.io/api/oauth/v1/token |
| EU | https://app.eu.pendo.io/api/oauth/v1/token |
| Japan | https://app.jpn.pendo.io/api/oauth/v1/token |
| Australia | https://app.au.pendo.io/api/oauth/v1/token |
Send a POST request with these parameters in the body, encoded as application/x-www-form-urlencoded:
- grant_type=client_credentials
- client_id (your service account's client ID)
- client_secret (your service account's client secret)
- scope=read:me
Example request:
curl -X POST https://app.pendo.io/api/oauth/v1/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=read:me"
The response includes an access_token, the token type (Bearer), and the expiration time in seconds.
Step 3. Connect to the Pendo MCP server
Pass the access token in the Authorization header when your AI client calls the Pendo MCP server:
Authorization: Bearer YOUR_ACCESS_TOKEN
The exact configuration depends on your AI client. Refer to your AI tool's documentation for instructions on adding a custom MCP server with bearer token authentication or injecting custom OAuth credentials into MCP requests.
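The following is an added example, not Pendo's own code, that carries out Steps 2 and 3 from a script: it builds the form-encoded token request for a region, caches the token, and requests a new one shortly before the 24-hour lifetime ends. The function and class names and the PENDO_* environment variable names are hypothetical, and the expiration field is assumed to use the standard OAuth name expires_in, which this page does not spell out.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINTS = {  # regional token endpoints, copied from the table above
    "US": "https://app.pendo.io/api/oauth/v1/token",
    "US1": "https://us1.app.pendo.io/api/oauth/v1/token",
    "EU": "https://app.eu.pendo.io/api/oauth/v1/token",
    "Japan": "https://app.jpn.pendo.io/api/oauth/v1/token",
    "Australia": "https://app.au.pendo.io/api/oauth/v1/token",
}

def build_token_request(region, client_id, client_secret):
    """Build the form-encoded POST for the client credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "read:me",
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINTS[region], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(region, client_id, client_secret):
    req = build_token_request(region, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuse one token until shortly before expiry; there are no refresh tokens."""
    def __init__(self, fetch, skew=300, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0
    def auth_header(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._fetch()
            # Assumption: lifetime arrives in the standard OAuth "expires_in" field.
            self._expires_at = self._clock() + int(resp["expires_in"])
            self._token = resp["access_token"]
        return {"Authorization": "Bearer " + self._token}

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keep the secret out of source
    cache = TokenCache(lambda: fetch_token(
        env.get("PENDO_REGION", "US"), env["PENDO_CLIENT_ID"], env["PENDO_CLIENT_SECRET"]))
    print(list(cache.auth_header()))  # prints the header name only, not the token
```

Because rotation invalidates the previous secret immediately, a long-running job should re-read the secret from its store when a token request fails rather than keep the old value in memory.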
Rotate or delete a service account
You can rotate a service account's secret to generate a new client secret without changing the client ID, or delete the service account entirely.
Rotate a service account secret
Rotate a secret when you suspect it's been exposed or as part of regular credential hygiene. Rotation generates a new client secret while preserving the client ID, so you can update integrations without recreating the service account.
- Go to Settings > Integrations > Service accounts.
- Find the service account in the table and select Rotate secret.
- Copy the new client secret and update your integrations.
Note: When you rotate a secret, the previous secret becomes invalid immediately.
Delete a service account
Deleting a service account permanently revokes its credentials. Any integrations using the account will stop working.
- Go to Settings > Integrations > Service accounts.
- Find the service account in the table and select the delete icon.
- Confirm the deletion.
Troubleshooting
If something goes wrong, use these checks to troubleshoot your service account configuration.
Token request returns an authentication error
Verify that:
- The client ID and client secret match the values you copied when you created the service account.
- The request body is encoded as application/x-www-form-urlencoded.
- You're using the correct regional token endpoint.
- The service account hasn't been deleted.
MCP request returns an authorization error
Check that:
- The token hasn't expired. Request a new token if more than 24 hours have passed.
- The Authorization header includes the Bearer prefix.
- The service account has the application roles needed to access the data you're querying.