API user account management in Zuora

This document outlines the management of API user or service accounts in Zuora, detailing their setup, migration to OneID, and authentication methods. It emphasizes API user accounts and OAuth token configurations.

API User Account Types in Zuora Billing

This section categorizes the various types of API user accounts in Zuora Billing. It outlines their platform permissions and migration compatibility, providing clarity on which accounts can be migrated to OneID.

| API User Account Type | Platform Permissions | Migration Compatibility |
| --- | --- | --- |
| API user accounts with OAuth client credentials | API write access & UI access both checked | No impact. These API user accounts can be migrated to OneID and centrally managed there. Existing OAuth tokens will remain functional, and you can also generate new OAuth tokens after the migration to OneID. After migration, these user accounts can access the Billing tenants exclusively through OneID. |
| API user accounts with OAuth client credentials | API write access checked & UI access unchecked | Not compatible. Zuora recommends this API user configuration, and OneID restricts the migration. These API accounts will continue to function indefinitely and can still be managed at the local tenant level. |
| API user accounts with basic auth credentials | API write access & UI access both checked | Not compatible. Do not migrate these accounts, as basic auth expires post-migration after the grace period. |
| API user accounts with basic auth credentials | API write access checked & UI access unchecked | Not compatible. Zuora recommends this API user configuration, and OneID restricts the migration. These API accounts will continue to function indefinitely and can still be managed at the local tenant level. |

  • Migrating API user accounts from your Zuora Revenue tenant to OneID will have no impact. These accounts will continue to function regardless of whether they are migrated to Zuora OneID.
  • Ensure API write access is enabled and UI access is disabled for all your API or service accounts.

API User Account Management

This section details the processes involved in managing API user accounts within Zuora. It includes guidance on creating new API users, generating OAuth client credentials, and resetting passwords for these accounts.

  • Creating new API users in Billing: After fully transitioning to Zuora OneID, you can still create new API accounts at the local tenant level. The only type of user accounts you can create in Billing will be API user accounts. You can assign only platform roles configured for API users, with API write access enabled and no UI access.
  • Creating new OAuth client credentials: Generate OAuth tokens for new or existing users under the billing tenant. OAuth tokens are valid indefinitely and can be regenerated as needed without impact.
  • Resetting password for API accounts: You can reset the password for API user accounts managed at the local tenant level. The password reset page lets you set a new password on a regular schedule to meet the compliance requirements that apply to your API accounts.
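The OAuth client credentials described above are used with the OAuth 2.0 client-credentials grant against the Zuora REST endpoint POST /oauth/token (form-encoded client_id, client_secret and grant_type=client_credentials), which returns a bearer access token with an expires_in value. The following Python client is an added example, not code from Zuora or from this page: it mints and caches a bearer token from the long-lived client credentials, refreshes it shortly before expiry, and refuses to fall back to HTTP Basic credentials, which stop working for migrated accounts. The base URL, client_id and client_secret are placeholders, and the demo_offline function talks to a constructed in-memory token endpoint so the block runs without network access.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders: your tenant's REST host (the sandbox host differs) and the
# OAuth client credentials generated for the API user in Billing.
BASE_URL = "https://rest.zuora.com"           # placeholder
CLIENT_ID = "REPLACE_WITH_CLIENT_ID"          # placeholder
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"  # placeholder

REFRESH_SKEW_SECONDS = 60  # refresh this long before the access token expires


def urllib_transport(method, url, headers, body):
    """Minimal HTTP transport: returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


class ZuoraOAuthClient:
    """Obtains bearer access tokens with the OAuth 2.0 client-credentials grant.

    The client_id/client_secret pair is the long-lived credential; each access
    token minted from it carries an expires_in and is cached only until then.
    """

    def __init__(self, base_url, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport   # injectable so the flow can be tested offline
        self.clock = clock           # injectable so expiry can be simulated
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0      # how many times /oauth/token was called

    def _request_token(self):
        form = urllib.parse.urlencode({
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "client_credentials",
        }).encode("ascii")
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, payload = self.transport("POST", self.base_url + "/oauth/token", headers, form)
        self.token_requests += 1
        if status != 200 or "access_token" not in payload:
            raise RuntimeError(f"token request failed: HTTP {status} {payload}")
        self._token = payload["access_token"]
        self._expires_at = self.clock() + float(payload.get("expires_in", 0))

    def access_token(self):
        """Return a cached token, minting a new one when missing or near expiry."""
        if self._token is None or self.clock() >= self._expires_at - REFRESH_SKEW_SECONDS:
            self._request_token()
        return self._token

    def auth_headers(self):
        """Headers to attach to every subsequent REST call."""
        return {"Authorization": "Bearer " + self.access_token(), "Accept": "application/json"}


def reject_basic_auth(headers):
    """Guard: raise if a caller still tries to send HTTP Basic credentials."""
    value = headers.get("Authorization", "")
    if value.lower().startswith("basic "):
        raise ValueError("HTTP Basic credentials are not accepted; use an OAuth bearer token")
    return True


def demo_offline():
    """Exercise the client against a constructed in-memory token endpoint."""
    seen = []

    def fake_transport(method, url, headers, body):
        # Constructed response in the shape of a client-credentials token reply.
        seen.append((method, url, headers, urllib.parse.parse_qs(body.decode("ascii"))))
        return 200, {"access_token": "tok-" + str(len(seen)), "token_type": "bearer",
                     "expires_in": 3599}

    now = [1_000_000.0]
    client = ZuoraOAuthClient(BASE_URL, CLIENT_ID, CLIENT_SECRET,
                              transport=fake_transport, clock=lambda: now[0])
    first = client.auth_headers()["Authorization"]
    second = client.auth_headers()["Authorization"]  # served from cache, no new request
    now[0] += 3599 - 30                              # now inside the refresh skew window
    third = client.auth_headers()["Authorization"]   # refreshed with a new token
    return {"first": first, "second": second, "third": third,
            "requests": client.token_requests, "form": seen[0][3], "url": seen[0][1]}


if __name__ == "__main__":
    print(demo_offline())
```

To use it against a real tenant, construct ZuoraOAuthClient with the default transport and call auth_headers() before each REST request; the client secret never leaves the token request, and rotating the client credentials in Billing only requires restarting the process with the new pair.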

Creating API User Roles in OneID

This section outlines the steps needed to create roles with API write access, ensuring proper access controls.

  1. Define Zuora Platform roles in the billing system.
  2. Go to Administration > Manage User Roles.
  3. Create a role under Platform with API Write Access (ensure UI Access is unchecked).
  4. Save the role and verify its availability under Administration > Manage Users in the Zuora Platform Role dropdown.

Important Considerations

  • Access management: After migration, all configurations for API/service accounts migrated to OneID must be managed exclusively through OneID. For accounts that are not migrated, access can still be managed at the local tenant level.
  • Accidental migration of Basic Auth users: If these users are mistakenly migrated, credentials will become invalid.
  • OAuth token management: OAuth tokens can be renewed and managed in Billing without impacting active operations. Always verify the setup to ensure it remains functional.