|
| 1 | +--- |
| 2 | +title: Asana Service Accounts & Personal Access Tokens |
| 3 | +description: Connect Asana to Sim with a service account token or a personal access token from a dedicated bot account |
| 4 | +--- |
| 5 | + |
| 6 | +import { Callout } from 'fumadocs-ui/components/callout' |
| 7 | +import { Step, Steps } from 'fumadocs-ui/components/steps' |
| 8 | +import { Image } from '@/components/ui/image' |
| 9 | +import { FAQ } from '@/components/ui/faq' |
| 10 | + |
| 11 | +Asana service accounts let your workflows authenticate as a non-human bot identity instead of a person's account. The service account has its own name and its own token, managed centrally by a super admin — no one person's OAuth consent to expire, and access can be revoked without touching anyone's personal account. |
| 12 | + |
| 13 | +There are two ways to get a token, and both work in Sim: |
| 14 | + |
| 15 | +- **Service account token** (recommended for teams) — available on Asana **Enterprise** and **Enterprise+** plans, created by a super admin in the Admin Console. |
| 16 | +- **Personal access token (PAT)** — available on any plan, created from any user account. For production workflows, create it from a dedicated bot account rather than a personal one. |
| 17 | + |
| 18 | +Both token types use the same format and paste into the same field in Sim. |
| 19 | + |
| 20 | +## Option A: Service Account Token (Enterprise / Enterprise+) |
| 21 | + |
| 22 | +### Prerequisites |
| 23 | + |
| 24 | +You need an Asana **super admin** on an **Enterprise** or **Enterprise+** plan. Service accounts are an organization-level feature — regular users cannot create them. |
| 25 | + |
| 26 | +### Create the Service Account |
| 27 | + |
| 28 | +<Steps> |
| 29 | + <Step> |
| 30 | + Open the Asana **Admin Console** and go to **Apps** → **Service accounts** |
| 31 | + |
| 32 | + {/* TODO(screenshot): Asana Admin Console with Apps → Service accounts highlighted */} |
| 33 | + </Step> |
| 34 | + <Step> |
| 35 | + Click **Add service account**, give it a name (e.g. `Sim Integration`) — this is the name that will appear on tasks and comments the workflows create |
| 36 | + </Step> |
| 37 | + <Step> |
| 38 | + Grant the service account **Full Permissions**. Scoped service accounts (for example, ones limited to User Provisioning / SCIM) cannot call the standard Asana API and will fail when you connect them to Sim |
| 39 | + |
| 40 | + {/* TODO(screenshot): service account permission picker with "Full Permissions" selected */} |
| 41 | + </Step> |
| 42 | + <Step> |
| 43 | + Copy the token when it's shown. Asana only displays it once — if you lose it, you'll have to regenerate it — plan to update the credential in Sim at the same time, since the old token stops working once it's replaced. |
| 44 | + </Step> |
| 45 | +</Steps> |
| 46 | + |
| 47 | +<Callout type="warn"> |
| 48 | +A service account with Full Permissions has org-wide access to all data in your Asana organization, including private projects. Treat the token like an admin password. |
| 49 | +</Callout> |
| 50 | + |
| 51 | +## Option B: Personal Access Token |
| 52 | + |
| 53 | +If you're not on an Enterprise plan, a personal access token works identically on the wire. For production workflows, create a dedicated bot user account (e.g. `sim-bot@yourcompany.com`) and generate the PAT from that account — a PAT is tied to the user who created it, inherits only that user's permissions, and stops working if the user is deprovisioned. |
| 54 | + |
| 55 | +<Steps> |
| 56 | + <Step> |
| 57 | + Log in as the bot account and open the developer console at [app.asana.com/0/my-apps](https://app.asana.com/0/my-apps) |
| 58 | + |
| 59 | + {/* TODO(screenshot): Asana developer console "My apps" page with "Create new token" button */} |
| 60 | + </Step> |
| 61 | + <Step> |
| 62 | + Click **+ Create new token**, give it a name that describes its use (e.g. `Sim Integration`), and click **Create token** |
| 63 | + </Step> |
| 64 | + <Step> |
| 65 | + Copy the token immediately — Asana only shows it once. |
| 66 | + </Step> |
| 67 | + <Step> |
| 68 | + Add the bot account to the workspaces and projects your workflows need. A PAT can only see what its user can see. |
| 69 | + </Step> |
| 70 | +</Steps> |
| 71 | + |
| 72 | +## Adding the Token to Sim |
| 73 | + |
| 74 | +<Steps> |
| 75 | + <Step> |
| 76 | + Open your workspace **Settings** and go to the **Integrations** tab |
| 77 | + </Step> |
| 78 | + <Step> |
| 79 | + Search for "Asana Service Account" and click it, then click **Add to Sim** and choose **Add access token** |
| 80 | + |
| 81 | + {/* TODO(screenshot): Integrations page with "Asana Service Account" in the service list */} |
| 82 | + </Step> |
| 83 | + <Step> |
| 84 | + Paste the token — service account token or personal access token, both work in the same field — and optionally set a display name and description |
| 85 | + |
| 86 | + {/* TODO(screenshot): Add Asana access token dialog with the access token filled in */} |
| 87 | + </Step> |
| 88 | + <Step> |
| 89 | + Click **Add access token**. Sim verifies the token by calling Asana's `/users/me` endpoint — if it fails, you'll see a specific error explaining what went wrong. |
| 90 | + </Step> |
| 91 | +</Steps> |
| 92 | + |
| 93 | +<Callout type="info"> |
| 94 | +If a brand-new token fails validation with an authentication error, wait a few minutes and try again — newly created service account tokens can take a short time to become active. |
| 95 | +</Callout> |
| 96 | + |
| 97 | +The token is encrypted before being stored. |
| 98 | + |
| 99 | +## Using the Service Account in Workflows |
| 100 | + |
| 101 | +Add an Asana block to your workflow. In the credential dropdown, your Asana service account appears alongside any OAuth credentials. Select it and configure the block as you normally would. |
| 102 | + |
| 103 | +{/* TODO(screenshot): Asana block in a workflow with the service account selected as the credential */} |
| 104 | + |
| 105 | +The block calls the Asana API (`app.asana.com/api/1.0`) with the token as a standard Bearer credential. There's no impersonation step — the token acts as itself: the service account identity, or the bot user for a PAT. |
| 106 | + |
| 107 | +<FAQ items={[ |
| 108 | + { question: "What's the difference between a service account token and a personal access token?", answer: "A service account is an org-level bot identity with its own name and (with Full Permissions) org-wide access — it isn't tied to any person. A PAT is tied to the user who created it, inherits only their permissions, and breaks if that user is deactivated. Both use the same token format and paste into the same field in Sim; prefer the service account for team use if your plan supports it." }, |
| 109 | + { question: "Why does my scoped service account fail to connect?", answer: "Scoped service accounts (e.g. limited to User Provisioning / SCIM) can't call the standard Asana API, so Sim's validation call fails. Ask your super admin to create the service account with Full Permissions." }, |
| 110 | + { question: "Does the token expire?", answer: "No scheduled expiry — the token is long-lived until a super admin revokes or regenerates it (for a PAT, until the user deletes it or is deprovisioned). If a working credential suddenly starts failing with 401 errors, the token was revoked; paste a new one." }, |
| 111 | + { question: "How do I rotate the token?", answer: "Regenerate the service account token in the Admin Console, then update the credential in Sim with the new token right away — the old token stops working once it's replaced, so expect a brief window of failed runs if workflows execute in between." }, |
| 112 | + { question: "Do I need to enter a workspace or domain?", answer: "No. Asana has a single API host, and Sim's Asana blocks take workspace and project IDs as block parameters — the token is all the credential needs." }, |
| 113 | + { question: "Will one shared token hit rate limits?", answer: "Asana rate-limits per token, so all workflows sharing one service account token draw from a single rate-limit bucket. If you run heavy concurrent workloads, watch for 429 responses and consider splitting workloads across tokens." }, |
| 114 | +]} /> |
0 commit comments