diff --git a/ee/rbac/assets/permissions.yaml b/ee/rbac/assets/permissions.yaml
index 971a4119a..7f5c4e607 100644
--- a/ee/rbac/assets/permissions.yaml
+++ b/ee/rbac/assets/permissions.yaml
@@ -70,6 +70,10 @@ permissions:
       description: "View the existing dashboards within the organization."
     - name: "organization.dashboards.manage"
       description: "Create new dashboard views."
+    - name: "organization.service_accounts.view"
+      description: "View service accounts within the organization."
+    - name: "organization.service_accounts.manage"
+      description: "Manage service accounts within the organization."
   project:
     - name: "project.view"
       description: "Access the project. This permission is needed to see any page within the project."
diff --git a/ee/rbac/assets/roles.yaml b/ee/rbac/assets/roles.yaml
index a64e1ffcb..2a6c8c6ff 100644
--- a/ee/rbac/assets/roles.yaml
+++ b/ee/rbac/assets/roles.yaml
@@ -39,6 +39,8 @@ roles:
         - "organization.custom_roles.view"
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Admin"
       description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
       maps_to: "Admin"
@@ -77,6 +79,8 @@ roles:
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
         - "project.delete"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Member"
       description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
       permissions:
diff --git a/front/Dockerfile b/front/Dockerfile
index 0929df2a4..7765b402d 100644
--- a/front/Dockerfile
+++ b/front/Dockerfile
@@ -45,7 +45,7 @@ RUN mix sentry_recompile && mix compile --warnings-as-errors
 # -- elixir stage
 
 # -- node stage
-FROM node:16-alpine as node
+FROM node:16-alpine AS node
 WORKDIR /assets
 COPY front/assets/package.json front/assets/package-lock.json ./
 RUN npm set progress=false && npm install
diff --git a/front/assets/css/app-semaphore.css b/front/assets/css/app-semaphore.css
index 3b61f3a2f..49988f443 100644
--- a/front/assets/css/app-semaphore.css
+++ b/front/assets/css/app-semaphore.css
@@ -2795,6 +2795,8 @@ img { max-width: 100%; }
 .b--indigo { border-color: #1570ff; }
 .b--dark-indigo { border-color: #00359f; }
 .b--orange { border-color: #fd7e14; }
+.b--yellow { border-color: #FBC335; }
+.b--blue { border-color: #2196F3; }
 .b--purple { border-color: #8658d6; }
 .b--dark-purple { border-color: #5122a5; }
 .b--dark-brown { border-color: #974510; }
@@ -4585,6 +4587,7 @@ code, .code, pre {
 .bg-washed-purple {   background-color: #f3ecff; }
 /* Yellows */
 .yellow               { color: #FBC335; }
+.gold                 { color: #FBC335; }
 .lightest-yellow      { color: #fff3bf; }
 .washed-yellow        { color: #fffae4; }
 .bg-yellow            { background-color: #FBC335; }
diff --git a/front/assets/js/app.js b/front/assets/js/app.js
index 7d8762e69..d2fd32f45 100644
--- a/front/assets/js/app.js
+++ b/front/assets/js/app.js
@@ -66,6 +66,7 @@ import { default as Agents} from "./agents";
 import { default as AddPeople } from "./people/add_people";
 import { default as EditPerson } from "./people/edit_person";
 import { default as SyncPeople } from "./people/sync_people";
+import { default as ServiceAccounts } from "./service_accounts";
 import { default as Report } from "./report";
 
 import { InitializingScreen } from "./project_onboarding/initializing";
@@ -294,12 +295,23 @@ export var App = {
     GroupManagement.init();
     new Star();
 
-    const addPeopleAppRoot = document.getElementById("add-people");
-    if (addPeopleAppRoot) {
-      AddPeople({
-        dom: addPeopleAppRoot,
-        config: addPeopleAppRoot.dataset,
-      });
+
+    // Initialize Preact apps
+    const serviceAccountsEl = document.getElementById("service-accounts");
+    if (serviceAccountsEl) {
+      const config = JSON.parse(serviceAccountsEl.dataset.config);
+      ServiceAccounts({ dom: serviceAccountsEl, config });
+    }
+
+    const addPeopleEl = document.getElementById("add-people");
+    if (addPeopleEl) {
+      AddPeople({ dom: addPeopleEl, config: addPeopleEl.dataset });
+    }
+
+    const syncPeopleEl = document.querySelector(".app-sync-people");
+    if (syncPeopleEl) {
+      const config = JSON.parse(syncPeopleEl.dataset.config);
+      SyncPeople({ dom: syncPeopleEl, config });
     }
 
     document.querySelectorAll(".app-edit-person").forEach((editPersonAppRoot) => {
@@ -516,6 +528,7 @@ export var App = {
 
     window.Notice.init();
 
+
     $(document).on("click", ".x-select-on-click", function (event) {
       event.currentTarget.setSelectionRange(0, event.currentTarget.value.length);
     });
diff --git a/front/assets/js/people/add_people/index.tsx b/front/assets/js/people/add_people/index.tsx
index 7b28c5a1c..4ce823de7 100644
--- a/front/assets/js/people/add_people/index.tsx
+++ b/front/assets/js/people/add_people/index.tsx
@@ -44,7 +44,7 @@ export const App = () => {
         <span className="material-symbols-outlined mr2">person_add</span>
         {`Add people`}
       </button>
-      <Modal isOpen={isOpen} close={() => close(false)} title="Add people">
+      <Modal isOpen={isOpen} close={() => close(false)} title="Add new people" width="w-70-m">
         <AddNewUsers close={close}/>
       </Modal>
     </Fragment>
@@ -85,7 +85,7 @@ const AddNewUsers = (props: { close: (reload: boolean) => void, }) => {
     const Link = (props: { icon: VNode, title: string, }) => {
       return (
         <ActiveShadowLink
-          className={`btn btn-secondary ${
+          className={`flex-grow-1 btn btn-secondary ${
             currentProvider === provider ? `active` : ``
           }`}
           disabled={loading}
@@ -134,16 +134,9 @@ const AddNewUsers = (props: { close: (reload: boolean) => void, }) => {
   };
 
   return (
-    <div
-      className="bg-white br3 shadow-1 w-90 w-70-m mw6 relative popup"
-      style={{ top: `200px`, transform: `translate(-50%, 0)` }}
-    >
-      <div className="flex items-center justify-between ph4 pt4 mb3">
-        <h2 className="f3 mb0">Add new people</h2>
-      </div>
-
+    <div className="pa4">
       {userProviders.length > 1 && (
-        <div className="mb3 button-group ph4 w-100 items-center justify-center">
+        <div className="mb3 button-group w-100 items-center">
           {userProviders.map(userProviderBox)}
         </div>
       )}
@@ -158,7 +151,7 @@ const AddNewUsers = (props: { close: (reload: boolean) => void, }) => {
           return (
             <Fragment key={idx}>
               {loading && (
-                <div className="ph4 pb4 tc">
+                <div className="pb4 tc">
                   <toolbox.Asset path="images/spinner.svg"/>
                 </div>
               )}
@@ -280,7 +273,7 @@ const ProvideVia = (props: ProvideViaProps) => {
     return (
       <Fragment>
         <div className="ph4 pb4">{message}</div>
-        <div className="flex justify-end items-center mt2 pb4 ph4">
+        <div className="flex justify-end items-center mt2">
           <button
             className="btn btn-primary ml3"
             onClick={() => props?.onCancel(anyInvites)}
@@ -294,11 +287,11 @@ const ProvideVia = (props: ProvideViaProps) => {
 
   return (
     <Fragment>
-      <div className="ph4">
+      <div className="">
         <label className="db mb2">Invite users to join your organization</label>
       </div>
       <div
-        className="ph4 pv1 w-100"
+        className="pv1 ph1 w-100"
         style={{ maxHeight: `400px`, overflow: `auto` }}
       >
         {!props.noManualInvite && (
@@ -370,7 +363,7 @@ const ProvideVia = (props: ProvideViaProps) => {
       </div>
 
       {collaborators.length != 0 && (
-        <div className="flex justify-end items-center mt2 pb4 ph4">
+        <div className="flex justify-end items-center mt2">
           <a
             className="gray underline pointer"
             onClick={() => setSelectedCollaborators(collaborators)}
@@ -513,7 +506,7 @@ const ProvideViaEmail = (props: ProvideViaEmailProps) => {
 
   return (
     <Fragment>
-      <div className="ph4" style={{ maxHeight: `400px`, overflow: `auto` }}>
+      <div className="ph1" style={{ maxHeight: `400px`, overflow: `auto` }}>
         {!arePeopleInvited && (
           <label className="db mb2">Email addresses and usernames</label>
         )}
@@ -593,7 +586,7 @@ const ProvideViaEmail = (props: ProvideViaEmailProps) => {
         ))}
       </div>
       {arePeopleInvited && (
-        <div className="flex justify-end pb4 ph4">
+        <div className="flex justify-end">
           <button
             className="btn btn-primary"
             onClick={() => props?.onCancel(true)}
@@ -603,7 +596,7 @@ const ProvideViaEmail = (props: ProvideViaEmailProps) => {
         </div>
       )}
       {!arePeopleInvited && (
-        <div className="flex justify-end pb4 ph4">
+        <div className="flex justify-end">
           <button
             className="btn btn-secondary mr3"
             onClick={() => props?.onCancel(false)}
diff --git a/front/assets/js/people/add_to_project.js b/front/assets/js/people/add_to_project.js
index 7a1c96497..f352da6cd 100644
--- a/front/assets/js/people/add_to_project.js
+++ b/front/assets/js/people/add_to_project.js
@@ -21,6 +21,7 @@ export var AddToProject = {
     if(modal){
       var addPeopleToProjectBtn = document.getElementById("add_people_to_project");
       var addGroupsToProjectBtn = document.getElementById("add_group_to_project");
+      var addServiceAccountsToProjectBtn = document.getElementById("add_service_accounts_to_project");
       var cancelModalBtn = document.getElementById("cancel_btn");
 
       if(addPeopleToProjectBtn){
@@ -37,6 +38,13 @@ export var AddToProject = {
         }
       }
 
+      if(addServiceAccountsToProjectBtn){
+        addServiceAccountsToProjectBtn.onclick = () => {
+          modal.style.display = "block";
+          this.initProjectNonMembersFilter("service_account")
+        }
+      }
+
       cancelModalBtn.onclick = () => {
         this.selectedUserIds = []
         document.getElementById('users').innerHTML = ''
@@ -137,9 +145,11 @@ export var AddToProject = {
           let assets_path = document.querySelector("meta[name='assets-path']").getAttribute("content")
 
           return `<span ${props}>
-            ${result.has_avatar
-              ? `<img src="${result.avatar}" class="ba b--black-50 br-100 mr2" width="32">`
-              : `<img src="${assets_path}/images/org-${result.name.charAt(0).toLowerCase()}.svg" class="bg-washed-gray w2 h2 br-100 mr2 ba b--black-50"></div>`
+            ${result.subject_type === "service_account"
+              ? `<div class="dib w2 h2 br-100 mr2 ba b--black-50 tc bg-light-gray"><span class="material-symbols-outlined f6 gray" style="line-height: 2;">smart_toy</span></div>`
+              : result.has_avatar
+                ? `<img src="${result.avatar}" class="ba b--black-50 br-100 mr2" width="32">`
+                : `<img src="${assets_path}/images/org-${result.name.charAt(0).toLowerCase()}.svg" class="bg-washed-gray w2 h2 br-100 mr2 ba b--black-50"></div>`
             }
             <span>${escapeHtml(result.name)}</span>
             </span>`
@@ -180,9 +190,11 @@ export var AddToProject = {
     `
     <div id="${user.id}" class="flex items-center justify-between bg-white shadow-1 mv1 mh1 ph3 pv2 br3">
       <div class="flex items-center">
-        ${user.has_avatar
-          ? `<img src="${user.avatar}" class="w2 h2 br-100 mr2 ba b--black-50">`
-          : `<img src="${assets_path}/images/org-${user.name.charAt(0).toLowerCase()}.svg" class="bg-washed-gray w2 h2 br-100 mr2 ba b--black-50">`
+        ${user.subject_type === "service_account"
+          ? `<div class="w2 h2 br-100 mr2 ba b--black-50 flex items-center justify-center bg-light-gray"><span class="material-symbols-outlined f6 gray">smart_toy</span></div>`
+          : user.has_avatar
+            ? `<img src="${user.avatar}" class="w2 h2 br-100 mr2 ba b--black-50">`
+            : `<img src="${assets_path}/images/org-${user.name.charAt(0).toLowerCase()}.svg" class="bg-washed-gray w2 h2 br-100 mr2 ba b--black-50">`
         }
         <div class="flex items-center">
           <div class="b">${escapeHtml(user.name)}</div>
diff --git a/front/assets/js/people/edit_person/index.tsx b/front/assets/js/people/edit_person/index.tsx
index 0768868a6..1266dc281 100644
--- a/front/assets/js/people/edit_person/index.tsx
+++ b/front/assets/js/people/edit_person/index.tsx
@@ -163,53 +163,48 @@ export const Button = () => {
         <span className="material-symbols-outlined mr1">manage_accounts</span>
         <span>Edit</span>
       </button>
-      <toolbox.Modal isOpen={isOpen} close={close} title="Add people">
-        <div className="bg-white br3 shadow-1 w-90 w-50-m mw6 relative popup">
-          <div className="pa3">
-            <div className="flex items-center justify-between mb3">
-              <h2 className="f3 mb0">Edit user</h2>
-            </div>
-            <div className="mb3">
-              <label className="db mb2 b">Email address</label>
-              <div className="flex">
-                <input
-                  type="email"
-                  className="form-control w-100"
-                  value={email}
-                  onChange={onEmailChanged}
-                  disabled={emailResponse.status == `loading`}
-                />
-              </div>
-              <ResponseHandler response={emailResponse}/>
+      <toolbox.Modal isOpen={isOpen} close={close} title="Edit user">
+        <div className="pa3">
+          <div className="mb3">
+            <label className="db mb2 b">Email address</label>
+            <div className="flex">
+              <input
+                type="email"
+                className="form-control w-100"
+                value={email}
+                onChange={onEmailChanged}
+                disabled={emailResponse.status == `loading`}
+              />
             </div>
+            <ResponseHandler response={emailResponse}/>
+          </div>
 
-            <div className="mb3">
-              <label className="db mb2 b">Password</label>
-              <PasswordReset user={user}/>
-            </div>
+          <div className="mb3">
+            <label className="db mb2 b">Password</label>
+            <PasswordReset user={user}/>
+          </div>
 
-            <div>
-              <label className="db mb2 b">Role</label>
-              <ChangeRole
-                user={user}
-                selectRole={setSelectedRole}
-                selectedRole={selectedRole}
-              />
-              <ResponseHandler response={roleResponse}/>
-            </div>
-            <div className="flex justify-end mt4">
-              <button className="btn btn-secondary mr3" onClick={close}>
+          <div>
+            <label className="db mb2 b">Role</label>
+            <ChangeRole
+              user={user}
+              selectRole={setSelectedRole}
+              selectedRole={selectedRole}
+            />
+            <ResponseHandler response={roleResponse}/>
+          </div>
+          <div className="flex justify-end mt4">
+            <button className="btn btn-secondary mr3" onClick={close}>
                 Cancel
-              </button>
+            </button>
 
-              <button
-                className="btn btn-primary"
-                onClick={save}
-                disabled={!roleChanged && !emailChanged}
-              >
+            <button
+              className="btn btn-primary"
+              onClick={save}
+              disabled={!roleChanged && !emailChanged}
+            >
                 Save changes
-              </button>
-            </div>
+            </button>
           </div>
         </div>
       </toolbox.Modal>
diff --git a/front/assets/js/service_accounts/components/CreateServiceAccount.tsx b/front/assets/js/service_accounts/components/CreateServiceAccount.tsx
new file mode 100644
index 000000000..36cc2b073
--- /dev/null
+++ b/front/assets/js/service_accounts/components/CreateServiceAccount.tsx
@@ -0,0 +1,139 @@
+import { useState, useContext } from "preact/hooks";
+import { Modal } from "js/toolbox";
+import { ConfigContext } from "../config";
+import { ServiceAccountsAPI } from "../utils/api";
+import { TokenDisplay } from "./TokenDisplay";
+import * as toolbox from "js/toolbox";
+
+interface CreateServiceAccountProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onCreated: () => void;
+}
+
+export const CreateServiceAccount = ({ isOpen, onClose, onCreated }: CreateServiceAccountProps) => {
+  const config = useContext(ConfigContext);
+  const api = new ServiceAccountsAPI(config);
+
+  const [name, setName] = useState(``);
+  const [description, setDescription] = useState(``);
+  const [selectedRoleId, setSelectedRoleId] = useState(``);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState(``);
+  const [token, setToken] = useState(``);
+
+  const handleSubmit = async (e: Event) => {
+    e.preventDefault();
+    setError(null);
+    setLoading(true);
+
+    const response = await api.create(name, description, selectedRoleId);
+
+    if (response.error) {
+      setError(response.error);
+      setLoading(false);
+    } else if (response.data) {
+      setToken(response.data.api_token);
+      setLoading(false);
+    }
+  };
+
+  const handleClose = () => {
+    if (token) {
+      onCreated();
+    }
+    setName(``);
+    setDescription(``);
+    setSelectedRoleId(``);
+    setError(``);
+    setToken(``);
+    onClose();
+  };
+
+  const canSubmit = name.trim().length > 0 && selectedRoleId.length > 0 && !loading;
+
+  return (
+    <Modal isOpen={isOpen} close={handleClose} title="Create Service Account">
+      {!token ? (
+        <form onSubmit={(e) => void handleSubmit(e)}>
+          <div className="pa3">
+            <div className="mb3">
+              <label className="db mb2 f6 b">Name *</label>
+              <input
+                type="text"
+                className="form-control w-100"
+                value={name}
+                onInput={(e) => setName(e.currentTarget.value)}
+                placeholder="e.g., CI/CD Pipeline"
+                disabled={loading}
+                autoFocus
+              />
+            </div>
+
+            <div className="mb3">
+              <label className="db mb2 f6 b">Description</label>
+              <textarea
+                className="form-control w-100"
+                value={description}
+                onInput={(e) => setDescription(e.currentTarget.value)}
+                placeholder="Optional description of what this service account is used for"
+                rows={3}
+                disabled={loading}
+              />
+            </div>
+
+            <div className="mb3">
+              <label className="db mb2 f6 b">Role *</label>
+              <select
+                className="form-control w-100"
+                value={selectedRoleId}
+                onChange={(e) => setSelectedRoleId(e.currentTarget.value)}
+                disabled={loading}
+              >
+                <option value="">Select a role...</option>
+                {config.roles.map((role) => (
+                  <option key={role.id} value={role.id}>
+                    {role.name} - {role.description}
+                  </option>
+                ))}
+              </select>
+            </div>
+
+            {error && (
+              <div className="bg-washed-red ba b--red br2 pa2 mb3">
+                <p className="f6 mb0 red">{error}</p>
+              </div>
+            )}
+          </div>
+
+          <div className="flex justify-end items-center pa2 bt b--black-10">
+            <button
+              type="button"
+              className="btn btn-secondary mr3"
+              onClick={handleClose}
+              disabled={loading}
+            >
+              Cancel
+            </button>
+            <button
+              type="submit"
+              className="btn btn-primary"
+              disabled={!canSubmit}
+            >
+              {loading ? (
+                <span className="flex items-center">
+                  <toolbox.Asset path="images/spinner.svg" className="w1 h1 mr2"/>
+                  Creating...
+                </span>
+              ) : (
+                `Create Service Account`
+              )}
+            </button>
+          </div>
+        </form>
+      ) : (
+        <TokenDisplay token={token} onClose={handleClose}/>
+      )}
+    </Modal>
+  );
+};
diff --git a/front/assets/js/service_accounts/components/EditServiceAccount.tsx b/front/assets/js/service_accounts/components/EditServiceAccount.tsx
new file mode 100644
index 000000000..8894276bc
--- /dev/null
+++ b/front/assets/js/service_accounts/components/EditServiceAccount.tsx
@@ -0,0 +1,153 @@
+import { useState, useContext, useEffect } from "preact/hooks";
+import { Modal } from "js/toolbox";
+import { ConfigContext } from "../config";
+import { ServiceAccountsAPI } from "../utils/api";
+import { ServiceAccount } from "../types";
+import * as toolbox from "js/toolbox";
+
+interface EditServiceAccountProps {
+  serviceAccount: ServiceAccount | null;
+  isOpen: boolean;
+  onClose: () => void;
+  onUpdated: () => void;
+}
+
+export const EditServiceAccount = ({
+  serviceAccount,
+  isOpen,
+  onClose,
+  onUpdated
+}: EditServiceAccountProps) => {
+  const config = useContext(ConfigContext);
+  const api = new ServiceAccountsAPI(config);
+
+  const [name, setName] = useState(``);
+  const [description, setDescription] = useState(``);
+  const [selectedRoleId, setSelectedRoleId] = useState(``);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState(``);
+
+  useEffect(() => {
+    if (serviceAccount) {
+      setName(serviceAccount.name);
+      setDescription(serviceAccount.description);
+      setSelectedRoleId(serviceAccount.roles.find((role) => role.source == `manual`)?.id || ``);
+    }
+  }, [serviceAccount]);
+
+  const handleSubmit = async (e: Event) => {
+    e.preventDefault();
+    if (!serviceAccount) return;
+
+    setError(null);
+    setLoading(true);
+
+    const response = await api.update(serviceAccount.id, name, description, selectedRoleId);
+
+    if (response.error) {
+      setError(response.error);
+      setLoading(false);
+    } else {
+      onUpdated();
+      handleClose();
+    }
+  };
+
+  const handleClose = () => {
+    setError(null);
+    setLoading(false);
+    onClose();
+  };
+
+  const hasChanges = serviceAccount && (
+    name !== serviceAccount.name ||
+    description !== serviceAccount.description ||
+    selectedRoleId !== serviceAccount.roles.find((role) => role.source == `manual`)?.id
+  );
+
+  const canSubmit = name.trim().length > 0 && !loading && hasChanges;
+
+  if (!serviceAccount) return null;
+
+  return (
+    <Modal isOpen={isOpen} close={handleClose} title="Edit Service Account">
+      <form onSubmit={(e) => void handleSubmit(e)}>
+        <div className="pa3">
+          <div className="mb3">
+            <label className="db mb2 f6 b">Name *</label>
+            <input
+              type="text"
+              className="form-control w-100"
+              value={name}
+              onInput={(e) => setName(e.currentTarget.value)}
+              placeholder="e.g., CI/CD Pipeline"
+              disabled={loading}
+              autoFocus
+            />
+          </div>
+
+          <div className="mb3">
+            <label className="db mb2 f6 b">Description</label>
+            <textarea
+              className="form-control w-100"
+              value={description}
+              onInput={(e) => setDescription(e.currentTarget.value)}
+              placeholder="Optional description of what this service account is used for"
+              rows={3}
+              disabled={loading}
+            />
+          </div>
+
+
+          <div className="mb3">
+            <label className="db mb2 f6 b">Role *</label>
+            <select
+              className="form-control w-100"
+              value={selectedRoleId}
+              onChange={(e) => setSelectedRoleId(e.currentTarget.value)}
+              disabled={loading}
+            >
+              <option value="">Select a role...</option>
+              {config.roles.map((role) => (
+                <option key={role.id} value={role.id}>
+                  {role.name} - {role.description}
+                </option>
+              ))}
+            </select>
+          </div>
+
+          {error && (
+            <div className="bg-washed-red ba b--red br2 pa2 mb3">
+              <p className="f6 mb0 red">{error}</p>
+            </div>
+          )}
+        </div>
+
+        <div className="flex justify-end items-center pa3 bt b--black-10">
+          <button
+            type="button"
+            className="btn btn-secondary mr3"
+            onClick={handleClose}
+            disabled={loading}
+          >
+            Cancel
+          </button>
+          <button
+            type="submit"
+            className="btn btn-primary"
+            disabled={!canSubmit}
+          >
+            {loading ? (
+              <span className="flex items-center">
+                <toolbox.Asset path="images/spinner.svg" className="w1 h1 mr2"/>
+                Saving...
+              </span>
+            ) : (
+              `Save Changes`
+            )}
+          </button>
+        </div>
+      </form>
+    </Modal>
+  );
+};
diff --git a/front/assets/js/service_accounts/components/ServiceAccountsList.tsx b/front/assets/js/service_accounts/components/ServiceAccountsList.tsx
new file mode 100644
index 000000000..8f6278d0b
--- /dev/null
+++ b/front/assets/js/service_accounts/components/ServiceAccountsList.tsx
@@ -0,0 +1,178 @@
+import { useContext } from "preact/hooks";
+import { ServiceAccount } from "../types";
+import { ConfigContext } from "../config";
+import * as toolbox from "js/toolbox";
+
+interface ServiceAccountsListProps {
+  serviceAccounts: ServiceAccount[];
+  loading: boolean;
+  onEdit: (account: ServiceAccount) => void;
+  onDelete: (account: ServiceAccount) => void;
+  onRegenerateToken: (account: ServiceAccount) => void;
+  onLoadMore?: () => void;
+  hasMore?: boolean;
+  onCreateNew: () => void;
+}
+
+
+export const ServiceAccountsList = ({
+  serviceAccounts,
+  loading,
+  onEdit,
+  onDelete,
+  onRegenerateToken,
+  onLoadMore,
+  hasMore,
+  onCreateNew
+}: ServiceAccountsListProps) => {
+  const config = useContext(ConfigContext);
+
+  const formatDate = (dateString: string) => {
+    const date = new Date(dateString);
+    return date.toLocaleDateString(`en-US`, {
+      year: `numeric`,
+      month: `short`,
+      day: `numeric`
+    });
+  };
+
+  if (loading && serviceAccounts.length === 0) {
+    return (
+      <div className="bb b--black-075 w-100-l mt4 br3 shadow-3 bg-white">
+        <div className="flex items-center justify-between pa3 bb bw1 b--black-075 br3 br--top">
+          <div>
+            <div className="flex items-center">
+              <span className="material-symbols-outlined pr2">key</span>
+              <div className="b">Service Accounts</div>
+            </div>
+          </div>
+          {config.permissions.canManage && (
+            <button
+              className="btn btn-primary flex items-center"
+              onClick={onCreateNew}
+            >
+              <span className="material-symbols-outlined mr2">smart_toy</span>
+              Create Service Account
+            </button>
+          )}
+        </div>
+        <div className="tc pv5">
+          <toolbox.Asset path="images/spinner.svg"/>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="bb b--black-075 w-100-l mt4 br3 shadow-3 bg-white">
+      <div className="flex items-center justify-between pa3 bb bw1 b--black-075 br3 br--top">
+        <div>
+          <div className="flex items-center">
+            <span className="material-symbols-outlined pr2">key</span>
+            <div className="b">Service Accounts</div>
+          </div>
+        </div>
+        {config.permissions.canManage && (
+          <button
+            className="btn btn-primary flex items-center"
+            onClick={onCreateNew}
+          >
+            <span className="material-symbols-outlined mr2">smart_toy</span>
+            Create Service Account
+          </button>
+        )}
+      </div>
+
+      {serviceAccounts.length === 0 ? (
+        <div className="tc pv5">
+          <toolbox.Asset path="images/ill-girl-showing-continue.svg" className="mb3"/>
+          <h3 className="f4 mb2">No service accounts yet</h3>
+          <p className="f6 gray mb0">
+            Create your first service account to get started with API access.
+          </p>
+        </div>
+      ) : (
+        <div id="service-accounts">
+          {serviceAccounts.map((account, idx) => (
+            <div key={account.id} className={`bg-white shadow-1 ph3 pv2 ${idx == serviceAccounts.length - 1 ? `br2 br--bottom` : ``}`}>
+              <div className="flex items-center justify-between" style={{ minHeight: `45px` }}>
+                <div className="flex items-center">
+                  <div className={`br2 ${account.deactivated ? `bg-washed-red red` : `bg-washed-green green`} br-100 w2 h2 flex items-center justify-center mr2`}>
+                    <toolbox.Tooltip
+                      anchor={<span className={`material-symbols-outlined`}>smart_toy</span>}
+                      content={account.deactivated ? `Deactivated account` : `Active account`}
+                    />
+
+                  </div>
+                  <div>
+                    <div className="flex items-center">
+                      <span className="b black">{account.name}</span>
+                      {(() => {
+                        const role = account.roles.find((role) => role.source == `manual`);
+                        if(role){
+                          return <span className={`f6 normal ml1 ph1 br2 bg-${role.color} white`}>{role.name}</span>;
+                        }
+                      })()}
+                    </div>
+                    <div className="f7 gray mt1">
+                      {account.description || `No description`} • Created {formatDate(account.created_at)}
+                    </div>
+                  </div>
+                </div>
+
+                {config.permissions.canManage && (
+                  <div className="flex-shrink-0 pl2">
+                    <div className="button-group">
+                      <button
+                        className="flex items-center btn btn-sm btn-secondary"
+                        onClick={() => onEdit(account)}
+                        title="Edit"
+                      >
+                        <span className="material-symbols-outlined mr1">edit</span>
+                        <span>Edit</span>
+                      </button>
+                      <button
+                        className="flex items-center btn btn-sm btn-secondary"
+                        onClick={() => onRegenerateToken(account)}
+                        title="Regenerate Token"
+                      >
+                        <span className="material-symbols-outlined mr1">refresh</span>
+                        <span>Refresh</span>
+                      </button>
+                      <button
+                        className="flex items-center btn btn-sm btn-danger"
+                        onClick={() => onDelete(account)}
+                        title="Delete"
+                      >
+                        ×
+                      </button>
+                    </div>
+                  </div>
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+
+      {hasMore && (
+        <div className="tc pa3">
+          <button
+            className="btn btn-secondary"
+            onClick={onLoadMore}
+            disabled={loading}
+          >
+            {loading ? (
+              <span className="flex items-center">
+                <toolbox.Asset path="images/spinner.svg" className="w1 h1 mr2"/>
+                Loading...
+              </span>
+            ) : (
+              `Load More`
+            )}
+          </button>
+        </div>
+      )}
+    </div>
+  );
+};
diff --git a/front/assets/js/service_accounts/components/TokenDisplay.tsx b/front/assets/js/service_accounts/components/TokenDisplay.tsx
new file mode 100644
index 000000000..f2ac1476c
--- /dev/null
+++ b/front/assets/js/service_accounts/components/TokenDisplay.tsx
@@ -0,0 +1,35 @@
+import { Box } from "js/toolbox";
+
+interface TokenDisplayProps {
+  token: string;
+  onClose: () => void;
+}
+
+export const TokenDisplay = ({ token, onClose }: TokenDisplayProps) => {
+  return (
+    <div className="pa3">
+      <div className="mb3">
+        <h3 className="f4 mb2">API Token Generated</h3>
+        <p className="f6 gray mb3">
+          This token will only be shown once. Please copy it and store it securely.
+        </p>
+      </div>
+
+      <Box type="info" className="mb3" showCopy={true} copyContent={token}>
+        {token}
+      </Box>
+
+      <Box type="warning" className="mb3">
+        This token provides API access to your organization.
+        <br/>
+        Keep it secure and do not share it publicly.
+      </Box>
+
+      <div className="flex justify-end">
+        <button className="btn btn-primary" onClick={onClose}>
+          Done
+        </button>
+      </div>
+    </div>
+  );
+};
diff --git a/front/assets/js/service_accounts/config.ts b/front/assets/js/service_accounts/config.ts
new file mode 100644
index 000000000..fac35882e
--- /dev/null
+++ b/front/assets/js/service_accounts/config.ts
@@ -0,0 +1,30 @@
+import { createContext } from "preact";
+import { Config } from "./types";
+
+export const ConfigContext = createContext<Config>({} as Config);
+
+export class AppConfig {
+  static fromJSON(json: any): Config {
+    const isOrgScope = !json.project_id;
+
+    return {
+      organizationId: json.organization_id,
+      projectId: json.project_id,
+      isOrgScope,
+      permissions: {
+        canView: json.permissions?.view || false,
+        canManage: json.permissions?.manage || false,
+      },
+      roles: json.roles || [],
+      urls: {
+        list: `/service_accounts`,
+        create: `/service_accounts`,
+        update: (id: string) => `/service_accounts/${id}`,
+        delete: (id: string) => `/service_accounts/${id}`,
+        regenerateToken: (id: string) =>
+          `/service_accounts/${id}/regenerate_token`,
+        assignRole: json.assign_role_url,
+      },
+    };
+  }
+}
diff --git a/front/assets/js/service_accounts/index.tsx b/front/assets/js/service_accounts/index.tsx
new file mode 100644
index 000000000..aaf496249
--- /dev/null
+++ b/front/assets/js/service_accounts/index.tsx
@@ -0,0 +1,241 @@
+import { Fragment, render } from "preact";
+import { useState, useContext, useEffect, useCallback } from "preact/hooks";
+import { Modal, Box } from "js/toolbox";
+import { AppConfig, ConfigContext } from "./config";
+import { ServiceAccount, AppState } from "./types";
+import { ServiceAccountsAPI } from "./utils/api";
+import { ServiceAccountsList } from "./components/ServiceAccountsList";
+import { CreateServiceAccount } from "./components/CreateServiceAccount";
+import { EditServiceAccount } from "./components/EditServiceAccount";
+import { TokenDisplay } from "./components/TokenDisplay";
+
+export default function ({
+  dom,
+  config: jsonConfig,
+}: {
+  dom: HTMLElement;
+  config: any;
+}) {
+  render(
+    <ConfigContext.Provider value={AppConfig.fromJSON(jsonConfig)}>
+      <App/>
+    </ConfigContext.Provider>,
+    dom
+  );
+}
+
+const App = () => {
+  const config = useContext(ConfigContext);
+  const api = new ServiceAccountsAPI(config);
+
+  const [state, setState] = useState<AppState>({
+    serviceAccounts: [],
+    loading: true,
+    error: null,
+    selectedServiceAccount: null,
+    newToken: null,
+    page: 1,
+    totalPages: 0,
+  });
+
+  const [createModalOpen, setCreateModalOpen] = useState(false);
+  const [editModalOpen, setEditModalOpen] = useState(false);
+  const [deleteModalOpen, setDeleteModalOpen] = useState(false);
+  const [regenerateModalOpen, setRegenerateModalOpen] = useState(false);
+
+  const loadServiceAccounts = useCallback(async (page?: number) => {
+    setState(prev => ({ ...prev, loading: true, error: null }));
+
+    const response = await api.list(page);
+
+    if (response.error) {
+      setState(prev => ({
+        ...prev,
+        loading: false,
+        error: response.error || `Failed to load service accounts`
+      }));
+    } else if (response.data) {
+      setState(prev => ({
+        ...prev,
+        loading: false,
+        page: page || 1,
+        serviceAccounts: page > 1
+          ? [...prev.serviceAccounts, ...response.data.items]
+          : response.data.items,
+        totalPages: response.data.totalPages || null,
+      }));
+    }
+  }, []);
+
+  useEffect(() => {
+    void loadServiceAccounts();
+  }, []);
+
+  const handleEdit = (account: ServiceAccount) => {
+    setState(prev => ({ ...prev, selectedServiceAccount: account }));
+    setEditModalOpen(true);
+  };
+
+  const handleDelete = (account: ServiceAccount) => {
+    setState(prev => ({ ...prev, selectedServiceAccount: account }));
+    setDeleteModalOpen(true);
+  };
+
+  const confirmDelete = async () => {
+    if (!state.selectedServiceAccount) return;
+
+    setState(prev => ({ ...prev, loading: true }));
+    const response = await api.delete(state.selectedServiceAccount.id);
+
+    if (response.error) {
+      setState(prev => ({ ...prev, loading: false, error: response.error || `Failed to delete` }));
+    } else {
+      await loadServiceAccounts();
+      setDeleteModalOpen(false);
+      setState(prev => ({ ...prev, selectedServiceAccount: null }));
+    }
+  };
+
+  const handleRegenerateToken = (account: ServiceAccount) => {
+    setState(prev => ({ ...prev, selectedServiceAccount: account }));
+    setRegenerateModalOpen(true);
+  };
+
+  const confirmRegenerateToken = async () => {
+    if (!state.selectedServiceAccount) return;
+
+    setState(prev => ({ ...prev, loading: true }));
+    const response = await api.regenerateToken(state.selectedServiceAccount.id);
+
+    if (response.error) {
+      setState(prev => ({ ...prev, loading: false, error: response.error || `Failed to regenerate token` }));
+    } else if (response.data) {
+      setState(prev => ({ ...prev, loading: false, newToken: response.data.api_token }));
+      setRegenerateModalOpen(false);
+    }
+  };
+
+  const handleTokenDisplayClose = () => {
+    setState(prev => ({ ...prev, newToken: null, selectedServiceAccount: null }));
+    void loadServiceAccounts();
+  };
+
+  const hasMorePages = state.totalPages && state.page < state.totalPages;
+
+  const handleLoadMore = () => {
+    if (hasMorePages) {
+      void loadServiceAccounts(state.page + 1);
+    }
+  };
+
+  return (
+    <Fragment>
+      {state.error && (
+        <div className="bg-washed-red ba b--red br2 pa3 mb3">
+          <p className="f6 mb0 red">{state.error}</p>
+        </div>
+      )}
+
+      <ServiceAccountsList
+        serviceAccounts={state.serviceAccounts}
+        loading={state.loading}
+        onEdit={handleEdit}
+        onDelete={handleDelete}
+        onRegenerateToken={handleRegenerateToken}
+        onLoadMore={handleLoadMore}
+        hasMore={hasMorePages}
+        onCreateNew={() => setCreateModalOpen(true)}
+      />
+
+      <CreateServiceAccount
+        isOpen={createModalOpen}
+        onClose={() => setCreateModalOpen(false)}
+        onCreated={() => void loadServiceAccounts()}
+      />
+
+      <EditServiceAccount
+        serviceAccount={state.selectedServiceAccount}
+        isOpen={editModalOpen}
+        onClose={() => {
+          setEditModalOpen(false);
+          setState(prev => ({ ...prev, selectedServiceAccount: null }));
+        }}
+        onUpdated={() => void loadServiceAccounts()}
+      />
+
+      <Modal
+        isOpen={deleteModalOpen}
+        close={() => setDeleteModalOpen(false)}
+        title="Delete Service Account"
+      >
+        <div className="pa3">
+          <p className="f5 mb3">
+            Are you sure you want to delete the service account{` `}
+            <strong>{state.selectedServiceAccount?.name}</strong>?
+          </p>
+          <p className="f6 gray mb3">
+            This will immediately revoke API access. This action cannot be undone.
+          </p>
+        </div>
+        <div className="flex justify-end items-center pa3 bt b--black-10">
+          <button
+            className="btn btn-secondary mr3"
+            onClick={() => setDeleteModalOpen(false)}
+          >
+            Cancel
+          </button>
+          <button
+            className="btn btn-danger"
+            onClick={() => void confirmDelete()}
+            disabled={state.loading}
+          >
+            {state.loading ? `Deleting...` : `Delete Service Account`}
+          </button>
+        </div>
+      </Modal>
+
+      <Modal
+        isOpen={regenerateModalOpen}
+        close={() => setRegenerateModalOpen(false)}
+        title="Regenerate API Token"
+      >
+        <div className="pa3">
+          <p className="f5 mb3">
+            Are you sure you want to regenerate the API token for{` `}
+            <strong>{state.selectedServiceAccount?.name}</strong>?
+          </p>
+          <Box type="warning" className="mb3">
+            The current token will be immediately invalidated.
+            <br/>
+            Any systems using the old token will lose access.
+          </Box>
+        </div>
+        <div className="flex justify-end items-center pa3 bt b--black-10">
+          <button
+            className="btn btn-secondary mr3"
+            onClick={() => setRegenerateModalOpen(false)}
+          >
+            Cancel
+          </button>
+          <button
+            className="btn btn-primary"
+            onClick={() => void confirmRegenerateToken()}
+            disabled={state.loading}
+          >
+            {state.loading ? `Regenerating...` : `Regenerate Token`}
+          </button>
+        </div>
+      </Modal>
+
+      {state.newToken && (
+        <Modal
+          isOpen={true}
+          close={handleTokenDisplayClose}
+          title="New API Token"
+        >
+          <TokenDisplay token={state.newToken} onClose={handleTokenDisplayClose}/>
+        </Modal>
+      )}
+    </Fragment>
+  );
+};
diff --git a/front/assets/js/service_accounts/types.ts b/front/assets/js/service_accounts/types.ts
new file mode 100644
index 000000000..9be8ed049
--- /dev/null
+++ b/front/assets/js/service_accounts/types.ts
@@ -0,0 +1,67 @@
+export interface ServiceAccount {
+  id: string;
+  name: string;
+  description: string;
+  created_at: string;
+  updated_at: string;
+  deactivated: boolean;
+  roles: Role[];
+}
+
+export interface Role {
+  id: string;
+  name: string;
+  source: string;
+  color: string;
+}
+
+export interface ServiceAccountWithToken extends ServiceAccount {
+  api_token: string;
+}
+
+export interface Role {
+  id: string;
+  name: string;
+  description: string;
+  scope: `organization` | `project`;
+}
+
+export interface Permission {
+  id: string;
+  name: string;
+  description: string;
+}
+
+export interface PaginatedResponse<T> {
+  items: T[];
+  totalPages?: number;
+}
+
+export interface AppState {
+  serviceAccounts: ServiceAccount[];
+  loading: boolean;
+  error?: string;
+  selectedServiceAccount?: ServiceAccount;
+  newToken?: string;
+  page?: number;
+  totalPages?: number;
+}
+
+export interface Config {
+  organizationId: string;
+  projectId?: string;
+  isOrgScope: boolean;
+  permissions: {
+    canView: boolean;
+    canManage: boolean;
+  };
+  roles: Role[];
+  urls: {
+    list: string;
+    create: string;
+    update: (id: string) => string;
+    delete: (id: string) => string;
+    regenerateToken: (id: string) => string;
+    assignRole?: string;
+  };
+}
diff --git a/front/assets/js/service_accounts/utils/api.ts b/front/assets/js/service_accounts/utils/api.ts
new file mode 100644
index 000000000..ddc08a0a5
--- /dev/null
+++ b/front/assets/js/service_accounts/utils/api.ts
@@ -0,0 +1,76 @@
+import * as toolbox from "js/toolbox";
+import {
+  Config,
+  ServiceAccount,
+  ServiceAccountWithToken,
+  PaginatedResponse,
+} from "../types";
+
+export class ServiceAccountsAPI {
+  constructor(private config: Config) {}
+
+  async list(
+    page?: number
+  ): Promise<
+    toolbox.APIRequest.ApiResponse<PaginatedResponse<ServiceAccount>>
+    > {
+    const params = new URLSearchParams();
+    if (page) params.append(`page`, `${page}`);
+
+    const response = await toolbox.APIRequest.get<any>(
+      `${this.config.urls.list}?${params.toString()}`
+    );
+
+    if (response.error) {
+      return { data: null, error: response.error, status: response.status };
+    }
+
+    // Extract total pages from response
+    const totalPages = response.data?.total_pages || null;
+
+    return {
+      data: {
+        items: response.data?.service_accounts || [],
+        totalPages: totalPages,
+      },
+      error: null,
+      status: response.status,
+    };
+  }
+
+  async create(
+    name: string,
+    description: string,
+    roleId: string
+  ): Promise<toolbox.APIRequest.ApiResponse<ServiceAccountWithToken>> {
+    return toolbox.APIRequest.post<ServiceAccountWithToken>(
+      this.config.urls.create,
+      { name, description, role_id: roleId }
+    );
+  }
+
+  async update(
+    id: string,
+    name: string,
+    description: string,
+    role_id: string
+  ): Promise<toolbox.APIRequest.ApiResponse<ServiceAccount>> {
+    return toolbox.APIRequest.put<ServiceAccount>(this.config.urls.update(id), {
+      name,
+      description,
+      role_id,
+    });
+  }
+
+  async delete(id: string): Promise<toolbox.APIRequest.ApiResponse<void>> {
+    return toolbox.APIRequest.del<void>(this.config.urls.delete(id));
+  }
+
+  async regenerateToken(
+    id: string
+  ): Promise<toolbox.APIRequest.ApiResponse<{ api_token: string, }>> {
+    return toolbox.APIRequest.post<{ api_token: string, }>(
+      this.config.urls.regenerateToken(id)
+    );
+  }
+}
diff --git a/front/assets/js/toolbox/api_request.ts b/front/assets/js/toolbox/api_request.ts
index 35ea6be71..6a376808f 100644
--- a/front/assets/js/toolbox/api_request.ts
+++ b/front/assets/js/toolbox/api_request.ts
@@ -46,14 +46,28 @@ async function apiRequest<T>(
       transformFun = options.transform;
     }
 
-    const json = await response.json();
-
-    const data = transformFun(json);
+    // Check if response has content
+    const contentLength = response.headers.get(`content-length`);
+    const hasContent = contentLength !== `0` && response.status !== 204;
+    
+    let json: any = null;
+    let data: T | null = null;
+    
+    if (hasContent) {
+      try {
+        json = await response.json();
+        data = transformFun(json);
+      } catch (e) {
+        // If JSON parsing fails, treat as empty response
+        json = null;
+        data = null;
+      }
+    }
 
     if (!response.ok) {
       return {
         data: data,
-        error: json.message || `Something went wrong`,
+        error: json?.message || `Something went wrong`,
         status: response.status,
       };
     }
diff --git a/front/assets/js/toolbox/box.tsx b/front/assets/js/toolbox/box.tsx
new file mode 100644
index 000000000..ab905ea81
--- /dev/null
+++ b/front/assets/js/toolbox/box.tsx
@@ -0,0 +1,101 @@
+import { h } from "preact";
+import { useState } from "preact/hooks";
+import * as toolbox from "js/toolbox";
+
+interface BoxProps extends h.JSX.HTMLAttributes<HTMLDivElement> {
+  type: `danger` | `warning` | `info`;
+  copyContent?: string;
+  showCopy?: boolean;
+}
+
+export const Box = (props: BoxProps) => {
+  const [copied, setCopied] = useState(false);
+  const [anchorFocused, setAnchorFocused] = useState(false);
+
+  const { type, copyContent, showCopy = false, className = ``, children, ...rest } = props;
+
+  const onCopyClick = () => {
+    if (copyContent) {
+      void navigator.clipboard.writeText(copyContent);
+      setCopied(true);
+      setTimeout(() => setCopied(false), 2000);
+    }
+  };
+
+  const getColorClasses = () => {
+    switch (type) {
+      case `danger`:
+        return `bg-washed-red b--red`;
+      case `warning`:
+        return `bg-washed-yellow b--yellow`;
+      case `info`:
+        return `bg-washed-blue b--blue`;
+    }
+  };
+
+  const getIcon = () => {
+    switch (type) {
+      case `danger`:
+        return <toolbox.MaterializeIcon name="error" className="f4 red mr2"/>;
+      case `warning`:
+        return <toolbox.MaterializeIcon name="warning" className="f4 gold mr2"/>;
+      case `info`:
+        return <toolbox.MaterializeIcon name="info" className="f4 blue mr2"/>;
+    }
+  };
+
+  const copyButton = showCopy && copyContent && (
+    <div
+      className="absolute"
+      style={{
+        right: `0.5rem`,
+        top: `0.5rem`,
+      }}
+    >
+      <toolbox.Tooltip
+        content="Copy to clipboard"
+        anchor={
+          <button
+            className={`btn pa1 btn-secondary btn-tiny ${
+              anchorFocused ? `` : `o-50`
+            }`}
+            onClick={onCopyClick}
+          >
+            {!copied && (
+              <div className="flex items-center gray f6">
+                <toolbox.MaterializeIcon name="content_copy" className="f4"/>
+              </div>
+            )}
+            {copied && (
+              <div className="flex items-center gray f6">
+                <toolbox.MaterializeIcon name="done" className="f4"/>
+              </div>
+            )}
+          </button>
+        }
+        placement="top"
+      />
+    </div>
+  );
+
+  return (
+    <div
+      className={`f6 ba br3 relative ${getColorClasses()} ${className as string}`}
+      onMouseOver={() => setAnchorFocused(true)}
+      onMouseOut={() => setAnchorFocused(false)}
+      {...rest}
+    >
+      <div className="flex items-start pa3">
+        {getIcon()}
+        <div className="flex-auto">
+          {typeof children === `string` ? (
+            <div dangerouslySetInnerHTML={{ __html: children }}/>
+          ) : (
+            children
+          )}
+        </div>
+      </div>
+      {copyButton}
+    </div>
+  );
+};
diff --git a/front/assets/js/toolbox/index.ts b/front/assets/js/toolbox/index.ts
index 454b63773..922bdc31e 100644
--- a/front/assets/js/toolbox/index.ts
+++ b/front/assets/js/toolbox/index.ts
@@ -12,6 +12,7 @@ import * as Formatter from "./formatter";
 import * as ChartHelpers from "./chart_helpers";
 import * as APIRequest from "./api_request";
 import { default as PreCopy } from "./pre_copy";
+import { Box } from "./box";
 
 export {
   Asset,
@@ -28,4 +29,5 @@ export {
   Modal,
   YamlEditor,
   PreCopy,
+  Box,
 };
diff --git a/front/assets/js/toolbox/modal.tsx b/front/assets/js/toolbox/modal.tsx
index 6bc947a1d..97bbb4ba0 100644
--- a/front/assets/js/toolbox/modal.tsx
+++ b/front/assets/js/toolbox/modal.tsx
@@ -1,9 +1,11 @@
-import React, { createPortal, useEffect, useRef } from "preact/compat";
+import { createPortal, useEffect, useRef } from "preact/compat";
+import { h } from "preact";
 
-interface ModalProps extends React.HTMLAttributes<HTMLDivElement> {
+interface ModalProps extends h.JSX.HTMLAttributes<HTMLDivElement> {
   isOpen: boolean;
   close: () => void;
   title: string;
+  width?: string;
 }
 
 export const Modal = (props: ModalProps) => {
@@ -40,11 +42,26 @@ export const Modal = (props: ModalProps) => {
   return createPortal(
     <div
       ref={modalRef}
-      className="fixed overlay flex items-center justify-center vh-100 w-100"
-      style="display: block; z-index: 1000; left: 0; top: 0;"
+      className="fixed flex items-start justify-center vh-100 w-100"
+      style={{
+        zIndex: 1000,
+        backgroundColor: `rgba(0, 0, 0, 0.5)`,
+        left: 0,
+        top: 0
+      }}
       onClick={close}
     >
-      {props.children}
+      <div className={`bg-white br3 shadow-1 w-90 ${props.width || `w-50-m`} mw6 relative`}
+        style={{
+          top: `20vh`
+        }}>
+        {props.title && (
+          <div className="pa3 bb b--black-10">
+            <h2 className="f3 mb0">{props.title}</h2>
+          </div>
+        )}
+        {props.children}
+      </div>
     </div>,
     modalRoot
   );
diff --git a/front/config/config.exs b/front/config/config.exs
index f7a942db9..bebb86b5a 100644
--- a/front/config/config.exs
+++ b/front/config/config.exs
@@ -32,6 +32,7 @@ config :front, default_user_name: "Semaphore User"
 config :feature_provider, provider: {Front.FeatureHubProvider, []}
 config :front, :superjerry_client, {Support.FakeClients.Superjerry, []}
 config :front, :scouter_client, {Front.Clients.Scouter, []}
+config :front, :service_account_client, {Support.FakeClients.ServiceAccount, []}
 
 config :money,
   default_currency: :USD,
diff --git a/front/config/prod.exs b/front/config/prod.exs
index 64596a63e..a84ce86c4 100644
--- a/front/config/prod.exs
+++ b/front/config/prod.exs
@@ -8,6 +8,7 @@ config :front, FrontWeb.Endpoint,
   cache_static_manifest: "priv/static/cache_manifest.json"
 
 config :front, :superjerry_client, {Front.Clients.Superjerry, []}
+config :front, :service_account_client, {Front.Clients.ServiceAccount, []}
 config :front, guard_grpc_timeout: 15_000
 config :front, permission_patrol_timeout: 15_000
 config :front, me_host: "me.", me_path: "/"
diff --git a/front/config/runtime.exs b/front/config/runtime.exs
index a475204d1..75e339b0d 100644
--- a/front/config/runtime.exs
+++ b/front/config/runtime.exs
@@ -98,6 +98,7 @@ config :front,
   velocity_grpc_endpoint: System.fetch_env!("INTERNAL_API_URL_VELOCITY"),
   workflow_api_grpc_endpoint: System.fetch_env!("INTERNAL_API_URL_PLUMBER"),
   jwt_grpc_endpoint: System.fetch_env!("INTERNAL_API_URL_SECRETHUB"),
+  service_account_grpc_endpoint: System.fetch_env!("INTERNAL_API_URL_SERVICE_ACCOUNT"),
   permission_patrol_grpc_endpoint: "127.0.0.1:50052"
 
 config :front,
diff --git a/front/env/.env.internal-apis b/front/env/.env.internal-apis
index d2cf4c5e9..8724c7f41 100644
--- a/front/env/.env.internal-apis
+++ b/front/env/.env.internal-apis
@@ -35,4 +35,5 @@ INTERNAL_API_URL_LICENSE=127.0.0.1:50052
 INTERNAL_API_URL_GOFER=127.0.0.1:50052
 INTERNAL_API_URL_GROUPS=127.0.0.1:50052
 INTERNAL_API_URL_LOGHUB=127.0.0.1:50051
-INTERNAL_API_URL_LICENSE_CHECKER=127.0.0.1:50052
\ No newline at end of file
+INTERNAL_API_URL_LICENSE_CHECKER=127.0.0.1:50052
+INTERNAL_API_URL_SERVICE_ACCOUNT=127.0.0.1:50051
diff --git a/front/lib/front/application.ex b/front/lib/front/application.ex
index c4f9f5fbb..9e2de884c 100644
--- a/front/lib/front/application.ex
+++ b/front/lib/front/application.ex
@@ -16,14 +16,21 @@ defmodule Front.Application do
       {&:logger_filters.domain/2, {:stop, :equal, [:progress]}}
     )
 
+    base_children = [
+      {Phoenix.PubSub, [name: Front.PubSub, adapter: Phoenix.PubSub.PG2]},
+      FrontWeb.Endpoint,
+      {Task.Supervisor, [name: Front.TaskSupervisor]},
+      Front.Tracing.Store,
+      Front.FeatureProviderInvalidatorWorker
+    ]
+
     children =
-      [
-        {Phoenix.PubSub, [name: Front.PubSub, adapter: Phoenix.PubSub.PG2]},
-        FrontWeb.Endpoint,
-        {Task.Supervisor, [name: Front.TaskSupervisor]},
-        Front.Tracing.Store,
-        Front.FeatureProviderInvalidatorWorker
-      ] ++ reactor() ++ cache() ++ telemetry() ++ feature_provider(provider)
+      base_children ++
+        reactor() ++
+        cache() ++
+        telemetry() ++
+        feature_provider(provider) ++
+        clients()
 
     opts = [strategy: :one_for_one, name: Front.Supervisor]
 
@@ -93,6 +100,17 @@ defmodule Front.Application do
     end
   end
 
+  def clients do
+    Application.get_env(:front, :service_account_client)
+    |> case do
+      {client_mod, _} = client when client_mod in [Support.FakeClients.ServiceAccount] ->
+        [client]
+
+      _ ->
+        []
+    end
+  end
+
   def config_change(changed, _new, removed) do
     FrontWeb.Endpoint.config_change(changed, removed)
     :ok
diff --git a/front/lib/front/clients/service_account.ex b/front/lib/front/clients/service_account.ex
new file mode 100644
index 000000000..f680bfe4f
--- /dev/null
+++ b/front/lib/front/clients/service_account.ex
@@ -0,0 +1,192 @@
+defmodule Front.Clients.ServiceAccount do
+  require Logger
+
+  alias InternalApi.ServiceAccount.{
+    CreateRequest,
+    DestroyRequest,
+    DescribeRequest,
+    DescribeManyRequest,
+    ListRequest,
+    RegenerateTokenRequest,
+    UpdateRequest
+  }
+
+  @behaviour Front.ServiceAccount.Behaviour
+
+  @impl Front.ServiceAccount.Behaviour
+  def create(org_id, name, description, creator_id) do
+    %CreateRequest{
+      org_id: org_id,
+      name: name,
+      description: description,
+      creator_id: creator_id
+    }
+    |> grpc_call(:create)
+    |> case do
+      {:ok, result} ->
+        {:ok, {result.service_account, result.api_token}}
+
+      err ->
+        Logger.error("Error creating service account for org #{org_id}: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def list(org_id, page_size, page_token) do
+    %ListRequest{
+      org_id: org_id,
+      page_size: page_size,
+      page_token: page_token || ""
+    }
+    |> grpc_call(:list)
+    |> case do
+      {:ok, result} ->
+        next_page_token = if result.next_page_token == "", do: nil, else: result.next_page_token
+        {:ok, {result.service_accounts, next_page_token}}
+
+      err ->
+        Logger.error("Error listing service accounts for org #{org_id}: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def describe(service_account_id) do
+    %DescribeRequest{
+      service_account_id: service_account_id
+    }
+    |> grpc_call(:describe)
+    |> case do
+      {:ok, service_account} ->
+        {:ok, service_account}
+
+      err ->
+        Logger.error("Error describing service account #{service_account_id}: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def describe_many(service_account_ids) do
+    %DescribeManyRequest{
+      sa_ids: service_account_ids
+    }
+    |> grpc_call(:describe_many)
+    |> case do
+      {:ok, service_accounts} ->
+        {:ok, service_accounts}
+
+      err ->
+        Logger.error("Error describing multiple service accounts: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def update(service_account_id, name, description) do
+    %UpdateRequest{
+      service_account_id: service_account_id,
+      name: name,
+      description: description
+    }
+    |> grpc_call(:update)
+    |> case do
+      {:ok, service_account} ->
+        {:ok, service_account}
+
+      err ->
+        Logger.error("Error updating service account #{service_account_id}: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def delete(service_account_id) do
+    %DestroyRequest{
+      service_account_id: service_account_id
+    }
+    |> grpc_call(:delete)
+    |> case do
+      {:ok, _result} ->
+        :ok
+
+      err ->
+        Logger.error("Error deleting service account #{service_account_id}: #{inspect(err)}")
+        handle_error(err)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def regenerate_token(service_account_id) do
+    %RegenerateTokenRequest{
+      service_account_id: service_account_id
+    }
+    |> grpc_call(:regenerate_token)
+    |> case do
+      {:ok, result} ->
+        {:ok, result.api_token}
+
+      err ->
+        Logger.error(
+          "Error regenerating token for service account #{service_account_id}: #{inspect(err)}"
+        )
+
+        handle_error(err)
+    end
+  end
+
+  defp grpc_call(request, action) do
+    Watchman.benchmark("service_account.#{action}.duration", fn ->
+      channel()
+      |> call_grpc(
+        InternalApi.ServiceAccount.ServiceAccountService.Stub,
+        action,
+        request,
+        metadata(),
+        timeout()
+      )
+      |> tap(fn
+        {:ok, _} -> Watchman.increment("service_account.#{action}.success")
+        {:error, _} -> Watchman.increment("service_account.#{action}.failure")
+      end)
+    end)
+  end
+
+  defp call_grpc(error = {:error, err}, _, _, _, _, _) do
+    Logger.error("""
+    Unexpected error when connecting to ServiceAccount: #{inspect(err)}
+    """)
+
+    error
+  end
+
+  defp call_grpc({:ok, channel}, module, function_name, request, metadata, timeout) do
+    apply(module, function_name, [channel, request, [metadata: metadata, timeout: timeout]])
+  end
+
+  defp channel do
+    Application.fetch_env!(:front, :service_account_grpc_endpoint)
+    |> GRPC.Stub.connect()
+  end
+
+  defp timeout do
+    15_000
+  end
+
+  defp metadata do
+    nil
+  end
+
+  defp handle_error({:error, %GRPC.RPCError{status: status, message: message}}) do
+    if status == GRPC.Status.internal() do
+      {:error, "Unknown error, if this persists, please contact support."}
+    else
+      {:error, message}
+    end
+  end
+
+  defp handle_error({:error, _}) do
+    {:error, "Unknown error, if this persists, please contact support."}
+  end
+end
diff --git a/front/lib/front/models/service_account.ex b/front/lib/front/models/service_account.ex
new file mode 100644
index 000000000..6e5106ed9
--- /dev/null
+++ b/front/lib/front/models/service_account.ex
@@ -0,0 +1,199 @@
+defmodule Front.Models.ServiceAccount do
+  @moduledoc """
+  Model representing a Service Account
+  """
+
+  alias Front.RBAC.Members
+  alias Front.RBAC.RoleManagement
+  require Logger
+
+  @type role_source :: :unspecified | :manual | :external
+
+  @type role :: %{
+          id: String.t(),
+          name: String.t(),
+          source: role_source()
+        }
+
+  @type t :: %__MODULE__{
+          id: String.t(),
+          name: String.t(),
+          description: String.t(),
+          org_id: String.t(),
+          creator_id: String.t(),
+          created_at: DateTime.t(),
+          updated_at: DateTime.t(),
+          deactivated: boolean(),
+          roles: [role()]
+        }
+
+  defstruct [
+    :id,
+    :name,
+    :description,
+    :org_id,
+    :creator_id,
+    :created_at,
+    :updated_at,
+    :deactivated,
+    roles: []
+  ]
+
+  def list(org_id, page) do
+    # rbac accepts page_no starting from 0 :<
+    page_no = page - 1
+    page_size = 20
+
+    with {:ok, {members, total_pages}} <-
+           Members.list_org_members(org_id,
+             page_no: page_no,
+             page_size: page_size,
+             member_type: "service_account"
+           ),
+         member_ids <- Enum.map(members, & &1.id),
+         {:ok, service_accounts} <-
+           Front.ServiceAccount.describe_many(member_ids),
+         service_accounts <- assign_service_accounts_to_members(members, service_accounts) do
+      {:ok, {service_accounts, total_pages}}
+    else
+      error ->
+        Logger.error("Failed to list service accounts: #{inspect(error)}")
+        {:error, "Failed to list service accounts"}
+    end
+  end
+
+  def create(org_id, name, description, user_id, role_id) do
+    with {:ok, {service_account, token}} <-
+           Front.ServiceAccount.create(org_id, name, description, user_id),
+         {:ok, _} <- assign_role(org_id, user_id, service_account, role_id) do
+      {:ok, {from_proto(service_account), token}}
+    else
+      error ->
+        Logger.error("Failed to create service account or assign role: #{inspect(error)}")
+        {:error, "Failed to create service account or assign role"}
+    end
+  end
+
+  def update(service_account_id, name, description, user_id, role_id) do
+    with {:ok, service_account} <-
+           Front.ServiceAccount.update(service_account_id, name, description),
+         {:ok, _} <-
+           assign_role(
+             service_account.org_id,
+             user_id,
+             service_account,
+             role_id
+           ) do
+      {:ok, from_proto(service_account)}
+    else
+      error ->
+        Logger.error("Failed to update service account or assign role: #{inspect(error)}")
+        {:error, "Failed to update service account or assign role"}
+    end
+  end
+
+  def delete(service_account_id) do
+    with {:ok, service_account} <- Front.ServiceAccount.describe(service_account_id),
+         :ok <- Front.ServiceAccount.delete(service_account_id) do
+      {:ok, from_proto(service_account)}
+    else
+      error ->
+        Logger.error("Failed to delete service account: #{inspect(error)}")
+        {:error, "Failed to delete service account"}
+    end
+  end
+
+  def regenerate_token(service_account_id) do
+    with {:ok, service_account} <- Front.ServiceAccount.describe(service_account_id),
+         {:ok, api_token} <- Front.ServiceAccount.regenerate_token(service_account_id) do
+      {:ok, {from_proto(service_account), api_token}}
+    else
+      error ->
+        Logger.error("Failed to regenerate service account token: #{inspect(error)}")
+        {:error, "Failed to regenerate service account token"}
+    end
+  end
+
+  @doc """
+  Creates a new ServiceAccount struct from protobuf data
+  """
+  @spec from_proto(InternalApi.ServiceAccount.t()) :: t
+  def from_proto(proto) do
+    %__MODULE__{
+      id: proto.id,
+      name: proto.name,
+      description: proto.description,
+      org_id: proto.org_id,
+      creator_id: proto.creator_id,
+      created_at: timestamp_to_datetime(proto.created_at),
+      updated_at: timestamp_to_datetime(proto.updated_at),
+      deactivated: proto.deactivated,
+      roles: []
+    }
+  end
+
+  defp timestamp_to_datetime(%Google.Protobuf.Timestamp{seconds: seconds}) do
+    DateTime.from_unix!(seconds)
+  end
+
+  defp timestamp_to_datetime(_), do: DateTime.utc_now()
+
+  defp assign_service_accounts_to_members(members, service_accounts) do
+    members
+    |> Enum.map(fn member ->
+      {member, Enum.find(service_accounts, &(&1.id == member.id))}
+    end)
+    |> Enum.map(fn
+      {member, nil} ->
+        Logger.warn("Service account #{member.id} not found in service accounts list")
+        nil
+
+      {member, service_account} ->
+        from_proto(service_account)
+        |> Map.put(:roles, parse_role_bindings(member.subject_role_bindings))
+    end)
+    |> Enum.filter(& &1)
+  end
+
+  @spec parse_role_bindings([InternalApi.RBAC.SubjectRoleBinding.t()]) :: [role]
+  defp parse_role_bindings(role_bindings) do
+    Enum.map(role_bindings, &parse_role_binding/1)
+  end
+
+  @spec parse_role_binding(InternalApi.RBAC.SubjectRoleBinding.t()) :: role()
+  defp parse_role_binding(subject_role_binding) do
+    %{
+      id: subject_role_binding.role.id,
+      source: parse_role_source(subject_role_binding.source),
+      name: subject_role_binding.role.name
+    }
+  end
+
+  @spec parse_role_source(InternalApi.RBAC.RoleBindingSource.t()) :: role_source
+  defp parse_role_source(subject_role_source) do
+    subject_role_source
+    |> InternalApi.RBAC.RoleBindingSource.key()
+    |> case do
+      :ROLE_BINDING_SOURCE_MANUALLY ->
+        :manual
+
+      source
+      when source in [
+             :ROLE_BINDING_SOURCE_GITHUB,
+             :ROLE_BINDING_SOURCE_BITBUCKET,
+             :ROLE_BINDING_SOURCE_GITLAB,
+             :ROLE_BINDING_SOURCE_SCIM,
+             :ROLE_BINDING_SOURCE_INHERITED_FROM_ORG_ROLE,
+             :ROLE_BINDING_SOURCE_SAML_JIT
+           ] ->
+        :external
+
+      _ ->
+        :unspecified
+    end
+  end
+
+  defp assign_role(org_id, user_id, service_account, role_id) do
+    RoleManagement.assign_role(user_id, org_id, service_account.id, role_id)
+  end
+end
diff --git a/front/lib/front/rbac/groups.ex b/front/lib/front/rbac/groups.ex
index e138d60b4..7b433a41a 100644
--- a/front/lib/front/rbac/groups.ex
+++ b/front/lib/front/rbac/groups.ex
@@ -127,6 +127,26 @@ defmodule Front.RBAC.Groups do
         }
       )
 
-    group |> Map.put(:members, members)
+    member_user_ids = members |> Enum.map(& &1.id)
+    non_member_ids = group.member_ids -- member_user_ids
+
+    service_accounts =
+      Front.ServiceAccount.describe_many(non_member_ids)
+      |> case do
+        {:ok, service_accounts} ->
+          service_accounts
+
+        _ ->
+          []
+      end
+      |> Enum.map(
+        &%{
+          id: &1.id,
+          name: &1.name,
+          avatar: ""
+        }
+      )
+
+    group |> Map.put(:members, members ++ service_accounts)
   end
 end
diff --git a/front/lib/front/rbac/members.ex b/front/lib/front/rbac/members.ex
index dc7232fe0..36bb1d70b 100644
--- a/front/lib/front/rbac/members.ex
+++ b/front/lib/front/rbac/members.ex
@@ -112,7 +112,13 @@ defmodule Front.RBAC.Members do
     alias InternalApi.RBAC.SubjectType, as: Type
 
     member_type =
-      if opts[:member_type] == "group", do: Type.value(:GROUP), else: Type.value(:USER)
+      opts[:member_type]
+      |> case do
+        "group" -> Type.value(:GROUP)
+        "service_account" -> Type.value(:SERVICE_ACCOUNT)
+        # assume user if not specified
+        _ -> Type.value(:USER)
+      end
 
     req =
       build_list_members_request(org_id, project_id,
diff --git a/front/lib/front/rbac/role_management.ex b/front/lib/front/rbac/role_management.ex
index 13265804c..e20a5acfa 100644
--- a/front/lib/front/rbac/role_management.ex
+++ b/front/lib/front/rbac/role_management.ex
@@ -180,7 +180,7 @@ defmodule Front.RBAC.RoleManagement do
     If the 'project_id' parameter is not passed, it is interpreted as the role being assigned
     within the organization scope.
   """
-  @spec assign_role(id(), id(), id(), id(), id()) :: {:ok, String.t()} | {:error, String.t()}
+  @spec assign_role(id(), id(), id(), id(), String.t()) :: {:ok, String.t()} | {:error, any}
   def assign_role(requester_id, org_id, subject_id, role_id, project_id \\ "") do
     Watchman.benchmark("assign_role.duration", fn ->
       Logger.info(
@@ -211,7 +211,7 @@ defmodule Front.RBAC.RoleManagement do
     Since only one role can be manually assigned, there is no need to specify which role is being
     retracted
   """
-  @spec retract_role(id(), id(), id(), id()) :: {:ok, String.t()} | {:error, String.t()}
+  @spec retract_role(id(), id(), id(), String.t()) :: {:ok, String.t()} | {:error, any}
   def retract_role(requester_id, org_id, subject_id, project_id \\ "") do
     Watchman.benchmark("remove_member.duration", fn ->
       Logger.info(
diff --git a/front/lib/front/service_account.ex b/front/lib/front/service_account.ex
new file mode 100644
index 000000000..f86dbd468
--- /dev/null
+++ b/front/lib/front/service_account.ex
@@ -0,0 +1,62 @@
+defmodule Front.ServiceAccount do
+  defmodule Behaviour do
+    alias InternalApi.ServiceAccount.ServiceAccount
+
+    @callback create(
+                org_id :: String.t(),
+                name :: String.t(),
+                description :: String.t(),
+                creator_id :: String.t()
+              ) :: {:ok, {ServiceAccount.t(), String.t()}} | {:error, any}
+
+    @callback list(
+                org_id :: String.t(),
+                page_size :: integer(),
+                page_token :: String.t() | nil
+              ) :: {:ok, {[ServiceAccount.t()], String.t() | nil}} | {:error, any}
+
+    @callback describe(service_account_id :: String.t()) ::
+                {:ok, ServiceAccount.t()} | {:error, any}
+
+    @callback describe_many(service_account_ids :: [String.t()]) ::
+                {:ok, [ServiceAccount.t()]} | {:error, any}
+
+    @callback update(
+                service_account_id :: String.t(),
+                name :: String.t(),
+                description :: String.t()
+              ) :: {:ok, ServiceAccount.t()} | {:error, any}
+
+    @callback delete(service_account_id :: String.t()) :: :ok | {:error, any}
+
+    @callback regenerate_token(service_account_id :: String.t()) ::
+                {:ok, String.t()} | {:error, any}
+  end
+
+  def create(org_id, name, description, creator_id),
+    do: service_account_impl().create(org_id, name, description, creator_id)
+
+  def list(org_id, page_size, page_token \\ nil),
+    do: service_account_impl().list(org_id, page_size, page_token)
+
+  def describe(service_account_id),
+    do: service_account_impl().describe(service_account_id)
+
+  def describe_many(service_account_ids),
+    do: service_account_impl().describe_many(service_account_ids)
+
+  def update(service_account_id, name, description),
+    do: service_account_impl().update(service_account_id, name, description)
+
+  def delete(service_account_id),
+    do: service_account_impl().delete(service_account_id)
+
+  def regenerate_token(service_account_id),
+    do: service_account_impl().regenerate_token(service_account_id)
+
+  defp service_account_impl do
+    {client, _client_opts} = Application.fetch_env!(:front, :service_account_client)
+
+    client
+  end
+end
diff --git a/front/lib/front_web/controllers/groups_controller.ex b/front/lib/front_web/controllers/groups_controller.ex
index ee608550f..2f65e5308 100644
--- a/front/lib/front_web/controllers/groups_controller.ex
+++ b/front/lib/front_web/controllers/groups_controller.ex
@@ -114,20 +114,36 @@ defmodule FrontWeb.GroupsController do
         )
       end)
 
+    fetch_org_service_accounts =
+      Async.run(fn ->
+        Members.list_org_members(org_id,
+          username: username,
+          page_size: @max_people_per_org,
+          member_type: "service_account"
+        )
+      end)
+
     if group_id != "nil" do
       fetch_group_members = Async.run(fn -> Groups.fetch_group_members(org_id, group_id) end)
 
       {:ok, {:ok, group_members}} = Async.await(fetch_group_members)
       {:ok, {:ok, {org_members, _total_pages}}} = Async.await(fetch_org_members)
 
+      {:ok, {:ok, {service_account_members, _total_pages}}} =
+        Async.await(fetch_org_service_accounts)
+
       non_members =
-        org_members
+        (org_members ++ service_account_members)
         |> Enum.filter(fn member -> member.id not in Enum.map(group_members, & &1.id) end)
 
       conn |> json(non_members |> Enum.take(@return_non_members))
     else
       {:ok, {:ok, {org_members, _total_pages}}} = Async.await(fetch_org_members)
-      conn |> json(org_members |> Enum.take(@return_non_members))
+
+      {:ok, {:ok, {service_account_members, _total_pages}}} =
+        Async.await(fetch_org_service_accounts)
+
+      conn |> json((org_members ++ service_account_members) |> Enum.take(@return_non_members))
     end
   end
 
diff --git a/front/lib/front_web/controllers/people_controller.ex b/front/lib/front_web/controllers/people_controller.ex
index f88d1c6b4..b86ad41fa 100644
--- a/front/lib/front_web/controllers/people_controller.ex
+++ b/front/lib/front_web/controllers/people_controller.ex
@@ -657,6 +657,9 @@ defmodule FrontWeb.PeopleController do
       fetch_groups =
         Async.run(fn -> Members.list_project_members(org_id, project.id, member_type: "group") end)
 
+      fetch_service_accounts =
+        async_fetch_members(org_id, project.id, member_type: "service_account")
+
       fetch_is_project_starred? =
         Async.run(fn -> Models.User.has_favorite(user_id, org_id, project.id) end)
 
@@ -667,6 +670,7 @@ defmodule FrontWeb.PeopleController do
       {:ok, {:ok, {members, total_pages}}} = Async.await(fetch_members)
       {:ok, {:ok, {groups, _}}} = Async.await(fetch_groups)
       {:ok, is_project_starred?} = Async.await(fetch_is_project_starred?)
+      {:ok, {:ok, {service_accounts, _total_pages}}} = Async.await(fetch_service_accounts)
 
       assigns =
         %{
@@ -677,6 +681,7 @@ defmodule FrontWeb.PeopleController do
           permissions: conn.assigns.permissions,
           members: members,
           groups: groups,
+          service_accounts: service_accounts,
           project_id: project.id,
           title: "People・#{project.name}",
           org_scope?: false,
diff --git a/front/lib/front_web/controllers/service_account_controller.ex b/front/lib/front_web/controllers/service_account_controller.ex
new file mode 100644
index 000000000..736d6e44f
--- /dev/null
+++ b/front/lib/front_web/controllers/service_account_controller.ex
@@ -0,0 +1,141 @@
+defmodule FrontWeb.ServiceAccountController do
+  use FrontWeb, :controller
+  require Logger
+
+  alias Front.{Audit, Models}
+  alias FrontWeb.Plugs.{FetchPermissions, PageAccess, FeatureEnabled}
+
+  @manage ~w(create update delete regenerate_token)a
+
+  plug(FetchPermissions, scope: "org")
+  plug(PageAccess, permissions: "organization.service_accounts.view")
+  plug(PageAccess, [permissions: "organization.service_accounts.manage"] when action in @manage)
+  plug(FeatureEnabled, [:service_accounts])
+
+  def index(conn, params) do
+    org_id = conn.assigns.organization_id
+    page = String.to_integer(params["page"] || "1")
+
+    case Models.ServiceAccount.list(org_id, page) do
+      {:ok, {service_accounts, total_pages}} ->
+        conn
+        |> render("index.json",
+          service_accounts: service_accounts,
+          total_pages: total_pages
+        )
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+
+  def create(conn, params) do
+    org_id = conn.assigns.organization_id
+    user_id = conn.assigns.user_id
+    name = params["name"] || ""
+    description = params["description"] || ""
+    role_id = params["role_id"] || ""
+
+    Models.ServiceAccount.create(org_id, name, description, user_id, role_id)
+    |> case do
+      {:ok, {service_account, api_token}} ->
+        conn
+        |> Audit.new(:ServiceAccount, :Added)
+        |> Audit.add(resource_id: service_account.id)
+        |> Audit.add(resource_name: service_account.name)
+        |> Audit.add(description: "Service account created")
+        |> Audit.metadata(organization_id: org_id)
+        |> Audit.metadata(user_id: user_id)
+        |> Audit.log()
+
+        conn
+        |> put_status(:created)
+        |> render("show.json", service_account: service_account, api_token: api_token)
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+
+  def update(conn, params = %{"id" => service_account_id}) do
+    org_id = conn.assigns.organization_id
+    user_id = conn.assigns.user_id
+    name = params["name"] || ""
+    description = params["description"] || ""
+    role_id = params["role_id"] || ""
+
+    Models.ServiceAccount.update(service_account_id, name, description, user_id, role_id)
+    |> case do
+      {:ok, service_account} ->
+        conn
+        |> Audit.new(:ServiceAccount, :Modified)
+        |> Audit.add(resource_id: service_account.id)
+        |> Audit.add(resource_name: service_account.name)
+        |> Audit.add(description: "Service account updated")
+        |> Audit.metadata(organization_id: org_id)
+        |> Audit.metadata(user_id: user_id)
+        |> Audit.log()
+
+        render(conn, "show.json", service_account: service_account)
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+
+  def delete(conn, %{"id" => service_account_id}) do
+    org_id = conn.assigns.organization_id
+    user_id = conn.assigns.user_id
+
+    Models.ServiceAccount.delete(service_account_id)
+    |> case do
+      {:ok, service_account} ->
+        conn
+        |> Audit.new(:ServiceAccount, :Removed)
+        |> Audit.add(resource_id: service_account.id)
+        |> Audit.add(resource_name: service_account.name)
+        |> Audit.add(description: "Service account deleted")
+        |> Audit.metadata(organization_id: org_id)
+        |> Audit.metadata(user_id: user_id)
+        |> Audit.log()
+
+        send_resp(conn, :no_content, "")
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+
+  def regenerate_token(conn, %{"id" => service_account_id}) do
+    org_id = conn.assigns.organization_id
+    user_id = conn.assigns.user_id
+
+    Models.ServiceAccount.regenerate_token(service_account_id)
+    |> case do
+      {:ok, {service_account, api_token}} ->
+        conn
+        |> Audit.new(:ServiceAccount, :Rebuild)
+        |> Audit.add(resource_id: service_account.id)
+        |> Audit.add(resource_name: service_account.name)
+        |> Audit.add(description: "Service account token regenerated")
+        |> Audit.metadata(organization_id: org_id)
+        |> Audit.metadata(user_id: user_id)
+        |> Audit.log()
+
+        json(conn, %{api_token: api_token})
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+end
diff --git a/front/lib/front_web/plugs/feature_enabled.ex b/front/lib/front_web/plugs/feature_enabled.ex
index 442730d3a..2b6a30e10 100644
--- a/front/lib/front_web/plugs/feature_enabled.ex
+++ b/front/lib/front_web/plugs/feature_enabled.ex
@@ -1,12 +1,15 @@
 defmodule FrontWeb.Plugs.FeatureEnabled do
+  @behaviour Plug
   alias Front.Auth
 
-  @type feature_name :: [String.t() | :atom]
+  @type feature_name :: atom()
 
   @nil_uuid "00000000-0000-0000-0000-000000000000"
 
+  @impl true
   def init(features), do: features
 
+  @impl true
   def call(conn, features) do
     enabled = feature_enabled?(conn, features) or is_insider?(conn)
 
diff --git a/front/lib/front_web/router.ex b/front/lib/front_web/router.ex
index 29d1bcae8..557624466 100644
--- a/front/lib/front_web/router.ex
+++ b/front/lib/front_web/router.ex
@@ -170,6 +170,15 @@ defmodule FrontWeb.Router do
       get("/offboarding/:user_id", OffboardingController, :show)
     end
 
+    scope "/service_accounts" do
+      get("/", ServiceAccountController, :index)
+      post("/", ServiceAccountController, :create)
+      get("/:id", ServiceAccountController, :show)
+      put("/:id", ServiceAccountController, :update)
+      delete("/:id", ServiceAccountController, :delete)
+      post("/:id/regenerate_token", ServiceAccountController, :regenerate_token)
+    end
+
     post("/project/:name_or_id/offboarding", OffboardingController, :transfer)
     delete("/project/:name_or_id/offboarding", OffboardingController, :remove)
 
diff --git a/front/lib/front_web/templates/people/members/__metadata.html.eex b/front/lib/front_web/templates/people/members/__metadata.html.eex
index e0879ead9..0b06e05f6 100644
--- a/front/lib/front_web/templates/people/members/__metadata.html.eex
+++ b/front/lib/front_web/templates/people/members/__metadata.html.eex
@@ -1,20 +1,24 @@
 <div class="f6 gray flex items-center">
-    <%= if @member.github_login do %>
-      <svg class="mh1" width="16" height="16" xmlns="http://www.w3.org/2000/svg">
-        <path d="M8 0A8 8 0 005.47 15.59c.4.075.546-.172.546-.385 0-.19-.007-.693-.01-1.36-2.226.483-2.695-1.073-2.695-1.073-.364-.924-.889-1.17-.889-1.17-.726-.496.055-.486.055-.486.803.056 1.225.824 1.225.824.714 1.223 1.873.87 2.329.665.073-.517.28-.87.508-1.07-1.777-.201-3.644-.888-3.644-3.953 0-.873.311-1.588.823-2.147-.082-.202-.357-1.016.079-2.117 0 0 .671-.215 2.2.82A7.662 7.662 0 018 3.868a7.67 7.67 0 012.003.27c1.527-1.035 2.198-.82 2.198-.82.436 1.101.162 1.915.08 2.117.513.559.822 1.274.822 2.147 0 3.073-1.87 3.75-3.652 3.947.286.247.542.736.542 1.482 0 1.07-.01 1.932-.01 2.194 0 .215.145.463.55.385A8 8 0 008 0" fill-rule="evenodd"/>
-      </svg>
-      <a href="https://github.com/<%= @member.github_login%>/">@<%= @member.github_login%></a>
-    <% end %>
-    <%= if @member.bitbucket_login do %>
-      <svg class="mh1" height="16" width="16" xmlns="http://www.w3.org/2000/svg">
-        <path d="M.75 1.032a.5.5 0 00-.5.58l2.123 12.886a.68.68 0 00.664.567H13.22a.5.5 0 00.5-.42l2.122-13.03a.5.5 0 00-.5-.58zm8.938 9.313h-3.25l-.88-4.598h4.917z" fill-rule="evenodd"/>
-      </svg>
-      <a href="https://bitbucket.org/<%= @member.bitbucket_login%>/">@<%= @member.bitbucket_login%></a>
-    <% end %>
-    <%= if @member.gitlab_login do %>
-      <svg width="16px" height="16px" xmlns="http://www.w3.org/2000/svg" fill="#000000" viewBox="0 0 32 32">
-        <path d="M 8.382813 1.972656 L 4.078125 13.453125 L 3.835938 14.105469 L 1.796875 19.542969 L 16 29.875 L 30.203125 19.542969 L 28.164063 14.105469 L 23.613281 1.972656 L 19.882813 13.453125 L 12.117188 13.453125 Z M 8.25 8.027344 L 10.015625 13.453125 L 6.214844 13.453125 Z M 23.75 8.027344 L 25.785156 13.453125 L 21.984375 13.453125 Z M 5.464844 15.453125 L 10.664063 15.453125 L 14.09375 26.015625 L 4.203125 18.820313 Z M 12.765625 15.453125 L 19.234375 15.453125 L 16 25.402344 Z M 21.335938 15.453125 L 26.53125 15.453125 L 27.796875 18.820313 L 17.902344 26.015625 Z" />
-      </svg>
-      <a href="https://gitlab.com/<%= @member.gitlab_login%>/">@<%= @member.gitlab_login%></a>
+    <%= if @member.subject_type == "service_account" do %>
+      <span class="mh1"><%= @member.name %></span>
+    <% else %>
+      <%= if @member.github_login do %>
+        <svg class="mh1" width="16" height="16" xmlns="http://www.w3.org/2000/svg">
+          <path d="M8 0A8 8 0 005.47 15.59c.4.075.546-.172.546-.385 0-.19-.007-.693-.01-1.36-2.226.483-2.695-1.073-2.695-1.073-.364-.924-.889-1.17-.889-1.17-.726-.496.055-.486.055-.486.803.056 1.225.824 1.225.824.714 1.223 1.873.87 2.329.665.073-.517.28-.87.508-1.07-1.777-.201-3.644-.888-3.644-3.953 0-.873.311-1.588.823-2.147-.082-.202-.357-1.016.079-2.117 0 0 .671-.215 2.2.82A7.662 7.662 0 018 3.868a7.67 7.67 0 012.003.27c1.527-1.035 2.198-.82 2.198-.82.436 1.101.162 1.915.08 2.117.513.559.822 1.274.822 2.147 0 3.073-1.87 3.75-3.652 3.947.286.247.542.736.542 1.482 0 1.07-.01 1.932-.01 2.194 0 .215.145.463.55.385A8 8 0 008 0" fill-rule="evenodd"/>
+        </svg>
+        <a href="https://github.com/<%= @member.github_login%>/">@<%= @member.github_login%></a>
+      <% end %>
+      <%= if @member.bitbucket_login do %>
+        <svg class="mh1" height="16" width="16" xmlns="http://www.w3.org/2000/svg">
+          <path d="M.75 1.032a.5.5 0 00-.5.58l2.123 12.886a.68.68 0 00.664.567H13.22a.5.5 0 00.5-.42l2.122-13.03a.5.5 0 00-.5-.58zm8.938 9.313h-3.25l-.88-4.598h4.917z" fill-rule="evenodd"/>
+        </svg>
+        <a href="https://bitbucket.org/<%= @member.bitbucket_login%>/">@<%= @member.bitbucket_login%></a>
+      <% end %>
+      <%= if @member.gitlab_login do %>
+        <svg width="16px" height="16px" xmlns="http://www.w3.org/2000/svg" fill="#000000" viewBox="0 0 32 32">
+          <path d="M 8.382813 1.972656 L 4.078125 13.453125 L 3.835938 14.105469 L 1.796875 19.542969 L 16 29.875 L 30.203125 19.542969 L 28.164063 14.105469 L 23.613281 1.972656 L 19.882813 13.453125 L 12.117188 13.453125 Z M 8.25 8.027344 L 10.015625 13.453125 L 6.214844 13.453125 Z M 23.75 8.027344 L 25.785156 13.453125 L 21.984375 13.453125 Z M 5.464844 15.453125 L 10.664063 15.453125 L 14.09375 26.015625 L 4.203125 18.820313 Z M 12.765625 15.453125 L 19.234375 15.453125 L 16 25.402344 Z M 21.335938 15.453125 L 26.53125 15.453125 L 27.796875 18.820313 L 17.902344 26.015625 Z" />
+        </svg>
+        <a href="https://gitlab.com/<%= @member.gitlab_login%>/">@<%= @member.gitlab_login%></a>
+      <% end %>
     <% end %>
 </div>
diff --git a/front/lib/front_web/templates/people/members/_add_service_account_button.html.eex b/front/lib/front_web/templates/people/members/_add_service_account_button.html.eex
new file mode 100644
index 000000000..8d8f56929
--- /dev/null
+++ b/front/lib/front_web/templates/people/members/_add_service_account_button.html.eex
@@ -0,0 +1,12 @@
+<%= if show_people_management_buttons?(@conn, @org_scope?, @permissions) do %>
+  <div>
+    <div class="flex-m">
+      <div>
+        <button id="add_service_accounts_to_project" class="btn btn-primary flex items-center">
+          <span class="material-symbols-outlined mr2">smart_toy</span>
+          Add service accounts
+        </button>
+      </div>
+    </div>
+  </div>
+<% end %>
\ No newline at end of file
diff --git a/front/lib/front_web/templates/people/members/_member.html.eex b/front/lib/front_web/templates/people/members/_member.html.eex
index ef5d67c42..68030eeb4 100644
--- a/front/lib/front_web/templates/people/members/_member.html.eex
+++ b/front/lib/front_web/templates/people/members/_member.html.eex
@@ -6,14 +6,17 @@
       <div>
         <div class="flex items-center">
           <span class="ml1 b">
-            <%= if !@is_group? do %>
-              <%= link @member.name, to: people_path(@conn, :show, @member.id), class: "link black" %>
-            <% else %>
-              <%= if @permissions["organization.people.manage"] do %>
-                <span class="black pointer" style="cursor: pointer;" name="modify-group-btn" group_id="<%= @member.id %>"><%= @member.name %></span>
-              <% else %>
+            <%= cond do %>
+              <% Map.get(assigns, :is_service_account?) -> %>
                 <span class="black"><%= @member.name %></span>
-              <% end %>
+              <% @is_group? -> %>
+                <%= if @permissions["organization.people.manage"] do %>
+                  <span class="black pointer" style="cursor: pointer;" name="modify-group-btn" group_id="<%= @member.id %>"><%= @member.name %></span>
+                <% else %>
+                  <span class="black"><%= @member.name %></span>
+                <% end %>
+              <% true -> %>
+                <%= link @member.name, to: people_path(@conn, :show, @member.id), class: "link black" %>
             <% end %>
           </span>
           <%= render "members/__role_labels.html", role_bindings: @member.subject_role_bindings %>
@@ -34,13 +37,18 @@
               <%= render "members/__change_role_btn.html", member: @member, roles: @roles, permissions: @permissions %>
             <% end %>
           <% end %>
-          <%= if @is_group? and @org_scope? do %>
-            <%= render "members/__modify_group_button.html", group: @member, permissions: @permissions %>
-            <%= render "members/__delete_group_button.html", group: @member, conn: @conn, permissions: @permissions %>
-          <% else %>
-            <%= if @org_scope? || !Front.ce_roles?() || "Member" in member_role_names do %>
-              <%= render "members/__remove_member_btn.html", member: @member %>
-            <% end %>
+          <%= cond do %>
+            <% @is_group? and @org_scope? -> %>
+              <%= render "members/__modify_group_button.html", group: @member, permissions: @permissions %>
+              <%= render "members/__delete_group_button.html", group: @member, conn: @conn, permissions: @permissions %>
+            <% Map.get(assigns, :is_service_account?) -> %>
+              <%= if @org_scope? || !Front.ce_roles?() || "Member" in member_role_names do %>
+                <%= render "members/__remove_member_btn.html", member: @member %>
+              <% end %>
+            <% true -> %>
+              <%= if @org_scope? || !Front.ce_roles?() || "Member" in member_role_names do %>
+                <%= render "members/__remove_member_btn.html", member: @member %>
+              <% end %>
           <% end %>
 
         </div>
diff --git a/front/lib/front_web/templates/people/members/members_list.html.eex b/front/lib/front_web/templates/people/members/members_list.html.eex
index c4c0f1f3d..5576be245 100644
--- a/front/lib/front_web/templates/people/members/members_list.html.eex
+++ b/front/lib/front_web/templates/people/members/members_list.html.eex
@@ -43,4 +43,27 @@
       <% end) %>
     </div>
   </div>
+
+  <%= if FeatureProvider.feature_enabled?(:service_accounts, param: @conn.assigns[:organization_id]) &&
+         Map.has_key?(assigns, :service_accounts) do %>
+    <div class="bb b--black-075 w-100-l mt4 br3 shadow-3 bg-white">
+      <div class="flex items-center justify-between pa3 bb bw1 b--black-075 br3 br--top ">
+        <div>
+          <div class="flex items-center">
+            <span class="material-symbols-outlined pr2">key</span>
+            <div class="b">Service Accounts</div>
+          </div>
+        </div>
+        <%= if !@org_scope? && show_people_management_buttons?(@conn, @org_scope?, @permissions) do %>
+          <%= render "members/_add_service_account_button.html", conn: @conn, org_scope?: @org_scope?, permissions: @permissions %>
+        <% end %>
+      </div>
+
+      <div id="service_accounts">
+        <%= @service_accounts |> Enum.map(fn (service_account) -> %>
+          <%= render "members/_member.html", is_group?: false, is_service_account?: true, member: service_account, roles: @roles, org_scope?: @org_scope?, conn: @conn, permissions: @permissions %>
+        <% end) %>
+      </div>
+    </div>
+  <% end %>
 <% end %>
diff --git a/front/lib/front_web/templates/people/organization.html.eex b/front/lib/front_web/templates/people/organization.html.eex
index f9581d8cf..a971f39d7 100644
--- a/front/lib/front_web/templates/people/organization.html.eex
+++ b/front/lib/front_web/templates/people/organization.html.eex
@@ -42,4 +42,8 @@
       Ask any of the admins to give you access permission.</p>
     </div>
   <% end %>
+
+  <%= if FeatureProvider.feature_enabled?(:service_accounts, param: @org_id) and @permissions["organization.service_accounts.view"] do %>
+      <div id="service-accounts" data-config="<%= Poison.encode!(service_accounts_config(@conn)) %>"></div>
+  <% end %>
 </div>
diff --git a/front/lib/front_web/templates/people/project.html.eex b/front/lib/front_web/templates/people/project.html.eex
index 50a657bd1..e4bf2da82 100644
--- a/front/lib/front_web/templates/people/project.html.eex
+++ b/front/lib/front_web/templates/people/project.html.eex
@@ -30,7 +30,7 @@
         <%= render "_role_filter.html", conn: @conn, roles: @roles%>
       <% end %>
     </div>
-    <%= render "members/members_list.html", org_id: @org_id, groups: @groups, members: @members, roles: @roles, org_scope?: @org_scope?, conn: @conn, permissions: @permissions %>
+    <%= render "members/members_list.html", org_id: @org_id, groups: @groups, members: @members, service_accounts: @service_accounts, roles: @roles, org_scope?: @org_scope?, conn: @conn, permissions: @permissions %>
     <%= render "_pagination.html", pagination: @pagination%>
   <% else %>
     <div class="pv6 tc">
diff --git a/front/lib/front_web/views/people_view.ex b/front/lib/front_web/views/people_view.ex
index f03552d30..53ef14fe0 100644
--- a/front/lib/front_web/views/people_view.ex
+++ b/front/lib/front_web/views/people_view.ex
@@ -45,6 +45,38 @@ defmodule FrontWeb.PeopleView do
     }
   end
 
+  def service_accounts_config(conn) do
+    org_id = conn.assigns.organization_id
+    permissions = conn.assigns.permissions
+
+    {:ok, all_roles} = Front.RBAC.RoleManagement.list_possible_roles(org_id, "org_scope")
+
+    # Filter roles - exclude Owner unless user has change_owner permission
+    filtered_roles =
+      all_roles
+      |> Enum.filter(fn
+        %{name: "Owner"} -> permissions["organization.change_owner"] || false
+        _role -> true
+      end)
+      |> Enum.map(fn role ->
+        %{
+          id: role.id,
+          name: role.name,
+          description: role.description
+        }
+      end)
+
+    %{
+      organization_id: org_id,
+      project_id: conn.assigns[:project_id],
+      permissions: %{
+        view: permissions["organization.service_accounts.view"] || false,
+        manage: permissions["organization.service_accounts.manage"] || false
+      },
+      roles: filtered_roles
+    }
+  end
+
   @spec available_user_providers(org_id :: String.t()) :: [String.t()]
   defp available_user_providers(org_id) do
     [
@@ -194,28 +226,40 @@ defmodule FrontWeb.PeopleView do
     |> raw()
   end
 
-  defp map_role_to_colour("Admin"), do: "blue"
-  defp map_role_to_colour("Contributor"), do: "green"
-  defp map_role_to_colour("Reader"), do: "yellow"
-  defp map_role_to_colour("Owner"), do: "red"
-  defp map_role_to_colour("Member"), do: "green"
-  defp map_role_to_colour("Viewer"), do: "orange"
-  defp map_role_to_colour("Billing Admin"), do: "purple"
-  defp map_role_to_colour(_), do: "cyan"
+  def map_role_to_colour("Admin"), do: "blue"
+  def map_role_to_colour("Contributor"), do: "green"
+  def map_role_to_colour("Reader"), do: "yellow"
+  def map_role_to_colour("Owner"), do: "red"
+  def map_role_to_colour("Member"), do: "green"
+  def map_role_to_colour("Viewer"), do: "orange"
+  def map_role_to_colour("Billing Admin"), do: "purple"
+  def map_role_to_colour(_), do: "cyan"
 
   def construct_member_avatar(member) do
-    avatar_url =
-      if member.has_avatar do
-        member.avatar
-      else
-        first_letter = member.name |> String.first() |> String.downcase()
-        "#{assets_path()}/images/org-#{first_letter}.svg"
-      end
-
-    """
-      <img src="#{avatar_url}" class="w2 h2 br-100 mr2 ba b--black-50">
-    """
-    |> raw()
+    # Check if this is a service account
+    is_service_account = member.subject_type == "service_account"
+
+    if is_service_account do
+      """
+        <div class="w2 h2 br-100 mr2 ba b--black-50 flex items-center justify-center bg-light-gray">
+          <span class="material-symbols-outlined f6 gray">smart_toy</span>
+        </div>
+      """
+      |> raw()
+    else
+      avatar_url =
+        if member.has_avatar do
+          member.avatar
+        else
+          first_letter = member.name |> String.first() |> String.downcase()
+          "#{assets_path()}/images/org-#{first_letter}.svg"
+        end
+
+      """
+        <img src="#{avatar_url}" class="w2 h2 br-100 mr2 ba b--black-50">
+      """
+      |> raw()
+    end
   end
 
   def build_roles(member, roles) do
diff --git a/front/lib/front_web/views/service_account_view.ex b/front/lib/front_web/views/service_account_view.ex
new file mode 100644
index 000000000..0f995a2d1
--- /dev/null
+++ b/front/lib/front_web/views/service_account_view.ex
@@ -0,0 +1,49 @@
+defmodule FrontWeb.ServiceAccountView do
+  use FrontWeb, :view
+
+  alias Front.Models.ServiceAccount
+
+  def render("index.json", %{service_accounts: service_accounts, total_pages: total_pages}) do
+    %{
+      service_accounts: Enum.map(service_accounts, &service_account_json/1),
+      total_pages: total_pages
+    }
+  end
+
+  def render("show.json", assigns = %{service_account: service_account = %ServiceAccount{}}) do
+    data = service_account_json(service_account)
+
+    # Only include api_token if it's present (on create/regenerate)
+    case Map.get(assigns, :api_token) do
+      nil -> data
+      token -> Map.put(data, :api_token, token)
+    end
+  end
+
+  defp service_account_json(service_account = %ServiceAccount{}) do
+    %{
+      id: service_account.id,
+      name: service_account.name,
+      description: service_account.description,
+      created_at: format_datetime(service_account.created_at),
+      updated_at: format_datetime(service_account.updated_at),
+      deactivated: service_account.deactivated,
+      roles: Enum.map(service_account.roles, &role_json/1)
+    }
+  end
+
+  defp role_json(role) do
+    %{
+      id: role.id,
+      name: role.name,
+      source: role.source,
+      color: FrontWeb.PeopleView.map_role_to_colour(role.name)
+    }
+  end
+
+  defp format_datetime(nil), do: nil
+
+  defp format_datetime(datetime = %DateTime{}) do
+    DateTime.to_iso8601(datetime)
+  end
+end
diff --git a/front/lib/internal_api/audit.pb.ex b/front/lib/internal_api/audit.pb.ex
index 20f03239a..5ea53d435 100644
--- a/front/lib/internal_api/audit.pb.ex
+++ b/front/lib/internal_api/audit.pb.ex
@@ -415,6 +415,7 @@ defmodule InternalApi.Audit.Event.Resource do
   field(:Okta, 17)
   field(:FlakyTests, 18)
   field(:RBACRole, 19)
+  field(:ServiceAccount, 20)
 end
 
 defmodule InternalApi.Audit.Event.Operation do
diff --git a/front/lib/internal_api/billing.pb.ex b/front/lib/internal_api/billing.pb.ex
index af0625fc7..61e8e3e55 100644
--- a/front/lib/internal_api/billing.pb.ex
+++ b/front/lib/internal_api/billing.pb.ex
@@ -908,6 +908,38 @@ defmodule InternalApi.Billing.NoteChanged do
   field(:timestamp, 3, type: Google.Protobuf.Timestamp)
 end
 
+defmodule InternalApi.Billing.BudgetAlert do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          org_id: String.t(),
+          spending_amount: String.t(),
+          spending_limit: String.t(),
+          email: String.t(),
+          percentage_threshold: integer,
+          from_date: Google.Protobuf.Timestamp.t(),
+          to_date: Google.Protobuf.Timestamp.t()
+        }
+  defstruct [
+    :org_id,
+    :spending_amount,
+    :spending_limit,
+    :email,
+    :percentage_threshold,
+    :from_date,
+    :to_date
+  ]
+
+  field(:org_id, 1, type: :string)
+  field(:spending_amount, 2, type: :string)
+  field(:spending_limit, 3, type: :string)
+  field(:email, 4, type: :string)
+  field(:percentage_threshold, 5, type: :int32)
+  field(:from_date, 6, type: Google.Protobuf.Timestamp)
+  field(:to_date, 7, type: Google.Protobuf.Timestamp)
+end
+
 defmodule InternalApi.Billing.TrialOwnerOnboarded do
   @moduledoc false
   use Protobuf, syntax: :proto3
diff --git a/front/lib/internal_api/plumber_w_f.workflow.pb.ex b/front/lib/internal_api/plumber_w_f.workflow.pb.ex
index 97d0606a8..10e53ae68 100644
--- a/front/lib/internal_api/plumber_w_f.workflow.pb.ex
+++ b/front/lib/internal_api/plumber_w_f.workflow.pb.ex
@@ -16,7 +16,9 @@ defmodule InternalApi.PlumberWF.ScheduleRequest do
           label: String.t(),
           triggered_by: integer,
           scheduler_task_id: String.t(),
-          env_vars: [InternalApi.PlumberWF.ScheduleRequest.EnvVar.t()]
+          env_vars: [InternalApi.PlumberWF.ScheduleRequest.EnvVar.t()],
+          start_in_conceived_state: boolean,
+          git_reference: String.t()
         }
   defstruct [
     :service,
@@ -32,7 +34,9 @@ defmodule InternalApi.PlumberWF.ScheduleRequest do
     :label,
     :triggered_by,
     :scheduler_task_id,
-    :env_vars
+    :env_vars,
+    :start_in_conceived_state,
+    :git_reference
   ]
 
   field(:service, 2, type: InternalApi.PlumberWF.ScheduleRequest.ServiceType, enum: true)
@@ -49,6 +53,8 @@ defmodule InternalApi.PlumberWF.ScheduleRequest do
   field(:triggered_by, 15, type: InternalApi.PlumberWF.TriggeredBy, enum: true)
   field(:scheduler_task_id, 16, type: :string)
   field(:env_vars, 17, repeated: true, type: InternalApi.PlumberWF.ScheduleRequest.EnvVar)
+  field(:start_in_conceived_state, 18, type: :bool)
+  field(:git_reference, 19, type: :string)
 end
 
 defmodule InternalApi.PlumberWF.ScheduleRequest.Repo do
diff --git a/front/lib/internal_api/projecthub.pb.ex b/front/lib/internal_api/projecthub.pb.ex
index 097c4b7d7..8cb1ba837 100644
--- a/front/lib/internal_api/projecthub.pb.ex
+++ b/front/lib/internal_api/projecthub.pb.ex
@@ -332,6 +332,7 @@ defmodule InternalApi.Projecthub.Project.Spec.Repository.RunType do
   field(:TAGS, 1)
   field(:PULL_REQUESTS, 2)
   field(:FORKED_PULL_REQUESTS, 3)
+  field(:DRAFT_PULL_REQUESTS, 4)
 end
 
 defmodule InternalApi.Projecthub.Project.Spec.Scheduler do
diff --git a/front/lib/internal_api/rbac.pb.ex b/front/lib/internal_api/rbac.pb.ex
index 29fb21c76..5e1c7a6bf 100644
--- a/front/lib/internal_api/rbac.pb.ex
+++ b/front/lib/internal_api/rbac.pb.ex
@@ -514,6 +514,7 @@ defmodule InternalApi.RBAC.SubjectType do
 
   field(:USER, 0)
   field(:GROUP, 1)
+  field(:SERVICE_ACCOUNT, 2)
 end
 
 defmodule InternalApi.RBAC.Scope do
diff --git a/front/lib/internal_api/service_account.pb.ex b/front/lib/internal_api/service_account.pb.ex
new file mode 100644
index 000000000..50069e25f
--- /dev/null
+++ b/front/lib/internal_api/service_account.pb.ex
@@ -0,0 +1,313 @@
+defmodule InternalApi.ServiceAccount.CreateRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          org_id: String.t(),
+          name: String.t(),
+          description: String.t(),
+          creator_id: String.t()
+        }
+  defstruct [:org_id, :name, :description, :creator_id]
+
+  field(:org_id, 1, type: :string)
+  field(:name, 2, type: :string)
+  field(:description, 3, type: :string)
+  field(:creator_id, 4, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.CreateResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account: InternalApi.ServiceAccount.ServiceAccount.t(),
+          api_token: String.t()
+        }
+  defstruct [:service_account, :api_token]
+
+  field(:service_account, 1, type: InternalApi.ServiceAccount.ServiceAccount)
+  field(:api_token, 2, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.ListRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          org_id: String.t(),
+          page_size: integer,
+          page_token: String.t()
+        }
+  defstruct [:org_id, :page_size, :page_token]
+
+  field(:org_id, 1, type: :string)
+  field(:page_size, 2, type: :int32)
+  field(:page_token, 3, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.ListResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_accounts: [InternalApi.ServiceAccount.ServiceAccount.t()],
+          next_page_token: String.t()
+        }
+  defstruct [:service_accounts, :next_page_token]
+
+  field(:service_accounts, 1, repeated: true, type: InternalApi.ServiceAccount.ServiceAccount)
+  field(:next_page_token, 2, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DescribeRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+  defstruct [:service_account_id]
+
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DescribeResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account: InternalApi.ServiceAccount.ServiceAccount.t()
+        }
+  defstruct [:service_account]
+
+  field(:service_account, 1, type: InternalApi.ServiceAccount.ServiceAccount)
+end
+
+defmodule InternalApi.ServiceAccount.DescribeManyRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          sa_ids: [String.t()]
+        }
+  defstruct [:sa_ids]
+
+  field(:sa_ids, 1, repeated: true, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DescribeManyResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_accounts: [InternalApi.ServiceAccount.ServiceAccount.t()]
+        }
+  defstruct [:service_accounts]
+
+  field(:service_accounts, 1, repeated: true, type: InternalApi.ServiceAccount.ServiceAccount)
+end
+
+defmodule InternalApi.ServiceAccount.UpdateRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t(),
+          name: String.t(),
+          description: String.t()
+        }
+  defstruct [:service_account_id, :name, :description]
+
+  field(:service_account_id, 1, type: :string)
+  field(:name, 2, type: :string)
+  field(:description, 3, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.UpdateResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account: InternalApi.ServiceAccount.ServiceAccount.t()
+        }
+  defstruct [:service_account]
+
+  field(:service_account, 1, type: InternalApi.ServiceAccount.ServiceAccount)
+end
+
+defmodule InternalApi.ServiceAccount.DeactivateRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+  defstruct [:service_account_id]
+
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DeactivateResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  defstruct []
+end
+
+defmodule InternalApi.ServiceAccount.ReactivateRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+  defstruct [:service_account_id]
+
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.ReactivateResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  defstruct []
+end
+
+defmodule InternalApi.ServiceAccount.DestroyRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+  defstruct [:service_account_id]
+
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.DestroyResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  defstruct []
+end
+
+defmodule InternalApi.ServiceAccount.RegenerateTokenRequest do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          service_account_id: String.t()
+        }
+  defstruct [:service_account_id]
+
+  field(:service_account_id, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.RegenerateTokenResponse do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          api_token: String.t()
+        }
+  defstruct [:api_token]
+
+  field(:api_token, 1, type: :string)
+end
+
+defmodule InternalApi.ServiceAccount.ServiceAccount do
+  @moduledoc false
+  use Protobuf, syntax: :proto3
+
+  @type t :: %__MODULE__{
+          id: String.t(),
+          name: String.t(),
+          description: String.t(),
+          org_id: String.t(),
+          creator_id: String.t(),
+          created_at: Google.Protobuf.Timestamp.t(),
+          updated_at: Google.Protobuf.Timestamp.t(),
+          deactivated: boolean
+        }
+  defstruct [
+    :id,
+    :name,
+    :description,
+    :org_id,
+    :creator_id,
+    :created_at,
+    :updated_at,
+    :deactivated
+  ]
+
+  field(:id, 1, type: :string)
+  field(:name, 2, type: :string)
+  field(:description, 3, type: :string)
+  field(:org_id, 4, type: :string)
+  field(:creator_id, 5, type: :string)
+  field(:created_at, 6, type: Google.Protobuf.Timestamp)
+  field(:updated_at, 7, type: Google.Protobuf.Timestamp)
+  field(:deactivated, 8, type: :bool)
+end
+
+defmodule InternalApi.ServiceAccount.ServiceAccountService.Service do
+  @moduledoc false
+  use GRPC.Service, name: "InternalApi.ServiceAccount.ServiceAccountService"
+
+  rpc(
+    :Create,
+    InternalApi.ServiceAccount.CreateRequest,
+    InternalApi.ServiceAccount.CreateResponse
+  )
+
+  rpc(:List, InternalApi.ServiceAccount.ListRequest, InternalApi.ServiceAccount.ListResponse)
+
+  rpc(
+    :Describe,
+    InternalApi.ServiceAccount.DescribeRequest,
+    InternalApi.ServiceAccount.DescribeResponse
+  )
+
+  rpc(
+    :DescribeMany,
+    InternalApi.ServiceAccount.DescribeManyRequest,
+    InternalApi.ServiceAccount.DescribeManyResponse
+  )
+
+  rpc(
+    :Update,
+    InternalApi.ServiceAccount.UpdateRequest,
+    InternalApi.ServiceAccount.UpdateResponse
+  )
+
+  rpc(
+    :Deactivate,
+    InternalApi.ServiceAccount.DeactivateRequest,
+    InternalApi.ServiceAccount.DeactivateResponse
+  )
+
+  rpc(
+    :Reactivate,
+    InternalApi.ServiceAccount.ReactivateRequest,
+    InternalApi.ServiceAccount.ReactivateResponse
+  )
+
+  rpc(
+    :Destroy,
+    InternalApi.ServiceAccount.DestroyRequest,
+    InternalApi.ServiceAccount.DestroyResponse
+  )
+
+  rpc(
+    :RegenerateToken,
+    InternalApi.ServiceAccount.RegenerateTokenRequest,
+    InternalApi.ServiceAccount.RegenerateTokenResponse
+  )
+end
+
+defmodule InternalApi.ServiceAccount.ServiceAccountService.Stub do
+  @moduledoc false
+  use GRPC.Stub, service: InternalApi.ServiceAccount.ServiceAccountService.Service
+end
diff --git a/front/lib/internal_api/user.pb.ex b/front/lib/internal_api/user.pb.ex
index 5fc2ba9a3..0389664df 100644
--- a/front/lib/internal_api/user.pb.ex
+++ b/front/lib/internal_api/user.pb.ex
@@ -534,6 +534,7 @@ defmodule InternalApi.User.User.CreationSource do
 
   field(:NOT_SET, 0)
   field(:OKTA, 1)
+  field(:SERVICE_ACCOUNT, 2)
 end
 
 defmodule InternalApi.User.UserCreated do
diff --git a/front/lib/public_api/semaphore/notifications.v1alpha.pb.ex b/front/lib/public_api/semaphore/notifications.v1alpha.pb.ex
index cbffbd89c..ffc705a72 100644
--- a/front/lib/public_api/semaphore/notifications.v1alpha.pb.ex
+++ b/front/lib/public_api/semaphore/notifications.v1alpha.pb.ex
@@ -22,14 +22,16 @@ defmodule Semaphore.Notifications.V1alpha.Notification.Metadata do
           name: String.t(),
           id: String.t(),
           create_time: integer,
-          update_time: integer
+          update_time: integer,
+          creator_id: String.t()
         }
-  defstruct [:name, :id, :create_time, :update_time]
+  defstruct [:name, :id, :create_time, :update_time, :creator_id]
 
   field(:name, 1, type: :string)
   field(:id, 2, type: :string)
   field(:create_time, 3, type: :int64)
   field(:update_time, 4, type: :int64)
+  field(:creator_id, 5, type: :string)
 end
 
 defmodule Semaphore.Notifications.V1alpha.Notification.Spec do
diff --git a/front/mix.exs b/front/mix.exs
index 15c88b37d..9474d2f4e 100644
--- a/front/mix.exs
+++ b/front/mix.exs
@@ -57,6 +57,7 @@ defmodule Front.Mixfile do
       {:yaml_elixir, "~> 2.4"},
       {:junit_formatter, "~> 3.3", only: [:test]},
       {:mock, "~> 0.3.8", only: :test},
+      {:mox, "~> 1.0", only: :test},
       {:util, github: "renderedtext/elixir-util"},
       {:typed_struct, "~> 0.1.4"},
       {:amqp_client, "~> 3.9.27"},
diff --git a/front/mix.lock b/front/mix.lock
index d89b45c44..8fa920c77 100644
--- a/front/mix.lock
+++ b/front/mix.lock
@@ -45,7 +45,9 @@
   "mix_audit": {:hex, :mix_audit, "0.1.4", "35c424173a574436a80ad7f63cf014a7d9ce727de8cd4e7b4138d90b11aec043", [:make, :mix], [{:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.4.0", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "7a43fee661bcadbad31aa04a86d33a890421c174723814b8a3a7f0e7076936a1"},
   "mock": {:hex, :mock, "0.3.8", "7046a306b71db2488ef54395eeb74df0a7f335a7caca4a3d3875d1fc81c884dd", [:mix], [{:meck, "~> 0.9.2", [hex: :meck, repo: "hexpm", optional: false]}], "hexpm", "7fa82364c97617d79bb7d15571193fc0c4fe5afd0c932cef09426b3ee6fe2022"},
   "money": {:hex, :money, "1.12.4", "9d9817aa79d1317871f6b006721c264bf1910fb28ba2af50746514f0d7e8ddbe", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}, {:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}, {:phoenix_html, "~> 2.0 or ~> 3.0 or ~> 4.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}], "hexpm", "87e4bb907df1da184cb4640569d8df99ee6d88c84ce4f5da03cb2fab8d433eb9"},
+  "mox": {:hex, :mox, "1.2.0", "a2cd96b4b80a3883e3100a221e8adc1b98e4c3a332a8fc434c39526babafd5b3", [:mix], [{:nimble_ownership, "~> 1.0", [hex: :nimble_ownership, repo: "hexpm", optional: false]}], "hexpm", "c7b92b3cc69ee24a7eeeaf944cd7be22013c52fcb580c1f33f50845ec821089a"},
   "nimble_options": {:hex, :nimble_options, "1.1.0", "3b31a57ede9cb1502071fade751ab0c7b8dbe75a9a4c2b5bbb0943a690b63172", [:mix], [], "hexpm", "8bbbb3941af3ca9acc7835f5655ea062111c9c27bcac53e004460dfd19008a99"},
+  "nimble_ownership": {:hex, :nimble_ownership, "1.0.1", "f69fae0cdd451b1614364013544e66e4f5d25f36a2056a9698b793305c5aa3a6", [:mix], [], "hexpm", "3825e461025464f519f3f3e4a1f9b68c47dc151369611629ad08b636b73bb22d"},
   "parallel_stream": {:hex, :parallel_stream, "1.0.6", "b967be2b23f0f6787fab7ed681b4c45a215a81481fb62b01a5b750fa8f30f76c", [:mix], [], "hexpm", "639b2e8749e11b87b9eb42f2ad325d161c170b39b288ac8d04c4f31f8f0823eb"},
   "parse_trans": {:hex, :parse_trans, "3.3.1", "16328ab840cc09919bd10dab29e431da3af9e9e7e7e6f0089dd5a2d2820011d8", [:rebar3], [], "hexpm", "07cd9577885f56362d414e8c4c4e6bdf10d43a8767abb92d24cbe8b24c54888b"},
   "phoenix": {:hex, :phoenix, "1.6.16", "e5bdd18c7a06da5852a25c7befb72246de4ddc289182285f8685a40b7b5f5451", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 1.0 or ~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: false]}, {:plug, "~> 1.10", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.2", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "e15989ff34f670a96b95ef6d1d25bad0d9c50df5df40b671d8f4a669e050ac39"},
diff --git a/front/scripts/internal_protos.sh b/front/scripts/internal_protos.sh
index 9bc250b21..7d5981914 100755
--- a/front/scripts/internal_protos.sh
+++ b/front/scripts/internal_protos.sh
@@ -39,7 +39,9 @@ feature
 superjerry
 instance_config
 usage
-scouter'
+scouter
+license
+service_account'
 
 for element in $list;do
   echo "$element"
diff --git a/front/test/front_web/controllers/service_account_controller_test.exs b/front/test/front_web/controllers/service_account_controller_test.exs
new file mode 100644
index 000000000..5b32c1c4a
--- /dev/null
+++ b/front/test/front_web/controllers/service_account_controller_test.exs
@@ -0,0 +1,427 @@
+defmodule FrontWeb.ServiceAccountControllerTest do
+  use FrontWeb.ConnCase
+  import Mox
+  alias Support.Stubs.DB
+
+  setup :verify_on_exit!
+
+  setup %{conn: conn} do
+    Cacheman.clear(:front)
+    Support.Stubs.init()
+    Support.Stubs.build_shared_factories()
+
+    original_client = Application.get_env(:front, :service_account_client)
+    Application.put_env(:front, :service_account_client, {ServiceAccountMock, []})
+
+    on_exit(fn ->
+      Application.put_env(:front, :service_account_client, original_client)
+    end)
+
+    user_id = DB.first(:users) |> Map.get(:id)
+    org_id = DB.first(:organizations) |> Map.get(:id)
+
+    Support.Stubs.PermissionPatrol.remove_all_permissions()
+
+    Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+      "organization.view",
+      "organization.service_accounts.view"
+    ])
+
+    conn =
+      conn
+      |> put_req_header("x-semaphore-org-id", org_id)
+      |> put_req_header("x-semaphore-user-id", user_id)
+
+    {:ok, conn: conn, org_id: org_id, user_id: user_id}
+  end
+
+  describe "GET /service_accounts" do
+    test "lists service accounts successfully", %{conn: conn, org_id: org_id} do
+      GrpcMock.expect(RBACMock, :list_members, fn request, _stream ->
+        member = %InternalApi.RBAC.ListMembersResponse.Member{
+          subject: %InternalApi.RBAC.Subject{
+            subject_id: "sa_123",
+            subject_type: InternalApi.RBAC.SubjectType.value(:SERVICE_ACCOUNT),
+            display_name: ""
+          },
+          subject_role_bindings: [
+            %InternalApi.RBAC.SubjectRoleBinding{
+              role: %InternalApi.RBAC.Role{
+                id: "role_123",
+                name: "Admin",
+                org_id: org_id,
+                scope: InternalApi.RBAC.Scope.value(:SCOPE_ORG),
+                description: "",
+                permissions: [],
+                rbac_permissions: [],
+                readonly: false
+              },
+              source: InternalApi.RBAC.RoleBindingSource.value(:ROLE_BINDING_SOURCE_MANUALLY)
+            }
+          ]
+        }
+
+        assert request.org_id == org_id
+        assert request.page.page_no == 0
+        assert request.page.page_size == 20
+        assert request.member_type == InternalApi.RBAC.SubjectType.value(:SERVICE_ACCOUNT)
+
+        response = %InternalApi.RBAC.ListMembersResponse{
+          members: [member],
+          total_pages: 1
+        }
+
+        response
+      end)
+
+      service_account_proto = %InternalApi.ServiceAccount.ServiceAccount{
+        id: "sa_123",
+        name: "Test Service Account",
+        description: "Test description",
+        org_id: org_id,
+        creator_id: "",
+        created_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        updated_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        deactivated: false
+      }
+
+      expect(ServiceAccountMock, :describe_many, fn ["sa_123"] ->
+        {:ok, [service_account_proto]}
+      end)
+
+      conn = get(conn, "/service_accounts")
+
+      assert json_response(conn, 200) == %{
+               "service_accounts" => [
+                 %{
+                   "id" => "sa_123",
+                   "name" => "Test Service Account",
+                   "description" => "Test description",
+                   "created_at" => "2024-01-01T10:00:00Z",
+                   "updated_at" => "2024-01-01T10:00:00Z",
+                   "deactivated" => false,
+                   "roles" => [
+                     %{
+                       "id" => "role_123",
+                       "name" => "Admin",
+                       "source" => "manual",
+                       "color" => "blue"
+                     }
+                   ]
+                 }
+               ],
+               "total_pages" => 1
+             }
+    end
+
+    test "handles pagination parameters", %{conn: conn, org_id: org_id} do
+      GrpcMock.expect(RBACMock, :list_members, fn request, _stream ->
+        assert request.org_id == org_id
+        assert request.page.page_no == 1
+        assert request.page.page_size == 20
+        assert request.member_type == InternalApi.RBAC.SubjectType.value(:SERVICE_ACCOUNT)
+
+        response = %InternalApi.RBAC.ListMembersResponse{
+          members: [],
+          total_pages: 2
+        }
+
+        response
+      end)
+
+      expect(ServiceAccountMock, :describe_many, fn [] ->
+        {:ok, []}
+      end)
+
+      conn = get(conn, "/service_accounts", %{"page" => "2"})
+
+      assert json_response(conn, 200) == %{
+               "service_accounts" => [],
+               "total_pages" => 2
+             }
+    end
+
+    test "handles backend errors", %{conn: conn} do
+      GrpcMock.expect(RBACMock, :list_members, fn _request, _stream ->
+        raise GRPC.RPCError, status: 2, message: "Internal Server Error"
+      end)
+
+      conn = get(conn, "/service_accounts")
+
+      assert json_response(conn, 422) ==
+               %{"error" => "Failed to list service accounts"}
+    end
+
+    test "requires service_accounts.view permission", %{
+      conn: conn,
+      org_id: org_id,
+      user_id: user_id
+    } do
+      Support.Stubs.PermissionPatrol.remove_all_permissions()
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, ["organization.view"])
+
+      conn = get(conn, "/service_accounts")
+
+      assert html_response(conn, 404) =~ "Page not found"
+    end
+  end
+
+  describe "POST /service_accounts" do
+    setup %{org_id: org_id, user_id: user_id} do
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+        "organization.service_accounts.manage"
+      ])
+
+      :ok
+    end
+
+    test "creates service account successfully", %{conn: conn, org_id: org_id, user_id: user_id} do
+      service_account_proto = %InternalApi.ServiceAccount.ServiceAccount{
+        id: "sa_new",
+        name: "New Service Account",
+        description: "New description",
+        org_id: org_id,
+        creator_id: user_id,
+        created_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        updated_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        deactivated: false
+      }
+
+      expect(ServiceAccountMock, :create, fn ^org_id,
+                                             "New Service Account",
+                                             "New description",
+                                             ^user_id ->
+        {:ok, {service_account_proto, "api_token_123"}}
+      end)
+
+      GrpcMock.expect(RBACMock, :assign_role, fn request, _stream ->
+        assert request.role_assignment.subject.subject_id == "sa_new"
+        assert request.role_assignment.role_id == "role_123"
+        assert request.role_assignment.org_id == org_id
+        assert request.requester_id == user_id
+
+        %InternalApi.RBAC.AssignRoleResponse{}
+      end)
+
+      conn =
+        post(conn, "/service_accounts", %{
+          "name" => "New Service Account",
+          "description" => "New description",
+          "role_id" => "role_123"
+        })
+
+      assert json_response(conn, 201) == %{
+               "id" => "sa_new",
+               "name" => "New Service Account",
+               "description" => "New description",
+               "created_at" => "2024-01-01T10:00:00Z",
+               "updated_at" => "2024-01-01T10:00:00Z",
+               "deactivated" => false,
+               "api_token" => "api_token_123",
+               "roles" => []
+             }
+    end
+
+    test "handles empty parameters", %{conn: conn, org_id: org_id, user_id: user_id} do
+      expect(ServiceAccountMock, :create, fn ^org_id, "", "", ^user_id ->
+        {:error, "Service account name cannot be empty"}
+      end)
+
+      conn = post(conn, "/service_accounts", %{})
+
+      assert json_response(conn, 422) == %{
+               "error" => "Failed to create service account or assign role"
+             }
+    end
+
+    test "handles backend errors", %{conn: conn, org_id: org_id, user_id: user_id} do
+      expect(ServiceAccountMock, :create, fn ^org_id, "Test", "Desc", ^user_id ->
+        {:error, "Backend error"}
+      end)
+
+      conn =
+        post(conn, "/service_accounts", %{
+          "name" => "Test",
+          "description" => "Desc"
+        })
+
+      assert json_response(conn, 422) == %{
+               "error" => "Failed to create service account or assign role"
+             }
+    end
+
+    test "requires service_accounts.manage permission", %{
+      conn: conn,
+      org_id: org_id,
+      user_id: user_id
+    } do
+      Support.Stubs.PermissionPatrol.remove_all_permissions()
+
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+        "organization.view",
+        "organization.service_accounts.view"
+      ])
+
+      conn = post(conn, "/service_accounts", %{"name" => "Test"})
+
+      assert html_response(conn, 404) =~ "Page not found"
+    end
+  end
+
+  describe "PUT /service_accounts/:id" do
+    setup %{org_id: org_id, user_id: user_id} do
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+        "organization.service_accounts.manage"
+      ])
+
+      :ok
+    end
+
+    test "updates service account successfully", %{conn: conn, user_id: user_id, org_id: org_id} do
+      updated_account_proto = %InternalApi.ServiceAccount.ServiceAccount{
+        id: "sa_123",
+        name: "Updated Name",
+        description: "Updated description",
+        org_id: org_id,
+        creator_id: "some_creator",
+        created_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        updated_at: %Google.Protobuf.Timestamp{seconds: 1_704_189_600},
+        deactivated: false
+      }
+
+      expect(ServiceAccountMock, :update, fn "sa_123", "Updated Name", "Updated description" ->
+        {:ok, updated_account_proto}
+      end)
+
+      GrpcMock.expect(RBACMock, :assign_role, fn request, _stream ->
+        assert request.role_assignment.subject.subject_id == "sa_123"
+        assert request.role_assignment.role_id == "role_456"
+        assert request.role_assignment.org_id == org_id
+        assert request.requester_id == user_id
+
+        %InternalApi.RBAC.AssignRoleResponse{}
+      end)
+
+      conn =
+        put(conn, "/service_accounts/sa_123", %{
+          "name" => "Updated Name",
+          "description" => "Updated description",
+          "role_id" => "role_456"
+        })
+
+      assert json_response(conn, 200) == %{
+               "id" => "sa_123",
+               "name" => "Updated Name",
+               "description" => "Updated description",
+               "created_at" => "2024-01-01T10:00:00Z",
+               "updated_at" => "2024-01-02T10:00:00Z",
+               "deactivated" => false,
+               "roles" => []
+             }
+    end
+
+    test "handles update errors", %{conn: conn} do
+      expect(ServiceAccountMock, :update, fn "sa_123", "", "" ->
+        {:error, "Service account name cannot be empty"}
+      end)
+
+      conn = put(conn, "/service_accounts/sa_123", %{})
+
+      assert json_response(conn, 422) == %{
+               "error" => "Failed to update service account or assign role"
+             }
+    end
+  end
+
+  describe "DELETE /service_accounts/:id" do
+    setup %{org_id: org_id, user_id: user_id} do
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+        "organization.service_accounts.manage"
+      ])
+
+      :ok
+    end
+
+    test "deletes service account successfully", %{conn: conn} do
+      service_account_proto = %InternalApi.ServiceAccount.ServiceAccount{
+        id: "sa_123",
+        name: "To Delete",
+        description: "Will be deleted",
+        org_id: "some_org_id",
+        creator_id: "some_creator",
+        created_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        updated_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        deactivated: false
+      }
+
+      expect(ServiceAccountMock, :describe, fn "sa_123" ->
+        {:ok, service_account_proto}
+      end)
+
+      expect(ServiceAccountMock, :delete, fn "sa_123" ->
+        :ok
+      end)
+
+      conn = delete(conn, "/service_accounts/sa_123")
+
+      assert response(conn, 204) == ""
+    end
+
+    test "handles delete errors", %{conn: conn} do
+      expect(ServiceAccountMock, :describe, fn "sa_123" ->
+        {:error, "Service account not found"}
+      end)
+
+      conn = delete(conn, "/service_accounts/sa_123")
+
+      assert json_response(conn, 422) == %{"error" => "Failed to delete service account"}
+    end
+  end
+
+  describe "POST /service_accounts/:id/regenerate_token" do
+    setup %{org_id: org_id, user_id: user_id} do
+      Support.Stubs.PermissionPatrol.add_permissions(org_id, user_id, [
+        "organization.service_accounts.manage"
+      ])
+
+      :ok
+    end
+
+    test "regenerates token successfully", %{conn: conn} do
+      service_account_proto = %InternalApi.ServiceAccount.ServiceAccount{
+        id: "sa_123",
+        name: "Test Account",
+        description: "Test",
+        org_id: "some_org_id",
+        creator_id: "some_creator",
+        created_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        updated_at: %Google.Protobuf.Timestamp{seconds: 1_704_103_200},
+        deactivated: false
+      }
+
+      expect(ServiceAccountMock, :describe, fn "sa_123" ->
+        {:ok, service_account_proto}
+      end)
+
+      expect(ServiceAccountMock, :regenerate_token, fn "sa_123" ->
+        {:ok, "new_api_token_456"}
+      end)
+
+      conn = post(conn, "/service_accounts/sa_123/regenerate_token")
+
+      assert json_response(conn, 200) == %{"api_token" => "new_api_token_456"}
+    end
+
+    test "handles regenerate errors", %{conn: conn} do
+      expect(ServiceAccountMock, :describe, fn "sa_123" ->
+        {:error, "Service account not found"}
+      end)
+
+      conn = post(conn, "/service_accounts/sa_123/regenerate_token")
+
+      assert json_response(conn, 422) == %{
+               "error" => "Failed to regenerate service account token"
+             }
+    end
+  end
+end
diff --git a/front/test/support/fake_clients/service_account.ex b/front/test/support/fake_clients/service_account.ex
new file mode 100644
index 000000000..342bc57c2
--- /dev/null
+++ b/front/test/support/fake_clients/service_account.ex
@@ -0,0 +1,217 @@
+defmodule Support.FakeClients.ServiceAccount do
+  @moduledoc """
+  Fake implementation of the ServiceAccount client for testing purposes.
+  This module uses an Agent to store service accounts in memory.
+  It simulates the behaviour of the actual ServiceAccount client.
+  It provides methods to create, list, describe, update, delete, and regenerate tokens for service accounts.
+  This is useful for testing and development without needing a real backend.
+  """
+  use Agent
+  @behaviour Front.ServiceAccount.Behaviour
+
+  alias InternalApi.ServiceAccount.ServiceAccount
+  alias Support.Stubs.RBAC
+
+  @doc """
+  Starts the fake service account agent with empty state
+  """
+  def start_link(opts \\ []) do
+    Agent.start_link(
+      fn -> %{service_accounts: %{}, tokens: %{}} end,
+      Keyword.put_new(opts, :name, __MODULE__)
+    )
+  end
+
+  @doc """
+  Resets the agent state - useful for tests
+  """
+  def reset do
+    Agent.update(__MODULE__, fn _ -> %{service_accounts: %{}, tokens: %{}} end)
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def create(org_id, name, description, creator_id) do
+    cond do
+      name == "" ->
+        {:error, "Service account name cannot be empty"}
+
+      String.length(name) > 100 ->
+        {:error, "Service account name is too long (maximum 100 characters)"}
+
+      true ->
+        service_account = %ServiceAccount{
+          id: Ecto.UUID.generate(),
+          name: name,
+          description: description,
+          org_id: org_id,
+          creator_id: creator_id,
+          created_at: now_proto_timestamp(),
+          updated_at: now_proto_timestamp(),
+          deactivated: false
+        }
+
+        api_token = generate_token()
+
+        Agent.update(__MODULE__, fn state ->
+          RBAC.add_service_account(org_id, service_account)
+
+          state
+          |> put_in([:service_accounts, service_account.id], service_account)
+          |> put_in([:tokens, service_account.id], api_token)
+        end)
+
+        {:ok, {service_account, api_token}}
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def describe_many(service_account_ids) do
+    service_accounts =
+      service_account_ids
+      |> Enum.map(fn id ->
+        describe(id)
+      end)
+      |> Enum.filter(fn
+        {:ok, _} -> true
+        _ -> false
+      end)
+      |> Enum.map(fn {:ok, account} -> account end)
+
+    {:ok, service_accounts}
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def list(org_id, page_size, page_token) do
+    cond do
+      page_size < 1 ->
+        {:error, "Page size must be greater than 0"}
+
+      page_size > 1000 ->
+        {:error, "Page size too large (maximum 1000)"}
+
+      true ->
+        service_accounts =
+          Agent.get(__MODULE__, fn state ->
+            state.service_accounts
+            |> Map.values()
+            |> Enum.filter(&(&1.org_id == org_id))
+            |> Enum.sort_by(& &1.created_at, {:desc, DateTime})
+          end)
+
+        # Simple pagination implementation
+        {page_accounts, has_more} = paginate_results(service_accounts, page_size, page_token)
+        next_page_token = if has_more, do: generate_page_token(page_accounts), else: nil
+
+        {:ok, {page_accounts, next_page_token}}
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def describe(service_account_id) do
+    case Agent.get(__MODULE__, &get_in(&1, [:service_accounts, service_account_id])) do
+      nil -> {:error, "Service account not found"}
+      service_account -> {:ok, service_account}
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def update(service_account_id, name, description) do
+    cond do
+      name == "" ->
+        {:error, "Service account name cannot be empty"}
+
+      String.length(name) > 100 ->
+        {:error, "Service account name is too long (maximum 100 characters)"}
+
+      !valid_uuid?(service_account_id) ->
+        {:error, "Invalid service account ID format"}
+
+      true ->
+        Agent.get_and_update(__MODULE__, fn state ->
+          case get_in(state, [:service_accounts, service_account_id]) do
+            nil ->
+              {{:error, "Service account not found"}, state}
+
+            service_account ->
+              updated_account = %{
+                service_account
+                | name: name,
+                  description: description,
+                  updated_at: now_proto_timestamp()
+              }
+
+              new_state = put_in(state, [:service_accounts, service_account_id], updated_account)
+
+              {{:ok, updated_account}, new_state}
+          end
+        end)
+    end
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def delete(service_account_id) do
+    Agent.get_and_update(__MODULE__, fn state ->
+      case get_in(state, [:service_accounts, service_account_id]) do
+        nil ->
+          {{:error, "Service account not found"}, state}
+
+        _service_account ->
+          new_state =
+            state
+            |> update_in([:service_accounts], &Map.delete(&1, service_account_id))
+            |> update_in([:tokens], &Map.delete(&1, service_account_id))
+
+          {:ok, new_state}
+      end
+    end)
+  end
+
+  @impl Front.ServiceAccount.Behaviour
+  def regenerate_token(service_account_id) do
+    Agent.get_and_update(__MODULE__, fn state ->
+      case get_in(state, [:service_accounts, service_account_id]) do
+        nil ->
+          {{:error, "Service account not found"}, state}
+
+        _service_account ->
+          new_token = generate_token()
+          new_state = put_in(state, [:tokens, service_account_id], new_token)
+          {{:ok, new_token}, new_state}
+      end
+    end)
+  end
+
+  defp generate_token do
+    "sa_" <> Base.encode64(:crypto.strong_rand_bytes(32), padding: false)
+  end
+
+  defp valid_uuid?(string) do
+    case Ecto.UUID.cast(string) do
+      {:ok, _} -> true
+      :error -> false
+    end
+  end
+
+  defp paginate_results(items, page_size, nil) do
+    {Enum.take(items, page_size), length(items) > page_size}
+  end
+
+  defp paginate_results(items, page_size, page_token) do
+    start_index =
+      case Enum.find_index(items, &(&1.id == page_token)) do
+        nil -> 0
+        index -> index + 1
+      end
+
+    remaining = Enum.drop(items, start_index)
+    {Enum.take(remaining, page_size), length(remaining) > page_size}
+  end
+
+  defp generate_page_token([]), do: nil
+  defp generate_page_token(accounts), do: List.last(accounts).id
+
+  defp now_proto_timestamp do
+    seconds = DateTime.utc_now() |> DateTime.to_unix()
+    Google.Protobuf.Timestamp.new(seconds: seconds)
+  end
+end
diff --git a/front/test/support/stubs/feature.ex b/front/test/support/stubs/feature.ex
index 60fb23987..16fe246ae 100644
--- a/front/test/support/stubs/feature.ex
+++ b/front/test/support/stubs/feature.ex
@@ -138,7 +138,9 @@ defmodule Support.Stubs.Feature do
       {"open_id_connect_filter", state: :ENABLED, quantity: 1},
       {"wf_editor_via_jobs", state: :HIDDEN, quantity: 0},
       {"ui_reports", state: :ENABLED, quantity: 1},
-      {"ui_partial_ppl_rebuild", state: :ENABLED, quantity: 1}
+      {"ui_partial_ppl_rebuild", state: :ENABLED, quantity: 1},
+      {"service_accounts", state: :ENABLED, quantity: 1},
+      {"rbac__project_roles", state: :ENABLED, quantity: 1}
     ]
   end
 
diff --git a/front/test/support/stubs/permission_patrol.ex b/front/test/support/stubs/permission_patrol.ex
index b71dbf0d7..619d166fa 100644
--- a/front/test/support/stubs/permission_patrol.ex
+++ b/front/test/support/stubs/permission_patrol.ex
@@ -1,7 +1,7 @@
 defmodule Support.Stubs.PermissionPatrol do
   alias Support.Stubs.DB
 
-  @all_organization_permissions "organization.custom_roles.view,organization.custom_roles.manage,organization.okta.view,organization.okta.manage,organization.contact_support,organization.delete,organization.view,organization.secrets_policy_settings.manage,organization.secrets_policy_settings.view,organization.activity_monitor.view,organization.projects.create,organization.audit_logs.view,organization.audit_logs.manage,organization.people.view,organization.people.invite,organization.people.manage,organization.groups.view,organization.groups.manage,organization.custom_roles.manage,organization.self_hosted_agents.view,organization.self_hosted_agents.manage,organization.general_settings.view,organization.general_settings.manage,organization.secrets.view,organization.secrets.manage,organization.ip_allow_list.view,organization.ip_allow_list.manage,organization.notifications.view,organization.notifications.manage,organization.pre_flight_checks.view,organization.pre_flight_checks.manage,organization.plans_and_billing.view,organization.plans_and_billing.manage,organization.repo_to_role_mappers.manage,organization.dashboards.view,organization.dashboards.manage,organization.instance_git_integration.manage"
+  @all_organization_permissions "organization.custom_roles.view,organization.custom_roles.manage,organization.okta.view,organization.okta.manage,organization.contact_support,organization.delete,organization.view,organization.secrets_policy_settings.manage,organization.secrets_policy_settings.view,organization.activity_monitor.view,organization.projects.create,organization.audit_logs.view,organization.audit_logs.manage,organization.people.view,organization.people.invite,organization.people.manage,organization.groups.view,organization.groups.manage,organization.custom_roles.manage,organization.self_hosted_agents.view,organization.self_hosted_agents.manage,organization.general_settings.view,organization.general_settings.manage,organization.secrets.view,organization.secrets.manage,organization.ip_allow_list.view,organization.ip_allow_list.manage,organization.notifications.view,organization.notifications.manage,organization.pre_flight_checks.view,organization.pre_flight_checks.manage,organization.plans_and_billing.view,organization.plans_and_billing.manage,organization.repo_to_role_mappers.manage,organization.dashboards.view,organization.dashboards.manage,organization.instance_git_integration.manage,organization.service_accounts.view,organization.service_accounts.manage"
   @all_project_permissions "project.view,project.delete,project.access.view,project.access.manage,project.debug,project.secrets.view,project.secrets.manage,project.notifications.view,project.notifications.manage,project.insights.view,project.insights.manage,project.artifacts.view,project.artifacts.delete,project.artifacts.view_settings,project.artifacts.modify_settings,project.scheduler.view,project.scheduler.manage,project.scheduler.run_manually,project.general_settings.view,project.general_settings.manage,project.repository_info.view,project.repository_info.manage,project.deployment_targets.view,project.deployment_targets.manage,project.pre_flight_checks.view,project.pre_flight_checks.manage,project.workflow.view,project.workflow.manage,project.job.view,project.job.rerun,project.job.stop,project.job.port_forwarding,project.job.attach"
 
   def init do
diff --git a/front/test/support/stubs/rbac.ex b/front/test/support/stubs/rbac.ex
index e2a366f95..e06cfd789 100644
--- a/front/test/support/stubs/rbac.ex
+++ b/front/test/support/stubs/rbac.ex
@@ -46,7 +46,9 @@ defmodule Support.Stubs.RBAC do
     "organization.plans_and_billing.manage",
     "organization.repo_to_role_mappers.manage",
     "organization.dashboards.view",
-    "organization.dashboards.manage"
+    "organization.dashboards.manage",
+    "organization.service_accounts.view",
+    "organization.service_accounts.manage"
   ]
 
   @project_permissions [
@@ -223,6 +225,24 @@ defmodule Support.Stubs.RBAC do
       add_member(@default_org_id, u.id, nil)
     end
 
+    service_accounts = [
+      "Robot #1",
+      "Robot #2",
+      "Robot #3"
+    ]
+
+    for service_account_name <- service_accounts do
+      {:ok, {service_account, _}} =
+        Front.ServiceAccount.create(
+          @default_org_id,
+          service_account_name,
+          "Service account for testing",
+          ""
+        )
+
+      add_service_account(@default_org_id, service_account)
+    end
+
     # Enable okta (includes rbac as well) for rtx
     Feature.enable_feature(@default_org_id, "rbac__saml")
   end
@@ -334,6 +354,22 @@ defmodule Support.Stubs.RBAC do
     })
   end
 
+  def add_service_account(org_id, service_account) do
+    DB.insert(:subjects, %{
+      id: service_account.id,
+      name: service_account.name,
+      type: "service_account"
+    })
+
+    DB.insert(:subject_role_bindings, %{
+      id: UUID.gen(),
+      org_id: org_id,
+      subject_id: service_account.id,
+      role_id: member_role_id(),
+      project_id: nil
+    })
+  end
+
   def member_role_id do
     DB.find_all_by(:rbac_roles, :name, "Member") |> List.first() |> Map.get(:id)
   end
@@ -441,58 +477,58 @@ defmodule Support.Stubs.RBAC do
         DB.find_all_by(:subject_role_bindings, :org_id, org_id)
         |> Enum.filter(fn binding -> binding.project_id == project_id end)
 
-      user_grouped_role_bindings = Enum.group_by(all_org_subject_role_bindings, & &1.subject_id)
-
-      paginated_bindings =
-        user_grouped_role_bindings
-        |> Enum.drop(page.page_no * page_size)
-        |> Enum.take(page.page_no * page_size + page_size)
+      subject_grouped_role_bindings =
+        Enum.group_by(all_org_subject_role_bindings, & &1.subject_id)
 
       string_member_type =
         RBAC.SubjectType.key(member_type) |> Atom.to_string() |> String.downcase()
 
+      members =
+        Enum.map(subject_grouped_role_bindings, fn {subject_id, bindings} ->
+          user =
+            DB.filter(:subjects, &(&1.id == subject_id and &1.type == string_member_type))
+            |> List.first()
+
+          if !is_nil(user) and
+               (member_name_contains == "" ||
+                  String.downcase(user.name) =~ String.downcase(member_name_contains)) do
+            RBAC.ListMembersResponse.Member.new(
+              subject:
+                RBAC.Subject.new(
+                  subject_type: member_type,
+                  subject_id: user.id,
+                  display_name: user.name
+                ),
+              subject_role_bindings:
+                Enum.map(bindings, fn binding ->
+                  role = DB.find_by(:rbac_roles, :id, binding.role_id)
+
+                  RBAC.SubjectRoleBinding.new(
+                    role:
+                      RBAC.Role.new(
+                        id: role.id,
+                        name: role.name
+                      ),
+                    source: RBAC.RoleBindingSource.value(:ROLE_BINDING_SOURCE_MANUALLY)
+                  )
+                end)
+            )
+          else
+            nil
+          end
+        end)
+        |> Enum.filter(& &1)
+
+      paginated_members =
+        members
+        |> Enum.sort_by(& &1.subject.display_name)
+        |> Enum.chunk_every(page_size)
+        |> Enum.at(page.page_no, [])
+
       RBAC.ListMembersResponse.new(
-        members:
-          Enum.map(paginated_bindings, fn {subject_id, bindings} ->
-            filter_f = fn entity ->
-              entity.id == subject_id && entity.type == string_member_type
-            end
-
-            user =
-              DB.filter(:subjects, filter_f)
-              |> List.first()
-
-            if !is_nil(user) and
-                 (member_name_contains == "" ||
-                    String.downcase(user.name) =~ String.downcase(member_name_contains)) do
-              RBAC.ListMembersResponse.Member.new(
-                subject:
-                  RBAC.Subject.new(
-                    subject_type: member_type,
-                    subject_id: user.id,
-                    display_name: user.name
-                  ),
-                subject_role_bindings:
-                  Enum.map(bindings, fn binding ->
-                    role = DB.find_by(:rbac_roles, :id, binding.role_id)
-
-                    RBAC.SubjectRoleBinding.new(
-                      role:
-                        RBAC.Role.new(
-                          id: role.id,
-                          name: role.name
-                        ),
-                      source: RBAC.RoleBindingSource.value(:ROLE_BINDING_SOURCE_MANUALLY)
-                    )
-                  end)
-              )
-            else
-              nil
-            end
-          end)
-          |> Enum.filter(fn user -> user != nil end),
+        members: paginated_members,
         total_pages:
-          ((user_grouped_role_bindings |> map_size()) / page_size)
+          (length(members) / page_size)
           |> Float.ceil()
           |> round()
       )
@@ -603,17 +639,15 @@ defmodule Support.Stubs.RBAC do
             req.role_assignment.project_id
           end
 
-        # If role is already assigned, remove id
-        srb =
-          DB.filter(:subject_role_bindings, fn entity ->
-            entity.subject_id == req.role_assignment.subject.subject_id and
-              entity.org_id == req.role_assignment.org_id and
-              (project_id == nil or entity.project_id == project_id)
-          end)
-
-        if srb != [] do
-          DB.delete(:subject_role_bindings, hd(srb).id)
-        end
+        # If role is already assigned, remove it
+        DB.filter(:subject_role_bindings, fn entity ->
+          entity.subject_id == req.role_assignment.subject.subject_id and
+            entity.org_id == req.role_assignment.org_id and
+            (project_id == nil or entity.project_id == project_id)
+        end)
+        |> Enum.each(fn srb ->
+          DB.delete(:subject_role_bindings, srb.id)
+        end)
 
         DB.insert(:subject_role_bindings, %{
           id: UUID.gen(),
diff --git a/front/test/test_helper.exs b/front/test/test_helper.exs
index 486526879..c663ac7db 100644
--- a/front/test/test_helper.exs
+++ b/front/test/test_helper.exs
@@ -15,6 +15,8 @@ Application.put_env(:wallaby, :js_logger, file)
 
 Support.Stubs.init()
 
+Mox.defmock(ServiceAccountMock, for: Front.ServiceAccount.Behaviour)
+
 ExUnit.configure(formatters: [JUnitFormatter, ExUnit.CLIFormatter])
 ExUnit.start(trace: false, capture_log: true)
 
diff --git a/helm-chart/templates/configmaps/features.yaml b/helm-chart/templates/configmaps/features.yaml
index d1e7868c8..ecbc7a658 100644
--- a/helm-chart/templates/configmaps/features.yaml
+++ b/helm-chart/templates/configmaps/features.yaml
@@ -112,6 +112,8 @@ data:
       enabled: true
     wf_editor_via_jobs:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- else }}
   features.yml: |-
     activity_monitor:
@@ -216,4 +218,6 @@ data:
       enabled: true
     new_project_onboarding:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- end }}
diff --git a/helm-chart/templates/configmaps/internal-api-urls.yaml b/helm-chart/templates/configmaps/internal-api-urls.yaml
index c14d2eb85..fedb5cdaf 100644
--- a/helm-chart/templates/configmaps/internal-api-urls.yaml
+++ b/helm-chart/templates/configmaps/internal-api-urls.yaml
@@ -39,6 +39,7 @@ data:
   INTERNAL_API_URL_TASK: zebra-task-api:50051
   INTERNAL_API_URL_USER: guard-user-api:50051
   INTERNAL_API_URL_VELOCITY: velocity-hub:50051
+  INTERNAL_API_URL_SERVICE_ACCOUNT: guard-service-account-api:50051
 {{- if eq .Values.global.edition "ce" }}
   INTERNAL_API_URL_RBAC: rbac:50051
   INTERNAL_API_URL_OKTA: guard-okta-internal-api:50051
diff --git a/helm-chart/templates/configmaps/permissions.yaml b/helm-chart/templates/configmaps/permissions.yaml
index f5f940271..38b8b19f1 100644
--- a/helm-chart/templates/configmaps/permissions.yaml
+++ b/helm-chart/templates/configmaps/permissions.yaml
@@ -50,6 +50,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -186,6 +190,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -249,4 +257,5 @@ data:
           description: "Manually stop running jobs or workflows."
         - name: "project.job.attach"
           description: "SSH into the running job, or start a debug session."
-{{- end }}
\ No newline at end of file
+
+{{- end }}
diff --git a/helm-chart/templates/configmaps/roles.yaml b/helm-chart/templates/configmaps/roles.yaml
index cf2c7ac93..458f4f40a 100644
--- a/helm-chart/templates/configmaps/roles.yaml
+++ b/helm-chart/templates/configmaps/roles.yaml
@@ -33,6 +33,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "organization.instance_git_integration.manage"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Admin"
           description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
           maps_to: "Admin"
@@ -57,6 +59,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "project.delete"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Member"
           description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
           permissions:
@@ -197,6 +201,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "organization.instance_git_integration.manage"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Admin"
           description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
           maps_to: "Admin"
@@ -234,6 +240,8 @@ data:
             - "organization.custom_roles.view"
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
             - "project.delete"
         - name: "Member"
           description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."