Enterprise
Cursor Enterprise Service Accounts for API, CLI & Cloud Agents
Enterprise service accounts are non-human identities for automating Cursor: they authenticate the Cloud Agents API and CLI (CURSOR_API_KEY), consume usage from your team pool without an extra seat and stay visible to all team admins. Connect the Cursor GitHub app at team level before service accounts can run cloud agents on org repos.
On this page
Why use service accounts instead of a developer API key?
- Survives org changes: automations keep running when people rotate roles.
- Central credential control: rotate API keys without tying them to one engineer's account.
- Audit trail: cloud agent runs initiated by service accounts appear to all admins.
- No seat license: included with Enterprise; usage bills like any other member.
How do we create and secure a service account?
- 1Go to Dashboard → Settings → Service Accounts (Enterprise admin).
- 2Click New Service Account, name it (for example
linear-ticket-agent) and add a description. - 3Copy the API key immediately; Cursor shows it once.
- 4Store the key in your secrets manager; rotate from the dashboard if compromised.
Use the integrating system in the name (sentry-remediation, migration-runner) so audit logs and analytics attribute automation correctly.
Why do cloud agents fail without team GitHub?
Service accounts can start cloud agent runs only on repositories authorized through the team-level Cursor GitHub app. A personal GitHub connection is not enough. Admins connect under Dashboard → Settings → Integrations, install the app on the org and select allowed repositories.
How do we call APIs and CI with a service account?
Pass the API key as a Bearer token to the Cloud Agents API. For CLI and headless jobs, set CURSOR_API_KEY in the environment so pipelines authenticate without browser login. Usage appears in team analytics and billing like human members.
What automations fit service accounts?
Linear or Jira issue opened triggers a cloud agent to implement or investigate.
Sentry or monitoring webhook kicks off a scoped remediation agent run.
Internal platform service runs CLI on a cron with a fixed prompt and repo list.
Pair with BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. or Agent Review policies; service account owns the runner identity.
Frequently asked questions
Do service accounts count toward seat licenses?
No. They are included on Enterprise and do not consume a Standard or Premium seat.
Can we revoke access without deleting integrations?
Rotate or archive the service account from the dashboard. Rotation invalidates the old key immediately; update every consumer before rotating in production.
Who can see runs started by a service account?
All team admins can access cloud agent runs initiated by service accounts for oversight.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 24, 2026.