From 68b2d49c2b8cfa1397dbf8add0a44b7cd8f380a8 Mon Sep 17 00:00:00 2001 
From: kobergj Date: Thu, 31 Aug 2023 11:18:55 +0000 Subject: [PATCH] Merge pull request #6427 from kobergj/ServiceAccounts [full-ci] Service Accounts --- .../_includes/adoc/antivirus_configvars.adoc | 2 +- .../adoc/app-provider_configvars.adoc | 2 +- .../adoc/app-registry_configvars.adoc | 2 +- services/_includes/adoc/audit_configvars.adoc | 2 +- .../_includes/adoc/auth-basic_configvars.adoc | 2 +- .../adoc/auth-bearer_configvars.adoc | 2 +- .../adoc/auth-machine_configvars.adoc | 2 +- .../adoc/auth-service_configvars.adoc | 220 ++++++++++++++++++ .../adoc/auth-service_deprecation.adoc | 2 + .../adoc/eventhistory_configvars.adoc | 2 +- .../_includes/adoc/frontend_configvars.adoc | 2 +- .../_includes/adoc/gateway_configvars.adoc | 2 +- .../_includes/adoc/global_configvars.adoc | 150 ++++++++---- services/_includes/adoc/graph_configvars.adoc | 32 ++- .../_includes/adoc/groups_configvars.adoc | 2 +- services/_includes/adoc/idm_configvars.adoc | 2 +- services/_includes/adoc/idp_configvars.adoc | 2 +- .../adoc/invitations_configvars.adoc | 2 +- services/_includes/adoc/nats_configvars.adoc | 2 +- .../adoc/notifications_configvars.adoc | 32 ++- services/_includes/adoc/ocdav_configvars.adoc | 2 +- services/_includes/adoc/ocs_configvars.adoc | 2 +- .../_includes/adoc/policies_configvars.adoc | 2 +- .../adoc/postprocessing_configvars.adoc | 2 +- services/_includes/adoc/proxy_configvars.adoc | 2 +- .../_includes/adoc/search_configvars.adoc | 18 +- .../_includes/adoc/settings_configvars.adoc | 12 +- .../_includes/adoc/sharing_configvars.adoc | 2 +- services/_includes/adoc/sse_configvars.adoc | 2 +- .../adoc/storage-publiclink_configvars.adoc | 2 +- .../adoc/storage-shares_configvars.adoc | 2 +- .../adoc/storage-system_configvars.adoc | 2 +- .../adoc/storage-users_configvars.adoc | 22 +- services/_includes/adoc/store_configvars.adoc | 2 +- .../_includes/adoc/thumbnails_configvars.adoc | 2 +- .../_includes/adoc/userlog_configvars.adoc | 22 +- 
services/_includes/adoc/users_configvars.adoc | 2 +- services/_includes/adoc/web_configvars.adoc | 2 +- .../_includes/adoc/webdav_configvars.adoc | 2 +- .../_includes/adoc/webfinger_configvars.adoc | 2 +- .../auth-service-config-example.yaml | 32 +++ services/_includes/auth-service_configvars.md | 24 ++ services/_includes/graph-config-example.yaml | 4 +- services/_includes/graph_configvars.md | 5 +- .../notifications-config-example.yaml | 4 +- .../_includes/notifications_configvars.md | 5 +- services/_includes/search-config-example.yaml | 4 +- services/_includes/search_configvars.md | 3 +- .../_includes/settings-config-example.yaml | 1 + services/_includes/settings_configvars.md | 3 +- .../storage-users-config-example.yaml | 3 + .../_includes/storage-users_configvars.md | 4 +- .../_includes/userlog-config-example.yaml | 3 + services/_includes/userlog_configvars.md | 4 +- services/antivirus/_index.md | 2 +- services/audit/_index.md | 2 +- services/auth-basic/_index.md | 11 +- services/auth-bearer/_index.md | 15 +- services/auth-machine/_index.md | 34 ++- services/eventhistory/_index.md | 2 +- services/frontend/_index.md | 2 +- services/gateway/_index.md | 2 +- services/graph/_index.md | 2 +- services/idm/_index.md | 2 +- services/idp/_index.md | 2 +- services/invitations/_index.md | 2 +- services/nats/_index.md | 2 +- services/notifications/_index.md | 2 +- services/ocdav/_index.md | 2 +- services/ocs/_index.md | 2 +- services/policies/_index.md | 2 +- services/postprocessing/_index.md | 2 +- services/proxy/_index.md | 2 +- services/search/_index.md | 2 +- services/settings/_index.md | 9 +- services/sse/_index.md | 2 +- services/storage-system/_index.md | 2 +- services/storage-users/_index.md | 2 +- services/thumbnails/_index.md | 2 +- services/userlog/_index.md | 2 +- services/web/_index.md | 2 +- services/webdav/_index.md | 2 +- services/webfinger/_index.md | 2 +- 83 files changed, 633 insertions(+), 157 deletions(-) create mode 100644 
services/_includes/adoc/auth-service_configvars.adoc create mode 100644 services/_includes/adoc/auth-service_deprecation.adoc create mode 100644 services/_includes/auth-service-config-example.yaml create mode 100644 services/_includes/auth-service_configvars.md diff --git a/services/_includes/adoc/antivirus_configvars.adoc b/services/_includes/adoc/antivirus_configvars.adoc index 10927800e13..304a00e77a1 100644 --- a/services/_includes/adoc/antivirus_configvars.adoc +++ b/services/_includes/adoc/antivirus_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the antivirus service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/app-provider_configvars.adoc b/services/_includes/adoc/app-provider_configvars.adoc index be2c2ed03e0..6c3f237148b 100644 --- a/services/_includes/adoc/app-provider_configvars.adoc +++ b/services/_includes/adoc/app-provider_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the app-provider service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/app-registry_configvars.adoc b/services/_includes/adoc/app-registry_configvars.adoc index 5c6d624a777..0d49c331df4 100644 --- a/services/_includes/adoc/app-registry_configvars.adoc +++ b/services/_includes/adoc/app-registry_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the app-registry service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/audit_configvars.adoc b/services/_includes/adoc/audit_configvars.adoc index f0dc2b39c88..58176bf2965 100644 --- a/services/_includes/adoc/audit_configvars.adoc 
+++ b/services/_includes/adoc/audit_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the audit service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/auth-basic_configvars.adoc b/services/_includes/adoc/auth-basic_configvars.adoc index 77f60815b70..9fef440f06c 100644 --- a/services/_includes/adoc/auth-basic_configvars.adoc +++ b/services/_includes/adoc/auth-basic_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the auth-basic service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/auth-bearer_configvars.adoc b/services/_includes/adoc/auth-bearer_configvars.adoc index 65f1ba0e043..7eb2397b236 100644 --- a/services/_includes/adoc/auth-bearer_configvars.adoc +++ b/services/_includes/adoc/auth-bearer_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the auth-bearer service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/auth-machine_configvars.adoc b/services/_includes/adoc/auth-machine_configvars.adoc index a0ed4b63e25..7c926c8c424 100644 --- a/services/_includes/adoc/auth-machine_configvars.adoc +++ b/services/_includes/adoc/auth-machine_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the auth-machine service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/auth-service_configvars.adoc b/services/_includes/adoc/auth-service_configvars.adoc new file mode 100644 index 00000000000..6a38f76e85f 
--- /dev/null +++ b/services/_includes/adoc/auth-service_configvars.adoc 
@@ -0,0 +1,220 @@ +// set the attribute to true or leave empty, true without any quotes. + +:show-deprecation: false + +ifeval::[{show-deprecation} == true] + +[#deprecation-note-2023-08-31-11-17-46] +[caption=] +.Deprecation notes for the auth-service service +[width="100%",cols="~,~,~,~",options="header"] +|=== +| Deprecation Info +| Deprecation Version +| Removal Version +| Deprecation Replacement +|=== + +endif::[] + +[caption=] +.Environment variables for the auth-service service +[width="100%",cols="~,~,~,~",options="header"] +|=== +| Name +| Type +| Default Value +| Description + +a|`OCIS_TRACING_ENABLED` + +`AUTH_SERVICE_TRACING_ENABLED` + + +a| [subs=-attributes] +++bool ++ +a| [subs=-attributes] +++false ++ +a| [subs=-attributes] +Activates tracing. + +a|`OCIS_TRACING_TYPE` + +`AUTH_SERVICE_TRACING_TYPE` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. + +a|`OCIS_TRACING_ENDPOINT` + +`AUTH_SERVICE_TRACING_ENDPOINT` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The endpoint of the tracing agent. + +a|`OCIS_TRACING_COLLECTOR` + +`AUTH_SERVICE_TRACING_COLLECTOR` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. + +a|`OCIS_LOG_LEVEL` + +`AUTH_SERVICE_LOG_LEVEL` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. + +a|`OCIS_LOG_PRETTY` + +`AUTH_SERVICE_LOG_PRETTY` + + +a| [subs=-attributes] +++bool ++ +a| [subs=-attributes] +++false ++ +a| [subs=-attributes] +Activates pretty log output. 
+ +a|`OCIS_LOG_COLOR` + +`AUTH_SERVICE_LOG_COLOR` + + +a| [subs=-attributes] +++bool ++ +a| [subs=-attributes] +++false ++ +a| [subs=-attributes] +Activates colorized log output. + +a|`OCIS_LOG_FILE` + +`AUTH_SERVICE_LOG_FILE` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The path to the log file. Activates logging to this file if set. + +a|`AUTH_SERVICE_DEBUG_ADDR` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++127.0.0.1:9169 ++ +a| [subs=-attributes] +Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. + +a|`AUTH_SERVICE_DEBUG_TOKEN` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +Token to secure the metrics endpoint. + +a|`AUTH_SERVICE_DEBUG_PPROF` + + +a| [subs=-attributes] +++bool ++ +a| [subs=-attributes] +++false ++ +a| [subs=-attributes] +Enables pprof, which can be used for profiling. + +a|`AUTH_SERVICE_DEBUG_ZPAGES` + + +a| [subs=-attributes] +++bool ++ +a| [subs=-attributes] +++false ++ +a| [subs=-attributes] +Enables zpages, which can be used for collecting and viewing in-memory traces. + +a|`AUTH_SERVICE_GRPC_ADDR` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++127.0.0.1:9199 ++ +a| [subs=-attributes] +The bind address of the GRPC service. + +a|`AUTH_SERVICE_GRPC_PROTOCOL` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++tcp ++ +a| [subs=-attributes] +The transport protocol of the GRPC service. + +a|`OCIS_JWT_SECRET` + +`AUTH_MACHINE_JWT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The secret to mint and validate jwt tokens. + +a|`OCIS_REVA_GATEWAY` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++com.owncloud.api.gateway ++ +a| [subs=-attributes] +The CS3 gateway endpoint. 
+ +a|`OCIS_GRPC_CLIENT_TLS_MODE` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. + +a|`OCIS_GRPC_CLIENT_TLS_CACERT` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`AUTH_SERVICE_SERVICE_ACCOUNT_ID` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. +|=== + diff --git a/services/_includes/adoc/auth-service_deprecation.adoc b/services/_includes/adoc/auth-service_deprecation.adoc new file mode 100644 index 00000000000..4b3cef689ac --- /dev/null +++ b/services/_includes/adoc/auth-service_deprecation.adoc @@ -0,0 +1,2 @@ +:show-deprecation: false + diff --git a/services/_includes/adoc/eventhistory_configvars.adoc b/services/_includes/adoc/eventhistory_configvars.adoc index 526285f5b06..eea9c555ff5 100644 --- a/services/_includes/adoc/eventhistory_configvars.adoc +++ b/services/_includes/adoc/eventhistory_configvars.adoc 
@@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the eventhistory service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/frontend_configvars.adoc b/services/_includes/adoc/frontend_configvars.adoc index 599b78d857a..d31f7705cf5 100644 --- a/services/_includes/adoc/frontend_configvars.adoc +++ b/services/_includes/adoc/frontend_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the frontend service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/gateway_configvars.adoc b/services/_includes/adoc/gateway_configvars.adoc index 281c5c36da0..e0b89a68391 100644 --- a/services/_includes/adoc/gateway_configvars.adoc +++ b/services/_includes/adoc/gateway_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the gateway service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/global_configvars.adoc b/services/_includes/adoc/global_configvars.adoc index b3ad022fa8d..e04bc89c83f 100644 --- a/services/_includes/adoc/global_configvars.adoc +++ b/services/_includes/adoc/global_configvars.adoc @@ -20,6 +20,21 @@ Note that some global environment variables have been deprecated and replaced by +a| `AUTH_MACHINE_JWT_SECRET` + +a| [subs=attributes+] +* xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + + +a| [subs=-attributes] +++string ++ + +a| [subs=-attributes] +++ ++ + +a| [subs=-attributes] +The secret to mint and validate jwt tokens. + a| `IDM_CREATE_DEMO_USERS` a| [subs=attributes+] 
@@ -33,7 +48,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -The default role assignments the demo users should be setup. +Flag to enable or disable the creation of the demo users. a| `LDAP_BIND_PASSWORD` @@ -129,7 +144,7 @@ a| [subs=-attributes] ++0 ++ a| [subs=-attributes] -The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512. +Max number of entries to hold in the cache. a| `OCIS_CACHE_STORE` @@ -150,7 +165,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++memory ++ +++noop ++ a| [subs=-attributes] The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. @@ -198,10 +213,10 @@ a| [subs=-attributes] ++Duration ++ a| [subs=-attributes] -++10m0s ++ +++5m0s ++ a| [subs=-attributes] -Default time to live for entries in the cache. Only applied when access tokens has no expiration. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '10m' (10 minutes). +Default time to live for user info in the cache. Only applied when access tokens has no expiration. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '300s' (300 seconds). a| `OCIS_CORS_ALLOW_CREDENTIALS` 
@@ -246,7 +261,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id] ++ +++[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control] ++ a| [subs=-attributes] A blank or comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. @@ -270,7 +285,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[GET POST PUT PATCH DELETE OPTIONS] ++ +++[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] ++ a| [subs=-attributes] A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method @@ -342,7 +357,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Set this option to 'true' to disable previews in all the different web file listing views. This can speed up file listings in folders with many files. The only list view that is not affected by this setting is the trash bin, as it does not allow previewing at all. +Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404. a| `OCIS_EDITION` 
@@ -408,7 +423,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. +Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. a| `OCIS_EVENTS_ENDPOINT` @@ -458,7 +473,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false. +The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false. a| `OCIS_GRPC_CLIENT_TLS_CACERT` @@ -468,6 +483,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + * xref:{s-path}/graph.adoc[graph] + @@ -502,6 +518,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + * xref:{s-path}/graph.adoc[graph] + @@ -630,7 +647,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Allow insecure connections to the OIDC issuer. +Whether the server should skip the client certificate verification during the TLS handshake. a| `OCIS_JWT_SECRET` 
@@ -640,6 +657,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + * xref:{s-path}/graph.adoc[graph] + @@ -773,7 +791,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid=reva,ou=sysusers,o=libregraph-idm ++ +++uid=idp,ou=sysusers,o=libregraph-idm ++ a| [subs=-attributes] LDAP DN to use for simple bind authentication with the target LDAP server. @@ -794,7 +812,7 @@ a| [subs=-attributes] ++~/.ocis/idm/ldap.crt ++ a| [subs=-attributes] -Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. +Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. a| `OCIS_LDAP_DISABLED_USERS_GROUP_DN` @@ -826,7 +844,7 @@ a| [subs=-attributes] ++attribute ++ a| [subs=-attributes] -An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. +An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'. a| `OCIS_LDAP_GROUP_BASE_DN` 
@@ -927,7 +945,7 @@ a| [subs=-attributes] ++ownclouduuid ++ a| [subs=-attributes] -LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). +LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. a| `OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` @@ -944,7 +962,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. +Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's. a| `OCIS_LDAP_GROUP_SCHEMA_MAIL` @@ -994,7 +1012,7 @@ a| [subs=-attributes] ++sub ++ a| [subs=-attributes] -LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. +LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. a| `OCIS_LDAP_INSECURE` @@ -1045,7 +1063,7 @@ a| [subs=-attributes] ++ldaps://localhost:9235 ++ a| [subs=-attributes] -URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' +Url of the LDAP service to use as IDP. a| `OCIS_LDAP_USER_BASE_DN` @@ -1080,7 +1098,7 @@ a| [subs=-attributes] ++ownCloudUserEnabled ++ a| [subs=-attributes] -LDAP attribute to use as a flag telling if the user is enabled or disabled. +LDAP Attribute to use as a flag telling if the user is enabled or disabled. a| `OCIS_LDAP_USER_FILTER` @@ -1116,7 +1134,7 @@ a| [subs=-attributes] ++inetOrgPerson ++ a| [subs=-attributes] -The object class to use for users in the default user search filter ('inetOrgPerson'). +LDAP User ObjectClass like 'inetOrgPerson'. a| `OCIS_LDAP_USER_SCHEMA_DISPLAYNAME` 
@@ -1147,10 +1165,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ownclouduuid ++ +++ownCloudUUID ++ a| [subs=-attributes] -LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. +LDAP User UUID attribute like 'uid'. a| `OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` @@ -1167,7 +1185,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. +Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. a| `OCIS_LDAP_USER_SCHEMA_MAIL` @@ -1185,7 +1203,7 @@ a| [subs=-attributes] ++mail ++ a| [subs=-attributes] -LDAP Attribute to use for the email address of users. +LDAP User email attribute like 'mail'. a| `OCIS_LDAP_USER_SCHEMA_USERNAME` @@ -1200,10 +1218,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid ++ +++displayName ++ a| [subs=-attributes] -LDAP Attribute to use for username of users. +LDAP User name attribute like 'displayName'. a| `OCIS_LDAP_USER_SCHEMA_USER_TYPE` @@ -1236,7 +1254,7 @@ a| [subs=-attributes] ++sub ++ a| [subs=-attributes] -LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. +LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. a| `OCIS_LOG_COLOR` @@ -1248,6 +1266,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + 
@@ -1298,6 +1317,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1348,6 +1368,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1398,6 +1419,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1443,13 +1465,10 @@ a| `OCIS_MACHINE_AUTH_API_KEY` a| [subs=attributes+] * xref:{s-path}/auth-machine.adoc[auth-machine] + * xref:{s-path}/frontend.adoc[frontend] + -* xref:{s-path}/graph.adoc[graph] + * xref:{s-path}/idp.adoc[idp] + -* xref:{s-path}/notifications.adoc[notifications] + * xref:{s-path}/ocdav.adoc[ocdav] + * xref:{s-path}/policies.adoc[policies] + * xref:{s-path}/proxy.adoc[proxy] + -* xref:{s-path}/search.adoc[search] + * xref:{s-path}/userlog.adoc[userlog] + a| [subs=-attributes] @@ -1480,7 +1499,7 @@ a| [subs=-attributes] ++https://localhost:9200 ++ a| [subs=-attributes] -URL of the OIDC issuer. It defaults to URL of the builtin IDP. +The identity provider href for the openid-discovery relation. a| `OCIS_PERSISTENT_STORE` 
@@ -1541,7 +1560,7 @@ a| [subs=-attributes] ++Duration ++ a| [subs=-attributes] -++336h0m0s ++ +++0s ++ a| [subs=-attributes] Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks). @@ -1554,6 +1573,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + * xref:{s-path}/graph.adoc[graph] + @@ -1583,6 +1603,45 @@ a| [subs=-attributes] a| [subs=-attributes] The CS3 gateway endpoint. +a| `OCIS_SERVICE_ACCOUNT_ID` + +a| [subs=attributes+] +* xref:{s-path}/auth-service.adoc[auth-service] + +* xref:{s-path}/graph.adoc[graph] + +* xref:{s-path}/notifications.adoc[notifications] + +* xref:{s-path}/search.adoc[search] + +* xref:{s-path}/settings.adoc[settings] + +* xref:{s-path}/storage-users.adoc[storage-users] + +* xref:{s-path}/userlog.adoc[userlog] + + +a| [subs=-attributes] +++string ++ + +a| [subs=-attributes] +++ ++ + +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a| `OCIS_SERVICE_ACCOUNT_SECRET` + +a| [subs=attributes+] +* xref:{s-path}/auth-service.adoc[auth-service] + +* xref:{s-path}/graph.adoc[graph] + +* xref:{s-path}/notifications.adoc[notifications] + +* xref:{s-path}/search.adoc[search] + +* xref:{s-path}/storage-users.adoc[storage-users] + +* xref:{s-path}/userlog.adoc[userlog] + + +a| [subs=-attributes] +++string ++ + +a| [subs=-attributes] +++ ++ + +a| [subs=-attributes] +The service account secret. + a| `OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` a| [subs=attributes+] 
@@ -1596,7 +1655,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service. +Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. a| `OCIS_SPACES_MAX_QUOTA` @@ -1611,7 +1670,7 @@ a| [subs=-attributes] ++0 ++ a| [subs=-attributes] -Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OCIS_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service. +Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. a| `OCIS_SYSTEM_USER_API_KEY` @@ -1679,6 +1738,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1729,6 +1789,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1779,6 +1840,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + 
@@ -1829,6 +1891,7 @@ a| [subs=attributes+] * xref:{s-path}/auth-basic.adoc[auth-basic] + * xref:{s-path}/auth-bearer.adoc[auth-bearer] + * xref:{s-path}/auth-machine.adoc[auth-machine] + +* xref:{s-path}/auth-service.adoc[auth-service] + * xref:{s-path}/eventhistory.adoc[eventhistory] + * xref:{s-path}/frontend.adoc[frontend] + * xref:{s-path}/gateway.adoc[gateway] + @@ -1882,7 +1945,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -The storage transfer secret. +Transfer secret for signing file up- and download requests. a| `OCIS_URL` @@ -1913,7 +1976,7 @@ a| [subs=-attributes] ++https://localhost:9200 ++ a| [subs=-attributes] -Base URL to load themes from. Will be prepended to the theme path. +URL where oCIS is reachable for users. a| `STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY` @@ -1945,21 +2008,6 @@ a| [subs=-attributes] a| [subs=-attributes] Endpoint of the permissions service. The endpoints can differ for 'ocis' and 's3ng'. -a| `USERLOG_MACHINE_AUTH_API_KEY` - -a| [subs=attributes+] -* xref:{s-path}/graph.adoc[graph] + -* xref:{s-path}/userlog.adoc[userlog] + - -a| [subs=-attributes] -++string ++ - -a| [subs=-attributes] -++ ++ - -a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary to access resources from other services. - a| `WEB_UI_CONFIG_FILE` a| [subs=attributes+] diff --git a/services/_includes/adoc/graph_configvars.adoc b/services/_includes/adoc/graph_configvars.adoc index e36d07dc2c3..3094ae48860 100644 --- a/services/_includes/adoc/graph_configvars.adoc +++ b/services/_includes/adoc/graph_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the graph service [width="100%",cols="~,~,~,~",options="header"] 
@@ -877,16 +877,6 @@ a| [subs=-attributes] a| [subs=-attributes] Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. -a|`OCIS_MACHINE_AUTH_API_KEY` + -`USERLOG_MACHINE_AUTH_API_KEY` + - -a| [subs=-attributes] -++string ++ -a| [subs=-attributes] -++ ++ -a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary to access resources from other services. - a|`OCIS_KEYCLOAK_BASE_PATH` + `GRAPH_KEYCLOAK_BASE_PATH` + @@ -946,5 +936,25 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`GRAPH_SERVICE_ACCOUNT_ID` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`GRAPH_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. |=== diff --git a/services/_includes/adoc/groups_configvars.adoc b/services/_includes/adoc/groups_configvars.adoc index 5ffff23c62e..ca51dddb221 100644 --- a/services/_includes/adoc/groups_configvars.adoc +++ b/services/_includes/adoc/groups_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the groups service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/idm_configvars.adoc b/services/_includes/adoc/idm_configvars.adoc index 77acdd6f400..7011ff07726 100644 --- a/services/_includes/adoc/idm_configvars.adoc +++ b/services/_includes/adoc/idm_configvars.adoc 
@@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the idm service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/idp_configvars.adoc b/services/_includes/adoc/idp_configvars.adoc index af0548049d5..b3fdd6077e6 100644 --- a/services/_includes/adoc/idp_configvars.adoc +++ b/services/_includes/adoc/idp_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the idp service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/invitations_configvars.adoc b/services/_includes/adoc/invitations_configvars.adoc index 40195712b31..87abc3e7dbf 100644 --- a/services/_includes/adoc/invitations_configvars.adoc +++ b/services/_includes/adoc/invitations_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the invitations service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/nats_configvars.adoc b/services/_includes/adoc/nats_configvars.adoc index 9b9d0be21be..8082084ebb6 100644 --- a/services/_includes/adoc/nats_configvars.adoc +++ b/services/_includes/adoc/nats_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the nats service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/notifications_configvars.adoc b/services/_includes/adoc/notifications_configvars.adoc index f1d5278db32..33b99822a70 100644 --- a/services/_includes/adoc/notifications_configvars.adoc +++ b/services/_includes/adoc/notifications_configvars.adoc 
@@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the notifications service [width="100%",cols="~,~,~,~",options="header"] @@ -274,16 +274,6 @@ a| [subs=-attributes] a| [subs=-attributes] Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. -a|`OCIS_MACHINE_AUTH_API_KEY` + -`NOTIFICATIONS_MACHINE_AUTH_API_KEY` + - -a| [subs=-attributes] -++string ++ -a| [subs=-attributes] -++ ++ -a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary to access resources from other services. - a|`OCIS_EMAIL_TEMPLATE_PATH` + `NOTIFICATIONS_EMAIL_TEMPLATE_PATH` + @@ -329,5 +319,25 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`NOTIFICATIONS_SERVICE_ACCOUNT_ID` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. |=== diff --git a/services/_includes/adoc/ocdav_configvars.adoc b/services/_includes/adoc/ocdav_configvars.adoc index 487461219fd..95573a91edd 100644 --- a/services/_includes/adoc/ocdav_configvars.adoc +++ b/services/_includes/adoc/ocdav_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the ocdav service [width="100%",cols="~,~,~,~",options="header"] 
diff --git a/services/_includes/adoc/ocs_configvars.adoc b/services/_includes/adoc/ocs_configvars.adoc index e9a5bbe8880..c7d5dca50e6 100644 --- a/services/_includes/adoc/ocs_configvars.adoc +++ b/services/_includes/adoc/ocs_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the ocs service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/policies_configvars.adoc b/services/_includes/adoc/policies_configvars.adoc index 52a504c13d9..234b0935c24 100644 --- a/services/_includes/adoc/policies_configvars.adoc +++ b/services/_includes/adoc/policies_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the policies service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/postprocessing_configvars.adoc b/services/_includes/adoc/postprocessing_configvars.adoc index 62071997271..cbefae9831a 100644 --- a/services/_includes/adoc/postprocessing_configvars.adoc +++ b/services/_includes/adoc/postprocessing_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the postprocessing service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/proxy_configvars.adoc b/services/_includes/adoc/proxy_configvars.adoc index c6160a6ee81..87ab3a30251 100644 --- a/services/_includes/adoc/proxy_configvars.adoc +++ b/services/_includes/adoc/proxy_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the proxy service [width="100%",cols="~,~,~,~",options="header"] 
diff --git a/services/_includes/adoc/search_configvars.adoc b/services/_includes/adoc/search_configvars.adoc index 18626bb6255..9f6adf3e519 100644 --- a/services/_includes/adoc/search_configvars.adoc +++ b/services/_includes/adoc/search_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the search service [width="100%",cols="~,~,~,~",options="header"] @@ -321,14 +321,24 @@ a| [subs=-attributes] a| [subs=-attributes] Maximum file size in bytes that is allowed for content extraction. -a|`OCIS_MACHINE_AUTH_API_KEY` + -`SEARCH_MACHINE_AUTH_API_KEY` + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`SEARCH_SERVICE_ACCOUNT_ID` + a| [subs=-attributes] ++string ++ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary for the access to resources from other services. +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`SEARCH_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. |=== diff --git a/services/_includes/adoc/settings_configvars.adoc b/services/_includes/adoc/settings_configvars.adoc index 1342996dbe7..27a16a12477 100644 --- a/services/_includes/adoc/settings_configvars.adoc +++ b/services/_includes/adoc/settings_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the settings service [width="100%",cols="~,~,~,~",options="header"] 
@@ -406,5 +406,15 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] The default role assignments the demo users should be setup. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++service-user-id ++ +a| [subs=-attributes] +The ID of the service account having the admin role. See the 'auth-service' service description for more details. |=== diff --git a/services/_includes/adoc/sharing_configvars.adoc b/services/_includes/adoc/sharing_configvars.adoc index 0040e0ac5fa..0e36795abef 100644 --- a/services/_includes/adoc/sharing_configvars.adoc +++ b/services/_includes/adoc/sharing_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the sharing service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/sse_configvars.adoc b/services/_includes/adoc/sse_configvars.adoc index 1da90c6e5b6..0fca045951d 100644 --- a/services/_includes/adoc/sse_configvars.adoc +++ b/services/_includes/adoc/sse_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the sse service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/storage-publiclink_configvars.adoc b/services/_includes/adoc/storage-publiclink_configvars.adoc index 7ab8d9da5c8..cb28059eee6 100644 --- a/services/_includes/adoc/storage-publiclink_configvars.adoc +++ b/services/_includes/adoc/storage-publiclink_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the storage-publiclink service [width="100%",cols="~,~,~,~",options="header"] 
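Review bot: `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` is documented here with a fixed default of `service-user-id`, while every other `*_SERVICE_ACCOUNT_ID` added in this patch defaults to an empty string. A deployment that never sets `OCIS_SERVICE_ACCOUNT_ID` therefore still has the admin role bound to a well-known ID. Whether that ID can authenticate without a configured secret is not visible from these hunks. An empty default, as in `service_account_id_admin: ""`, would keep the settings service consistent with the others and make the admin binding an explicit operator decision. The same default appears in the settings-config-example.yaml and settings_configvars.md hunks further down; the files look autogenerated, so the change presumably belongs in the config definition they are built from.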
diff --git a/services/_includes/adoc/storage-shares_configvars.adoc b/services/_includes/adoc/storage-shares_configvars.adoc index 762c2997bcc..df30c9d38a7 100644 --- a/services/_includes/adoc/storage-shares_configvars.adoc +++ b/services/_includes/adoc/storage-shares_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the storage-shares service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/storage-system_configvars.adoc b/services/_includes/adoc/storage-system_configvars.adoc index 0e7ac8d3ce5..a060f21adb5 100644 --- a/services/_includes/adoc/storage-system_configvars.adoc +++ b/services/_includes/adoc/storage-system_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the storage-system service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/storage-users_configvars.adoc b/services/_includes/adoc/storage-users_configvars.adoc index 76719b26d9a..26386661929 100644 --- a/services/_includes/adoc/storage-users_configvars.adoc +++ b/services/_includes/adoc/storage-users_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the storage-users service [width="100%",cols="~,~,~,~",options="header"] 
@@ -914,5 +914,25 @@ a| [subs=-attributes] ++720h0m0s ++ a| [subs=-attributes] Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. The value is human-readable, valid values are '24h', '60m', '60s' etc. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`STORAGE_USERS_SERVICE_ACCOUNT_ID` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`STORAGE_USERS_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. |=== diff --git a/services/_includes/adoc/store_configvars.adoc b/services/_includes/adoc/store_configvars.adoc index 45b8be8ecd6..590c0c77396 100644 --- a/services/_includes/adoc/store_configvars.adoc +++ b/services/_includes/adoc/store_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the store service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/thumbnails_configvars.adoc b/services/_includes/adoc/thumbnails_configvars.adoc index fe4bcd5f4fa..37c482bd36c 100644 --- a/services/_includes/adoc/thumbnails_configvars.adoc +++ b/services/_includes/adoc/thumbnails_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the thumbnails service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/userlog_configvars.adoc b/services/_includes/adoc/userlog_configvars.adoc index 33c6839ce8d..ca8b3eccc45 100644 --- a/services/_includes/adoc/userlog_configvars.adoc 
+++ b/services/_includes/adoc/userlog_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the userlog service [width="100%",cols="~,~,~,~",options="header"] @@ -391,5 +391,25 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints. + +a|`OCIS_SERVICE_ACCOUNT_ID` + +`USERLOG_SERVICE_ACCOUNT_ID` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The ID of the service account the service should use. See the 'auth-service' service description for more details. + +a|`OCIS_SERVICE_ACCOUNT_SECRET` + +`USERLOG_SERVICE_ACCOUNT_SECRET` + + +a| [subs=-attributes] +++string ++ +a| [subs=-attributes] +++ ++ +a| [subs=-attributes] +The service account secret. |=== diff --git a/services/_includes/adoc/users_configvars.adoc b/services/_includes/adoc/users_configvars.adoc index 4f9bd1b569b..db2028797b1 100644 --- a/services/_includes/adoc/users_configvars.adoc +++ b/services/_includes/adoc/users_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the users service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/web_configvars.adoc b/services/_includes/adoc/web_configvars.adoc index 87de578d42c..a32199b03c8 100644 --- a/services/_includes/adoc/web_configvars.adoc +++ b/services/_includes/adoc/web_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the web service [width="100%",cols="~,~,~,~",options="header"] 
diff --git a/services/_includes/adoc/webdav_configvars.adoc b/services/_includes/adoc/webdav_configvars.adoc index 9b80bca61df..4e06c40e546 100644 --- a/services/_includes/adoc/webdav_configvars.adoc +++ b/services/_includes/adoc/webdav_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the webdav service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/adoc/webfinger_configvars.adoc b/services/_includes/adoc/webfinger_configvars.adoc index 7af5f58d939..b1f69eef16a 100644 --- a/services/_includes/adoc/webfinger_configvars.adoc +++ b/services/_includes/adoc/webfinger_configvars.adoc @@ -4,7 +4,7 @@ ifeval::[{show-deprecation} == true] -[#deprecation-note-2023-08-31-09-23-28] +[#deprecation-note-2023-08-31-11-17-46] [caption=] .Deprecation notes for the webfinger service [width="100%",cols="~,~,~,~",options="header"] diff --git a/services/_includes/auth-service-config-example.yaml b/services/_includes/auth-service-config-example.yaml new file mode 100644 index 00000000000..00618c84b5a --- /dev/null +++ b/services/_includes/auth-service-config-example.yaml @@ -0,0 +1,32 @@ +# Autogenerated +# Filename: auth-service-config-example.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9169 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9199 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: com.owncloud.api.gateway + tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/services/_includes/auth-service_configvars.md b/services/_includes/auth-service_configvars.md new file mode 100644 index 00000000000..1e0caf7865b --- /dev/null +++ b/services/_includes/auth-service_configvars.md 
@@ -0,0 +1,24 @@ +## Environment Variables + +| Name | Type | Default Value | Description | +|------|------|---------------|-------------| +| OCIS_TRACING_ENABLED
AUTH_SERVICE_TRACING_ENABLED | bool | false | Activates tracing.| +| OCIS_TRACING_TYPE
AUTH_SERVICE_TRACING_TYPE | string | | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.| +| OCIS_TRACING_ENDPOINT
AUTH_SERVICE_TRACING_ENDPOINT | string | | The endpoint of the tracing agent.| +| OCIS_TRACING_COLLECTOR
AUTH_SERVICE_TRACING_COLLECTOR | string | | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.| +| OCIS_LOG_LEVEL
AUTH_SERVICE_LOG_LEVEL | string | | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.| +| OCIS_LOG_PRETTY
AUTH_SERVICE_LOG_PRETTY | bool | false | Activates pretty log output.| +| OCIS_LOG_COLOR
AUTH_SERVICE_LOG_COLOR | bool | false | Activates colorized log output.| +| OCIS_LOG_FILE
AUTH_SERVICE_LOG_FILE | string | | The path to the log file. Activates logging to this file if set.| +| AUTH_SERVICE_DEBUG_ADDR | string | 127.0.0.1:9169 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.| +| AUTH_SERVICE_DEBUG_TOKEN | string | | Token to secure the metrics endpoint.| +| AUTH_SERVICE_DEBUG_PPROF | bool | false | Enables pprof, which can be used for profiling.| +| AUTH_SERVICE_DEBUG_ZPAGES | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces.| +| AUTH_SERVICE_GRPC_ADDR | string | 127.0.0.1:9199 | The bind address of the GRPC service.| +| AUTH_SERVICE_GRPC_PROTOCOL | string | tcp | The transport protocol of the GRPC service.| +| OCIS_JWT_SECRET
AUTH_MACHINE_JWT_SECRET | string | | The secret to mint and validate jwt tokens.| +| OCIS_REVA_GATEWAY | string | com.owncloud.api.gateway | The CS3 gateway endpoint.| +| OCIS_GRPC_CLIENT_TLS_MODE | string | | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.| +| OCIS_GRPC_CLIENT_TLS_CACERT | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.| +| OCIS_SERVICE_ACCOUNT_ID
AUTH_SERVICE_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.| +| OCIS_SERVICE_ACCOUNT_SECRET
AUTH_SERVICE_SERVICE_ACCOUNT_SECRET | string | | The service account secret.| \ No newline at end of file diff --git a/services/_includes/graph-config-example.yaml b/services/_includes/graph-config-example.yaml index 3cd021a73e9..8309dfb324e 100644 --- a/services/_includes/graph-config-example.yaml +++ b/services/_includes/graph-config-example.yaml @@ -123,7 +123,6 @@ events: tls_insecure: false tls_root_ca_certificate: "" enable_tls: false -machine_auth_api_key: "" keycloak: base_path: "" client_id: "" @@ -131,3 +130,6 @@ keycloak: client_realm: "" user_realm: "" insecure_skip_verify: false +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/services/_includes/graph_configvars.md b/services/_includes/graph_configvars.md index 3b9ebf75ff0..6a547829d2c 100644 --- a/services/_includes/graph_configvars.md +++ b/services/_includes/graph_configvars.md @@ -91,10 +91,11 @@ | OCIS_INSECURE
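Review bot: The JWT secret row in this new table lists `AUTH_MACHINE_JWT_SECRET` as the service-specific variable, while every other service-specific variable for this service is prefixed `AUTH_SERVICE_`. This looks copied from the auth-machine service. If the name reflects the actual binding, a secret set for auth-machine is silently applied to auth-service as well, and the two cannot be configured or rotated separately. The second name in that row should read `AUTH_SERVICE_JWT_SECRET`. The file appears to be generated, so the fix presumably belongs in the config definition it is built from, which is not part of this view.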
GRAPH_EVENTS_TLS_INSECURE | bool | false | Whether to verify the server TLS certificates.| | OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE
GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE | string | | The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.| | OCIS_EVENTS_ENABLE_TLS
GRAPH_EVENTS_ENABLE_TLS | bool | false | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..| -| OCIS_MACHINE_AUTH_API_KEY
USERLOG_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary to access resources from other services.| | OCIS_KEYCLOAK_BASE_PATH
GRAPH_KEYCLOAK_BASE_PATH | string | | The URL to access keycloak.| | OCIS_KEYCLOAK_CLIENT_ID
GRAPH_KEYCLOAK_CLIENT_ID | string | | The client id to authenticate with keycloak.| | OCIS_KEYCLOAK_CLIENT_SECRET
GRAPH_KEYCLOAK_CLIENT_SECRET | string | | The client secret to use in authentication.| | OCIS_KEYCLOAK_CLIENT_REALM
GRAPH_KEYCLOAK_CLIENT_REALM | string | | The realm the client is defined in.| | OCIS_KEYCLOAK_USER_REALM
GRAPH_KEYCLOAK_USER_REALM | string | | The realm users are defined.| -| OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY
GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY | bool | false | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.| \ No newline at end of file +| OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY
GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY | bool | false | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.| +| OCIS_SERVICE_ACCOUNT_ID
GRAPH_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.| +| OCIS_SERVICE_ACCOUNT_SECRET
GRAPH_SERVICE_ACCOUNT_SECRET | string | | The service account secret.| \ No newline at end of file diff --git a/services/_includes/notifications-config-example.yaml b/services/_includes/notifications-config-example.yaml index 96dea5f8604..878b923eb2b 100644 --- a/services/_includes/notifications-config-example.yaml +++ b/services/_includes/notifications-config-example.yaml @@ -33,7 +33,6 @@ notifications: tls_insecure: false tls_root_ca_certificate: "" enable_tls: false - machine_auth_api_key: "" email_template_path: "" translation_path: "" reva_gateway: com.owncloud.api.gateway @@ -41,3 +40,6 @@ notifications: grpc_client_tls: mode: "" cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/services/_includes/notifications_configvars.md b/services/_includes/notifications_configvars.md index eb5aa441ef1..029142ce024 100644 --- a/services/_includes/notifications_configvars.md +++ b/services/_includes/notifications_configvars.md @@ -28,9 +28,10 @@ | OCIS_INSECURE
NOTIFICATIONS_EVENTS_TLS_INSECURE | bool | false | Whether to verify the server TLS certificates.| | OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE
NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE | string | | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.| | OCIS_EVENTS_ENABLE_TLS
NOTIFICATIONS_EVENTS_ENABLE_TLS | bool | false | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..| -| OCIS_MACHINE_AUTH_API_KEY
NOTIFICATIONS_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary to access resources from other services.| | OCIS_EMAIL_TEMPLATE_PATH
NOTIFICATIONS_EMAIL_TEMPLATE_PATH | string | | Path to Email notification templates overriding embedded ones.| | OCIS_TRANSLATION_PATH,NOTIFICATIONS_TRANSLATION_PATH | string | | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.| | OCIS_REVA_GATEWAY | string | com.owncloud.api.gateway | CS3 gateway used to look up user metadata| | OCIS_GRPC_CLIENT_TLS_MODE | string | | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.| -| OCIS_GRPC_CLIENT_TLS_CACERT | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.| \ No newline at end of file +| OCIS_GRPC_CLIENT_TLS_CACERT | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.| +| OCIS_SERVICE_ACCOUNT_ID
NOTIFICATIONS_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.| +| OCIS_SERVICE_ACCOUNT_SECRET
NOTIFICATIONS_SERVICE_ACCOUNT_SECRET | string | | The service account secret.| \ No newline at end of file diff --git a/services/_includes/search-config-example.yaml b/services/_includes/search-config-example.yaml index f2856260775..7969f8e421b 100644 --- a/services/_includes/search-config-example.yaml +++ b/services/_includes/search-config-example.yaml @@ -46,4 +46,6 @@ extractor: tika: tika_url: http://127.0.0.1:9998 content_extraction_size_limit: 20971520 -machine_auth_api_key: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/services/_includes/search_configvars.md b/services/_includes/search_configvars.md index 4dd441959e6..c1ab00e987d 100644 --- a/services/_includes/search_configvars.md +++ b/services/_includes/search_configvars.md @@ -33,4 +33,5 @@ | OCIS_INSECURE
SEARCH_EXTRACTOR_CS3SOURCE_INSECURE | bool | false | Ignore untrusted SSL certificates when connecting to the CS3 source.| | SEARCH_EXTRACTOR_TIKA_TIKA_URL | string | http://127.0.0.1:9998 | URL of the tika server.| | SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT | uint64 | 20971520 | Maximum file size in bytes that is allowed for content extraction.| -| OCIS_MACHINE_AUTH_API_KEY
SEARCH_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.| \ No newline at end of file +| OCIS_SERVICE_ACCOUNT_ID
SEARCH_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.| +| OCIS_SERVICE_ACCOUNT_SECRET
SEARCH_SERVICE_ACCOUNT_SECRET | string | | The service account secret.| \ No newline at end of file diff --git a/services/_includes/settings-config-example.yaml b/services/_includes/settings-config-example.yaml index 6df28289fbb..321e43cfde6 100644 --- a/services/_includes/settings-config-example.yaml +++ b/services/_includes/settings-config-example.yaml @@ -66,3 +66,4 @@ admin_user_id: "" token_manager: jwt_secret: "" set_default_assignments: false +service_account_id_admin: service-user-id diff --git a/services/_includes/settings_configvars.md b/services/_includes/settings_configvars.md index 05cedf43d6c..8bae9fa3a11 100644 --- a/services/_includes/settings_configvars.md +++ b/services/_includes/settings_configvars.md @@ -41,4 +41,5 @@ | SETTINGS_BUNDLES_PATH | string | | The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.| | OCIS_ADMIN_USER_ID
SETTINGS_ADMIN_USER_ID | string | | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.| | OCIS_JWT_SECRET
SETTINGS_JWT_SECRET | string | | The secret to mint and validate jwt tokens.| -| SETTINGS_SETUP_DEFAULT_ASSIGNMENTS
IDM_CREATE_DEMO_USERS | bool | false | The default role assignments the demo users should be setup.| \ No newline at end of file +| SETTINGS_SETUP_DEFAULT_ASSIGNMENTS
IDM_CREATE_DEMO_USERS | bool | false | The default role assignments the demo users should be setup.| +| OCIS_SERVICE_ACCOUNT_ID
SETTINGS_SERVICE_ACCOUNT_ID_ADMIN | string | service-user-id | The ID of the service account having the admin role. See the 'auth-service' service description for more details.| \ No newline at end of file diff --git a/services/_includes/storage-users-config-example.yaml b/services/_includes/storage-users-config-example.yaml index 146904c1131..b26c2f1a7fa 100644 --- a/services/_includes/storage-users-config-example.yaml +++ b/services/_includes/storage-users-config-example.yaml @@ -118,3 +118,6 @@ tasks: user_id: "" personal_delete_before: 720h0m0s project_delete_before: 720h0m0s +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/services/_includes/storage-users_configvars.md b/services/_includes/storage-users_configvars.md index ade48d770b1..9fbe1705163 100644 --- a/services/_includes/storage-users_configvars.md +++ b/services/_includes/storage-users_configvars.md @@ -96,4 +96,6 @@ | STORAGE_USERS_UPLOAD_EXPIRATION | int64 | 86400 | Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.| | OCIS_ADMIN_USER_ID
STORAGE_USERS_PURGE_TRASH_BIN_USER_ID | string | | ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.|
 | STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE | Duration | 720h0m0s | Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. The value is human-readable, valid values are '24h', '60m', '60s' etc.|
-| STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE | Duration | 720h0m0s | Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. The value is human-readable, valid values are '24h', '60m', '60s' etc.|
\ No newline at end of file
+| STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE | Duration | 720h0m0s | Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. The value is human-readable, valid values are '24h', '60m', '60s' etc.|
+| OCIS_SERVICE_ACCOUNT_ID
STORAGE_USERS_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.|
+| OCIS_SERVICE_ACCOUNT_SECRET
STORAGE_USERS_SERVICE_ACCOUNT_SECRET | string | | The service account secret.|
\ No newline at end of file
diff --git a/services/_includes/userlog-config-example.yaml b/services/_includes/userlog-config-example.yaml
index 55828133331..70d14c8e674 100644
--- a/services/_includes/userlog-config-example.yaml
+++ b/services/_includes/userlog-config-example.yaml
@@ -58,3 +58,6 @@ persistence:
 size: 0
 disable_sse: false
 global_notifications_secret: ""
+service_account:
+ service_account_id: ""
+ service_account_secret: ""
diff --git a/services/_includes/userlog_configvars.md b/services/_includes/userlog_configvars.md
index a8fa135ea01..e342d40bfb4 100644
--- a/services/_includes/userlog_configvars.md
+++ b/services/_includes/userlog_configvars.md
@@ -39,4 +39,6 @@
 | OCIS_PERSISTENT_STORE_TTL
USERLOG_STORE_TTL | Duration | 336h0m0s | Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks).|
 | OCIS_PERSISTENT_STORE_SIZE
USERLOG_STORE_SIZE | int | 0 | The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512.|
 | OCIS_DISABLE_SSE,USERLOG_DISABLE_SSE | bool | false | Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.|
-| USERLOG_GLOBAL_NOTIFICATIONS_SECRET | string | | The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.|
\ No newline at end of file
+| USERLOG_GLOBAL_NOTIFICATIONS_SECRET | string | | The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.|
+| OCIS_SERVICE_ACCOUNT_ID
USERLOG_SERVICE_ACCOUNT_ID | string | | The ID of the service account the service should use. See the 'auth-service' service description for more details.|
+| OCIS_SERVICE_ACCOUNT_SECRET
USERLOG_SERVICE_ACCOUNT_SECRET | string | | The service account secret.|
\ No newline at end of file
diff --git a/services/antivirus/_index.md b/services/antivirus/_index.md
index f0c19378451..5446e3e2d94 100644
--- a/services/antivirus/_index.md
+++ b/services/antivirus/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Antivirus
-date: 2023-08-31T09:23:29.883092293Z
+date: 2023-08-31T11:17:46.660813973Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/antivirus
diff --git a/services/audit/_index.md b/services/audit/_index.md
index 5fbd8e01e9d..44bed8a72e6 100644
--- a/services/audit/_index.md
+++ b/services/audit/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Audit
-date: 2023-08-31T09:23:29.883326301Z
+date: 2023-08-31T11:17:46.66103565Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/audit
diff --git a/services/auth-basic/_index.md b/services/auth-basic/_index.md
index 836e8058063..1b9ee80a652 100644
--- a/services/auth-basic/_index.md
+++ b/services/auth-basic/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Auth-Basic
-date: 2023-08-31T09:23:29.883417061Z
+date: 2023-08-31T11:17:46.661295907Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/auth-basic
@@ -22,12 +22,21 @@ To enable `auth-basic`, you first must set `PROXY_ENABLE_BASIC_AUTH` to `true`. ## Table of Contents +* [The `auth` Service Family](#the-`auth`-service-family) * [Auth Managers](#auth-managers) * [LDAP Auth Manager](#ldap-auth-manager) * [Other Auth Managers](#other-auth-managers) * [Scalability](#scalability) * [Example Yaml Config](#example-yaml-config) +## The `auth` Service Family + +ocis uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: + - `auth-basic` handles basic authentication + - `auth-bearer` handles oidc authentication + - `auth-machine` handles interservice authentication when a user is impersonated + - `auth-service` handles interservice authentication when using service accounts + ## Auth Managers Since the `auth-basic` service does not do any validation itself, it needs to be configured with an authentication manager. One can use the `AUTH_BASIC_AUTH_MANAGER` environment variable to configure this. Currently only one auth manager is supported: `"ldap"` diff --git a/services/auth-bearer/_index.md b/services/auth-bearer/_index.md index 75bc8270fc3..460ae27b15d 100644 --- a/services/auth-bearer/_index.md +++ b/services/auth-bearer/_index.md @@ -1,6 +1,6 @@ --- title: Auth-Bearer -date: 2023-08-31T09:23:29.883510335Z +date: 2023-08-31T11:17:46.661416063Z weight: 20 geekdocRepo: https://github.com/owncloud/ocis geekdocEditPath: edit/master/services/auth-bearer 
@@ -18,11 +18,20 @@ The oCIS Auth Bearer service communicates with the configured OpenID Connect ide ## Table of Contents -* [Built in OpenID Connect identity provider](#built-in-openid-connect-identity-provider) +* [The `auth` Service Family](#the-`auth`-service-family) +* [Built in OpenID Connect Identity Provider](#built-in-openid-connect-identity-provider) * [Scalability](#scalability) * [Example Yaml Config](#example-yaml-config) -## Built in OpenID Connect identity provider +## The `auth` Service Family + +ocis uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: + - `auth-basic` handles basic authentication + - `auth-bearer` handles oidc authentication + - `auth-machine` handles interservice authentication when a user is impersonated + - `auth-service` handles interservice authentication when using service accounts + +## Built in OpenID Connect Identity Provider A default oCIS deployment will start a [built in OpenID Connect identity provider](https://github.com/owncloud/ocis/tree/master/services/idp) but can be configured to use an external one as well. diff --git a/services/auth-machine/_index.md b/services/auth-machine/_index.md index edb7c4afd26..69885538e3c 100644 --- a/services/auth-machine/_index.md +++ b/services/auth-machine/_index.md 
@@ -1,16 +1,42 @@ --- title: Auth-Machine -date: 2022-03-02T00:00:00+00:00 +date: 2023-08-31T11:17:46.661520157Z weight: 20 geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/auth-machine -geekdocFilePath: _index.md +geekdocEditPath: edit/master/services/auth-machine +geekdocFilePath: README.md geekdocCollapseSection: true --- + + ## Abstract +The oCIS Auth Machine is used for interservice communication when using user impersonation. + +ocis uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: + - `auth-basic` handles basic authentication + - `auth-bearer` handles oidc authentication + - `auth-machine` handles interservice authentication when a user is impersonated + - `auth-service` handles interservice authentication when using service accounts + + ## Table of Contents -{{< toc-tree >}} +* [User Impersonation](#user-impersonation) +* [Deprecation](#deprecation) +* [Example Yaml Config](#example-yaml-config) + +## User Impersonation + +When one ocis service is trying to talk to other ocis services, it needs to authenticate itself. To do so, it will impersonate a user using the `auth-machine` service. It will then act on behalf of this user. Any action will show up as action of this specific user, which gets visible when e.g. logged in the audit log. + +## Deprecation + +With the upcoming `auth-service` service, the `auth-machine` service will be used less frequently and is probably a candidate for deprecation. +## Example Yaml Config +{{< include file="services/_includes/auth-machine-config-example.yaml" language="yaml" >}} + +{{< include file="services/_includes/auth-machine_configvars.md" >}} + diff --git a/services/eventhistory/_index.md b/services/eventhistory/_index.md index 005cb3a21a1..b864cb4b529 100644 
--- a/services/eventhistory/_index.md
+++ b/services/eventhistory/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Eventhistory
-date: 2023-08-31T09:23:29.883636151Z
+date: 2023-08-31T11:17:46.661800473Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/eventhistory
diff --git a/services/frontend/_index.md b/services/frontend/_index.md
index ae9e1e82c40..eb481b274bd 100644
--- a/services/frontend/_index.md
+++ b/services/frontend/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Frontend
-date: 2023-08-31T09:23:29.883747709Z
+date: 2023-08-31T11:17:46.661941878Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/frontend
diff --git a/services/gateway/_index.md b/services/gateway/_index.md
index 32b0092bc80..eb745d1b792 100644
--- a/services/gateway/_index.md
+++ b/services/gateway/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Gateway
-date: 2023-08-31T09:23:29.883913198Z
+date: 2023-08-31T11:17:46.662088603Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/gateway
diff --git a/services/graph/_index.md b/services/graph/_index.md
index 11a6b95ab79..b387a56e175 100644
--- a/services/graph/_index.md
+++ b/services/graph/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Graph
-date: 2023-08-31T09:23:29.884033724Z
+date: 2023-08-31T11:17:46.662197157Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/graph
diff --git a/services/idm/_index.md b/services/idm/_index.md
index d3d5ba99680..db3a35439fd 100644
--- a/services/idm/_index.md
+++ b/services/idm/_index.md
@@ -1,6 +1,6 @@
 ---
 title: IDM
-date: 2023-08-31T09:23:29.884222688Z
+date: 2023-08-31T11:17:46.662306652Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/idm
diff --git a/services/idp/_index.md b/services/idp/_index.md
index 7ccf937e9e4..0b6ff37b275 100644
--- a/services/idp/_index.md
+++ b/services/idp/_index.md
@@ -1,6 +1,6 @@
 ---
 title: IDP
-date: 2023-08-31T09:23:29.88431438Z
+date: 2023-08-31T11:17:46.662416969Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/idp
diff --git a/services/invitations/_index.md b/services/invitations/_index.md
index 8c40a1a4abc..62142d4be9e 100644
--- a/services/invitations/_index.md
+++ b/services/invitations/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Invitations
-date: 2023-08-31T09:23:29.884404617Z
+date: 2023-08-31T11:17:46.662526665Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/invitations
diff --git a/services/nats/_index.md b/services/nats/_index.md
index 8337104a12b..6540b5171d8 100644
--- a/services/nats/_index.md
+++ b/services/nats/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Nats
-date: 2023-08-31T09:23:29.884519123Z
+date: 2023-08-31T11:17:46.662659284Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/nats
diff --git a/services/notifications/_index.md b/services/notifications/_index.md
index 4780d73b3b1..43481339b00 100644
--- a/services/notifications/_index.md
+++ b/services/notifications/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Notification
-date: 2023-08-31T09:23:29.884669784Z
+date: 2023-08-31T11:17:46.662774319Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/notifications
diff --git a/services/ocdav/_index.md b/services/ocdav/_index.md
index 6bb5d848b65..1fe8e815ec3 100644
--- a/services/ocdav/_index.md
+++ b/services/ocdav/_index.md
@@ -1,6 +1,6 @@
 ---
 title: ocDAV
-date: 2023-08-31T09:23:29.884777434Z
+date: 2023-08-31T11:17:46.662911917Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/ocdav
diff --git a/services/ocs/_index.md b/services/ocs/_index.md
index 14807ace979..2ca7c2631eb 100644
--- a/services/ocs/_index.md
+++ b/services/ocs/_index.md
@@ -1,6 +1,6 @@
 ---
 title: OCS
-date: 2023-08-31T09:23:29.884914101Z
+date: 2023-08-31T11:17:46.663040568Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/ocs
diff --git a/services/policies/_index.md b/services/policies/_index.md
index d3b9c429ae6..959143b36d3 100644
--- a/services/policies/_index.md
+++ b/services/policies/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Policies
-date: 2023-08-31T09:23:29.885045396Z
+date: 2023-08-31T11:17:46.663186491Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/policies
diff --git a/services/postprocessing/_index.md b/services/postprocessing/_index.md
index 7f96da60215..13df3afba75 100644
--- a/services/postprocessing/_index.md
+++ b/services/postprocessing/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Postprocessing
-date: 2023-08-31T09:23:29.885230953Z
+date: 2023-08-31T11:17:46.663384553Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/postprocessing
diff --git a/services/proxy/_index.md b/services/proxy/_index.md
index 92f5bca0079..01c41bf3fea 100644
--- a/services/proxy/_index.md
+++ b/services/proxy/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Proxy
-date: 2023-08-31T09:23:29.885362921Z
+date: 2023-08-31T11:17:46.663551937Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/proxy
diff --git a/services/search/_index.md b/services/search/_index.md
index c427c5a9566..c88b123b55d 100644
--- a/services/search/_index.md
+++ b/services/search/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Search
-date: 2023-08-31T09:23:29.885534792Z
+date: 2023-08-31T11:17:46.6637882Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/search
diff --git a/services/settings/_index.md b/services/settings/_index.md
index 32409572dd2..d9c39bc1cf5 100644
--- a/services/settings/_index.md
+++ b/services/settings/_index.md
@@ -1,6 +1,6 @@ --- title: Settings -date: 2023-08-31T09:23:29.885714087Z +date: 2023-08-31T11:17:46.663979769Z weight: 20 geekdocRepo: https://github.com/owncloud/ocis geekdocEditPath: edit/master/services/settings @@ -21,7 +21,7 @@ The settings service is currently used for managing the: * possible user roles and their respective permissions, * assignment of roles to users. -As an example, user profile settings that can be changed in the Web UI must be persistent. +As an example, user profile settings that can be changed in the Web UI must be persistent. The settings service supports two different backends for persisting the data. The backend can be set via the `SETTINGS_STORE_TYPE` environment variable. Supported values are: @@ -53,6 +53,7 @@ graph TD * [Caching](#caching) * [Settings Management](#settings-management) * [Settings Usage](#settings-usage) +* [Service Accounts](#service-accounts) * [Example Yaml Config](#example-yaml-config) ## Caching @@ -88,6 +89,10 @@ Infinite Scale services can register *settings bundles* with the settings servic ## Settings Usage Services can set or query ocis *setting values* of a user from settings bundles. + +## Service Accounts + +The settings service needs to know the ID's of service accounts but it doesn't need their secrets. Currently only one service account can be configured which has the admin role. This can be set with the `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` envvar, but it will also pick up the global `OCIS_SERVICE_ACCOUNT_ID` envvar. Also see the 'auth-service' service description for additional details. ## Example Yaml Config {{< include file="services/_includes/settings-config-example.yaml" language="yaml" >}} diff --git a/services/sse/_index.md b/services/sse/_index.md index 033af044a88..7493613068a 100644 --- a/services/sse/_index.md +++ b/services/sse/_index.md 
@@ -1,6 +1,6 @@
 ---
 title: SSE
-date: 2023-08-31T09:23:29.885829855Z
+date: 2023-08-31T11:17:46.664088213Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/sse
diff --git a/services/storage-system/_index.md b/services/storage-system/_index.md
index d2592bce3be..a4f78036e6a 100644
--- a/services/storage-system/_index.md
+++ b/services/storage-system/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Storage-System
-date: 2023-08-31T09:23:29.885957743Z
+date: 2023-08-31T11:17:46.664350704Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/storage-system
diff --git a/services/storage-users/_index.md b/services/storage-users/_index.md
index acff771c8dc..83eed19fdac 100644
--- a/services/storage-users/_index.md
+++ b/services/storage-users/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Storage-Users
-date: 2023-08-31T09:23:29.886108074Z
+date: 2023-08-31T11:17:46.664508109Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/storage-users
diff --git a/services/thumbnails/_index.md b/services/thumbnails/_index.md
index ee173eed8b2..a5c84906b22 100644
--- a/services/thumbnails/_index.md
+++ b/services/thumbnails/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Thumbnails
-date: 2023-08-31T09:23:29.8862608Z
+date: 2023-08-31T11:17:46.664671756Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/thumbnails
diff --git a/services/userlog/_index.md b/services/userlog/_index.md
index 57e53d38efb..dc1ca5cd32e 100644
--- a/services/userlog/_index.md
+++ b/services/userlog/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Userlog
-date: 2023-08-31T09:23:29.886410791Z
+date: 2023-08-31T11:17:46.664803343Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/userlog
diff --git a/services/web/_index.md b/services/web/_index.md
index 163a65b64d2..24da62a00c5 100644
--- a/services/web/_index.md
+++ b/services/web/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Web
-date: 2023-08-31T09:23:29.886533491Z
+date: 2023-08-31T11:17:46.664942454Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/web
diff --git a/services/webdav/_index.md b/services/webdav/_index.md
index 3039820279c..28b2cf4c27a 100644
--- a/services/webdav/_index.md
+++ b/services/webdav/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Webdav
-date: 2023-08-31T09:23:29.886621455Z
+date: 2023-08-31T11:17:46.665033334Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/webdav
diff --git a/services/webfinger/_index.md b/services/webfinger/_index.md
index f99983a6be7..340b049976f 100644
--- a/services/webfinger/_index.md
+++ b/services/webfinger/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Webfinger
-date: 2023-08-31T09:23:29.886764552Z
+date: 2023-08-31T11:17:46.665155513Z
 weight: 20
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/services/webfinger