Target audience
Workspace administrators and developers managing Service Account–based integrations.
Overview
This article covers how to connect (mount) the LucidLink daemon using a Service Account, common usage patterns for automation workflows, and how to rotate a Service Account's key while actively linked; without unlinking, remounting, or restarting your daemon session.
Mounting with a Service Account
The LucidLink desktop daemon can mount with a service account by using LucidLink's CLI (lucid help, lucid help daemon, and lucid help link).
Service accounts can be used to connect to a filespace through the CLI, even to workspaces with required SSO or enforced 2FA.
Example usage commands:
Start a daemon and directly connect to a filespace:
lucid [--instance N] daemon --fs filespace.name --login-token [token]Connect an already running daemon:
lucid [--instance N] link --fs filespace.name --login-token [token]
Rotating a Service Account Key
Generate a new key: In your workspace's Service Accounts settings (Web or Desktop app), create a new key for the service account you want to rotate. See “Getting Started with Service Accounts: API Authentication” for the key management steps.
Run the rotation command: From the machine running the linked daemon, run the rotate-credentials command with another valid login token for the current service account:
lucid [--instance N] rotate-credentials --login-token [token]Confirm the swap: The daemon continues running under the new key without disconnecting.
Revoke the old key: Once you've confirmed the new key is working, delete the old key from the Service Accounts management interface to complete the rotation.
System Requirements & Compatibility
For overall the service account ability the client version needs to be 3.3.7766 or later.
For the rotation of service account key the client version needs to be 3.7.8468 or later.
Frequently Asked Questions
Do I need to restart the client to rotate a key?
No. Rotation happens while your daemon stays linked and mounted, no restart or remount required.
Can I reuse a one-time login token after rotating to it?
No. One-time login tokens are single-use. Once you rotate to one and later unlink, that same token can't be used to link again.
What happens if I try to rotate to a key from a different account, or one that's expired or deleted?
Before rotating credentials, LucidLink validates that the new login token belongs to the same service account context as the currently linked daemon session. If any of the values for the context do not match (several ids and crypto information), the rotation is rejected and the daemon remains linked with its current token.