> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Get > Get an app entitlement by ID. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples get /api/v1/apps/{app_id}/entitlements/{id} openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/apps/{app_id}/entitlements/{id}: get: tags: - App Entitlement summary: Get description: Get an app entitlement by ID. operationId: c1.api.app.v1.AppEntitlements.Get parameters: - in: path name: app_id required: true schema: description: The appId field. type: string - in: path name: id required: true schema: description: The id field. type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/c1.api.app.v1.GetAppEntitlementResponse' description: >- The get app entitlement response returns an entitlement view containing paths in the expanded array for the objects expanded as indicated by the expand mask in the request. x-codeSamples: - lang: go label: Get source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/operations\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.AppEntitlements.Get(ctx, operations.C1APIAppV1AppEntitlementsGetRequest{\n AppID: \"\",\n ID: \"\",\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.GetAppEntitlementResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.appEntitlements.get({ appId: "", id: "", }); console.log(result); } run(); components: schemas: c1.api.app.v1.GetAppEntitlementResponse: description: >- The get app entitlement response returns an entitlement view containing paths in the expanded array for the objects expanded as indicated by the expand mask in the request. properties: appEntitlementView: oneOf: - $ref: '#/components/schemas/c1.api.app.v1.AppEntitlementView' - type: 'null' expanded: description: List of serialized related objects. items: additionalProperties: true description: >- Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. properties: '@type': description: The type of the serialized message. type: string type: object type: - array - 'null' title: Get App Entitlement Response type: object x-speakeasy-name-override: GetAppEntitlementResponse c1.api.app.v1.AppEntitlementView: description: >- The app entitlement view contains the serialized app entitlement and paths to objects referenced by the app entitlement. properties: appEntitlement: oneOf: - $ref: '#/components/schemas/c1.api.app.v1.AppEntitlement' - type: 'null' appPath: description: >- JSONPATH expression indicating the location of the App object in the array. type: - string - 'null' appResourcePath: description: >- JSONPATH expression indicating the location of the App Resource Type object in the expanded array. type: - string - 'null' appResourceTypePath: description: >- JSONPATH expression indicating the location of the App Resource object in the array. type: - string - 'null' objectPermissions: oneOf: - $ref: '#/components/schemas/c1.api.iam.v1.ActorObjectPermissions' - type: 'null' title: App Entitlement View type: object x-speakeasy-name-override: AppEntitlementView c1.api.app.v1.AppEntitlement: description: > The app entitlement represents one permission in a downstream App (SAAS) that can be granted. For example, GitHub Read vs GitHub Write. This message contains a oneof named max_grant_duration. Only a single field of the following list may be set at a time: - durationUnset - durationGrant properties: alias: description: >- The alias of the app entitlement used by Cone. Also exact-match queryable. type: - string - 'null' annotations: additionalProperties: type: string description: |- Bounded key/value metadata bag for IaC marking and customer tags. See .rfcs/object-annotations.md §2. Limits: ≤16 entries; keys 1–128 chars matching ^[A-Za-z][A-Za-z0-9._/-]{0,127}$; values 0–256 chars URL-safe ASCII; total serialized ≤ 4096 bytes. Keys matching ^c1/ are reserved. Well-known keys: `managed_by`, `iac_workspace`, `iac_resource_address`, `iac_tool_version`. type: object x-speakeasy-terraform-plan-modifier: imports: - >- github.com/conductorone/terraform-provider-conductorone/internal/annotations schemaDefinition: annotations.PlanModifier() appId: description: The ID of the app that is associated with the app entitlement. type: - string - 'null' appResourceId: description: >- The ID of the app resource that is associated with the app entitlement type: - string - 'null' appResourceTypeId: description: >- The ID of the app resource type that is associated with the app entitlement type: - string - 'null' certifyPolicyId: description: >- The ID of the policy that will be used for certify tickets related to the app entitlement. type: - string - 'null' complianceFrameworkValueIds: description: >- The IDs of different compliance frameworks associated with this app entitlement ex (SOX, HIPAA, PCI, etc.) items: type: string type: - array - 'null' createdAt: format: date-time readOnly: true type: - string - 'null' defaultValuesApplied: description: >- Flag to indicate if app-level access request defaults have been applied to the entitlement type: - boolean - 'null' deletedAt: format: date-time readOnly: true type: - string - 'null' deprovisionerPolicy: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ProvisionPolicy' - type: 'null' description: description: The description of the app entitlement. type: - string - 'null' displayName: description: The display name of the app entitlement. type: - string - 'null' durationGrant: format: duration type: - string - 'null' durationUnset: type: - object - 'null' emergencyGrantEnabled: description: >- This enables tasks to be created in an emergency and use a selected emergency access policy. type: - boolean - 'null' emergencyGrantPolicyId: description: >- The ID of the policy that will be used for emergency access grant tasks. type: - string - 'null' externalId: description: >- The upstream product's native external ID for this entitlement (e.g. an Okta group ID). Populated from the connector's external ID during sync. readOnly: true type: - string - 'null' grantCount: description: The amount of grants open for this entitlement format: int64 readOnly: true type: - string - 'null' grantPolicyId: description: >- The ID of the policy that will be used for grant tickets related to the app entitlement. type: - string - 'null' id: description: The unique ID for the App Entitlement. readOnly: true type: - string - 'null' isAutomationEnabled: description: >- Flag to indicate whether automation (for adding users to entitlement based on rules) has been enabled. readOnly: true type: - boolean - 'null' isManuallyManaged: description: Flag to indicate if the app entitlement is manually managed. type: - boolean - 'null' matchBatonId: description: >- An identifier used to match this entitlement to a connector-synced entitlement during sync. type: - string - 'null' overrideAccessRequestsDefaults: description: >- Flag to indicate if the app-level access request settings have been overridden for the entitlement type: - boolean - 'null' provisionerPolicy: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ProvisionPolicy' - type: 'null' purpose: description: >- The purpose of this entitlement (e.g., assignment, permission, ownership). enum: - APP_ENTITLEMENT_PURPOSE_VALUE_UNSPECIFIED - APP_ENTITLEMENT_PURPOSE_VALUE_ASSIGNMENT - APP_ENTITLEMENT_PURPOSE_VALUE_PERMISSION - APP_ENTITLEMENT_PURPOSE_VALUE_OWNERSHIP type: - string - 'null' x-speakeasy-unknown-values: allow requestSchemaId: description: The ID of the request schema associated with this app entitlement. type: - string - 'null' revokePolicyId: description: >- The ID of the policy that will be used for revoke tickets related to the app entitlement type: - string - 'null' riskLevelValueId: description: The ID of the risk level assigned to this entitlement. type: - string - 'null' slug: description: >- The slug is displayed as an oval next to the name in the frontend of C1, it tells you what permission the entitlement grants. See https://www.conductorone.com/docs/product/admin/entitlements/ type: - string - 'null' sourceConnectorIds: additionalProperties: type: string description: Map to tell us which connector the entitlement came from. type: object systemBuiltin: description: This field indicates if this is a system builtin entitlement. readOnly: true type: - boolean - 'null' updatedAt: format: date-time readOnly: true type: - string - 'null' userEditedMask: type: - string - 'null' title: App Entitlement type: object x-speakeasy-entity: Custom App Entitlement x-speakeasy-name-override: AppEntitlement c1.api.iam.v1.ActorObjectPermissions: description: The ActorObjectPermissions message. properties: delete: description: The delete field. type: - boolean - 'null' edit: description: The edit field. type: - boolean - 'null' extra: additionalProperties: type: boolean description: The extra field. type: object read: description: The read field. type: - boolean - 'null' title: Actor Object Permissions type: object x-speakeasy-name-override: ActorObjectPermissions c1.api.policy.v1.ProvisionPolicy: description: > ProvisionPolicy is a oneOf that indicates how a provision step should be processed. This message contains a oneof named typ. Only a single field of the following list may be set at a time: - connector - manual - delegated - webhook - multiStep - externalTicket - unconfigured - action properties: action: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ActionProvision' - type: 'null' connector: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ConnectorProvision' - type: 'null' delegated: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.DelegatedProvision' - type: 'null' externalTicket: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ExternalTicketProvision' - type: 'null' manual: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ManualProvision' - type: 'null' multiStep: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.MultiStep' - type: 'null' unconfigured: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.UnconfiguredProvision' - type: 'null' webhook: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.WebhookProvision' - type: 'null' title: Provision Policy type: object x-speakeasy-name-override: ProvisionPolicy c1.api.policy.v1.ActionProvision: description: >- This provision step indicates that account lifecycle action should be called to provision this entitlement. properties: actionName: description: The actionName field. type: - string - 'null' appId: description: The appId field. type: - string - 'null' connectorId: description: The connectorId field. type: - string - 'null' displayName: description: The displayName field. type: - string - 'null' title: Action Provision type: object x-speakeasy-name-override: ActionProvision c1.api.policy.v1.ConnectorProvision: description: > Indicates that a connector should perform the provisioning. This object has no fields. This message contains a oneof named provision_type. Only a single field of the following list may be set at a time: - defaultBehavior - account - deleteAccount properties: account: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.ConnectorProvision.AccountProvision - type: 'null' defaultBehavior: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.ConnectorProvision.DefaultBehavior - type: 'null' deleteAccount: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.ConnectorProvision.DeleteAccount - type: 'null' title: Connector Provision type: object x-speakeasy-name-override: ConnectorProvision c1.api.policy.v1.DelegatedProvision: description: >- This provision step indicates that we should delegate provisioning to the configuration of another app entitlement. This app entitlement does not have to be one from the same app, but MUST be configured as a proxy binding leading into this entitlement. properties: appId: description: The AppID of the entitlement to delegate provisioning to. type: - string - 'null' entitlementId: description: The ID of the entitlement we are delegating provisioning to. type: - string - 'null' implicit: description: >- If true, a binding will be automatically created from the entitlement of the parent app. type: - boolean - 'null' title: Delegated Provision type: object x-speakeasy-name-override: DelegatedProvision c1.api.policy.v1.ExternalTicketProvision: description: >- This provision step indicates that we should check an external ticket to provision this entitlement properties: appId: description: The appId field. type: - string - 'null' connectorId: description: The connectorId field. type: - string - 'null' externalTicketProvisionerConfigId: description: The externalTicketProvisionerConfigId field. type: - string - 'null' instructions: description: >- This field indicates a text body of instructions for the provisioner to indicate. type: - string - 'null' title: External Ticket Provision type: object x-speakeasy-name-override: ExternalTicketProvision c1.api.policy.v1.ManualProvision: description: >- Manual provisioning indicates that a human must intervene for the provisioning of this step. properties: assignee: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ProvisionerAssignment' - type: 'null' instructions: description: >- This field indicates a text body of instructions for the provisioner to indicate. type: - string - 'null' userIds: description: |- An array of users that are required to provision during this step. Deprecated: Use assignee field instead for dynamic provisioner assignment. items: type: string type: - array - 'null' title: Manual Provision type: object x-speakeasy-name-override: ManualProvision c1.api.policy.v1.MultiStep: description: >- MultiStep indicates that this provision step has multiple steps to process. properties: provisionSteps: description: The array of provision steps to process. items: $ref: '#/components/schemas/c1.api.policy.v1.ProvisionPolicy' type: - array - 'null' title: Multi Step type: object x-speakeasy-name-override: MultiStep c1.api.policy.v1.UnconfiguredProvision: description: The UnconfiguredProvision message. title: Unconfigured Provision type: object x-speakeasy-name-override: UnconfiguredProvision c1.api.policy.v1.WebhookProvision: description: >- This provision step indicates that a webhook should be called to provision this entitlement. properties: webhookId: description: The ID of the webhook to call for provisioning. type: - string - 'null' title: Webhook Provision type: object x-speakeasy-name-override: WebhookProvision c1.api.policy.v1.ConnectorProvision.AccountProvision: description: > The AccountProvision message. This message contains a oneof named storage_type. Only a single field of the following list may be set at a time: - saveToVault - doNotSave properties: config: additionalProperties: true type: - object - 'null' connectorId: description: The connectorId field. type: - string - 'null' doNotSave: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.ConnectorProvision.DoNotSave - type: 'null' saveToVault: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.ConnectorProvision.SaveToVault - type: 'null' schemaId: description: The schemaId field. type: - string - 'null' title: Account Provision type: object x-speakeasy-name-override: AccountProvision c1.api.policy.v1.ConnectorProvision.DefaultBehavior: description: The DefaultBehavior message. properties: connectorId: description: >- this checks if the entitlement is enabled by provisioning in a specific connector this can happen automatically and doesn't need any extra info type: - string - 'null' title: Default Behavior type: object x-speakeasy-name-override: DefaultBehavior c1.api.policy.v1.ConnectorProvision.DeleteAccount: description: The DeleteAccount message. properties: connectorId: description: The connectorId field. type: - string - 'null' title: Delete Account type: object x-speakeasy-name-override: DeleteAccount c1.api.policy.v1.ProvisionerAssignment: description: > ProvisionerAssignment defines how a provisioner is dynamically assigned. This message contains a oneof named typ. Only a single field of the following list may be set at a time: - users - appOwners - group - manager - expression - entitlementOwners properties: appOwners: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.AppOwnerProvisioner' - type: 'null' entitlementOwners: oneOf: - $ref: >- #/components/schemas/c1.api.policy.v1.EntitlementOwnerProvisioner - type: 'null' expression: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ExpressionProvisioner' - type: 'null' group: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.GroupProvisioner' - type: 'null' manager: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.ManagerProvisioner' - type: 'null' users: oneOf: - $ref: '#/components/schemas/c1.api.policy.v1.UserProvisioner' - type: 'null' title: Provisioner Assignment type: object x-speakeasy-name-override: ProvisionerAssignment c1.api.policy.v1.ConnectorProvision.DoNotSave: description: The DoNotSave message. title: Do Not Save type: object x-speakeasy-name-override: DoNotSave c1.api.policy.v1.ConnectorProvision.SaveToVault: description: The SaveToVault message. properties: vaultIds: description: The vaultIds field. items: type: string type: - array - 'null' title: Save To Vault type: object x-speakeasy-name-override: SaveToVault c1.api.policy.v1.AppOwnerProvisioner: description: AppOwnerProvisioner resolves to app owners. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' fallbackUserIds: description: Fallback user IDs if no app owners are found. items: type: string type: - array - 'null' title: App Owner Provisioner type: object x-speakeasy-name-override: AppOwnerProvisioner c1.api.policy.v1.EntitlementOwnerProvisioner: description: EntitlementOwnerProvisioner resolves to entitlement owners. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' fallbackUserIds: description: Fallback user IDs if no entitlement owners are found. items: type: string type: - array - 'null' title: Entitlement Owner Provisioner type: object x-speakeasy-name-override: EntitlementOwnerProvisioner c1.api.policy.v1.ExpressionProvisioner: description: >- ExpressionProvisioner evaluates CEL expressions to determine provisioners. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' expressions: description: The CEL expressions to evaluate. items: type: string type: - array - 'null' fallbackUserIds: description: Fallback user IDs if expression evaluation yields no users. items: type: string type: - array - 'null' title: Expression Provisioner type: object x-speakeasy-name-override: ExpressionProvisioner c1.api.policy.v1.GroupProvisioner: description: GroupProvisioner resolves to members of a specific group. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' appGroupId: description: The app group ID (entitlement ID). type: - string - 'null' appId: description: The app ID containing the group. type: - string - 'null' fallbackUserIds: description: Fallback user IDs if no group members are found. items: type: string type: - array - 'null' title: Group Provisioner type: object x-speakeasy-name-override: GroupProvisioner c1.api.policy.v1.ManagerProvisioner: description: ManagerProvisioner resolves to the user's manager. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' fallbackUserIds: description: Fallback user IDs if no manager is found. items: type: string type: - array - 'null' title: Manager Provisioner type: object x-speakeasy-name-override: ManagerProvisioner c1.api.policy.v1.UserProvisioner: description: UserProvisioner assigns specific users as provisioners. properties: allowReassignment: description: Whether the provisioner can reassign the task. type: - boolean - 'null' userIds: description: The user IDs to assign as provisioners. items: type: string type: - array - 'null' title: User Provisioner type: object x-speakeasy-name-override: UserProvisioner securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````