> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Create > Create mints a decoy credential and returns the one-time vending material exactly once. The Decoy id is server-set; the credential's secret cannot be retrieved again after this response. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/decoys openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/decoys: post: tags: - Decoy summary: Create description: |- Create mints a decoy credential and returns the one-time vending material exactly once. The Decoy id is server-set; the credential's secret cannot be retrieved again after this response. operationId: c1.api.decoy.v1.DecoyService.Create requestBody: content: application/json: schema: $ref: '#/components/schemas/c1.api.decoy.v1.DecoyServiceCreateRequest' responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyServiceCreateResponse description: Successful response x-codeSamples: - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.decoy.create(); console.log(result); } run(); components: schemas: c1.api.decoy.v1.DecoyServiceCreateRequest: description: > The DecoyServiceCreateRequest message. This message contains a oneof named create_input. Only a single field of the following list may be set at a time: - userClientCredential - connectorClient - workloadFed - accessToken properties: accessToken: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyAccessTokenInput' - type: 'null' annotations: additionalProperties: type: string description: The annotations field. type: object connectorClient: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyConnectorClientInput' - type: 'null' description: description: The description field. type: - string - 'null' displayName: description: The displayName field. type: - string - 'null' userClientCredential: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyUserClientCredentialInput - type: 'null' workloadFed: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyWorkloadFederationInput - type: 'null' title: Decoy Service Create Request type: object x-speakeasy-name-override: DecoyServiceCreateRequest c1.api.decoy.v1.DecoyServiceCreateResponse: description: The DecoyServiceCreateResponse message. properties: decoy: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.Decoy' - type: 'null' material: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyVendingMaterial' - type: 'null' title: Decoy Service Create Response type: object x-speakeasy-name-override: DecoyServiceCreateResponse c1.api.decoy.v1.DecoyAccessTokenInput: description: |- DecoyAccessTokenInput mints a session access-token decoy under an existing User. properties: expiresIn: format: duration type: - string - 'null' subjectUserId: description: Existing User the access token's subject claim references. type: - string - 'null' title: Decoy Access Token Input type: object x-speakeasy-name-override: DecoyAccessTokenInput c1.api.decoy.v1.DecoyConnectorClientInput: description: |- DecoyConnectorClientInput plants a connector-shaped credential decoy. The server allocates placement under the tenant's ConductorOne app; the customer makes no app/connector choice. title: Decoy Connector Client Input type: object x-speakeasy-name-override: DecoyConnectorClientInput c1.api.decoy.v1.DecoyUserClientCredentialInput: description: |- DecoyUserClientCredentialInput plants a client-credential decoy under an existing User. The User must be typ=HUMAN or typ=SERVICE. properties: userId: description: Existing User to plant the decoy credential under. type: - string - 'null' title: Decoy User Client Credential Input type: object x-speakeasy-name-override: DecoyUserClientCredentialInput c1.api.decoy.v1.DecoyWorkloadFederationInput: description: |- DecoyWorkloadFederationInput plants a workload-federation-trust decoy under an existing Provider. The Provider must already be registered so its JWKS is reachable for signature verification. properties: conditionExpression: description: |- CEL boolean evaluated against the presented JWT's claims map. Same shape as the regular WorkloadFederationTrust condition expression. Example: `claims.sub.startsWith("repo:acme/fake-infra:")`. type: - string - 'null' providerId: description: Existing WorkloadFederationProvider to bind the decoy Trust under. type: - string - 'null' servicePrincipalUserId: description: Existing SERVICE-typed User the Trust would act-as on match. type: - string - 'null' title: Decoy Workload Federation Input type: object x-speakeasy-name-override: DecoyWorkloadFederationInput c1.api.decoy.v1.Decoy: description: |- Decoy is the read projection of a planted honey-credential. All fields except annotations are server-managed. properties: annotations: additionalProperties: type: string description: |- Customer-defined grouping/filtering bag. PATCH semantics on Update: keys in the request overwrite, keys missing stay, keys set to empty string delete. Copied onto the Finding produced when a decoy fires, so routing rules can condition on the same keys. type: object x-speakeasy-terraform-plan-modifier: imports: - >- github.com/conductorone/terraform-provider-conductorone/internal/annotations schemaDefinition: annotations.PlanModifier() createdAt: format: date-time readOnly: true type: - string - 'null' description: description: The description field. type: - string - 'null' disabled: description: Admin-disabled. type: - boolean - 'null' displayName: description: The displayName field. type: - string - 'null' id: description: The id field. readOnly: true type: - string - 'null' kind: description: The kind field. enum: - DECOY_KIND_UNSPECIFIED - DECOY_KIND_USER_CLIENT_CREDENTIAL - DECOY_KIND_CONNECTOR_CLIENT - DECOY_KIND_WORKLOAD_FEDERATION - DECOY_KIND_ACCESS_TOKEN readOnly: true type: - string - 'null' x-speakeasy-unknown-values: allow lastUsedAt: format: date-time readOnly: true type: - string - 'null' materialFingerprintSha256: description: |- Hex-encoded SHA256 of the secret string vended at Create / Rotate. Stable for the decoy's current material; changes only on Rotate. Empty for WorkloadFederation decoys (no server-vended secret). readOnly: true type: - string - 'null' updatedAt: format: date-time readOnly: true type: - string - 'null' title: Decoy type: object x-speakeasy-name-override: Decoy c1.api.decoy.v1.DecoyVendingMaterial: description: > DecoyVendingMaterial carries the freshly-vended secret material returned exactly once at Create or Rotate. This message contains a oneof named material. Only a single field of the following list may be set at a time: - clientCredential - accessToken - workloadFederation properties: accessToken: oneOf: - $ref: '#/components/schemas/c1.api.decoy.v1.DecoyAccessTokenMaterial' - type: 'null' clientCredential: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyClientCredentialMaterial - type: 'null' workloadFederation: oneOf: - $ref: >- #/components/schemas/c1.api.decoy.v1.DecoyWorkloadFederationMaterial - type: 'null' title: Decoy Vending Material type: object x-speakeasy-name-override: DecoyVendingMaterial c1.api.decoy.v1.DecoyAccessTokenMaterial: description: DecoyAccessTokenMaterial is returned for AccessToken decoys. properties: accessToken: description: The accessToken field. type: - string - 'null' title: Decoy Access Token Material type: object x-speakeasy-name-override: DecoyAccessTokenMaterial c1.api.decoy.v1.DecoyClientCredentialMaterial: description: |- DecoyClientCredentialMaterial is returned for UserClientCredential and ConnectorClient decoys. properties: clientId: description: The clientId field. type: - string - 'null' clientSecret: description: The clientSecret field. type: - string - 'null' title: Decoy Client Credential Material type: object x-speakeasy-name-override: DecoyClientCredentialMaterial c1.api.decoy.v1.DecoyWorkloadFederationMaterial: description: |- DecoyWorkloadFederationMaterial is returned for WorkloadFederation decoys. No vended secret; the operator binds the trust on the IdP side. properties: workloadFederationTrustId: description: The workloadFederationTrustId field. type: - string - 'null' title: Decoy Workload Federation Material type: object x-speakeasy-name-override: DecoyWorkloadFederationMaterial securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````