
# Create Provider

> CreateProvider registers a new external OIDC issuer for the tenant.
> It validates the issuer URL synchronously via OIDC discovery.



## OpenAPI

````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/workload_federation/providers
# OpenAPI 3.1 document for the C1 HTTP API. The paths section shown on this
# page holds a single operation: POST /api/v1/workload_federation/providers.
openapi: 3.1.0
info:
  description: The C1 API is a HTTP API for managing C1 resources.
  title: C1 API
  version: 0.1.0-alpha
servers:
  # Per-tenant base URL; {tenantDomain} is filled in from the variable below.
  - description: The C1 API server for the current tenant.
    url: https://{tenantDomain}.conductor.one
    variables:
      tenantDomain:
        # The default is the literal string `example`; presumably a
        # placeholder that callers replace with their own tenant.
        default: example
        description: The domain of the tenant to use for this request.
# Global security requirement; it applies to every operation that does not
# declare its own `security`. Both schemes are keys of ONE requirement
# object. In OpenAPI, schemes inside the same requirement object must all be
# satisfied together; alternatives are written as separate list items.
# NOTE(review): if a bearer token alone, or an OAuth2 client-credentials
# token alone, is meant to be sufficient, confirm this AND-form is intended.
security:
  - bearerAuth: []
    oauth: []
paths:
  # Registers an external workload-identity issuer for the tenant. The
  # summary and description speak of OIDC issuers only, but the request
  # schema also accepts SPIFFE trust domains (`spiffe` settings, spiffe://
  # issuer URLs). Creating a provider establishes a trust relationship with
  # an outside token issuer, so treat access to this operation as
  # security-sensitive.
  /api/v1/workload_federation/providers:
    post:
      tags:
        - Workload Federation
      summary: Create Provider
      description: |-
        CreateProvider registers a new external OIDC issuer for the tenant.
         Validates the issuer URL via OIDC discovery synchronously.
      operationId: c1.api.workload_federation.v1.WorkloadFederationService.CreateProvider
      # No `required: true` is set, so the body is optional at the OpenAPI
      # level. NOTE(review): the request schema documents wellKnownProvider
      # as required, so an empty request is presumably rejected by the
      # backend rather than by schema validation - confirm.
      requestBody:
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceCreateProviderRequest
      responses:
        # Only the success case is documented. NOTE(review): the description
        # says the issuer URL is validated synchronously, so a failure
        # response must exist when discovery fails; its status code and body
        # are not specified here.
        '200':
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceCreateProviderResponse
          description: Successful response
      # SDK usage samples (Go and TypeScript). The credential strings are
      # placeholders: in real code read them from the environment or a
      # secret store instead of committing them to source. Both samples call
      # the operation without a request (nil / no argument), so they show
      # the call shape only, not a request that sets wellKnownProvider.
      x-codeSamples:
        - lang: go
          label: CreateProvider
          source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"log\"\n)\n\nfunc main() {\n    ctx := context.Background()\n\n    s := conductoronesdkgo.New(\n        conductoronesdkgo.WithSecurity(shared.Security{\n            BearerAuth: \"<YOUR_BEARER_TOKEN_HERE>\",\n            Oauth: \"<YOUR_OAUTH_HERE>\",\n        }),\n    )\n\n    res, err := s.WorkloadFederation.CreateProvider(ctx, nil)\n    if err != nil {\n        log.Fatal(err)\n    }\n    if res.WorkloadFederationServiceCreateProviderResponse != nil {\n        // handle response\n    }\n}"
        - lang: typescript
          label: Typescript (SDK)
          source: >-
            import { ConductoroneSDKTypescript } from
            "conductorone-sdk-typescript";


            const conductoroneSDKTypescript = new ConductoroneSDKTypescript({
              security: {
                bearerAuth: "<YOUR_BEARER_TOKEN_HERE>",
                oauth: "<YOUR_OAUTH_HERE>",
              },
            });


            async function run() {
              const result = await conductoroneSDKTypescript.workloadFederation.createProvider();

              console.log(result);
            }


            run();
components:
  schemas:
    # Request body for CreateProvider. The schema declares no `required` list
    # and every property also admits null, so an empty object passes schema
    # validation. The rules stated in the descriptions (wellKnownProvider is
    # required, only one of oidc/spiffe may be set, issuer URL must match the
    # provider type) are not expressed as schema constraints.
    # NOTE(review): they are presumably enforced by the backend; client-side
    # validation against this schema will not catch violations.
    c1.api.workload_federation.v1.WorkloadFederationServiceCreateProviderRequest:
      description: >
        The WorkloadFederationServiceCreateProviderRequest message.


        This message contains a oneof named settings. Only a single field of the
        following list may be set at a time:
          - oidc
          - spiffe
      properties:
        description:
          description: A description of what this provider is for.
          type:
            - string
            - 'null'
        displayName:
          description: The display name for the new provider.
          type:
            - string
            - 'null'
        # Caller-supplied issuer identity. Per the description the backend
        # runs OIDC discovery against it for OIDC providers, i.e. it makes an
        # outbound request to a URL chosen by the API caller.
        # NOTE(review): confirm that fetch is limited to public HTTPS
        # destinations. The value is normalized and must be unique per tenant.
        issuerUrl:
          description: >-
            The issuer URL. For OIDC providers, this is an HTTPS URL validated
            via
             OIDC discovery. For SPIFFE providers, this is the SPIFFE trust-domain URI
             (e.g., spiffe://prod.example.com). Normalized on write: lowercase
             scheme/host, no trailing slash. Unique within tenant.
          type:
            - string
            - 'null'
        # Settings branch for https:// OIDC issuers; nullable reference.
        oidc:
          oneOf:
            - $ref: '#/components/schemas/c1.api.workload_federation.v1.OIDCSettings'
            - type: 'null'
        # Settings branch for spiffe:// trust domains; nullable reference.
        spiffe:
          oneOf:
            - $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.SPIFFESettings
            - type: 'null'
        # Provider type selector. UNSPECIFIED appears in the enum but the
        # description states that it is rejected. Named (non-CUSTOM) types
        # additionally trigger an issuer_url consistency check on the backend.
        wellKnownProvider:
          description: |-
            Well-known provider type. Required -- UNSPECIFIED is rejected.
             When set to a named source, the backend validates issuer_url consistency.
             SPIFFE wkp requires `settings.spiffe`; all other wkp values require
             `settings.oidc`.
          enum:
            - WELL_KNOWN_WORKLOAD_PROVIDER_UNSPECIFIED
            - WELL_KNOWN_WORKLOAD_PROVIDER_CUSTOM
            - WELL_KNOWN_WORKLOAD_PROVIDER_GITHUB_ACTIONS
            - WELL_KNOWN_WORKLOAD_PROVIDER_GITLAB_CI
            - WELL_KNOWN_WORKLOAD_PROVIDER_HCP_TERRAFORM
            - WELL_KNOWN_WORKLOAD_PROVIDER_AWS_IAM_OUTBOUND
            - WELL_KNOWN_WORKLOAD_PROVIDER_SPIFFE
          type:
            - string
            - 'null'
          # Speakeasy extension: generated SDKs accept enum values that are
          # not in the list above instead of failing on them.
          x-speakeasy-unknown-values: allow
      title: Workload Federation Service Create Provider Request
      type: object
      x-speakeasy-name-override: WorkloadFederationServiceCreateProviderRequest
    # Response body for CreateProvider: a wrapper with one nullable
    # `provider` field holding the WorkloadFederationProvider schema.
    # Callers must handle a null provider, since the schema allows it.
    c1.api.workload_federation.v1.WorkloadFederationServiceCreateProviderResponse:
      description: The WorkloadFederationServiceCreateProviderResponse message.
      properties:
        provider:
          oneOf:
            - $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationProvider
            - type: 'null'
      title: Workload Federation Service Create Provider Response
      type: object
      x-speakeasy-name-override: WorkloadFederationServiceCreateProviderResponse
    # Settings object for OIDC providers. It declares no properties, so today
    # it only marks which branch of the settings oneof is selected.
    # NOTE(review): audience overrides and required_claims are listed as
    # future fields, so this provider-level schema cannot narrow which tokens
    # from the issuer are accepted. For issuers shared by many unrelated
    # parties (GitHub Actions, GitLab CI, HCP Terraform) confirm where
    # subject and audience conditions are enforced before relying on a
    # provider registration as an authorization boundary.
    c1.api.workload_federation.v1.OIDCSettings:
      description: |-
        OIDCSettings is the kind-specific configuration block for classic OIDC
         providers (GitHub Actions, GitLab CI, HCP Terraform, AWS IAM Outbound,
         any CUSTOM provider). Empty for now; future fields like custom_jwks_url,
         audience overrides, and required_claims land here.
      title: Oidc Settings
      type: object
      x-speakeasy-name-override: OIDCSettings
    # Settings object for SPIFFE trust-domain providers. Its single field
    # names the endpoint that supplies the trust domain's signing keys.
    c1.api.workload_federation.v1.SPIFFESettings:
      description: |-
        SPIFFESettings is the kind-specific configuration block for SPIFFE
         trust-domain providers (issuer_url = spiffe://<trust-domain>).
      properties:
        # The JWKS served at this URL decides which keys are trusted for the
        # trust domain. The description marks it required, yet the schema
        # lists no `required` entry and allows null, so that rule is not a
        # schema constraint. The field is mutable while the issuer is not:
        # changing it swaps the trusted key source, so restrict and audit
        # who may update it. The backend fetches this caller-supplied URL
        # on update. NOTE(review): confirm outbound-fetch restrictions apply.
        bundleEndpointUrl:
          description: >-
            HTTPS URL of the JWKS endpoint serving the trust domain's signing
            keys.
             Required: the spiffe:// scheme has no discovery mechanism.
             Typically the SPIRE OIDC Discovery Provider's /keys endpoint.

             Mutable: updates re-validate the new URL by fetching its JWKS before
             persisting; the issuer (trust domain) itself remains immutable.
          type:
            - string
            - 'null'
      title: Spiffe Settings
      type: object
      x-speakeasy-name-override: SPIFFESettings
    # Stored provider record returned by the API. The description defines a
    # three-way invariant between wellKnownProvider, the issuer URL scheme
    # and the settings branch; the schema itself does not encode it (no
    # `required`, both oidc and spiffe are independently nullable), so
    # consumers should not assume schema validation proves a record is
    # consistent. id, issuerUrl, wellKnownProvider, createdAt and updatedAt
    # are marked readOnly.
    c1.api.workload_federation.v1.WorkloadFederationProvider:
      description: >
        WorkloadFederationProvider represents a tenant-level workload identity
         issuer registration. Two issuer schemes are supported:

           - https://...   classic OIDC issuer; `settings.oidc` MUST be set.
           - spiffe://...  SPIFFE trust-domain URI; `settings.spiffe` MUST be set.

         The (well_known_provider, issuer_url scheme, settings oneof) tuple is a
         tri-invariant: SPIFFE wkp ⟺ spiffe:// issuer ⟺ settings.spiffe set; any
         other wkp ⟺ https:// issuer ⟺ settings.oidc set. Issuer URLs are unique
         within tenant.

        This message contains a oneof named settings. Only a single field of the
        following list may be set at a time:
          - oidc
          - spiffe
      properties:
        # Server-assigned creation timestamp (readOnly).
        createdAt:
          format: date-time
          readOnly: true
          type:
            - string
            - 'null'
        description:
          description: A description of what this provider is for.
          type:
            - string
            - 'null'
        # Per the description, a disabled provider rejects every token
        # exchange, which makes this flag the switch for cutting off an
        # issuer. It is not readOnly here and is absent from the create
        # request. NOTE(review): presumably set through an update operation
        # not shown on this page; a null value is allowed - confirm how
        # null is interpreted.
        disabled:
          description: >-
            Whether the provider is disabled. Disabled providers reject all
            token exchanges.
          type:
            - boolean
            - 'null'
        displayName:
          description: The display name of the provider.
          type:
            - string
            - 'null'
        id:
          description: The unique ID of the provider.
          readOnly: true
          type:
            - string
            - 'null'
        # Canonical issuer identity; readOnly and, per the description,
        # immutable after creation and unique within the tenant.
        issuerUrl:
          description: >-
            Canonical issuer URL. https:// for OIDC providers, spiffe:// for
            SPIFFE
             trust domains. Unique within tenant. Immutable after creation.
          readOnly: true
          type:
            - string
            - 'null'
        # Settings branch for https:// OIDC issuers; nullable reference.
        oidc:
          oneOf:
            - $ref: '#/components/schemas/c1.api.workload_federation.v1.OIDCSettings'
            - type: 'null'
        # Settings branch for spiffe:// trust domains; nullable reference.
        spiffe:
          oneOf:
            - $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.SPIFFESettings
            - type: 'null'
        # Server-assigned last-modified timestamp (readOnly).
        updatedAt:
          format: date-time
          readOnly: true
          type:
            - string
            - 'null'
        # Provider type chosen at creation; readOnly and described as
        # immutable. The description presents it as driving UX, while the
        # create request says the backend also checks issuer_url against it.
        wellKnownProvider:
          description: |-
            Well-known provider type. Drives UX (wizard presets, docs, icons).
             Set at creation time, immutable.
          enum:
            - WELL_KNOWN_WORKLOAD_PROVIDER_UNSPECIFIED
            - WELL_KNOWN_WORKLOAD_PROVIDER_CUSTOM
            - WELL_KNOWN_WORKLOAD_PROVIDER_GITHUB_ACTIONS
            - WELL_KNOWN_WORKLOAD_PROVIDER_GITLAB_CI
            - WELL_KNOWN_WORKLOAD_PROVIDER_HCP_TERRAFORM
            - WELL_KNOWN_WORKLOAD_PROVIDER_AWS_IAM_OUTBOUND
            - WELL_KNOWN_WORKLOAD_PROVIDER_SPIFFE
          readOnly: true
          type:
            - string
            - 'null'
          # Speakeasy extension: generated SDKs accept enum values that are
          # not in the list above instead of failing on them.
          x-speakeasy-unknown-values: allow
      title: Workload Federation Provider
      type: object
      x-speakeasy-name-override: WorkloadFederationProvider
  # Authentication schemes referenced by the top-level `security` block.
  securitySchemes:
    # HTTP bearer token in the Authorization header; no bearerFormat is
    # declared, so the token format is not specified by this document.
    bearerAuth:
      scheme: bearer
      type: http
    # OAuth2 client-credentials flow. The description requires the client
    # credentials in the request BODY rather than in headers, so the client
    # secret is part of the POST payload: keep request-body logging off for
    # the token endpoint on any proxy or gateway you operate.
    oauth:
      description: >-
        This API uses OAuth2 with the Client Credential flow.

        Client Credentials must be sent in the BODY, not the headers.

        For an example of how to implement this, refer to the
        [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187)
        function.
      flows:
        clientCredentials:
          # No scopes are defined, so this document does not describe any
          # scope-based limit on issued tokens. NOTE(review): authorization
          # is presumably tied to the client's own permissions - confirm.
          # tokenUrl is a relative path; presumably resolved against the
          # tenant server URL.
          scopes: {}
          tokenUrl: /auth/v1/token
      type: oauth2

````