
# Create Trust

> CreateTrust creates a trust policy for a service principal. The CEL `condition_expression` is compiled and validated when the trust is created, so an expression that does not compile or does not return a bool is rejected rather than stored.



## OpenAPI

````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/service_principals/{service_principal_id}/trusts
openapi: 3.1.0
info:
  description: The C1 API is a HTTP API for managing C1 resources.
  title: C1 API
  version: 0.1.0-alpha
servers:
  - description: The C1 API server for the current tenant.
    url: https://{tenantDomain}.conductor.one
    variables:
      tenantDomain:
        default: example
        description: The domain of the tenant to use for this request.
# NOTE(review): this is a single security-requirement object naming both
# schemes, which in OpenAPI means bearerAuth AND oauth are required on the same
# request. If either credential alone is meant to be accepted, they should be
# separate list items. The code samples below populate both fields, so the
# intended semantics should be confirmed with the API owners.
security:
  - bearerAuth: []
    oauth: []
paths:
  /api/v1/service_principals/{service_principal_id}/trusts:
    post:
      tags:
        - Workload Federation
      summary: Create Trust
      description: |-
        CreateTrust creates a trust policy for a service principal.
         Validates the CEL condition_expression at creation time.
      operationId: c1.api.workload_federation.v1.WorkloadFederationService.CreateTrust
      parameters:
        - in: path
          name: service_principal_id
          required: true
          schema:
            description: The service principal ID to create the trust for (from URL path).
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceCreateTrustRequestInput
      # NOTE(review): only the success response is described. The operation
      # validates condition_expression at creation time, but the status and
      # body returned when that validation fails are not documented here.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceCreateTrustResponse
          description: Successful response
      x-codeSamples:
        - lang: go
          label: CreateTrust
          source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/operations\"\n\t\"log\"\n)\n\nfunc main() {\n    ctx := context.Background()\n\n    s := conductoronesdkgo.New(\n        conductoronesdkgo.WithSecurity(shared.Security{\n            BearerAuth: \"<YOUR_BEARER_TOKEN_HERE>\",\n            Oauth: \"<YOUR_OAUTH_HERE>\",\n        }),\n    )\n\n    res, err := s.WorkloadFederation.CreateTrust(ctx, operations.C1APIWorkloadFederationV1WorkloadFederationServiceCreateTrustRequest{\n        ServicePrincipalID: \"<id>\",\n    })\n    if err != nil {\n        log.Fatal(err)\n    }\n    if res.WorkloadFederationServiceCreateTrustResponse != nil {\n        // handle response\n    }\n}"
        - lang: typescript
          label: Typescript (SDK)
          source: >-
            import { ConductoroneSDKTypescript } from
            "conductorone-sdk-typescript";


            const conductoroneSDKTypescript = new ConductoroneSDKTypescript({
              security: {
                bearerAuth: "<YOUR_BEARER_TOKEN_HERE>",
                oauth: "<YOUR_OAUTH_HERE>",
              },
            });


            async function run() {
              const result = await conductoroneSDKTypescript.workloadFederation.createTrust({
                servicePrincipalId: "<id>",
              });

              console.log(result);
            }


            run();
components:
  schemas:
    c1.api.workload_federation.v1.WorkloadFederationServiceCreateTrustRequestInput:
      description: The WorkloadFederationServiceCreateTrustRequest message.
      properties:
        # Evaluated against the source of the token-exchange request. What an
        # omitted/null list permits is not stated in this spec — presumably no
        # IP restriction; confirm before relying on it as a control.
        allowSourceCidrs:
          description: |-
            IP allowlist for token exchange requests matching this trust.
             Accepts IPv4 (e.g. 10.0.0.0/24) or IPv6 (e.g. 2001:db8::/32) CIDRs.
          items:
            type: string
          type:
            - array
            - 'null'
        # NOTE(review): nullable in this request schema; the spec does not say
        # what a trust without a condition matches. Treat the expression as the
        # primary authorization check and pin the claims that identify the
        # workload (see the example on the Trust schema below).
        conditionExpression:
          description: |-
            CEL expression evaluated against JWT claims. Must return bool.
             Compiled and validated before storage.
          type:
            - string
            - 'null'
        description:
          description: A description of what this trust policy matches.
          type:
            - string
            - 'null'
        displayName:
          description: The display name for the trust.
          type:
            - string
            - 'null'
        # Values for these claims originate from the subject token, not from
        # C1, and are carried into the issued C1 token (see the Trust schema
        # below for placement and the string-only rule). Keep the list to what
        # consumers actually need.
        passthroughClaims:
          description: >-
            JWT claim names from the subject token to copy into the issued C1
            token.
          items:
            type: string
          type:
            - array
            - 'null'
        # Nullable here, but the Trust schema marks it readOnly and immutable
        # after creation — confirm whether a null provider is accepted.
        providerId:
          description: The provider this trust references.
          type:
            - string
            - 'null'
        # "min(SP roles, trust.scoped_role_ids)" reads as an intersection: the
        # trust can narrow the service principal's roles but never widen them.
        # What omitting it grants is not stated here — confirm.
        scopedRoleIds:
          description: >-
            Scoped role IDs. Effective permissions = min(SP roles,
            trust.scoped_role_ids).
          items:
            type: string
          type:
            - array
            - 'null'
      title: Workload Federation Service Create Trust Request
      type: object
      x-speakeasy-name-override: WorkloadFederationServiceCreateTrustRequest
    c1.api.workload_federation.v1.WorkloadFederationServiceCreateTrustResponse:
      description: The WorkloadFederationServiceCreateTrustResponse message.
      properties:
        trust:
          oneOf:
            - $ref: >-
                #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationTrust
            - type: 'null'
      title: Workload Federation Service Create Trust Response
      type: object
      x-speakeasy-name-override: WorkloadFederationServiceCreateTrustResponse
    c1.api.workload_federation.v1.WorkloadFederationTrust:
      description: |-
        WorkloadFederationTrust represents a per-SP trust policy that references
         a tenant-level provider and defines a CEL condition for claim matching.
      properties:
        allowSourceCidrs:
          description: IP allowlist for token exchange requests matching this trust.
          items:
            type: string
          type:
            - array
            - 'null'
        # Server-assigned (readOnly); it is the value a workload presents as
        # client_id in the RFC 8693 token exchange, i.e. it names the trust.
        clientId:
          description: >-
            The full client ID of the trust (e.g.,
            "clever-fox-42195@acme.conductorone.com/wfe").
             Used as the client_id parameter in RFC 8693 token exchange requests.
          readOnly: true
          type:
            - string
            - 'null'
        # The example below pins both the subject prefix and an environment
        # claim; an expression that only checks a prefix of `sub` would accept
        # any subject under that prefix.
        conditionExpression:
          description: |-
            CEL expression evaluated against JWT claims. Must return bool.
             Example: claims.sub.startsWith("repo:acme/infra:") && claims.environment == "production"
          type:
            - string
            - 'null'
        createdAt:
          format: date-time
          readOnly: true
          type:
            - string
            - 'null'
        description:
          description: A description of what this trust policy matches.
          type:
            - string
            - 'null'
        # Not present in the create request schema above; a new trust's
        # initial value is not stated here.
        disabled:
          description: Whether the trust is disabled.
          type:
            - boolean
            - 'null'
        displayName:
          description: The display name of the trust.
          type:
            - string
            - 'null'
        # Because non-string claims are skipped silently, a misspelled or
        # non-string claim name produces no error — consumers of the "c1wfc"
        # map should not assume a listed claim is present.
        passthroughClaims:
          description: >-
            JWT claim names from the subject token to copy into the issued C1
            token.
             Values are placed in the "c1wfc" claim as a map[string]string.
             Only string-valued claims are copied; non-string claims are silently skipped.
             Example: ["repository", "repository_owner", "job_workflow_ref"]
          items:
            type: string
          type:
            - array
            - 'null'
        providerId:
          description: The provider ID this trust references. Immutable after creation.
          readOnly: true
          type:
            - string
            - 'null'
        scopedRoleIds:
          description: >-
            Scoped role IDs. Effective permissions = min(SP roles,
            trust.scoped_role_ids).
          items:
            type: string
          type:
            - array
            - 'null'
        servicePrincipalId:
          description: The service principal user ID this trust belongs to.
          readOnly: true
          type:
            - string
            - 'null'
        updatedAt:
          format: date-time
          readOnly: true
          type:
            - string
            - 'null'
      title: Workload Federation Trust
      type: object
      x-speakeasy-name-override: WorkloadFederationTrust
  securitySchemes:
    # Plain bearer token; the token format is not specified in this document.
    bearerAuth:
      scheme: bearer
      type: http
    oauth:
      description: >-
        This API uses OAuth2 with the Client Credential flow.

        Client Credentials must be sent in the BODY, not the headers.

        For an example of how to implement this, refer to the
        [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187)
        function.
      # tokenUrl is relative, i.e. resolved against the tenant server above.
      flows:
        clientCredentials:
          scopes: {}
          tokenUrl: /auth/v1/token
      type: oauth2

````