> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Test Token > TestToken validates a JWT against a specific trust's configuration without issuing an access token. Returns per-step validation results for debugging. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/service_principals/{service_principal_id}/trusts/{client_id}/test openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/service_principals/{service_principal_id}/trusts/{client_id}/test: post: tags: - Workload Federation summary: Test Token description: >- TestToken validates a JWT against a specific trust's configuration without issuing an access token. Returns per-step validation results for debugging. operationId: c1.api.workload_federation.v1.WorkloadFederationService.TestToken parameters: - in: path name: service_principal_id required: true schema: description: The service principal ID (from URL path). type: string - in: path name: client_id required: true schema: description: >- The trust client ID. Accepts the cutename (e.g. "clever-fox-42195") or the full client ID (e.g. "clever-fox-42195@acme.conductorone.com/wfe"). The server normalizes to the cutename portion before lookup. type: string requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenRequestInput responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenResponse description: Successful response x-codeSamples: - lang: go label: TestToken source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/operations\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.WorkloadFederation.TestToken(ctx, operations.C1APIWorkloadFederationV1WorkloadFederationServiceTestTokenRequest{\n ClientID: \"\",\n ServicePrincipalID: \"\",\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.WorkloadFederationServiceTestTokenResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.workloadFederation.testToken({ servicePrincipalId: "", clientId: "", }); console.log(result); } run(); components: schemas: c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenRequestInput: description: The WorkloadFederationServiceTestTokenRequest message. properties: sourceIp: description: |- Optional: override source IP for CIDR testing. If empty, uses the request's source IP. Accepts IPv4 (e.g. 10.0.0.5) or IPv6 (e.g. 2001:db8::1) addresses, optionally with a CIDR prefix. type: - string - 'null' subjectToken: description: The raw JWT to validate (the subject_token from a CI job). type: - string - 'null' title: Workload Federation Service Test Token Request type: object x-speakeasy-name-override: WorkloadFederationServiceTestTokenRequest c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenResponse: description: The WorkloadFederationServiceTestTokenResponse message. properties: audienceValidation: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' celEvaluation: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' cidrCheck: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' decodedClaimsJson: description: |- The decoded JWT claims (best-effort, even if signature fails). Returned as JSON string for display. type: - string - 'null' issuerMatch: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' jwtDecode: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' overallResult: description: 'Overall result: true only if ALL steps passed.' type: - boolean - 'null' signatureValidation: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' subjectValidation: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' tokenFreshness: oneOf: - $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult - type: 'null' title: Workload Federation Service Test Token Response type: object x-speakeasy-name-override: WorkloadFederationServiceTestTokenResponse c1.api.workload_federation.v1.TestTokenStepResult: description: TestTokenStepResult represents the result of a single validation step. properties: actual: description: Actual value from the token. type: - string - 'null' detail: description: Human-readable detail message. type: - string - 'null' expected: description: Expected value (for comparison steps). type: - string - 'null' passed: description: Whether this step passed. type: - boolean - 'null' skipped: description: >- Whether this step was skipped (e.g., CIDR check when no allowlist configured). type: - boolean - 'null' stepName: description: Step name for display (e.g., "JWT decode", "Issuer match"). type: - string - 'null' title: Test Token Step Result type: object x-speakeasy-name-override: TestTokenStepResult securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````