> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Get Trust > GetTrust returns a trust by ID for a service principal. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples get /api/v1/service_principals/{service_principal_id}/trusts/{client_id} openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/service_principals/{service_principal_id}/trusts/{client_id}: get: tags: - Workload Federation summary: Get Trust description: GetTrust returns a trust by ID for a service principal. operationId: c1.api.workload_federation.v1.WorkloadFederationService.GetTrust parameters: - in: path name: service_principal_id required: true schema: description: The service principal ID (from URL path). readOnly: false type: string - in: path name: client_id required: true schema: description: >- The trust client ID. Accepts the cutename (e.g. "clever-fox-42195") or the full client ID (e.g. "clever-fox-42195@acme.conductorone.com/wfe"). The server normalizes to the cutename portion before lookup. readOnly: false type: string responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceGetTrustResponse description: Successful response x-codeSamples: - lang: go label: GetTrust source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/operations\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.WorkloadFederation.GetTrust(ctx, operations.C1APIWorkloadFederationV1WorkloadFederationServiceGetTrustRequest{\n ClientID: \"\",\n ServicePrincipalID: \"\",\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.WorkloadFederationServiceGetTrustResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.workloadFederation.getTrust({ servicePrincipalId: "", clientId: "", }); console.log(result); } run(); components: schemas: c1.api.workload_federation.v1.WorkloadFederationServiceGetTrustResponse: description: The WorkloadFederationServiceGetTrustResponse message. properties: trust: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationTrust title: Workload Federation Service Get Trust Response type: object x-speakeasy-name-override: WorkloadFederationServiceGetTrustResponse c1.api.workload_federation.v1.WorkloadFederationTrust: description: |- WorkloadFederationTrust represents a per-SP trust policy that references a tenant-level provider and defines a CEL condition for claim matching. properties: allowSourceCidrs: description: IP allowlist for token exchange requests matching this trust. items: type: string nullable: true readOnly: false type: array clientId: description: >- The full client ID of the trust (e.g., "clever-fox-42195@acme.conductorone.com/wfe"). Used as the client_id parameter in RFC 8693 token exchange requests. readOnly: true type: string conditionExpression: description: |- CEL expression evaluated against JWT claims. Must return bool. Example: claims.sub.startsWith("repo:acme/infra:") && claims.environment == "production" readOnly: false type: string createdAt: format: date-time readOnly: true type: string description: description: A description of what this trust policy matches. readOnly: false type: string disabled: description: Whether the trust is disabled. readOnly: false type: boolean displayName: description: The display name of the trust. readOnly: false type: string passthroughClaims: description: >- JWT claim names from the subject token to copy into the issued C1 token. Values are placed in the "c1wfc" claim as a map[string]string. Only string-valued claims are copied; non-string claims are silently skipped. Example: ["repository", "repository_owner", "job_workflow_ref"] items: type: string nullable: true readOnly: false type: array providerId: description: The provider ID this trust references. Immutable after creation. readOnly: true type: string scopedRoleIds: description: >- Scoped role IDs. Effective permissions = min(SP roles, trust.scoped_role_ids). items: type: string nullable: true readOnly: false type: array servicePrincipalId: description: The service principal user ID this trust belongs to. readOnly: true type: string updatedAt: format: date-time readOnly: true type: string title: Workload Federation Trust type: object x-speakeasy-name-override: WorkloadFederationTrust securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````