> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Test Token > TestToken validates a JWT against a specific trust's configuration without issuing an access token. Returns per-step validation results for debugging. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/service_principals/{service_principal_id}/trusts/{client_id}/test openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/service_principals/{service_principal_id}/trusts/{client_id}/test: post: tags: - Workload Federation summary: Test Token description: >- TestToken validates a JWT against a specific trust's configuration without issuing an access token. Returns per-step validation results for debugging. operationId: c1.api.workload_federation.v1.WorkloadFederationService.TestToken parameters: - in: path name: service_principal_id required: true schema: description: The service principal ID (from URL path). readOnly: false type: string - in: path name: client_id required: true schema: description: >- The trust client ID. Accepts the cutename (e.g. "clever-fox-42195") or the full client ID (e.g. "clever-fox-42195@acme.conductorone.com/wfe"). The server normalizes to the cutename portion before lookup. readOnly: false type: string requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenRequestInput responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenResponse description: Successful response x-codeSamples: - lang: go label: TestToken source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/operations\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.WorkloadFederation.TestToken(ctx, operations.C1APIWorkloadFederationV1WorkloadFederationServiceTestTokenRequest{\n ClientID: \"\",\n ServicePrincipalID: \"\",\n })\n if err != nil {\n log.Fatal(err)\n }\n if res.WorkloadFederationServiceTestTokenResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.workloadFederation.testToken({ servicePrincipalId: "", clientId: "", }); console.log(result); } run(); components: schemas: c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenRequestInput: description: The WorkloadFederationServiceTestTokenRequest message. properties: sourceIp: description: |- Optional: override source IP for CIDR testing. If empty, uses the request's source IP. Accepts IPv4 (e.g. 10.0.0.5) or IPv6 (e.g. 2001:db8::1) addresses, optionally with a CIDR prefix. readOnly: false type: string subjectToken: description: The raw JWT to validate (the subject_token from a CI job). readOnly: false type: string title: Workload Federation Service Test Token Request type: object x-speakeasy-name-override: WorkloadFederationServiceTestTokenRequest c1.api.workload_federation.v1.WorkloadFederationServiceTestTokenResponse: description: The WorkloadFederationServiceTestTokenResponse message. properties: audienceValidation: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult celEvaluation: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult cidrCheck: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult decodedClaimsJson: description: |- The decoded JWT claims (best-effort, even if signature fails). Returned as JSON string for display. readOnly: false type: string issuerMatch: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult jwtDecode: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult overallResult: description: 'Overall result: true only if ALL steps passed.' readOnly: false type: boolean signatureValidation: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult tokenFreshness: $ref: >- #/components/schemas/c1.api.workload_federation.v1.TestTokenStepResult title: Workload Federation Service Test Token Response type: object x-speakeasy-name-override: WorkloadFederationServiceTestTokenResponse c1.api.workload_federation.v1.TestTokenStepResult: description: TestTokenStepResult represents the result of a single validation step. properties: actual: description: Actual value from the token. readOnly: false type: string detail: description: Human-readable detail message. readOnly: false type: string expected: description: Expected value (for comparison steps). readOnly: false type: string passed: description: Whether this step passed. readOnly: false type: boolean skipped: description: >- Whether this step was skipped (e.g., CIDR check when no allowlist configured). readOnly: false type: boolean stepName: description: Step name for display (e.g., "JWT decode", "Issuer match"). readOnly: false type: string title: Test Token Step Result type: object x-speakeasy-name-override: TestTokenStepResult securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````