# Quick start: Client credentials

> Create a service principal, generate credentials, and make your first API call in under 5 minutes.

<Warning>
  **Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you'd like to try it out or share feedback.
</Warning>

This guide gets you from zero to a working API call in under 5 minutes.

## Step 1: Create a service principal

<Steps>
  <Step>
    Navigate to **Settings** in the left sidebar.
  </Step>

  <Step>
    Under **Developers**, select **Service principals**.
  </Step>

  <Step>
    Click **Create service principal**.
  </Step>

  <Step>
    Enter a display name, for example "Terraform CI" or "Monitoring Script".
  </Step>

  <Step>
    Click **Create**.
  </Step>
</Steps>

## Step 2: Create a credential

<Steps>
  <Step>
    On the service principal detail page, select the **Credentials** tab.
  </Step>

  <Step>
    Click **Create credential**.
  </Step>

  <Step>
    Configure the credential:

    | Setting              | Description                                                                                                         |
    | :------------------- | :------------------------------------------------------------------------------------------------------------------ |
    | **Display name**     | A label for this credential, for example "prod-terraform"                                                           |
    | **Expiration**       | How long until the credential expires: 30, 60, 90, or 180 days. 90 days is recommended.                             |
    | **Limit source IPs** | **Optional.** Restrict which IP addresses can use this credential. Enter IP ranges like `192.168.1.0/24`.           |
    | **Limit scopes**     | "Full permissions" uses all of the service principal's roles. Or select a specific role for least-privilege access. |
    | **Require DPoP**     | **Optional.** Enables proof-of-possession token binding (advanced).                                                 |
  </Step>

  <Step>
    Click **Create**.
  </Step>

  <Step>
    Copy the **client ID** and **client secret** immediately.

    <Warning>
      The secret is shown only once and can't be retrieved later. The secret starts with `secret-token:` -- this prefix is part of the value and must be included when authenticating.
    </Warning>
  </Step>
</Steps>

## Step 3: Get an access token

Exchange the client credentials for a bearer token:

```bash
curl -s -X POST "https://yourcompany.conductor.one/auth/v1/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=clever-fox-42195@yourcompany.conductor.one/spc" \
  -d "client_secret=secret-token:YOUR_SECRET_HERE"
```

Response:

```json
{
  "access_token": "eyJhbGciOiJFZERTQSIs...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

## Step 4: Call the API

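Send the `access_token` value from the Step 3 response as a bearer token in the `Authorization` header. The example reads it from the `CONDUCTORONE_ACCESS_TOKEN` shell variable: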

```bash
curl -s "https://yourcompany.conductor.one/api/v1/apps" \
  -H "Authorization: Bearer ${CONDUCTORONE_ACCESS_TOKEN}"
```
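
The token exchange in Step 3 and the authenticated call in Step 4, as an added Python example (not C1's own code) that caches the token for its `expires_in` lifetime and rejects a secret pasted without its prefix. The `TokenSource` class, the 60-second renewal margin, and deriving the token URL from the host portion of the client ID are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

SECRET_PREFIX = "secret-token:"  # per the page, the prefix is part of the secret


def token_url(client_id):
    # Assumption: the tenant host is the text between "@" and "/" in the client ID.
    host = client_id.partition("@")[2].partition("/")[0]
    if not host:
        raise ValueError("client ID does not contain a tenant host")
    return f"https://{host}/auth/v1/token"


def post_form(url, fields):
    # urlencode() percent-encodes "@", "/", ":" and "+" in the ID and secret.
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSource:
    """Caches the bearer token and renews it shortly before expires_in runs out."""

    def __init__(self, client_id, client_secret, post=post_form,
                 clock=time.monotonic, skew=60):
        if not client_secret.startswith(SECRET_PREFIX):
            raise ValueError("client secret must keep its 'secret-token:' prefix")
        self._fields = {"grant_type": "client_credentials",
                        "client_id": client_id, "client_secret": client_secret}
        self._url = token_url(client_id)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._renew_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._renew_at:
            resp = self._post(self._url, self._fields)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("token endpoint did not return a bearer token")
            self._token = resp["access_token"]
            self._renew_at = self._clock() + resp["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}
```

Construct `TokenSource` from `CONDUCTORONE_CLIENT_ID` and `CONDUCTORONE_CLIENT_SECRET` read from the environment, then pass `auth_header()` with each request to `/api/v1/apps`.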

## Use with the Terraform provider

Configure the [C1 Terraform provider](/developer/terraform) with your service principal credentials. The server URL is derived automatically from the client ID, so you only need two values:

```hcl
provider "conductorone" {
  client_id     = "clever-fox-42195@yourcompany.conductor.one/spc"
  client_secret = var.conductorone_client_secret
}
```

Or use environment variables:

```bash
export CONDUCTORONE_CLIENT_ID="clever-fox-42195@yourcompany.conductor.one/spc"
export CONDUCTORONE_CLIENT_SECRET="secret-token:YOUR_SECRET_HERE"

terraform plan
```

<Tip>
  Never commit client secrets to source control. Use your CI/CD platform's secret management, environment variables, or a vault.
</Tip>

## Use with Cone CLI

Once the environment variables are set, [Cone](/product/cli/install) picks them up automatically:

```bash
export CONDUCTORONE_CLIENT_ID="clever-fox-42195@yourcompany.conductor.one/spc"
export CONDUCTORONE_CLIENT_SECRET="secret-token:YOUR_SECRET_HERE"

cone whoami
```

## Next steps

* [Manage service principals](/product/admin/service-principals/manage) -- edit, disable, rotate credentials, assign owners
* [Workload federation](/product/admin/service-principals/workload-federation) -- eliminate stored secrets with OIDC-based authentication
* [Security controls](/product/admin/service-principals/security) -- scoped roles, IP allowlists, DPoP
