Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you’d like to try it out or share feedback.
This guide gets you from zero to a working API call in under 5 minutes.

Step 1: Create a service principal

1. Navigate to Settings in the left sidebar.
2. Under Developers, select Service principals.
3. Click Create service principal.
4. Enter a display name, for example “Terraform CI” or “Monitoring Script”.
5. Click Create.

Step 2: Create a credential

1. On the service principal detail page, select the Credentials tab.
2. Click Create credential.
3. Configure the credential:

| Setting | Description |
| --- | --- |
| Display name | A label for this credential, for example “prod-terraform” |
| Expiration | How long until the credential expires: 30, 60, 90, or 180 days. 90 days is recommended. |
| Limit source IPs | Optional. Restrict which IP addresses can use this credential. Enter IP ranges like 192.168.1.0/24. |
| Limit scopes | “Full permissions” uses all of the service principal’s roles. Or select a specific role for least-privilege access. |
| Require DPoP | Optional. Enables proof-of-possession token binding (advanced). |

4. Click Create.
5. Copy the client ID and client secret immediately.
The secret is shown only once and can’t be retrieved later. The secret starts with secret-token: — this prefix is part of the value and must be included when authenticating.

Step 3: Get an access token

Exchange the client credentials for a bearer token:
curl -s -X POST "https://yourcompany.conductor.one/auth/v1/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=clever-fox-42195@yourcompany.conductor.one/spc" \
  -d "client_secret=secret-token:YOUR_SECRET_HERE"
Response:
{
  "access_token": "eyJhbGciOiJFZERTQSIs...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Step 4: Call the API

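Use the access token in an Authorization header. The command below reads it from the CONDUCTORONE_ACCESS_TOKEN shell variable, which you set to the access_token value returned in Step 3: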
curl -s "https://yourcompany.conductor.one/api/v1/apps" \
  -H "Authorization: Bearer ${CONDUCTORONE_ACCESS_TOKEN}"
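
Steps 3 and 4 as one script, added here as an example and not ConductorOne's own code: it feeds the client secret and the bearer token to curl on stdin so neither appears in the process list, and rejects a secret pasted without the secret-token: prefix. The c1_* function names are hypothetical, and deriving the tenant host from the client ID is an assumption based on the sample values on this page.

```shell
# Added example (not ConductorOne code). The c1_* function names are hypothetical.

# Assumption: the tenant host is the text between '@' and '/spc' in the client ID,
# as in the sample values on this page.
c1_host() {
  local host
  case "$1" in
    ?*@?*/spc) host="${1#*@}"; printf '%s\n' "${host%/spc}" ;;
    *) echo "client ID must look like name@tenant-host/spc" >&2; return 1 ;;
  esac
}

# The secret-token: prefix is part of the secret; reject values pasted without it.
c1_check_secret() {
  case "$1" in
    secret-token:?*) return 0 ;;
    *) echo "client secret must start with secret-token:" >&2; return 1 ;;
  esac
}

# Extract access_token from the JSON token response (no jq dependency).
c1_parse_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Step 3: exchange the credentials for a token. printf is a shell builtin and curl
# reads the secret from stdin ("client_secret@-"), so it never lands in any argv.
c1_get_token() {
  local id="${CONDUCTORONE_CLIENT_ID:?not set}" host
  local secret="${CONDUCTORONE_CLIENT_SECRET:?not set}"
  host="$(c1_host "$id")" || return 1
  c1_check_secret "$secret" || return 1
  printf '%s' "$secret" |
    curl -sS --fail -X POST "https://${host}/auth/v1/token" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "client_id=${id}" \
      --data-urlencode "client_secret@-" | c1_parse_token
}

# Step 4: call the API. The Authorization header is read from stdin (-H @-,
# curl 7.55 or later) for the same reason.
c1_list_apps() {
  local host token
  host="$(c1_host "${CONDUCTORONE_CLIENT_ID:?not set}")" || return 1
  token="$(c1_get_token)"
  [ -n "$token" ] || { echo "no access_token in token response" >&2; return 1; }
  printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS --fail -H @- "https://${host}/api/v1/apps"
}
```

Source the file, export CONDUCTORONE_CLIENT_ID and CONDUCTORONE_CLIENT_SECRET from your secret store, then run c1_list_apps.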

Use with the Terraform provider

Configure the ConductorOne Terraform provider with your service principal credentials. The server URL is derived automatically from the client ID, so you only need two values:
provider "conductorone" {
  client_id     = "clever-fox-42195@yourcompany.conductor.one/spc"
  client_secret = var.conductorone_client_secret
}
Or use environment variables:
export CONDUCTORONE_CLIENT_ID="clever-fox-42195@yourcompany.conductor.one/spc"
export CONDUCTORONE_CLIENT_SECRET="secret-token:YOUR_SECRET_HERE"

terraform plan
Never commit client secrets to source control. Use your CI/CD platform’s secret management, environment variables, or a vault.

Use with Cone CLI

Once the environment variables are set, Cone picks them up automatically:
export CONDUCTORONE_CLIENT_ID="clever-fox-42195@yourcompany.conductor.one/spc"
export CONDUCTORONE_CLIENT_SECRET="secret-token:YOUR_SECRET_HERE"

cone whoami