Skip to main content
POST
/
api
/
v1
/
decoys
Typescript (SDK)
import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript";

const conductoroneSDKTypescript = new ConductoroneSDKTypescript({
  security: {
    bearerAuth: "<YOUR_BEARER_TOKEN_HERE>",
    oauth: "<YOUR_OAUTH_HERE>",
  },
});

async function run() {
  const result = await conductoroneSDKTypescript.decoy.create();

  console.log(result);
}

run();
{
  "decoy": {
    "annotations": {},
    "createdAt": "2023-11-07T05:31:56Z",
    "description": "<string>",
    "disabled": true,
    "displayName": "<string>",
    "id": "<string>",
    "lastUsedAt": "2023-11-07T05:31:56Z",
    "materialFingerprintSha256": "<string>",
    "updatedAt": "2023-11-07T05:31:56Z"
  },
  "material": {
    "accessToken": {
      "accessToken": "<string>"
    },
    "clientCredential": {
      "clientId": "<string>",
      "clientSecret": "<string>"
    },
    "workloadFederation": {
      "workloadFederationTrustId": "<string>"
    }
  }
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Authorization
string
header
required

This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the c1TokenSource.Token() function.

Body

application/json

The DecoyServiceCreateRequest message.

This message contains a oneof named create_input. Only a single field of the following list may be set at a time:

  • userClientCredential
  • connectorClient
  • workloadFed
  • accessToken
accessToken
Decoy Access Token Input · object

DecoyAccessTokenInput mints a session access-token decoy under an existing User.

annotations
object

The annotations field.

connectorClient
Decoy Connector Client Input · object

DecoyConnectorClientInput plants a connector-shaped credential decoy. The server allocates placement under the tenant's ConductorOne app; the customer makes no app/connector choice.

description
string | null

The description field.

displayName
string | null

The displayName field.

userClientCredential
Decoy User Client Credential Input · object

DecoyUserClientCredentialInput plants a client-credential decoy under an existing User. The User must be typ=HUMAN or typ=SERVICE.

workloadFed
Decoy Workload Federation Input · object

DecoyWorkloadFederationInput plants a workload-federation-trust decoy under an existing Provider. The Provider must already be registered so its JWKS is reachable for signature verification.

Response

200 - application/json

Successful response

The DecoyServiceCreateResponse message.

decoy
Decoy · object

Decoy is the read projection of a planted honey-credential. All fields except annotations are server-managed.

material
Decoy Vending Material · object

DecoyVendingMaterial carries the freshly-vended secret material returned exactly once at Create or Rotate.

This message contains a oneof named material. Only a single field of the following list may be set at a time:

  • clientCredential
  • accessToken
  • workloadFederation