An OIDC trust lets tokens from an external issuer (e.g. GitHub Actions) authenticate as a service account: tokens whose issuer and subject exactly match the trust are exchanged for short-lived Synthetiq tokens. No credentials are stored anywhere. All trust commands require the org:trusts scope on your organization role.

create

Create a trust on a service account:
synthetiq trust create \
  --service-account-id <service-account-id> \
  --issuer https://token.actions.githubusercontent.com \
  --subject "repo:acme/infra:ref:refs/heads/main"
Flag                        Description
--service-account-id <id>   The service account this trust authenticates as
--issuer <url>              OIDC issuer URL (https, no default)
--subject <subject>         Token subject, matched exactly (e.g. repo:<owner>/<repo>:ref:refs/heads/main)
--jwks <path>               Optional JWK Set file pinning the issuer’s signing keys — verification then never contacts the issuer. Omit to resolve keys via OIDC discovery (issuer must be reachable from the Synthetiq platform; rotation is automatic)
--description <text>        Optional description of the trust
--json                      Output as JSON
Trust created.
  ID:       3c1f8a44-9b2d-4e07-8f1a-6d5c2e9b7a01
  Issuer:   https://token.actions.githubusercontent.com
  Subject:  repo:acme/infra:ref:refs/heads/main
One trust per (issuer, subject) pair per organization.
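
Because issuer and subject are matched exactly, a token from the same repository but a different trigger will not exchange. The following is an added example, not part of the Synthetiq CLI or its documentation: a local debugging helper that decodes a token's claims without verifying the signature and reports which claim differs from the trust. It assumes "matched exactly" means plain string equality; the helper names and sample tokens are constructed for illustration.

```python
import base64
import json

TRUST_ISSUER = "https://token.actions.githubusercontent.com"
TRUST_SUBJECT = "repo:acme/infra:ref:refs/heads/main"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (debugging only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def trust_mismatches(claims: dict, issuer: str, subject: str) -> list:
    """List the claims that differ from the trust; an empty list means both match."""
    # Assumption: exact matching is plain string equality, with no wildcards,
    # case folding or trailing-slash normalisation.
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != {subject!r}")
    return problems

def make_sample_token(iss: str, sub: str) -> str:
    # Constructed sample token for the demo; the signature segment is a dummy.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"iss": iss, "sub": sub}), "c2ln"])

if __name__ == "__main__":
    samples = {
        "push to main": (TRUST_ISSUER, "repo:acme/infra:ref:refs/heads/main"),
        # GitHub issues this subject form for pull_request-triggered workflows.
        "pull request": (TRUST_ISSUER, "repo:acme/infra:pull_request"),
        "feature branch": (TRUST_ISSUER, "repo:acme/infra:ref:refs/heads/feature"),
        "issuer with trailing slash": (TRUST_ISSUER + "/", TRUST_SUBJECT),
    }
    for name, (iss, sub) in samples.items():
        claims = unverified_claims(make_sample_token(iss, sub))
        problems = trust_mismatches(claims, TRUST_ISSUER, TRUST_SUBJECT)
        print(f"{name}: {'match' if not problems else '; '.join(problems)}")
```

Only the first sample matches the trust created above; the others each need their own trust or a change to the workflow trigger.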

list

List the organization’s trusts:
synthetiq trust list
ID                                     SERVICE ACCOUNT   ISSUER                                        SUBJECT
3c1f8a44-9b2d-4e07-8f1a-6d5c2e9b7a01   infra-apply       token.actions.githubusercontent.com          repo:acme/infra:ref:refs/heads/main
Flag     Description
--json   Output as JSON

update

Update an existing trust:
synthetiq trust update <trust-id> [--issuer <url>] [--subject <subject>] [--service-account-id <id>] [--description <text>]

delete

Delete a trust:
synthetiq trust delete <trust-id>
Revocation is immediate — the next token exchange for this issuer and subject fails.