diff --git a/policy/diamond/policy/blueapi/blueapi.rego b/policy/diamond/policy/blueapi/blueapi.rego
new file mode 100644
index 0000000..8b9c711
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi.rego
@@ -0,0 +1,26 @@
+package diamond.policy.blueapi
+
+import data.diamond.policy.token
+import rego.v1
+
+# METADATA
+# entrypoint: true
+tiled_service_account_for_beamline.errors contains "Missing or invalid beamline" if {
+ input.beamline != token.claims.beamline
+}
+
+tiled_service_account_for_beamline.errors contains "Missing tiled-writer audience" if {
+ not "tiled-writer" in token.claims.aud
+}
+
+tiled_service_account_for_beamline.errors contains "User has fedid" if {
+ token.claims.fedid
+}
+
+# METADATA
+# entrypoint: true
+default tiled_service_account_for_beamline.allow := false
+
+tiled_service_account_for_beamline.allow if {
+ tiled_service_account_for_beamline.errors == set()
+}
diff --git a/policy/diamond/policy/blueapi/blueapi_test.rego b/policy/diamond/policy/blueapi/blueapi_test.rego
new file mode 100644
index 0000000..0003203
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi_test.rego
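Review bot: The "Missing or invalid beamline" rule does not fire when the beamline is missing, because in Rego `input.beamline != token.claims.beamline` is undefined (not true) whenever either operand is undefined, so the rule body simply fails and no error is added. A token that carries the `tiled-writer` audience and no `fedid` but lacks a `beamline` claim would therefore get `allow == true` for any `input.beamline`, which defeats the per-beamline scoping the rule name promises. Rewriting the body as `not input.beamline == token.claims.beamline` makes an undefined comparison count as a mismatch, and a comment such as `# undefined operands must deny: a missing claim is not a matching claim` would record why the negated form is used. I cannot see how `token.claims` is populated, so whether an absent claim is reachable in practice is inferred from the visible rule alone.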
@@ -0,0 +1,36 @@
+package diamond.policy.blueapi_test
+
+import data.diamond.policy.blueapi
+import rego.v1
+
+test_service_account_if_beamline_matches if {
+ response := blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+
+ response.allow
+ response.errors == set()
+}
+
+test_not_service_account_if_beamline_mismatch if {
+ response := blueapi.tiled_service_account_for_beamline with input as {"beamline": "b21"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+
+ not response.allow
+ response.errors == {"Missing or invalid beamline"}
+}
+
+test_not_service_account_if_missing_aud if {
+ response := blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
+
+ not response.allow
+ response.errors == {"Missing tiled-writer audience"}
+}
+
+test_not_service_account_if_fedid_present if {
+ response := blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
+
+ not response.allow
+ response.errors == {"User has fedid"}
+}
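Review bot: None of the four tests covers the absent-claim case, which is where Rego's undefined semantics change the outcome: every case supplies a `beamline` in both `input` and `token.claims`, so the `!=` comparison is always defined. A test with `with data.diamond.policy.token.claims as {"aud": ["tiled-writer"]}` and `input` still set to `"i22"` would pin that a token without a beamline claim is denied; a sibling case with `input` lacking `beamline` is worth adding for the same reason. A deny-by-default policy should have its negative cases asserted for missing as well as mismatching data.
```rego
test_not_service_account_if_beamline_claim_missing if {
	response := blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
		with data.diamond.policy.token.claims as {"aud": ["tiled-writer"]}

	not response.allow
	response.errors == {"Missing or invalid beamline"}
}
```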