diff --git a/policy/diamond/policy/blueapi/blueapi.rego b/policy/diamond/policy/blueapi/blueapi.rego
new file mode 100644
index 00000000..bf2df8a7
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi.rego
@@ -0,0 +1,12 @@
+package diamond.policy.blueapi
+
+import data.diamond.policy.token
+import rego.v1
+
+default tiled_service_account_for_beamline := false
+
+tiled_service_account_for_beamline if {
+ input.beamline == token.claims.beamline
+ "tiled-writer" in token.claims.aud
+ not token.claims.fedid
+}
diff --git a/policy/diamond/policy/blueapi/blueapi_test.rego b/policy/diamond/policy/blueapi/blueapi_test.rego
new file mode 100644
index 00000000..73e94a43
--- /dev/null
+++ b/policy/diamond/policy/blueapi/blueapi_test.rego
@@ -0,0 +1,24 @@
+package diamond.policy.blueapi_test
+
+import data.diamond.policy.blueapi
+import rego.v1
+
+test_service_account_if_beamline_matches if {
+ blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_beamline_mismatch if {
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "b21"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
+}
+
+test_not_service_account_if_missing_aud if {
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
+}
+
+test_not_service_account_if_fedid_present if {
+ not blueapi.tiled_service_account_for_beamline with input as {"beamline": "i22"}
+ with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
+}
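Review bot: `tiled_service_account_for_beamline` identifies the service account by a negative discriminator, `not token.claims.fedid`, so any token whose `aud` contains `tiled-writer` and that merely omits `fedid` is treated as the beamline's writer account; if the issuer ever changes how user tokens are shaped this keeps passing silently, so a positive identity claim for the service account (if the issuer provides one) would be the more robust check. The rule also relies on `data.diamond.policy.token` having already validated the token's signature and issuer, which is outside this diff and presumably holds, but the rule carries no comment stating that contract — suggest `# Bearer is the beamline's tiled-writer service account: aud contains tiled-writer, token beamline matches the request, and no user (fedid) claim is present; relies on token.claims being a verified token.`. Note too that JWT permits a string-valued `aud`, in which case `"tiled-writer" in token.claims.aud` presumably becomes undefined and the rule falls back to `default … := false`, which is the safe outcome but worth pinning with a test.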
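Review bot: `test_not_service_account_if_missing_aud` does not exercise a missing audience — its claims still carry `"aud": ["blueapiCli"]` — so the name overstates the coverage and the genuinely absent-`aud` path, where the `in` expression is undefined rather than false, is untested. Either rename it to `test_not_service_account_if_aud_mismatch` or add a sibling whose claims are `{"beamline": "i22"}` with no `aud` key, asserting `not blueapi.tiled_service_account_for_beamline` as the other negative cases do. Two further falsy paths worth pinning are a string-valued audience (`"aud": "tiled-writer"`) and an `input` without a `beamline` key, since both should leave the rule at its `false` default.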