{
  "openapi": "3.0.0",
  "paths": {
    "/oidc/auth": {
      "get": {
        "operationId": "oidcAuthenticate",
        "summary": "Authorization",
        "description": "Start an authentication process. If the process is successful, an authorization code is returned to the redirect URI specified in the request. (See [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)). For pushed authorization requests (PAR), provide `request_uri` returned by the [PAR request](/openapi/user/oidc.openapi/other/pushedauthorizationrequest) endpoint instead of authorization parameters.",
        "parameters": [
          {
            "name": "client_id",
            "required": true,
            "in": "query",
            "description": "Client ID for which authentication is requested. For pushed authorization requests (PAR), the client ID should match the ID of the client that initiated the PAR flow.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "redirect_uri",
            "required": false,
            "in": "query",
            "description": "Required for authorization code flow. URI to redirect to upon completion of the authentication flow. This is the server GET endpoint used to call the token endpoint, and should accept `code` as a query parameter (together with `state`, which must be validated before the code is exchanged). This URI must also be configured as an allowed redirect URI in the Mosaic Admin Portal; pass the exact registered value (scheme, host, path and query) rather than a variant of it.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "scope",
            "required": false,
            "in": "query",
            "description": "Required for authorization code flow. Scope of the requested access. Used to request specific user details like email. Must include `openid` and can include additional values (space delimited). `offline_access` scope allows refreshing access tokens; a refresh token is only issued when `prompt` also includes `consent` (see the `refresh_token` field of the token response). Request only the scopes the application actually needs.",
            "schema": {
              "enum": [
                "openid",
                "email",
                "phone",
                "offline_access"
              ],
              "type": "string"
            }
          },
          {
            "name": "loginType",
            "deprecated": true,
            "in": "query",
            "description": "For authorization code flow. Authentication method to be used for this process, where `centralized` is used to request authentication via the Authentication Hub.",
            "schema": {
              "enum": [
                "google-direct",
                "apple-direct",
                "facebook-direct",
                "webauthn-direct",
                "line-direct",
                "centralized"
              ],
              "type": "string"
            }
          },
          {
            "name": "response_type",
            "required": false,
            "in": "query",
            "description": "Required for authorization code flow. Response type requested for the authentication flow.",
            "schema": {
              "enum": [
                "code"
              ],
              "default": "code",
              "type": "string"
            }
          },
          {
            "name": "prompt",
            "in": "query",
            "description": "For authorization code flow. Space-delimited, case-sensitive list of string values that specifies whether the Authorization Server prompts the end-user for reauthentication and consent.",
            "schema": {
              "enum": [
                "login",
                "consent",
                "none"
              ],
              "type": "string",
              "x-enumDescriptions": {
                "login": "Prompts the user to authenticate.",
                "consent": "Prompts the user for consent if required. Must be passed to receive a refresh token, and when performing silent authentication to an app the user hasn't logged in to before.",
                "none": "Checks for an existing session (and consent if required). Used for silent authentication to the same app as initially logged in to."
              }
            }
          },
          {
            "name": "nonce",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. A random value that is included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It will be added to the id_token and the backend service should only accept id_tokens that include the same nonce value as the one included in the original request. Generate it with a cryptographically secure random generator, use a fresh value for every request, and keep the expected value in the user's session so the comparison cannot be influenced by the callback request itself.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "state",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks. The value should be unguessable (cryptographically random), bound to the user's browser session, and accepted only once; the callback should reject any request whose `state` is missing or does not match before exchanging the code.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "code_challenge",
            "required": false,
            "in": "query",
            "description": "Required for authorization code flow with PKCE. The code challenge derived from the `code_verifier`: with `S256`, the base64url-encoded SHA-256 hash of the verifier (RFC 7636). The `code_verifier` itself must be a high-entropy random string (43-128 characters per RFC 7636) generated per request and kept by the client until it is sent to the token endpoint. PKCE is strongly recommended for every authorization code flow, and is the only code-interception protection available to public clients (SPAs, native apps) that cannot hold a client secret.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "code_challenge_method",
            "required": false,
            "in": "query",
            "description": "Required for authorization code flow with PKCE. The hashing mechanism used to transform a code_verifier into the code_challenge in PKCE flows, must be 'S256'. Do not use the `plain` method defined by RFC 7636: it exposes the verifier in the front channel and is not accepted here.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "resource",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Resource URI the authentication request is attempting to access, which is reflected in the audience (`aud` claim) of the access token. This must be configured as resource for the application.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "claims",
            "required": false,
            "in": "query",
            "example": "{\"id_token\":{\"roles\":null}}",
            "description": "For authorization code flow. A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data.\nThe structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).\n**Note**: You should stringify the value.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "acr_values",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Requested ACR values, specified as a space-separated string. The `acr` claim of the resulting ID token will indicate which requirements were satisfied.",
            "schema": {
              "enum": [
                "mfa",
                "phone_number",
                "urn:transmit:google_direct",
                "urn:transmit:apple_direct",
                "urn:transmit:facebook_direct",
                "urn:transmit:line_direct",
                "urn:transmit:centralized"
              ],
              "type": "string",
              "x-enumDescriptions": {
                "mfa": "Requires multi-factor authentication. If it isn't satisfied, an error is returned indicating how to satisfy it via email/SMS authentication.",
                "phone_number": "Requires a verified phone number for a WebAuthn login. If it isn't yet verified, an SMS verification process will occur.",
                "urn:transmit:google_direct": "Requires Google authentication method to be used for this process.",
                "urn:transmit:apple_direct": "Requires Apple authentication method to be used for this process.",
                "urn:transmit:facebook_direct": "Requires Facebook authentication method to be used for this process.",
                "urn:transmit:line_direct": "Requires Line authentication method to be used for this process.",
                "urn:transmit:centralized": "Requires centralized authentication method to be used for this process, `centralized` is used to request authentication via the Authentication Hub."
              }
            }
          },
          {
            "name": "createNewUser",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Indicates if a new user should be created if one doesn't already exist (or associated with the app if the user isn't already). Public sign up must be enabled for this application.",
            "schema": {
              "type": "boolean",
              "default": false
            }
          },
          {
            "name": "login_hint",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Hint for the user's login identifier for WebAuthn login.",
            "example": "user@acme.com",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "custom_message",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Custom message to present on the consent screens for WebAuthn login, which provides authentication context details.",
            "example": "Welcome to Acme",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "ui_locales",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Preferred languages for the user interface for WebAuthn login, specified as a space-separated list of language tag values [RFC5646], ordered by preference.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "org_id",
            "required": false,
            "in": "query",
            "description": "For authorization code flow. Organization ID, used for member login in B2B scenarios",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "request_uri",
            "required": false,
            "in": "query",
            "description": "Required for PAR flow. The URI returned by the [PAR request](/openapi/user/oidc.openapi/other/pushedauthorizationrequest). The request_uri value is bound to the client that sent the PAR authorization request, so `client_id` must identify that same client. Per RFC 9126 the value is intended to be short-lived and single-use: obtain a new one for each authorization request and do not persist or share it.",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "303": {
            "description": "Redirects with authentication result."
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/backchannel": {
      "post": {
        "operationId": "oidcBackchannelAuthenticate",
        "summary": "Backchannel authentication",
        "description": "Start a backchannel authentication process (See [CIBA spec](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html#rfc.section.7)). The request can either be used to obtain a direct link (for example, to embed in a QR code) or to send the user a link by SMS or email. When opened, this link will initiate an authentication process. The request returns the authentication request ID that will be used to complete the process on the authenticating device (by calling `/auth/backchannel/complete`) and obtain the token. If the link channel was specified, the response will also include the link.",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "$ref": "#/components/schemas/BackchannelAuthRequest"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "The authentication request has been accepted",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BackchannelAuthResponse"
                }
              }
            }
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/device/auth": {
      "post": {
        "operationId": "oidcDeviceAuth",
        "summary": "Device authorization",
        "description": "Initiate the device flow (See [OAuth 2.0 Device Authorization Grant (RFC 8628)](https://www.rfc-editor.org/rfc/rfc8628)). This call returns a user code and verification URI for the user to approve or deny access on a separate device. Additionally, a device code is provided to obtain the token.",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "$ref": "#/components/schemas/DeviceAuthRequest"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "The authorization request has been accepted",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/DeviceAuthResponse"
                }
              }
            }
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/token": {
      "post": {
        "operationId": "oidcToken",
        "summary": "Token",
        "description": "Retrieves tokens in various OIDC/OAuth flows. It's used to retrieve an ID token and user access token upon successful user authentication (for an [authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint)), or to retrieve client access tokens for API authorization (in a [client credentials flow](https://www.rfc-editor.org/rfc/rfc6749#section-4.4)).",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "oneOf": [
                  {
                    "$ref": "#/components/schemas/AuthCodeRequest"
                  },
                  {
                    "$ref": "#/components/schemas/AuthCodeRequestWithPKCE"
                  },
                  {
                    "$ref": "#/components/schemas/ClientCredsRequest"
                  },
                  {
                    "$ref": "#/components/schemas/CIBATokenRequest"
                  },
                  {
                    "$ref": "#/components/schemas/DeviceTokenRequest"
                  },
                  {
                    "$ref": "#/components/schemas/PasswordRequest"
                  },
                  {
                    "$ref": "#/components/schemas/DelegatedAccessRequest"
                  },
                  {
                    "$ref": "#/components/schemas/RefreshTokenRequest"
                  }
                ]
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Returns user tokens",
            "content": {
              "application/json": {
                "schema": {
                  "oneOf": [
                    {
                      "$ref": "#/components/schemas/TokenResponse"
                    },
                    {
                      "$ref": "#/components/schemas/ClientCredsResponse"
                    },
                    {
                      "$ref": "#/components/schemas/PasswordResponse"
                    },
                    {
                      "$ref": "#/components/schemas/DelegatedAccessResponse"
                    }
                  ]
                }
              }
            }
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "oneOf": [
                    {
                      "$ref": "#/components/schemas/BadRequestHttpError"
                    },
                    {
                      "$ref": "#/components/schemas/AuthorizationPendingError"
                    },
                    {
                      "$ref": "#/components/schemas/AccessDeniedError"
                    },
                    {
                      "$ref": "#/components/schemas/ExpiredTokenError"
                    }
                  ]
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/token/revocation": {
      "post": {
        "operationId": "oidcRevokeToken",
        "summary": "Revocation",
        "description": "Revoke a specific token, making it no longer valid; see `token_type_hint` for the token types this endpoint accepts a hint for. Revoking a refresh token forces the user to re-authenticate if they need a new one. Call this when a user signs out or when a token may have been exposed; note that ending the browser session via `/oidc/session/end` does not revoke tokens.",
        "parameters": [],
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "$ref": "#/components/schemas/ApiTokenRevocationInput"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Token revoked successfully"
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/session/end": {
      "get": {
        "operationId": "endOidcSession",
        "summary": "Terminate sessions",
        "description": "Terminates all the user’s active sessions for this tenant. Note that running this call does not revoke valid access tokens or refresh tokens; to invalidate a refresh token, also call `/oidc/token/revocation`. See [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)",
        "parameters": [
          {
            "name": "client_id",
            "required": false,
            "in": "query",
            "description": "Recommended. Client ID initiating the logout request. If not passed, our default logout success page will be shown instead.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "id_token_hint",
            "required": false,
            "in": "query",
            "description": "Previously issued ID Token passed as a hint about the user's current authenticated session with the client.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "post_logout_redirect_uri",
            "required": false,
            "in": "query",
            "description": "Recommended. URI to which the user should be redirected after the logout has been performed. If not passed, our default logout success page will be shown instead. This URI must be configured in the client’s allowed redirect URIs.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "state",
            "required": false,
            "in": "query",
            "description": "Opaque value used to maintain state between the logout request and the post logout redirect URI (which will receive it via the `state` query parameter).",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Returns HTML that when parsed by the browser, will finish the logout flow.",
            "content": {
              "text/html": {}
            }
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/jwks": {
      "get": {
        "operationId": "oidcGetKeys",
        "summary": "JWKS",
        "description": "Returns the public signing keys (JWK Set) used to validate the signature of tokens issued by this server, such as the ID token (per [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc)). Select the key by the `kid` in the token header, check that the token's `alg` matches the key, and re-fetch the set when an unknown `kid` is encountered so that key rollover is handled without accepting unverified tokens.",
        "responses": {
          "200": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "properties": {
                    "keys": {
                      "type": "array",
                      "items": {
                        "$ref": "#/components/schemas/ApiJWKSResponse"
                      }
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/.well-known/openid-configuration": {
      "get": {
        "operationId": "getOidcConfiguration",
        "summary": "Discovery",
        "description": "Get all metadata for the OIDC server, including paths to relevant endpoints. (see [OIDC spec](https://openid.net/specs/openid-connect-discovery-1_0.html))",
        "responses": {
          "200": {
            "description": "",
            "content": {
              "application/json": {}
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    },
    "/oidc/request": {
      "post": {
        "operationId": "pushedAuthorizationRequest",
        "summary": "PAR",
        "description": "Pushed authorization request (PAR) is a secure way to initiate the authorization flow. All parameters are sent in the body of the request (see [OAuth 2.0 Pushed Authorization Requests RFC](https://www.rfc-editor.org/rfc/rfc9126)).",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "$ref": "#/components/schemas/PushedAuthorizationRequestBody"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "The request has been accepted",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/PushedAuthorizationRequestResponse"
                }
              }
            }
          },
          "400": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/BadRequestHttpError"
                }
              }
            }
          },
          "500": {
            "description": "",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/InternalServerHttpError"
                }
              }
            }
          }
        },
        "tags": [],
        "security": []
      }
    }
  },
  "info": {
    "title": "OIDC and OAuth 2.0",
    "description": "[OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) (OIDC) extends the authentication and authorization mechanisms of OAuth 2.0 with identity-focused security features like ID tokens and user profiles. Mosaic supports an OIDC-based integration option for hosted login using secure FIDO2 WebAuthn biometrics, and social providers like Google, Facebook, Apple, and LINE. <br><br>Decoupled authentication flows are supported using [Client-Initiated Backchannel Authentication (CIBA)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) or using the [OAuth Device Flow](https://www.rfc-editor.org/rfc/rfc8628) for input-limited devices.",
    "version": "",
    "contact": {}
  },
  "tags": [],
  "servers": [
    {
      "url": "https://api.sbx.transmitsecurity.io/cis",
      "description": "Sandbox environment"
    },
    {
      "url": "https://api.transmitsecurity.io/cis",
      "description": "Production environment (US)"
    },
    {
      "url": "https://api.eu.transmitsecurity.io/cis",
      "description": "Production environment (EU)"
    },
    {
      "url": "https://api.ca.transmitsecurity.io/cis",
      "description": "Production environment (CA)"
    },
    {
      "url": "https://api.au.transmitsecurity.io/cis",
      "description": "Production environment (AU)"
    }
  ],
  "components": {
    "securitySchemes": {},
    "schemas": {
      "TokenResponse": {
        "type": "object",
        "properties": {
          "access_token": {
            "type": "string",
            "description": "User access token for accessing endpoints on behalf of the authenticated user."
          },
          "id_token": {
            "type": "string",
            "description": "ID token that identifies the user."
          },
          "expires_in": {
            "type": "number",
            "description": "Lifetime of the access token in seconds, counted from when the token was issued.",
            "default": 3600
          },
          "scope": {
            "type": "string",
            "description": "Scope of the access token."
          },
          "token_type": {
            "type": "string",
            "description": "Bearer."
          },
          "refresh_token": {
            "type": "string",
            "description": "Refresh token used to refresh an expired access token. Returned only if the requested `prompt` includes `consent` and `scope` includes `offline_access`. Treat it as a long-lived credential: store it only server-side or in protected client storage, never where page scripts can read it, and revoke it via `/oidc/token/revocation` when it is no longer needed."
          }
        },
        "required": [
          "access_token",
          "id_token",
          "expires_in",
          "scope",
          "token_type"
        ]
      },
      "ClientCredsResponse": {
        "type": "object",
        "properties": {
          "access_token": {
            "type": "string",
            "description": "Client access token for accessing endpoints on behalf of the application."
          },
          "expires_in": {
            "type": "number",
            "description": "Lifetime of the access token in seconds, counted from when the token was issued.",
            "default": 3600
          },
          "scope": {
            "type": "string",
            "description": "Scope of the access token."
          },
          "token_type": {
            "type": "string",
            "description": "Bearer."
          }
        },
        "required": [
          "access_token",
          "expires_in",
          "scope",
          "token_type"
        ]
      },
      "PasswordResponse": {
        "type": "object",
        "properties": {
          "access_token": {
            "type": "string",
            "description": "User access token for accessing endpoints on behalf of the authenticated user."
          },
          "expires_in": {
            "type": "number",
            "description": "Lifetime of the access token in seconds, counted from when the token was issued.",
            "default": 3600
          },
          "scope": {
            "type": "string",
            "description": "Scope of the access token."
          },
          "token_type": {
            "type": "string",
            "description": "Bearer."
          },
          "refresh_token": {
            "type": "string",
            "description": "Refresh token used to refresh an expired access token. Returned only if the requested `prompt` includes `consent` and `scope` includes `offline_access`. Treat it as a long-lived credential: store it only server-side or in protected client storage, never where page scripts can read it, and revoke it via `/oidc/token/revocation` when it is no longer needed."
          }
        },
        "required": [
          "access_token",
          "expires_in",
          "scope",
          "token_type"
        ]
      },
      "DelegatedAccessResponse": {
        "type": "object",
        "properties": {
          "access_token": {
            "type": "string",
            "description": "Delegated user access token for accessing endpoints on behalf of the subject user."
          },
          "expires_in": {
            "type": "number",
            "description": "Lifetime of the access token in seconds, counted from when the token was issued.",
            "default": 3600
          },
          "scope": {
            "type": "string",
            "description": "Scope of the access token."
          },
          "token_type": {
            "type": "string",
            "description": "Bearer."
          },
          "issued_token_type": {
            "type": "string",
            "description": "The type of the issued token."
          }
        },
        "required": [
          "access_token",
          "expires_in",
          "scope",
          "token_type",
          "issued_token_type"
        ]
      },
      "ApiJWKSResponse": {
        "type": "object",
        "properties": {
          "kty": {
            "type": "string",
            "description": "Key type. Identifies the cryptographic algorithm family used with the key, which is 'RSA'."
          },
          "use": {
            "type": "string",
            "description": "Public key use, where `sig` indicates the public key is used to verify signatures."
          },
          "kid": {
            "type": "string",
            "description": "The 'kid' (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover."
          },
          "alg": {
            "type": "string",
            "description": "Identifies the specific algorithm intended for use with the key (`kty` gives the algorithm family)."
          },
          "e": {
            "type": "string",
            "description": "RSA public exponent value e."
          },
          "n": {
            "type": "string",
            "description": "RSA public modulus value n."
          }
        }
      },
      "ApiTokenRevocationInput": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "token": {
            "type": "string",
            "description": "Token to revoke."
          },
          "token_type_hint": {
            "type": "string",
            "description": "A hint about the type of the token submitted for revocation.",
            "enum": [
              "access_token",
              "refresh_token"
            ]
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "token"
        ]
      },
      "ClientCredsRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `client_credentials` to obtain client access tokens for API authorization.",
            "enum": [
              "client_credentials"
            ],
            "type": "string"
          },
          "resource": {
            "description": "Resource URI the authentication request is attempting to access, which is reflected in the audience (`aud` claim) of the access token. This must be configured as a resource for the application.",
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "grant_type"
        ]
      },
      "AuthCodeRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "code": {
            "description": "Authorization code received from a successful authentication flow.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `authorization_code` to identify users upon successful authentication.",
            "enum": [
              "authorization_code"
            ],
            "type": "string"
          },
          "redirect_uri": {
            "description": "Redirect URI passed in the authorization request.",
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "code",
          "grant_type",
          "redirect_uri"
        ]
      },
      "AuthCodeRequestWithPKCE": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret. Should be sent if the client is configured to enforce or allow PKCE alongside client credentials.",
            "type": "string"
          },
          "code_verifier": {
            "description": "In PKCE flows, the original random string whose transformed value was sent as `code_challenge` in the authorization request; it proves that the authorization request and this token request originate from the same client.",
            "type": "string"
          },
          "code": {
            "description": "Authorization code received from a successful authentication flow.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `authorization_code` to identify users upon successful authentication.",
            "enum": [
              "authorization_code"
            ],
            "type": "string"
          },
          "redirect_uri": {
            "description": "Redirect URI passed in the authorization request.",
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "code_verifier",
          "code",
          "grant_type",
          "redirect_uri"
        ]
      },
      "PasswordRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "username": {
            "type": "string",
            "description": "The user's username. Can be the user's primary email or phone number if `email` or `phone_number`, respectively, was used to register the password credentials (`username_type` must match the value used)."
          },
          "username_type": {
            "type": "string",
            "description": "Type of user alias used to register the password.",
            "default": "username",
            "enum": [
              "username",
              "email",
              "phone_number"
            ]
          },
          "password": {
            "type": "string",
            "description": "The user's current password."
          },
          "scope": {
            "type": "string",
            "description": "The scope of the access request."
          },
          "grant_type": {
            "description": "Should be set to `password` to identify users upon successful authentication.",
            "enum": [
              "password"
            ],
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "grant_type",
          "username",
          "password"
        ]
      },
      "DelegatedAccessRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which access is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "actor_token": {
            "type": "string",
            "description": "The access token of the actor, i.e. the user requesting access on behalf of the subject user."
          },
          "actor_token_type": {
            "type": "string",
            "description": "The type of the actor token.",
            "enum": [
              "urn:ietf:params:oauth:token-type:access_token"
            ],
            "default": "urn:ietf:params:oauth:token-type:access_token"
          },
          "subject_identifier": {
            "type": "string",
            "description": "The identifier of the subject user, i.e. the user who is delegating access."
          },
          "subject_identifier_type": {
            "type": "string",
            "description": "The type of the subject identifier.",
            "enum": [
              "user_id"
            ],
            "default": "user_id"
          },
          "scope": {
            "type": "string",
            "description": "The scope of the access request."
          },
          "grant_type": {
            "description": "Should be set to `urn:transmit:grant-type:delegated-access` to obtain an access token to act on behalf of another user.",
            "enum": [
              "urn:transmit:grant-type:delegated-access"
            ],
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "grant_type",
          "subject_identifier",
          "actor_token"
        ]
      },
      "RefreshTokenRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which access is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `refresh_token` to refresh an access token.",
            "enum": [
              "refresh_token"
            ],
            "type": "string"
          },
          "refresh_token": {
            "description": "Refresh token associated with the access token you want to refresh.",
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "grant_type",
          "refresh_token"
        ]
      },
      "CIBATokenRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "auth_req_id": {
            "description": "Unique ID of the authentication request made by the Client.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `urn:openid:params:grant-type:ciba` to identify the authentication request.",
            "enum": [
              "urn:openid:params:grant-type:ciba"
            ],
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "auth_req_id",
          "grant_type"
        ]
      },
      "DeviceTokenRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "device_code": {
            "description": "The device code obtained from the device authorization request.",
            "type": "string"
          },
          "grant_type": {
            "description": "Should be set to `urn:ietf:params:oauth:grant-type:device_code` to identify the authorization request.",
            "enum": [
              "urn:ietf:params:oauth:grant-type:device_code"
            ],
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "device_code",
          "grant_type"
        ]
      },
      "BadRequestHttpError": {
        "type": "object",
        "properties": {
          "message": {
            "example": "Bad request",
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "error_code": {
            "type": "number",
            "example": 400
          }
        },
        "required": [
          "message",
          "error_code"
        ]
      },
      "InternalServerHttpError": {
        "type": "object",
        "properties": {
          "message": {
            "type": "string",
            "example": "Something went wrong - Internal server error"
          },
          "error_code": {
            "type": "number",
            "example": 500
          }
        },
        "required": [
          "message",
          "error_code"
        ]
      },
      "AuthorizationPendingError": {
        "type": "object",
        "properties": {
          "error": {
            "type": "string",
            "default": "authorization_pending",
            "enum": [
              "authorization_pending",
              "slow_down"
            ],
            "example": "authorization_pending"
          },
          "error_description": {
            "type": "string",
            "example": "authorization request is still pending as the end-user hasn't yet completed the user interaction steps"
          }
        },
        "required": [
          "error"
        ]
      },
      "AccessDeniedError": {
        "type": "object",
        "properties": {
          "error": {
            "type": "string",
            "enum": [
              "access_denied"
            ],
            "example": "access_denied"
          },
          "error_description": {
            "type": "string",
            "example": "The end-user denied the authorization request."
          }
        },
        "required": [
          "error"
        ]
      },
      "ExpiredTokenError": {
        "type": "object",
        "properties": {
          "error": {
            "type": "string",
            "enum": [
              "expired_token"
            ],
            "example": "expired_token"
          },
          "error_description": {
            "type": "string",
            "example": "The auth_req_id has expired. The Client will need to make a new Authentication Request."
          }
        },
        "required": [
          "error"
        ]
      },
      "BackchannelAuthRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "scope": {
            "description": "Scope of the requested access. Used to request specific user details like email. Must include `openid` and can include additional values (space delimited). `offline_access` scope allows refreshing access tokens.",
            "enum": [
              "openid",
              "email",
              "phone",
              "offline_access"
            ],
            "type": "string"
          },
          "login_hint": {
            "type": "string",
            "description": "Identifier of the user for whom authentication is requested (email, phone or user_id)."
          },
          "binding_message": {
            "type": "string",
            "pattern": "^[a-zA-Z0-9-._+/!?#]{1,20}$",
            "description": "A message intended to be displayed on both consumption and authentication devices so the end-user can see how they are interconnected for the transaction.\n\n The message must be 1 - 20 characters in length and may contain only digits, letters, and the characters: -._+/!?#"
          },
          "requested_expiry": {
            "type": "integer",
            "description": "Requested expiration of the authentication request in seconds.",
            "default": 600
          },
          "request_context": {
            "type": "string",
            "description": "A stringified JSON object that contains more data about the request.\n\n Example object: \n```json\n{\n\t\"channel\": \"email\", \n\t\"login_hint_type\": \"email\", \n\t\"custom_message\": \"click on the following link to approve the access: \"\n}\n``` \n**Note**: You should stringify the value. \n| property | description |\n|-----------|-------|\n| channel | The channel to use for triggering the authentication device, one of the values: `sms` (default), `email`, `link` |\n| login_hint_type | The `login_hint` identifier type, one of the values: `phone` (default), `email`, `user_id` |\n| custom_message | Custom message to be sent when triggering the authentication device (default: `To verify it's you, click this link:`) |\n",
            "example": "{\"channel\": \"email\", \"login_hint_type\": \"email\", \"custom_message\": \"click on the following link to approve the access: \"}"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "scope",
          "login_hint"
        ]
      },
      "BackchannelAuthResponse": {
        "type": "object",
        "properties": {
          "auth_req_id": {
            "type": "string",
            "description": "A unique identifier of the authentication request."
          },
          "expires_in": {
            "type": "integer",
            "description": "A positive integer value indicating the expiration time of the `auth_req_id` in seconds since the authentication request was received.",
            "default": 600
          }
        },
        "required": [
          "auth_req_id",
          "expires_in"
        ]
      },
      "DeviceAuthRequest": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "scope": {
            "description": "Scope of the requested access. Used to request specific user details like email. Must include `openid` and can include additional values (space delimited). `offline_access` scope allows refreshing access tokens.",
            "enum": [
              "openid",
              "email",
              "phone",
              "offline_access"
            ],
            "type": "string"
          },
          "loginType": {
            "type": "string",
            "deprecated": true,
            "description": "Authentication method to be used for this process, where `centralized` is used to request authentication via the Authentication Hub.",
            "enum": [
              "google-direct",
              "apple-direct",
              "facebook-direct",
              "webauthn-direct",
              "line-direct",
              "centralized"
            ]
          },
          "acr_values": {
            "type": "string",
            "description": "Requested ACR values, specified as a space-separated string. The `acr` claim of the resulting ID token will indicate which requirements were satisfied.",
            "enum": [
              "urn:transmit:google_direct",
              "urn:transmit:apple_direct",
              "urn:transmit:facebook_direct",
              "urn:transmit:line_direct",
              "urn:transmit:centralized"
            ],
            "x-enumDescriptions": {
              "urn:transmit:google_direct": "Requires Google authentication method to be used for this process.",
              "urn:transmit:apple_direct": "Requires Apple authentication method to be used for this process.",
              "urn:transmit:facebook_direct": "Requires Facebook authentication method to be used for this process.",
              "urn:transmit:line_direct": "Requires Line authentication method to be used for this process.",
              "urn:transmit:centralized": "Requires centralized authentication method to be used for this process, `centralized` is used to request authentication via the Authentication Hub."
            }
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "scope",
          "acr_values"
        ]
      },
      "DeviceAuthResponse": {
        "type": "object",
        "properties": {
          "device_code": {
            "type": "string",
            "description": "The device code to be used to obtain a token."
          },
          "user_code": {
            "type": "string",
            "description": "The user code to be displayed to the user."
          },
          "verification_uri": {
            "type": "string",
            "description": "The URI where the end user submits the `user_code` on the input page for verification."
          },
          "verification_uri_complete": {
            "type": "string",
            "description": "(Recommended) The verification URI with the `user_code` already embedded, so the end user can skip the input page."
          },
          "expires_in": {
            "type": "integer",
            "description": "The number of seconds before the `device_code` expires.",
            "default": 600
          }
        },
        "required": [
          "device_code",
          "user_code",
          "verification_uri",
          "expires_in"
        ]
      },
      "PushedAuthorizationRequestBody": {
        "type": "object",
        "properties": {
          "client_id": {
            "description": "Client ID for which authentication is requested.",
            "type": "string"
          },
          "client_secret": {
            "description": "Client secret.",
            "type": "string"
          },
          "redirect_uri": {
            "description": "URI to redirect to upon completion of the authentication flow. This is the server GET endpoint used to call the token endpoint, and should accept `code` as a query parameter. This URI must also be configured as an allowed redirect URI in the Admin Portal.",
            "type": "string"
          },
          "response_type": {
            "description": "Response type requested for the authentication flow.",
            "enum": [
              "code"
            ],
            "type": "string"
          },
          "scope": {
            "description": "Scope of the requested access. Used to request specific user details like email. Must include `openid` and can include additional values (space delimited). `offline_access` scope allows refreshing access tokens.",
            "enum": [
              "openid",
              "email",
              "phone",
              "offline_access"
            ],
            "type": "string"
          },
          "prompt": {
            "description": "Space-delimited, case-sensitive list of string values that specifies whether the Authorization Server prompts the end-user for reauthentication and consent.",
            "enum": [
              "none",
              "login",
              "consent"
            ],
            "type": "string"
          },
          "nonce": {
            "description": "A random value that is included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It will be added to the id_token and the backend service should only accept id_tokens that include the same nonce value as the one included in the original request.",
            "type": "string"
          },
          "state": {
            "description": "An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, and should be validated by your server to protect against cross-site request forgery (CSRF) attacks.",
            "type": "string"
          },
          "resource": {
            "description": "Resource URI the authentication request is attempting to access, which is reflected in the audience (`aud` claim) of the access token. This must be configured as a resource for the application.",
            "type": "string"
          },
          "claims": {
            "description": "A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data.\nThe structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).\n**Note**: You should stringify the value.",
            "type": "string"
          },
          "acr_values": {
            "description": "Requested ACR values, specified as a space-separated string. The `acr` claim of the resulting ID token will indicate which requirements were satisfied.",
            "enum": [
              "mfa",
              "phone_number",
              "urn:transmit:google_direct",
              "urn:transmit:apple_direct",
              "urn:transmit:facebook_direct",
              "urn:transmit:line_direct",
              "urn:transmit:centralized"
            ],
            "type": "string"
          },
          "createNewUser": {
            "description": "Indicates if a new user should be created if one doesn't already exist (or associated with the app if the user isn't already). Public sign up must be enabled for this application.",
            "type": "boolean",
            "default": false
          },
          "login_hint": {
            "description": "Hint for the user's login identifier for WebAuthn login.",
            "type": "string"
          },
          "custom_message": {
            "description": "Custom message to present on the consent screens for WebAuthn login, which provides authentication context details.",
            "type": "string",
            "example": "Welcome to Acme"
          },
          "ui_locales": {
            "description": "Preferred languages for the user interface for WebAuthn login, specified as a space-separated list of language tag values [RFC5646], ordered by preference.",
            "type": "string"
          },
          "org_id": {
            "description": "Organization ID, used for member login in B2B scenarios.",
            "type": "string"
          },
          "code_challenge": {
            "description": "The transformed (hashed) value of the `code_verifier`, required for PKCE.",
            "type": "string"
          },
          "code_challenge_method": {
            "description": "The method used to derive the `code_challenge` from the `code_verifier` in PKCE flows; must be `S256`.",
            "type": "string"
          }
        },
        "required": [
          "client_id",
          "client_secret",
          "response_type",
          "redirect_uri"
        ]
      },
      "PushedAuthorizationRequestResponse": {
        "type": "object",
        "properties": {
          "request_uri": {
            "type": "string",
            "description": "A single-use reference to the respective request data in the subsequent authorization request."
          },
          "expires_in": {
            "type": "integer",
            "description": "A positive integer value indicating the expiration time of the `request_uri` in seconds since the request was received.",
            "default": 60
          }
        },
        "required": [
          "request_uri",
          "expires_in"
        ]
      }
    }
  }
}