How authentication works
User authentication can protect your whole application or only specific resources. The authentication process identifies the user and grants them access based on roles, permissions, scopes, and so on.
Choose from a wide variety of authentication methods, including WebAuthn-based biometrics, email magic links, SMS one-time passcodes, social login, and more. Consider which methods work best for your customers and use case. For example, WebAuthn-based biometric login is phishing-resistant and a strong choice for logging users into their bank account, whereas social login is fast and convenient for signing up customers to a retail app.
Your login preferences configure the methods you'd like to use, such as branding email templates for magic link authentication, or setting up the OAuth credentials for a social login provider. You can manage your login preferences from the Admin Portal or using Administration APIs.
Regardless of method, every authentication flow includes:
- User authenticates using the chosen method
- Upon successful authentication, a single-use authorization code is returned to your app
- Your app exchanges this code for tokens that identify the user and grant them access; the exchange is done from your backend with your client credentials, so the code alone is worthless to anyone who intercepts it
- Optionally, a new user is created (if you allow authentication to implicitly onboard new users)
Upon authentication, user data is returned in the ID token. Aside from the default claims that are always returned, custom claims can be returned by requesting them. For a complete list and structure of the ID token claims, see our Token reference.
For example, the ID token may include the following (depending on what you request):
- User's identifier in your Transmit tenant
- User's external identifiers in your system
- User's name, emails, phone numbers, address, etc.
- Authentication method that was used
- Whether a new user was created as part of the flow
- User's groups, roles, and permissions
- Any of the custom user data that you've set for this user
A user access token is returned upon each successful authentication. It describes the access that was granted, including the requested scopes (the scope claim) and which resource the user is allowed to access (based on what was requested). The token also carries an expiration, which should be checked before each use, along with the token's signature and audience. User access tokens are returned together with a refresh token that can be used to obtain a new access token without requiring the user to re-authenticate; treat the refresh token as a credential and store it securely. For the claims and structure of the access token, see our Token reference.
Once you've identified the user, you can leverage our identity management capabilities to:
- Enrich the user's profile with verified data
- Authorize access based on the user's role and permissions
- Use the created session to keep them logged in until it expires or they log out