Get client access tokens
Mosaic APIs are authorized using Bearer access tokens in the header of the request. These tokens are retrieved from the oidc/token endpoint (defined by the OIDC standard) using your app's client credentials. The tokens are JWT tokens and are valid for one hour—you can reuse tokens multiple times when calling Mosaic APIs during this hour. For the token structure, see our Token reference.
Note
To authorize operations across all apps of your tenant, you'll need a admin access token. This is a token retrieved using client credentials that corresponds to a Management Application created from the Settings page of the Admin Portal.
Retrieve access tokens
To retrieve a client access token, send the following HTTP POST request:
curl -i -X POST \
https://api.transmitsecurity.io/oidc/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d grant_type=client_credentials \
-d client_id=[CLIENT_ID] \
-d client_secret=[CLIENT_SECRET]where [CLIENT_ID] and [CLIENT_SECRET] should be substituted with your app's client credentials. They can be found from the Mosaic Admin Portal by selecting your application from Applications. If you don't already have an application, you'll need to create one first (see Create application).
Notes
-
When generating access tokens for
Detection and Response
or
Identity Verification
services, target them to the relevant resources by passing their URLs in the
resourceparameter. See Authorization -
With the
resourceparameter, you can restrict access to a specific resource within your application. A resource should be configured for this application (see Manage resources ). The targeted resource will be reflected in the audience (audclaim) of the access token.
Check token expiration
Client access tokens are valid for one hour since the time they were generated. Since they are JWT tokens, you can check expiration from the exp claim of the token. Expired client access tokens cannot be refreshed.
Here are some basic claims included in the token:
| Claim | Description |
|---|---|
| sub | Subject of the token. This is the client-id |
| iss | Issuer, identifies the principal that issued the JWT |
| aud | Audience, identifies the recipients that the JWT is intended for |
| exp | Expiration time, in epoch time format. The token will not be accepted on or after this time |
| iat | Issued At, identifies the time the JWT was issued. |