Get client access tokens

Transmit APIs are authorized using Bearer access tokens in the header of the request. These tokens are retrieved from the oidc/token endpoint (defined by the OIDC standard) using your app's client credentials. The tokens are JWT tokens and are valid for one hour. For the token structure, see our Token reference.


To authorize operations across all apps of your tenant, you'll need a admin access token. This is a token retrieved using client credentials that corresponds to a Management Application created from the Settings page of the Admin Portal.

Retrieve access tokens

To retrieve a client access token, send the following HTTP POST request:

curl -i -X POST \ \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d grant_type=client_credentials \
-d client_id=[CLIENT_ID] \
-d client_secret=[CLIENT_SECRET]

where [CLIENT_ID] and [CLIENT_SECRET] should be substituted with your app's client credentials. They can be found from the Transmit Admin Portal by selecting your application from Applications. If you don't already have an application, you'll need to create one first (see Create application).

  • When generating access tokens for Detection and Response or Identity Verification services, target them to the relevant resources by passing their URLs in the resource parameter. See Authorization
  • With the resource parameter, you can restrict access to a specific resource within your application. A resource should be configured for this application (see Manage resources ). The targeted resource will be reflected in the audience ( aud claim) of the access token.

Check token expiration

Client access tokens are valid for one hour since the time they were generated. Since they are JWT tokens, you can check expiration from the exp claim of the token. Expired client access tokens cannot be refreshed.

Here are some basic claims included in the token:

Claim Description
sub Subject of the token. This is the client-id
iss Issuer, identifies the principal that issued the JWT
aud Audience, identifies the recipients that the JWT is intended for
exp Expiration time, in epoch time format. The token will not be accepted on or after this time
iat Issued At, identifies the time the JWT was issued.