Get client access tokens
Transmit APIs are authorized using Bearer access tokens in the header of the request. These tokens are retrieved from the oidc/token endpoint (defined by the OIDC standard) using your app's client credentials. The tokens are JWT tokens and are valid for one hour. For the token structure, see our Token reference.
Note
To authorize operations across all apps of your tenant, you'll need a admin access token. This is a token retrieved using client credentials that corresponds to a Management Application created from the Settings page of the Admin Portal.
Retrieve access tokens
To retrieve a client access token, send the following HTTP POST request:
curl --location --request POST 'https://api.userid.security/oidc/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[CLIENT_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]'where [CLIENT_ID] and [CLIENT_SECRET] should be substituted with your app's client credentials. They can be found from the Transmit Admin Portal by selecting your application from Applications. If you don't already have an application, you'll need to create one first (see Create application).
Note
You can target the access to specific resources using the resource parameter, by passing the URI of a resource configured for this application (see Manage resources). The targeted resource will be reflected in the audience (aud claim) of the access token.
Check token expiration
Client access tokens are valid for one hour since the time they were generated. Since they are JWT tokens, you can check expiration from the exp claim of the token. Expired client access tokens cannot be refreshed.
Here are some basic claims included in the token:
| Claim | Description |
|---|---|
| sub | Subject of the token. This is the client-id |
| iss | Issuer, identifies the principal that issued the JWT. |
| aud | Audience, identifies the recipients that the JWT is intended for |
| exp | Expiration time, in epoch time format. The token will not be accepted on or after this time. |
| iat | Issued At, identifies the time the JWT was issued. |