Get client access tokens

Transmit APIs are authorized using Bearer access tokens in the header of the request. These tokens are retrieved from the oidc/token endpoint (defined by the OIDC standard) using your app's client credentials. The tokens are JWT tokens and are valid for one hour. For the token structure, see our Token reference.

Note

To authorize operations across all apps of your tenant, you'll need an admin access token. This is a token retrieved using client credentials that correspond to a Management Application created from the Settings page of the Admin Portal.

Retrieve access tokens

To retrieve a client access token, send the following HTTP POST request:

curl --location --request POST 'https://api.userid.security/oidc/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[CLIENT_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]'

Replace [CLIENT_ID] and [CLIENT_SECRET] with your app's client credentials. You can find them in the Transmit Admin Portal by selecting your application from Applications. If you don't already have an application, you'll need to create one first (see Create application).

Note

You can target the access to specific resources using the resource parameter, by passing the URI of a resource configured for this application (see Manage resources). The targeted resource will be reflected in the audience (aud claim) of the access token.

Check token expiration

Client access tokens are valid for one hour from the time they were generated. Since they are JWT tokens, you can check expiration from the exp claim of the token. Expired client access tokens cannot be refreshed.

Here are some basic claims included in the token:

| Claim | Description |
|-------|-------------|
| sub | Subject of the token. This is the client-id. |
| iss | Issuer, identifies the principal that issued the JWT. |
| aud | Audience, identifies the recipients that the JWT is intended for. |
| exp | Expiration time, in epoch time format. The token will not be accepted on or after this time. |
| iat | Issued At, identifies the time the JWT was issued. |
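
The following is an added example, not code from Transmit: a client-side check that reads the exp claim of a cached token and decides whether to request a new one from oidc/token (expired tokens cannot be refreshed). The function names, the 60-second skew and the sample token's claim values are assumptions made for illustration; the payload is decoded without signature verification, which is only appropriate for a client inspecting its own token.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Only for a client inspecting its own token; an API that receives a
    token must verify the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def needs_new_token(token, now=None, skew=60):
    """True if the token is expired or within `skew` seconds of exp."""
    exp = read_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True  # no usable exp claim: treat as expired
    now = time.time() if now is None else now
    # The token is rejected "on or after" exp, so compare with >=.
    return now + skew >= exp


def make_sample_token(iat):
    # Constructed sample: placeholder claim values and a dummy signature.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "example-client-id", "iss": "https://issuer.example",
               "aud": "https://resource.example", "iat": iat, "exp": iat + 3600}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


SAMPLE_IAT = 1_700_000_000  # constructed issue time
SAMPLE_TOKEN = make_sample_token(SAMPLE_IAT)  # valid for one hour from iat
```

When needs_new_token returns True, repeat the client credentials request shown under Retrieve access tokens and replace the cached token.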