API reference

Transmit Security builds every feature using an API-first approach, to give you APIs that are consistent, reusable, and well-designed. This lets you to create great identity experiences for your users, and develop better products—faster.


All API requests must be made over HTTPS. Depending on the API, authentication is performed either using:

  • Client ID only
  • Client ID and Client Secret
  • OAuth2 Access Token in the Authorization header using Bearer authentication scheme

Access tokens

As needed, OAuth2 access tokens can be generated using client credentials retrieved from the Admin Portal.

For user-facing APIs (such as authorized Authentication APIs), these credentials correspond to the application the user wants to access. APIs that require an existing user session (such as Verification APIs) are authorized using the access token returned upon successful user authentication.

For Management APIs, credentials either correspond to a Management Application to provide access to all apps of the tenant, or corresponding to application credentials and only process access to this application.


See Authorization to generate access tokens to run API calls right from the docs, using the Try it button.


Conventional HTTP response codes are used to indicate the success or failure of an API call:

  • 2xx or 3xx codes indicate success
  • 5xx indicate a Transmit Server server error (rare)
  • 4xx codes indicate other failures (missing params, unauthorized, applicative errors, etc.)