Transmit Security builds every feature using an API-first approach, to give you APIs that are consistent, reusable, and well-designed. This lets you create great identity experiences for your users, and develop better products—faster.

Base URL

Transmit APIs are served over HTTPS. The endpoint paths are relative to the base URL, which is comprised of:

  • Scheme, which defines the protocol used. Always https .
  • Host, which varies depending on the tenant's region. Hosts are production environments.
    • (global, US)
    • (EU)
    • (Canada)
    • (Australia)
  • ServiceID, which identifies the type of service:
    • cis — Identity Management and Authentication services
    • risk — Detection and Response services
    • verify — Identity Verification services

For example:

  • https: // / risk /v1/recommendation
  • \_scheme_/\__________host___________/\_serviceID_/\__endpoint_path__/

Examples in Transmit documentation always leverage the global host ( Make sure to check the correct base URL for your region and adjust code snippets as needed.


All API requests must be made over HTTPS. Depending on the API, authentication is performed either using:

  • Client ID only
  • Client ID and Client Secret
  • OAuth2 Access Token in the Authorization header using Bearer authentication scheme

Access tokens

These are the types of access tokens that can be used to authorize API calls in Transmit.

  • Client access tokens — generated using your app credentials
  • Admin access tokens — generated using credentials of management apps
  • User access tokens — returned upon successful user authentication

For more information about token types, see Token reference.


In some cases, client access tokens must be generated for the specific service you want to use. For Detection and Response, and Identity Verification services, specify the relevant resource when generating the token. See Authorization.

To generate access tokens to run API calls right from the docs, using the Try it button.


Conventional HTTP response codes are used to indicate the success or failure of an API call:

  • 2xx or 3xx codes indicate success
  • 5xx codes indicate a Transmit Server server error (rare)
  • 4xx codes indicate other failures (missing params, unauthorized, applicative errors, etc.)