Client access tokens

Client access tokens are used to authorize backend API calls to Transmit services. They are retrieved by calling the /oidc/token endpoint using a client credentials flow (see Get client access tokens), and passed in the Authorization header of API calls to authorize them. This describes the structure and semantics of the client access tokens returned by Transmit.


The access token is a JWT (Json Web Token) signed by Transmit. It contains standard JWT claims, and describes the access context (such as the client/app/tenant for which it was generated, which resources it can access, scope of permissions, etc.).

Claim Description Type
sub Subject of the token (client_id) String
iss Issuer of the token, which should match the issuer returned from the /oidc/jwks endpoint. String
iat Time the token was issued. Number
exp Expiration time, in epoch time format. The token will not be accepted on or after this time. Number
aud Audience, which is the intended recipient of the token. If a specific resource is requested, this contains the resource URI. Default is userid-api. String
scope Requested scopes, as a space delimited string String
role Contains the Admin role for an admin access token (which are generated using credentials of a Management Application). Array
client_id Identifer of the client that requested the access. String
app_name Friendly name of the application that requested the access. String
app_id Identifer of the application that requested the access. String
tid Identifer of the tenant that requested the access. String

Token example

Here's an example of a decoded client access token:

  "tid": "6oi3tjkijshdfgekwjfwey9",
  "app_name": "Acme",
  "app_id": "zl2trg3sanjsd63qs7se",
  "roles": [],
  "jti": "ABCSrjsReaYKk-FSHHZU",
  "sub": "u6jkjhsdf87efbwv57u",
  "iat": 1675590719,
  "exp": 1675594319,
  "scope": "openid offline_access",
  "client_id": "pVEZaxjhbdshcudsLe",
  "iss": "",
  "aud": "userid-api"