Passwordless


Provide your users a passwordless authentication experience

Login with WebAuthn Hosted

Authenticate the user using secured biometrics. This endpoint should be called from the user's browser. It will redirect the User Agent to the login page and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
login_hint
string

Hint for the user's login identifier.

Example: login_hint=user@acme.com
custom_message
string

Custom message to present on the consent screens, which provides authentication context details.

Example: custom_message=Welcome to Acme
verifications
string

List of data verifications to try and execute, specified as a space-delimited string. Email address will be verified by default, but this can be used to request a verified phone number (phone). If the data is already verified, it won't be verified again. The acr claim of the resulting ID token will indicate which data is verified.

Example: verifications=phone
ui_locales
string

Preferred languages for the user interface, specified as a space-separated list of language tag values [RFC5646], ordered by preference.

Responses
302

Redirect with code

400
GET /v1/auth/webauthn
Request samples
curl -i -X GET \
  'https://api.userid.security/v1/auth/webauthn?client_id=string&redirect_uri=string&create_new_user=true&resource=string&require_mfa=false&login_hint=string&custom_message=string&verifications=string&ui_locales=string'
Response samples
application/json
{
  "message": "Invalid redirect_uri",
  "error_code": 400
}

Login with Apple

Authenticate the user using Sign in with Apple. This endpoint should be called from the user's browser. It will redirect the User Agent to the Apple IDP and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
Responses
302

Redirect with code

400
GET /v1/auth/apple
Request samples
curl -i -X GET \
  'https://api.userid.security/v1/auth/apple?client_id=string&redirect_uri=string&create_new_user=true&resource=string&require_mfa=false'
Response samples
application/json
{
  "message": "Invalid redirect_uri",
  "error_code": 400
}

Login with Facebook

Authenticate the user using Facebook Login. This endpoint should be called from the user's browser. It will redirect the User Agent to the Facebook IDP and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
Responses
302

Redirect with code

400
GET /v1/auth/facebook
Request samples
curl -i -X GET \
  'https://api.userid.security/v1/auth/facebook?client_id=string&redirect_uri=string&create_new_user=true&resource=string&require_mfa=false'
Response samples
application/json
{
  "message": "Invalid redirect_uri",
  "error_code": 400
}

Login with Google

Authenticate the user using Google Sign-In. This endpoint should be called from the user's browser. It will redirect the User Agent to the Google IDP and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
Responses
302

Redirect with code

400
GET /v1/auth/google
Request samples
curl -i -X GET \
  'https://api.userid.security/v1/auth/google?client_id=string&redirect_uri=string&create_new_user=true&resource=string&require_mfa=false'
Response samples
application/json
{
  "message": "Invalid redirect_uri",
  "error_code": 400
}

Login with LINE

Authenticate the user using LINE login. This endpoint should be called from the user's browser. It will redirect the User Agent to the LINE IDP and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
Responses
302

Redirect with code

400
GET /v1/auth/line
Request samples
curl -i -X GET \
  'https://api.userid.security/v1/auth/line?client_id=string&redirect_uri=string&create_new_user=true&resource=string&require_mfa=false'
Response samples
application/json
{
  "message": "Invalid redirect_uri",
  "error_code": 400
}

Send email link

Send a magic link by email to a user

Security: HTTP bearer
Request
Request Body schema: application/json
email
required
string

Email of the user to send the email to

redirect_uri
required
string

URI where the email link will redirect to. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal.

create_new_user
boolean
Default: false

Indicates whether to create a new user at the end of the authentication flow if a user is not found for the provided email. If enabled, public signups must also be configured as allowed for the application.

email_content
object

Texts, logo and color to render email template with

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

client_attributes
object

Login attributes

Responses
200
400
404
POST /v1/auth/links/email
Request samples
application/json
{
  "email": "name@example.com",
  "create_new_user": false,
  "email_content": { },
  "require_mfa": true,
  "client_attributes": { }
}
Response samples
application/json
{
  "message": "Email sent successfully"
}

Send email OTP

Send a one-time passcode (OTP) by email to the given email address.

Security: HTTP bearer
Request
Request Body schema: application/json
email
required
string

Email to send the OTP to

redirect_uri
required
string

URI that will receive the authorization code once the email OTP is validated. This is the server GET endpoint used to call the token endpoint, and should accept 'code' as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal.

create_new_user
boolean
Default: false

Indicates whether to create a new user at the end of the authentication flow if a user is not found for the provided email. If enabled, public signups must also be configured as allowed for the application.

email_content
object

Texts, logo and color to render email template with

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Responses
200
400
404

User Not Found

POST /v1/auth/otp/email
Request samples
application/json
{
  "email": "name@example.com",
  "create_new_user": false,
  "email_content": { },
  "require_mfa": true
}
Response samples
application/json
{
  "message": "Email sent successfully"
}

Validate email OTP

Validate a one-time passcode sent by email to a user. The endpoint will return a URI which can be used to redirect the client in order to complete authentication.

Security: HTTP bearer
Request
Request Body schema: application/json
email
required
string

Email that the OTP was sent to

passcode
required
string

Email code to validate

Responses
200
400
POST /v1/auth/otp/email/validation
Request samples
application/json
{
  "email": "string",
  "passcode": "string"
}
Response samples
application/json
{
  "result": "string"
}

Send SMS OTP

Send a one-time passcode (OTP) by SMS to the given phone number

Security: HTTP bearer
Request
Request Body schema: application/json
phone_number
required
string

Phone number to send the OTP to

create_new_user
required
boolean
Default: false

Indicates whether to create a new user at the end of the authentication flow if a user is not found for the provided phone number. If enabled, public signups must also be configured as allowed for the application.

redirect_uri
required
string

URI that will receive the authorization code once the SMS OTP is validated. This is the server GET endpoint used to call the token endpoint, and should accept 'code' as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

custom_message
string

Message to send. It must contain the {otp} and {app} placeholders, which are replaced with the one-time password and the application name. Limited to 140 characters.

sender_id
string

The sender name that appears as the message sender on recipients' devices. Limited to 11 characters. Support is limited; see https://docs.aws.amazon.com/sns/latest/dg/sns-supported-regions-countries.html

Responses
200
400
404

User Not Found

POST /v1/auth/otp/sms
Request samples
application/json
{
  "phone_number": "string",
  "create_new_user": false,
  "redirect_uri": "string",
  "require_mfa": true,
  "custom_message": "string",
  "sender_id": "string"
}
Response samples
application/json
{
  "message": "SMS sent"
}
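The following pre-flight check for a Send SMS OTP request body is an added example, not part of the Transmit reference. It enforces only the constraints stated above; the function name and sample bodies are hypothetical, and it assumes the 140-character limit applies to the message template as written.

```python
REQUIRED = ("phone_number", "create_new_user", "redirect_uri")
PLACEHOLDERS = ("{otp}", "{app}")


def check_sms_otp_body(body):
    """Return the problems found in a POST /v1/auth/otp/sms body (empty = ok)."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in body]
    for flag in ("create_new_user", "require_mfa"):
        if flag in body and not isinstance(body[flag], bool):
            problems.append(f"{flag} must be a boolean")
    message = body.get("custom_message")
    if message is not None:
        # Both placeholders are mandatory, otherwise the SMS carries no code
        # or no application name.
        problems += [f"custom_message lacks {p}" for p in PLACEHOLDERS if p not in message]
        if len(message) > 140:  # assumption: limit counted on the template
            problems.append("custom_message exceeds 140 characters")
    sender = body.get("sender_id")
    if sender is not None and len(sender) > 11:
        problems.append("sender_id exceeds 11 characters")
    return problems


# Constructed sample bodies (not taken from the reference).
GOOD_BODY = {
    "phone_number": "+15555550100",
    "create_new_user": False,
    "redirect_uri": "https://www.example.com/login",
    "require_mfa": True,
    "custom_message": "{app}: your code is {otp}",
    "sender_id": "Acme",
}
BAD_BODY = {
    "phone_number": "+15555550100",
    "redirect_uri": "https://www.example.com/login",
    "custom_message": "Your code is {otp}",
    "sender_id": "AcmeSecurity",  # 12 characters
}
```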

Validate SMS OTP

Validate a one-time passcode sent by SMS to a user. The endpoint will return a URI which can be used to redirect the client in order to complete authentication.

Security: HTTP bearer
Request
Request Body schema: application/json
phone_number
required
string

Phone number that the SMS OTP was sent to

passcode
required
string

SMS code to validate

Responses
200
400
POST /v1/auth/otp/sms/validation
Request samples
application/json
{
  "phone_number": "string",
  "passcode": "string"
}
Response samples
application/json
{
  "result": "string"
}

Exchange code for token

Retrieve ID and access tokens. This API is used to retrieve ID and access tokens using the code that was returned in the redirect URI as a query parameter (for example, when the user clicks a magic link). It may also create a new user if create_new_user was set to true in the send request and no user exists for the email address or phone number (depending on the flow).

Request
Request Body schema: application/json
code
required
string

Authorization code returned in the redirect URI as a query parameter upon successful authentication

client_id
required
string <= 50 characters

Client ID of the application requesting the token

client_secret
required
string <= 50 characters

Client Secret of the application requesting the token

Responses
200
400
POST /v1/token
Request samples
application/json
{
  "code": "GZxLFKTDCnlANVTxNvaWz7AIGPpXqZYSXdAwjiWRuOH",
  "client_id": "DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV",
  "client_secret": "FzxvdDMbvxnc45sdfb789XCVGEW6usazxcvbw3KPsb23"
}
Response samples
application/json
{
  "id_token": "string",
  "access_token": "string",
  "refresh_token": "string",
  "is_user_created": true
}
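The redirect-based logins and the token exchange described above fit together as sketched below. This is an added example, not code from the Transmit reference: the function names and the app-side copy of the allowed redirect URIs are hypothetical, and the token request is built but not sent.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

API_BASE = "https://api.userid.security"  # host from the page's curl samples
PROVIDERS = {"webauthn", "apple", "facebook", "google", "line"}
COMMON_OPTS = {"create_new_user", "resource", "require_mfa"}
WEBAUTHN_OPTS = COMMON_OPTS | {"login_hint", "custom_message", "verifications", "ui_locales"}


def build_login_url(provider, client_id, redirect_uri, allowed_redirects, **opts):
    """URL for GET /v1/auth/<provider>; the browser is redirected here."""
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider: {provider}")
    if not client_id or len(client_id) > 150:
        raise ValueError("client_id is required, at most 150 characters")
    # Mirror the portal allow-list locally (hypothetical app-side copy) so a
    # tampered redirect_uri fails before the user leaves the site.
    if redirect_uri not in allowed_redirects:
        raise ValueError("redirect_uri is not an allowed redirect URI")
    documented = WEBAUTHN_OPTS if provider == "webauthn" else COMMON_OPTS
    unknown = set(opts) - documented
    if unknown:
        raise ValueError(f"not documented for {provider}: {sorted(unknown)}")
    params = {"client_id": client_id, "redirect_uri": redirect_uri}
    for name, value in opts.items():
        params[name] = str(value).lower() if isinstance(value, bool) else value
    return f"{API_BASE}/v1/auth/{provider}?{urlencode(params)}"


def extract_code(callback_url, redirect_uri):
    """Return the single 'code' query value from a hit on redirect_uri."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]


def build_token_request(code, client_id, client_secret):
    """Server-side POST /v1/token; client_secret must never reach the browser."""
    body = {"code": code, "client_id": client_id, "client_secret": client_secret}
    return urllib.request.Request(
        f"{API_BASE}/v1/token",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
```

Passing the returned request to urllib.request.urlopen from the server that handles redirect_uri performs the exchange; load client_secret from server-side configuration rather than embedding it in page code.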

Logout

Log out the user from a specific session. The user and session are derived from the access token used to authorize the request (which was issued based on the authentication that created the session).

Security: HTTP bearer
Responses
200

Sessions deleted successfully

400
401
POST /v1/auth/logout
Request samples
curl -i -X POST \
  https://api.userid.security/v1/auth/logout \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'
Response samples
application/json
{
  "sessions_count": 0
}