Mobile Biometrics


Log in users with native mobile biometrics. This process relies on the device's ability to use its built-in biometric sensors. To support mobile biometrics in the app, first implement the SDK call that creates an authenticator (a cryptographic key pair) on the end-user device, then register this authenticator with Transmit. The private key remains securely stored on the device, protected by biometrics, while the public key is registered with Transmit for the given user. To authenticate, the device uses mobile biometrics to unlock the private key and sign a challenge, which Transmit then verifies. Note: registration and authentication are both two-step procedures that start by calling the client-side SDK provided by Transmit and complete using these APIs.

Authenticate with mobile biometrics

Completes authentication in Transmit. Before calling this API, invoke the client-side SDK provided by Transmit to sign a challenge using the private key stored on the device; the SDK does this only after the user has verified themselves with biometrics. Returns an access token for the user associated with the key.

Security: OAuth2 (ClientAccessToken)

Request body (application/json, required):

resource (string, optional)
    Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as a resource for the application.

claims (object, optional)
    Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC standard. For supported claims and how to request custom claims, see the ID Token Reference.

org_id (string, optional)
    Organization ID, used for member login in B2B scenarios.

client_attributes (object, optional)
    Client attributes.

session_id (string, optional)
    Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

signature (string, required)
    Signed challenge returned by the SDK authentication call.

challenge (string, required)
    String used to create the attestation.

key_id (string, required)
    ID of the key.

user_id (string, required)
    ID of the user.

Responses:

200: Returns user tokens.

Endpoint: POST /v1/auth/mobile-biometrics/authenticate

Request sample (application/json):

{
  "resource": "string",
  "claims": {},
  "org_id": "string",
  "client_attributes": {},
  "session_id": "string",
  "signature": "string",
  "challenge": "string",
  "key_id": "string",
  "user_id": "string"
}

Response sample (application/json):

{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "token_type": "string",
  "expires_in": 3600,
  "session_id": "string"
}

Register mobile biometrics

Completes mobile biometrics registration in Transmit. Before calling this API, create an authenticator (cryptographic key-pair) on the end-user's device by invoking the client-side SDK provided by Transmit. This API must be called from the backend using the user access token returned upon successful authentication. If successful, the mobile biometrics authenticator will be registered for the user that corresponds to the authorization token.
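The registration and authentication flows described above, as an added Go model that is not Transmit's SDK or server code: the device creates a key pair and registers only the public key under (user_id, key_id); the server issues a random single-use challenge, the device signs it after the biometric prompt, and the server verifies the signature with the key registered for exactly that user before discarding the challenge. Assumed (not stated on the page): ECDSA P-256 over SHA-256, a base64 challenge string, and in-memory maps standing in for Transmit's stores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Server stands in for Transmit: public keys keyed by user_id/key_id, plus issued challenges.
type Server struct {
	Keys        map[string]*ecdsa.PublicKey
	Outstanding map[string]bool
}

// NewDeviceKey models the SDK creating the authenticator key pair on the device (P-256 assumed).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Register models /register: only the public key is stored; the private key stays on the device.
func (s *Server) Register(userID, keyID string, pub *ecdsa.PublicKey) { s.Keys[userID+"/"+keyID] = pub }

// NewChallenge issues a fresh random challenge and records it as single-use.
func (s *Server) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := base64.StdEncoding.EncodeToString(b)
	s.Outstanding[c] = true
	return c
}

// Both sides sign and verify the SHA-256 digest of the challenge string.
func digest(challenge string) []byte { h := sha256.Sum256([]byte(challenge)); return h[:] }
// DeviceSign models the SDK call: the biometric prompt (assumed to have passed) gates the private key.
func DeviceSign(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, priv, digest(challenge)) }

// Authenticate models /authenticate: consume the challenge on first use, then verify under the key registered for this user_id/key_id.
func (s *Server) Authenticate(userID, keyID, challenge string, sig []byte) error {
	fresh := s.Outstanding[challenge]
	delete(s.Outstanding, challenge) // one attempt per challenge, whether it verifies or not
	pub, ok := s.Keys[userID+"/"+keyID]
	if !fresh || !ok {
		return errors.New("challenge unknown or used, or no such key for this user")
	}
	if !ecdsa.VerifyASN1(pub, digest(challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

The lookup by both user_id and key_id is what stops a key registered to one user from authenticating another, and consuming the challenge before verification is what stops a captured signature from being replayed.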

Security: HTTP (UserAccessToken)

Request body (application/json, required):

publicKey (string, required)
    Public key generated by the SDK registration call.

publicKeyId (string, required)
    ID of the public key.

challenge (string, optional)
    String used to create the attestation.

attestation_encoded_result (string, optional)
    Encoded attestation data.

os (string, required)
    OS type.

Responses:

200: Register mobile biometrics.
400
404

Endpoint: POST /v1/auth/mobile-biometrics/register

Request sample (application/json):

{
  "publicKey": "string",
  "publicKeyId": "string",
  "challenge": "string",
  "attestation_encoded_result": "string",
  "os": "string"
}

Response sample (application/json, error response):

{
  "error_code": "invalid_request",
  "message": "Invalid request: property should not be null or undefined"
}

Delete mobile biometrics

Deletes the mobile biometrics authenticator for the currently logged-in user. This API must be called from the backend using the user access token. If successful, the key is deleted for the user that corresponds to the authorization token.

Security: HTTP (UserAccessToken)

Request body (application/json, required):

publicKeyId (string, required)
    ID of the public key.

Responses:

204: Key deleted.
400
404

Endpoint: DELETE /v1/auth/mobile-biometrics/delete

Request sample (application/json):

{
  "publicKeyId": "string"
}

Response sample (application/json, error response):

{
  "error_code": "invalid_request",
  "message": "Invalid request: property should not be null or undefined"
}