# Mobile Biometrics

Log in users with native mobile biometrics. This process relies on the device's ability to leverage built-in biometric sensors. To support mobile biometrics in the app, first implement the SDK call that creates an authenticator (cryptographic key-pair) on the end-user device and then register this authenticator with Transmit. The private key remains securely stored on the device and protected by biometrics, while the public key is registered with Transmit for a given user. To authenticate, the device uses mobile biometrics to access the private key and to sign a challenge that gets verified by Transmit.

Note: registration and authentication are two-step procedures that start by calling the client-side SDK provided by Transmit, and complete using these APIs.
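
The flow described above (register a public key, issue a challenge, sign it on the device, verify it on the server), modelled locally as an added example; it is not code from Transmit's SDK or API. The P-256 curve, the `keyId` lookup, single-use challenges and every function name are assumptions made for illustration.

```javascript
// Added illustration, not Transmit's SDK or API. All names are hypothetical.
const crypto = require('node:crypto');

// Device side: the private key stays inside this closure. On a real device it
// sits in hardware-backed storage and is unlocked by a biometric prompt.
function createAuthenticator() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }); // curve is an assumption
  return {
    keyId: crypto.randomUUID(),
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) =>
      crypto.sign('sha256', Buffer.from(challenge), privateKey).toString('base64'),
  };
}

// Server side: holds public keys and outstanding challenges only.
class Verifier {
  constructor() { this.keys = new Map(); this.pending = new Set(); }
  register(userId, keyId, publicKeyPem) { this.keys.set(keyId, { userId, publicKeyPem }); }
  remove(keyId) { this.keys.delete(keyId); }
  start() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  // Returns the user associated with the key, or null on any failure.
  authenticate(keyId, challenge, signature) {
    if (!this.pending.delete(challenge)) return null; // unknown or already used
    const entry = this.keys.get(keyId);
    if (!entry) return null;                           // never registered, or deleted
    const ok = crypto.verify('sha256', Buffer.from(challenge),
      entry.publicKeyPem, Buffer.from(signature, 'base64'));
    return ok ? entry.userId : null;
  }
}

function demo() {
  const device = createAuthenticator(), other = createAuthenticator();
  const server = new Verifier();
  server.register('user-1', device.keyId, device.publicKeyPem);
  const c1 = server.start(), sig = device.sign(c1);
  const first = server.authenticate(device.keyId, c1, sig);
  const replay = server.authenticate(device.keyId, c1, sig);
  const c2 = server.start();
  const wrongKey = server.authenticate(device.keyId, c2, other.sign(c2));
  server.remove(device.keyId);
  const c3 = server.start();
  const afterDelete = server.authenticate(device.keyId, c3, device.sign(c3));
  return { first, replay, wrongKey, afterDelete };
}
```

`demo()` returns the outcome of a valid login, a replayed response, a signature from an unregistered key, and a login attempt after the authenticator is deleted.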


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated.

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps.

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant).

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[Mobile Biometrics](https://developer.transmitsecurity.com/_bundle/openapi/user/backend-mobile-biometrics.openapi.yaml)

## Other

### Create mobile biometrics challenge

 - [POST /v1/auth/mobile-biometrics/start](https://developer.transmitsecurity.com/openapi/user/backend-mobile-biometrics.openapi/other/nativemobilebiometricsbackendinitialize.md): Creates a challenge for the user to sign for the mobile biometrics flow.

### Authenticate with mobile biometrics

 - [POST /v1/auth/mobile-biometrics/authenticate](https://developer.transmitsecurity.com/openapi/user/backend-mobile-biometrics.openapi/other/authenticatenativemobilebiometrics.md): Completes authentication in Transmit. Before calling this API, invoke the client-side SDK provided by Transmit to sign a challenge using the private key stored by the device, which only occurs after the user verifies themselves with biometrics. Returns an access token for the user associated with the key.

### Register mobile biometrics

 - [POST /v1/auth/mobile-biometrics/register](https://developer.transmitsecurity.com/openapi/user/backend-mobile-biometrics.openapi/other/mobile-biometrics-registration.md): Completes mobile biometrics registration in Transmit. Before calling this API, create an authenticator (cryptographic key-pair) on the end-user's device by invoking the client-side SDK provided by Transmit. This API must be called from the backend using the user access token returned upon successful authentication. If successful, the mobile biometrics authenticator will be registered for the user that corresponds to the authorization token.

### Delete mobile biometrics

 - [DELETE /v1/auth/mobile-biometrics/delete](https://developer.transmitsecurity.com/openapi/user/backend-mobile-biometrics.openapi/other/mobile-biometrics-deletion.md): Deletes the mobile biometrics authenticator for a user that is currently logged in. This API must be called from the backend using the user access token. If successful, the key will be deleted for the user that corresponds to the authorization token.

