Skip to content

Social Login

Login users using social login providers like Google Sign-In. This implements a backend-to-backend integration for authentication. Irrespective of the social login provider, the flow includes three steps: initiating a login, submitting the received code to Mosaic, and finally completing authentication with Mosaic.

Download OpenAPI description
backend-social-login.openapi.json
backend-social-login.openapi.yaml
Languages
Servers
Sandbox environment
https://api.sbx.transmitsecurity.io/cis/
Production environment (US)
https://api.transmitsecurity.io/cis/
Production environment (EU)
https://api.eu.transmitsecurity.io/cis/
Production environment (CA)
https://api.ca.transmitsecurity.io/cis/
Production environment (AU)
https://api.au.transmitsecurity.io/cis/

Start login with Google

Request

Starts the Google login flow. This call returns an authorization URL to redirect the user to.

Security
ClientAccessToken
Bodyapplication/jsonrequired
redirect_uristringrequired

The URI the identity provider will redirect the user to after authentication. Must match one of the pre-configured redirect URIs in the application's social login settings. This URI will receive the authorization code that can be exchanged for user information.

Example: "https://www.example.com/login"
statestring

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/google/start \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_uri": "https://www.example.com/login",
    "state": "string"
  }'

Responses

Backend auth initialized successfully.

Bodyapplication/json
authorization_urlstringrequired

The social provider's authorization URL that the client should redirect the user to in order to authenticate with this social provider.

Example: "https://www.provider.com/auth"
Response
application/json
{
  "authorization_url": "https://www.provider.com/auth"
}

Complete login with Google

Request

Completes the Google social login flow and authenticates the user in Mosaic.

Security
ClientAccessToken
Bodyapplication/jsonrequired
resourcestring

Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.

claimsobject

Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference.

Example: {"id_token":{"roles":null}}
org_idstring

Organization ID, used for member login in B2B scenarios

client_attributesobject

Client attributes

session_idstring

Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

transaction_idstringrequired

The transaction identifier that was previously returned by the verification endpoint. This ID is required to associate this authentication request with the verified token information stored during the verification step.

user_idstringrequired

An identifier of the user for whom the token is being requested

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/google/authenticate \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "string",
    "claims": {
      "id_token": {
        "roles": null
      }
    },
    "org_id": "string",
    "client_attributes": {
      "user_agent": "string",
      "ip_address": "string"
    },
    "session_id": "string",
    "transaction_id": "string",
    "user_id": "string"
  }'

Responses

Returns user tokens

Bodyapplication/json
access_tokenstringrequired

User access token for accessing endpoints on behalf of the authenticated user.

id_tokenstring

ID token that identifies the user.

refresh_tokenstring

Refresh token used to refresh an expired access token.

token_typestringrequired

Bearer.

expires_innumberrequired

Expiration time of the access token in seconds.

Default 3600
session_idstringrequired

ID of the session in which the authentication occurs.

Response
application/json
{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "token_type": "string",
  "expires_in": 3600,
  "session_id": "string"
}

Start login with Facebook

Request

Starts the Facebook login flow. This call returns an authorization URL to redirect the user to.

Security
ClientAccessToken
Bodyapplication/jsonrequired
redirect_uristringrequired

The URI the identity provider will redirect the user to after authentication. Must match one of the pre-configured redirect URIs in the application's social login settings. This URI will receive the authorization code that can be exchanged for user information.

Example: "https://www.example.com/login"
statestring

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/facebook/start \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_uri": "https://www.example.com/login",
    "state": "string"
  }'

Responses

Backend auth initialized successfully.

Bodyapplication/json
authorization_urlstringrequired

The social provider's authorization URL that the client should redirect the user to in order to authenticate with this social provider.

Example: "https://www.provider.com/auth"
Response
application/json
{
  "authorization_url": "https://www.provider.com/auth"
}

Complete login with Facebook

Request

Completes the Facebook social login flow and authenticates the user in Mosaic.

Security
ClientAccessToken
Bodyapplication/jsonrequired
resourcestring

Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.

claimsobject

Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference.

Example: {"id_token":{"roles":null}}
org_idstring

Organization ID, used for member login in B2B scenarios

client_attributesobject

Client attributes

session_idstring

Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

transaction_idstringrequired

The transaction identifier that was previously returned by the verification endpoint. This ID is required to associate this authentication request with the verified token information stored during the verification step.

user_idstringrequired

An identifier of the user for whom the token is being requested

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/facebook/authenticate \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "string",
    "claims": {
      "id_token": {
        "roles": null
      }
    },
    "org_id": "string",
    "client_attributes": {
      "user_agent": "string",
      "ip_address": "string"
    },
    "session_id": "string",
    "transaction_id": "string",
    "user_id": "string"
  }'

Responses

Returns user tokens

Bodyapplication/json
access_tokenstringrequired

User access token for accessing endpoints on behalf of the authenticated user.

id_tokenstring

ID token that identifies the user.

refresh_tokenstring

Refresh token used to refresh an expired access token.

token_typestringrequired

Bearer.

expires_innumberrequired

Expiration time of the access token in seconds.

Default 3600
session_idstringrequired

ID of the session in which the authentication occurs.

Response
application/json
{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "token_type": "string",
  "expires_in": 3600,
  "session_id": "string"
}

Start login with Apple

Request

Starts the Apple login flow. This call returns an authorization URL to redirect the user to.

Security
ClientAccessToken
Bodyapplication/jsonrequired
redirect_uristringrequired

The URI the identity provider will redirect the user to after authentication. Must match one of the pre-configured redirect URIs in the application's social login settings. This URI will receive the authorization code that can be exchanged for user information.

Example: "https://www.example.com/login"
statestring

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/apple/start \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_uri": "https://www.example.com/login",
    "state": "string"
  }'

Responses

Backend auth initialized successfully.

Bodyapplication/json
authorization_urlstringrequired

The social provider's authorization URL that the client should redirect the user to in order to authenticate with this social provider.

Example: "https://www.provider.com/auth"
Response
application/json
{
  "authorization_url": "https://www.provider.com/auth"
}

Complete login with Apple

Request

Completes the Apple social login flow and authenticates the user in Mosaic.

Security
ClientAccessToken
Bodyapplication/jsonrequired
resourcestring

Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.

claimsobject

Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference.

Example: {"id_token":{"roles":null}}
org_idstring

Organization ID, used for member login in B2B scenarios

client_attributesobject

Client attributes

session_idstring

Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

transaction_idstringrequired

The transaction identifier that was previously returned by the verification endpoint. This ID is required to associate this authentication request with the verified token information stored during the verification step.

user_idstringrequired

An identifier of the user for whom the token is being requested

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/apple/authenticate \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "string",
    "claims": {
      "id_token": {
        "roles": null
      }
    },
    "org_id": "string",
    "client_attributes": {
      "user_agent": "string",
      "ip_address": "string"
    },
    "session_id": "string",
    "transaction_id": "string",
    "user_id": "string"
  }'

Responses

Returns user tokens

Bodyapplication/json
access_tokenstringrequired

User access token for accessing endpoints on behalf of the authenticated user.

id_tokenstring

ID token that identifies the user.

refresh_tokenstring

Refresh token used to refresh an expired access token.

token_typestringrequired

Bearer.

expires_innumberrequired

Expiration time of the access token in seconds.

Default 3600
session_idstringrequired

ID of the session in which the authentication occurs.

Response
application/json
{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "token_type": "string",
  "expires_in": 3600,
  "session_id": "string"
}

Start login with Tiktok

Request

Starts the Tiktok login flow. This call returns an authorization URL to redirect the user to.

Security
ClientAccessToken
Bodyapplication/jsonrequired
redirect_uristringrequired

The URI the identity provider will redirect the user to after authentication. Must match one of the pre-configured redirect URIs in the application's social login settings. This URI will receive the authorization code that can be exchanged for user information.

Example: "https://www.example.com/login"
statestring

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/tiktok/start \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_uri": "https://www.example.com/login",
    "state": "string"
  }'

Responses

Backend auth initialized successfully.

Bodyapplication/json
authorization_urlstringrequired

The social provider's authorization URL that the client should redirect the user to in order to authenticate with this social provider.

Example: "https://www.provider.com/auth"
Response
application/json
{
  "authorization_url": "https://www.provider.com/auth"
}

Complete login with Tiktok

Request

Completes the Tiktok social login flow and authenticates the user in Mosaic.

Security
ClientAccessToken
Bodyapplication/jsonrequired
resourcestring

Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.

claimsobject

Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference.

Example: {"id_token":{"roles":null}}
org_idstring

Organization ID, used for member login in B2B scenarios

client_attributesobject

Client attributes

session_idstring

Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

transaction_idstringrequired

The transaction identifier that was previously returned by the verification endpoint. This ID is required to associate this authentication request with the verified token information stored during the verification step.

user_idstringrequired

An identifier of the user for whom the token is being requested

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/tiktok/authenticate \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "resource": "string",
    "claims": {
      "id_token": {
        "roles": null
      }
    },
    "org_id": "string",
    "client_attributes": {
      "user_agent": "string",
      "ip_address": "string"
    },
    "session_id": "string",
    "transaction_id": "string",
    "user_id": "string"
  }'

Responses

Returns user tokens

Bodyapplication/json
access_tokenstringrequired

User access token for accessing endpoints on behalf of the authenticated user.

id_tokenstring

ID token that identifies the user.

refresh_tokenstring

Refresh token used to refresh an expired access token.

token_typestringrequired

Bearer.

expires_innumberrequired

Expiration time of the access token in seconds.

Default 3600
session_idstringrequired

ID of the session in which the authentication occurs.

Response
application/json
{
  "access_token": "string",
  "id_token": "string",
  "refresh_token": "string",
  "token_type": "string",
  "expires_in": 3600,
  "session_id": "string"
}

Submit code from Google

Request

Submits the authorization code returned by Google to exchange for user identity information

Security
ClientAccessToken
Bodyapplication/jsonrequired
codestringrequired

The code received from the social login provider

statestringrequired

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/google/verify \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "code": "string",
    "state": "string"
  }'

Responses

Returns user claims and transaction ID

Bodyapplication/json
transaction_idstringrequired

A unique identifier generated during token verification that links this verification process to subsequent authentication requests. This transaction_id must be included in the authentication request to complete the social login flow.

claimsobjectrequired

An object containing user identity information extracted from the verified social provider token. This includes standard profile details such as name, email, and unique identifiers from the social provider.

Response
application/json
{
  "transaction_id": "string",
  "claims": {}
}

Submit code from Facebook

Request

Submits the authorization code returned by Facebook to exchange for user identity information

Security
ClientAccessToken
Bodyapplication/jsonrequired
codestringrequired

The code received from the social login provider

statestringrequired

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/facebook/verify \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "code": "string",
    "state": "string"
  }'

Responses

Returns user claims and transaction ID

Bodyapplication/json
transaction_idstringrequired

A unique identifier generated during token verification that links this verification process to subsequent authentication requests. This transaction_id must be included in the authentication request to complete the social login flow.

claimsobjectrequired

An object containing user identity information extracted from the verified social provider token. This includes standard profile details such as name, email, and unique identifiers from the social provider.

Response
application/json
{
  "transaction_id": "string",
  "claims": {}
}

Submit code from Apple

Request

Submits the authorization code returned by Apple to exchange for user identity information

Security
ClientAccessToken
Bodyapplication/jsonrequired
codestringrequired

The code received from the social login provider

statestringrequired

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/apple/verify \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "code": "string",
    "state": "string"
  }'

Responses

Returns user claims and transaction ID

Bodyapplication/json
transaction_idstringrequired

A unique identifier generated during token verification that links this verification process to subsequent authentication requests. This transaction_id must be included in the authentication request to complete the social login flow.

claimsobjectrequired

An object containing user identity information extracted from the verified social provider token. This includes standard profile details such as name, email, and unique identifiers from the social provider.

Response
application/json
{
  "transaction_id": "string",
  "claims": {}
}

Submit code from TikTok

Request

Submits the authorization code returned by TikTok to exchange for user identity information

Security
ClientAccessToken
Bodyapplication/jsonrequired
codestringrequired

The code received from the social login provider

statestringrequired

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/social/tiktok/verify \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "code": "string",
    "state": "string"
  }'

Responses

Returns user claims and transaction ID

Bodyapplication/json
transaction_idstringrequired

A unique identifier generated during token verification that links this verification process to subsequent authentication requests. This transaction_id must be included in the authentication request to complete the social login flow.

claimsobjectrequired

An object containing user identity information extracted from the verified social provider token. This includes standard profile details such as name, email, and unique identifiers from the social provider.

Response
application/json
{
  "transaction_id": "string",
  "claims": {}
}