# TOTP

Login using time-based one-time passcodes (TOTP), which can be generated by authenticator apps like Google Authenticator. This provides passwordless, two-factor authentication using a single login method.


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant)

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[TOTP](https://developer.transmitsecurity.com/_bundle/openapi/user/backend-totp.openapi.yaml)

## Other

### Authenticate TOTP

 - [POST /v1/auth/totp/authenticate](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/authenticatetotp.md): Authenticates a user using a TOTP code generated by the user's authenticator app. Once the TOTP is validated using the secret created upon registration and the TOTP method configuration, user tokens are returned.

### Start a transaction signing flow with TOTP

 - [POST /v1/auth/totp/transaction/start](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/starttransactionsigningtotp.md): Start a transaction signing flow with TOTP. Receive a challenge to add to the authenticator app.

### Authenticate transaction signing TOTP

 - [POST /v1/auth/totp/transaction/authenticate](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/authenticatetransactionsigningtotp.md): Authenticates a user using a TOTP code generated by the user's authenticator app with the challenge received from the transaction start. Once the TOTP is validated using the secret created upon registration and the TOTP method configuration, user tokens are returned.

### Register TOTP

 - [POST /v1/users/me/totp](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/registertotp.md): Registers a TOTP authenticator for the logged-in user. The response contains the secret and other configuration that will be used to generate TOTP codes for authentication. The app must provide it to the user (such as via QR) so the user can complete the process using their authenticator app. Note: A TOTP authenticator is considered registered even if it wasn't added to an authenticator app. If multiple TOTPs are allowed per user per app (as configured in the authenticator settings), this API registers a new TOTP as long as the user has not reached the limit. Once the limit is reached, Mosaic will always block registration of new TOTPs. If the user is limited to a single TOTP per app, attempting to register another will fail, unless your request enables override or you first revoke the authenticator that's currently registered.
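As an added illustration (not part of this reference and not Transmit Security's code), the following Python shows what happens on both sides of the registration and authentication endpoints above: how an authenticator app derives a code from the registered secret (RFC 4226 HOTP under RFC 6238 time steps), how a verifier checks a submitted code with a small clock-drift window and a constant-time comparison, and the standard `otpauth://` provisioning URI that an app typically encodes into the QR shown to the user. The secret, account name and issuer are constructed values (the secret is the RFC 6238 test key), not values returned by this API, and the parameter defaults (SHA-1, 6 digits, 30-second period) are the common authenticator-app defaults rather than Mosaic's configured settings.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "07081804"


def totp(secret: bytes, timestamp: int, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, timestamp: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Verifier-side check: accept the current step and +/- `window` steps to tolerate clock drift.

    Every candidate is computed and compared with hmac.compare_digest so the comparison
    does not leak which digits matched through timing.
    """
    base_counter = timestamp // period
    for step_offset in range(-window, window + 1):
        candidate = hotp(secret, base_counter + step_offset, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str, period: int = 30,
                     digits: int = 6, algorithm: str = "sha1") -> str:
    """Key URI format understood by common authenticator apps; this is what the QR encodes."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={period}")


# Constructed sample input: the RFC 6238 test key and a constructed account/issuer.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_ACCOUNT = "alice@example.com"
SAMPLE_ISSUER = "ExampleApp"

if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, SAMPLE_ACCOUNT, SAMPLE_ISSUER))
    now = 59  # fixed timestamp from the RFC 6238 test vectors (counter 1)
    code = totp(SAMPLE_SECRET, now)
    print("code at t=59:", code)
    print("accepted:", verify_totp(SAMPLE_SECRET, code, now))
```

The `window` parameter is the verifier's trade-off between tolerating a user's skewed phone clock and widening the set of codes an attacker could guess; one step in each direction is the usual choice. Whatever window a verifier uses, a code that has already been accepted for a given counter should not be accepted again, which is the same reason the API validates codes server-side against the registered secret rather than trusting the client.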

### Revoke my TOTP

 - [POST /v1/users/me/totp/revoke](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/revoketotp.md): Unregisters the TOTP authenticator of the currently logged-in user.

### Revoke TOTP

 - [POST /v1/users/{userId}/totp/revoke](https://developer.transmitsecurity.com/openapi/user/backend-totp.openapi/other/revoketotpmanagement.md): Unregisters a user's TOTP authenticator. Required permissions: apps:delete, [appId]:delete, authenticators:delete.

