Download OpenAPI specification:Download
Login users using WebAuthn biometrics integrated into your native login experience. Although WebAuthn authentication and registration is initiated in the frontend, the flows are completed using a backend-to-backend integration. The client-side integration can also be implemented using the Transmit Platform SDK.
Start a new webauthn authentication. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to array buffer, it is recommended to use the webauthn-json library that handles this.
Authentication options
{- "client_id": "string",
- "timeout": 0,
- "username": "string",
- "approval_data": {
- "transaction_id": "eFII2y40uB9hQ98nXt3tc1IHkRt8GrRZiqZuRn_59wT",
- "sum": "200"
}
}{- "webauthn_session_id": "string",
- "credential_request_options": {
- "allowCredentials": [
- {
- "type": "public-key",
- "id": "string",
- "transports": [
- "internal"
]
}
], - "rawChallenge": "string",
- "challenge": "string",
- "timeout": 0,
- "rpId": "string",
- "attestation": "none",
- "userVerification": "preferred",
- "extensions": { }
}
}Authenticate a user using their WebAuthn credentials. Retrieves tokens based on a the encoded result of the webauthn authentication.
| resource | string Resource URI the authentication request is attempting to access, which is reflected in the audience ( |
| claims | object Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference. |
| org_id | string Organization ID, used for member login in B2B scenarios |
| session_id | string Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned. |
| webauthn_encoded_result required | string WebAuthn assertion data (base64 encoded) |
Returns user tokens
{- "resource": "string",
- "claims": {
- "id_token": {
- "roles": null
}
}, - "org_id": "string",
- "session_id": "string",
- "webauthn_encoded_result": "string"
}{- "access_token": "string",
- "id_token": "string",
- "refresh_token": "string",
- "token_type": "string",
- "expires_in": 3600,
- "session_id": "string"
}Initializes a hosted WebAuthn registration flow for a logged-out user (see Quickstart). This API is used to securely set the WebAuthn username in the backend, and returns a registration token used to start the registration flow. Relevant only for hosted login scenarios
Registered credential details
{- "webauthn_identifier": "string",
- "webauthn_display_name": "string",
- "external_user_id": "string",
- "redirect_uri": "string"
}{- "register_webauthn_cred_token": "string"
}Starts a registration of WebAuthn credentials for a specified user, returning a challenge to be signed by the client. If successful, the response will contain a credential_creation_options field that should be passed in the WebAuthn navigator.credentials.create() API call. Note that some fields (user.id and challenge) in the credential_creation_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.
Active WebAuthn session info
{- "client_id": "string",
- "username": "string",
- "display_name": "string",
- "timeout": 0,
- "limit_single_credential_to_device": false
}{- "webauthn_session_id": "string",
- "credential_creation_options": {
- "attestation": "none",
- "authenticatorSelection": {
- "authenticatorAttachment": "platform",
- "requireResidentKey": true,
- "residentKey": { },
- "userVerification": "preferred"
}, - "extensions": {
- "appid": "string",
- "credProps": true,
- "hmacCreateSecret": true
}, - "excludeCredentials": [
- "string"
], - "pubKeyCredParams": [
- {
- "alg": 0,
- "type": "public-key"
}
], - "timeout": 0,
- "challenge": "string",
- "user": {
- "id": "string",
- "name": "string",
- "displayName": "string"
}, - "rp": {
- "id": "string",
- "name": "string",
- "icon": "string"
}
}
}Complete WebAuthn credential registration for a user that is currently logged in using a different Transmit authentication method. This API must be called from the backend using the user access token returned upon successful authentication. If successful, the credential will be registered for the user that corresponds to the authorization token.
| webauthn_encoded_result required | string WebAuthn attestation data returned by the browser upon credential creation, which must be converted from array buffer to a base64 string. If webauthn-json |
Registered credential details
{- "webauthn_encoded_result": "string"
}{- "webauthn_session_id": "string",
- "user_id": "string",
- "webauthn_username": "string",
- "credential_id": "string",
- "authenticator_attachment": "platform"
}Complete WebAuthn credential registration for a new user (in Transmit) or a user that isn't currently logged in via Transmit. This API must be called from the backend using a client access token. If successful, the credentials will be registered for the user corresponding to the external user ID in the request. If no user is found, a new user will be created.
| webauthn_encoded_result required | string WebAuthn attestation data returned by the browser upon credential creation, which must be converted from array buffer to a base64 string. If webauthn-json |
| external_user_id required | string A unique identifier in the tenant, which corresponds to an identifier of the user in your system. |
| user_email | string The user's primary email address |
Registered credential details
{- "webauthn_encoded_result": "string",
- "external_user_id": "string",
- "user_email": "string"
}{- "webauthn_session_id": "string",
- "user_id": "string",
- "webauthn_username": "string",
- "credential_id": "string",
- "authenticator_attachment": "platform",
- "external_user_id": "string",
- "is_user_created": true
}