# WebAuthn Cross-Device

APIs to manage cross-device flow for WebAuthn registration and authentication.


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated.

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps.

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant).

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[WebAuthn Cross-Device](https://developer.transmitsecurity.com/_bundle/openapi/user/backend-webauthn-cross-device.openapi.yaml)

## Other

### Start registration

 - [POST /v1/auth/webauthn/cross-device/register/start](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-registration-start.md): Starts a WebAuthn registration process on a secondary device, and returns a challenge for the client to sign. If successful, the response will contain a credential_creation_options field that should be passed in the WebAuthn navigator.credentials.create() API call. Note: Some fields (user.id and challenge) in the credential_creation_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

### Init logged-in registration

 - [POST /v1/auth/webauthn/cross-device/register/init](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-registration-init.md): Initializes a flow that will register WebAuthn credentials using a secondary device. Requested by the access device (e.g., desktop) and requires a logged-in user. Returns cross_device_ticket_id, which should be passed to the biometric device to start the device registration, such as by encoding it in a QR code.

### Init logged-out registration

 - [POST /v1/auth/webauthn/cross-device/external/register/init](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-external-registration-init.md): Initializes a flow that will register WebAuthn credentials using a secondary device. Requested by the access device (e.g., desktop) for a user that isn't logged in via Transmit (e.g., after password login via an external identity provider). Returns cross_device_ticket_id, which should be passed to the biometric device to start the device registration, such as by encoding it in a QR code. Required permissions: apps:execute, [appId]:execute, auth:execute.

### Complete registration

 - [POST /v1/auth/webauthn/cross-device/register](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-registration.md): Completes WebAuthn credential registration for the user on a secondary device. For a logged-in registration flow, the user is derived from the access token. For a logged-out registration flow, the user corresponds to the requested external user ID. If no user is found, a new user will be created. Required permissions: apps:execute, [appId]:execute, auth:execute.

### Abort cross-device flow

 - [POST /v1/auth/webauthn/cross-device/abort](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-abort.md): Terminates the cross-device flow from the auth device, and updates the status to aborted. Required permissions: apps:execute, [appId]:execute, auth:execute.

### Get cross-device status

 - [GET /v1/auth/webauthn/cross-device/status](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-status.md): Checks the status of a cross-device flow. This is used by the access device.

### Attach device

 - [POST /v1/auth/webauthn/cross-device/attach-device](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-attach-device.md): Indicates that the auth device has engaged in the flow, such as when the user scans a QR encoding the cross-device ticket ID. This updates the flow status to scanned.

### Init authentication

 - [POST /v1/auth/webauthn/cross-device/authenticate/init](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-authentication-init.md): Initializes a flow that will authenticate WebAuthn credentials using a secondary device. Requested by the access device (e.g., desktop) before delegating authentication to another device. Returns a cross-device ticket ID that should be passed to the biometric device to start the authentication (e.g., by encoding it in a QR code).

### Start authentication

 - [POST /v1/auth/webauthn/cross-device/authenticate/start](https://developer.transmitsecurity.com/openapi/user/backend-webauthn-cross-device.openapi/other/webauthn-cross-device-authenticate-start.md): Starts a WebAuthn authentication process using a secondary device. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note: Some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.
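
The decoding step mentioned in the Start registration and Start authentication notes, written out by hand as an added example (not code from the Transmit documentation or from webauthn-json). It assumes the option objects follow the standard WebAuthn field layout and accepts both base64 and base64url, since the page only says "base64"; the sample values are constructed.

```javascript
// Accepts standard base64 and base64url, with or without padding.
function b64ToBuffer(value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new TypeError("expected a non-empty base64 string");
  }
  const std = value.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (!/^[A-Za-z0-9+\/]*$/.test(std) || std.length % 4 === 1) {
    throw new TypeError("malformed base64 input");
  }
  const bin = atob(std + "=".repeat((4 - (std.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

// Registration: decode challenge and user.id
// (assumed layout: standard PublicKeyCredentialCreationOptions fields).
function decodeCreationOptions(opts) {
  return {
    ...opts,
    challenge: b64ToBuffer(opts.challenge),
    user: { ...opts.user, id: b64ToBuffer(opts.user.id) },
  };
}

// Authentication: decode challenge and each allowCredentials[].id.
function decodeRequestOptions(opts) {
  return {
    ...opts,
    challenge: b64ToBuffer(opts.challenge),
    allowCredentials: (opts.allowCredentials || []).map((c) => ({
      ...c,
      id: b64ToBuffer(c.id),
    })),
  };
}

// Constructed sample values, not real server output.
const sampleCreation = {
  challenge: "AQIDBA", // bytes 01 02 03 04, unpadded
  rp: { name: "Example" },
  user: { id: "dXNlci0x", name: "user@example.com", displayName: "User" },
};
const sampleRequest = {
  challenge: "-_8=", // bytes fb ff, base64url alphabet
  allowCredentials: [{ type: "public-key", id: "Y3JlZA==" }],
};

// In a browser: navigator.credentials.create({ publicKey: decodeCreationOptions(options) })
```

Rejecting malformed input up front keeps a truncated or tampered challenge from being passed silently to the authenticator.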

