# WebAuthn

Log users in with WebAuthn biometrics integrated into your native login experience. Although WebAuthn authentication and registration are initiated in the frontend, the flows are completed using a backend-to-backend integration. The client-side integration can also be implemented using the Transmit Platform SDK.


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant)

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[WebAuthn](https://developer.transmitsecurity.com/_bundle/openapi/user/backend-webauthn.openapi.yaml)

## Other

### Start authentication

 - [POST /v1/auth/webauthn/authenticate/start](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/authenticationstart.md): Start a new WebAuthn authentication. If successful, the response will contain a credential_request_options field that should be passed to the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an ArrayBuffer; it is recommended to use the webauthn-json library, which handles this.

### Authenticate WebAuthn

 - [POST /v1/auth/webauthn/authenticate](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/authenticatewebauthncredential.md): Authenticate a user using their WebAuthn credentials. Retrieves tokens based on the encoded result of the WebAuthn authentication.

### Init hosted registration

 - [POST /v1/auth/webauthn/external/register/hosted/hint](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/hosted-webauthn-registration-hint.md): Initializes a hosted WebAuthn registration flow for a logged-out user (see Quickstart). This API is used to securely set the WebAuthn username in the backend, and returns a registration token used to start the registration flow. Relevant only for hosted login scenarios.

### Start registration

 - [POST /v1/auth/webauthn/register/start](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/webauthn-registration-start.md): Starts a registration of WebAuthn credentials for a specified user, returning a challenge to be signed by the client. If successful, the response will contain a credential_creation_options field that should be passed to the WebAuthn navigator.credentials.create() API call. Note that some fields (user.id and challenge) in the credential_creation_options object are base64 encoded and must first be decoded and converted to an ArrayBuffer. It is recommended to use the webauthn-json library, which handles this.

### Register for logged-in user

 - [POST /v1/auth/webauthn/register](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/webauthn-registration.md): Complete WebAuthn credential registration for a user that is currently logged in using a different Transmit authentication method. This API must be called from the backend using the user access token returned upon successful authentication. If successful, the credential will be registered for the user that corresponds to the authorization token.

### Register for logged-out user

 - [POST /v1/auth/webauthn/external/register](https://developer.transmitsecurity.com/openapi/user/backend-webauthn.openapi/other/webauthn-registration-external.md): Complete WebAuthn credential registration for a new user (in Transmit) or a user that isn't currently logged in via Transmit. This API must be called from the backend using a client access token. If successful, the credentials will be registered for the user corresponding to the external user ID in the request. If no user is found, a new user will be created.

