# Authenticate WebAuthn

Authenticate a user using their WebAuthn credentials. Retrieves tokens based on the encoded result of the WebAuthn authentication.

Endpoint: POST /v1/auth/webauthn/authenticate
Security: ClientAccessToken

## Request fields (application/json):

  - `resource` (string)
    Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as a resource for the application.

  - `claims` (object)
    Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).
    Example: {"id_token":{"roles":null}}

  - `org_id` (string)
    Organization ID, used for member login in B2B scenarios.

  - `client_attributes` (object)
    Client attributes

  - `client_attributes.user_agent` (string)

  - `client_attributes.ip_address` (string)

  - `device_id` (string)
    Identifier of the device from which the authentication request originates

  - `session_id` (string)
    Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

  - `webauthn_encoded_result` (string, required)
    WebAuthn assertion data (base64 encoded)

## Response 200 fields (application/json):

  - `access_token` (string, required)
    User access token for accessing endpoints on behalf of the authenticated user.

  - `id_token` (string)
    ID token that identifies the user.

  - `refresh_token` (string)
    Refresh token used to refresh an expired access token.

  - `token_type` (string, required)
    Bearer.

  - `expires_in` (number, required)
    Expiration time of the access token in seconds.

  - `session_id` (string, required)
    ID of the session in which the authentication occurs.

## Response 400 fields (application/json):

  - `error_code` (string)
    Enum: "user_not_found", "client_not_exist", "auth_webauthn_invalid_encoded_result", "auth_locked"

  - `message` (string)

## Response 500 fields (application/json):

  - `error_code` (string)
    Enum: "auth_webauthn_invalid_encoded_result"

  - `message` (string)
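
## Example: backend call and response handling

The following is an added example, not code from the original reference or from the vendor. It builds the request from the fields above and classifies the documented responses. The `BASE_URL` placeholder, the function names, the outcome labels (`ok`, `locked`, `denied`, `error`) and the use of an `Authorization: Bearer` header for the client access token are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page gives no API host
PATH = "/v1/auth/webauthn/authenticate"
REQUIRED_200 = ("access_token", "token_type", "expires_in", "session_id")
ERRORS_400 = {"user_not_found", "client_not_exist",
              "auth_webauthn_invalid_encoded_result", "auth_locked"}


def build_request(client_access_token, webauthn_encoded_result, *,
                  peer_ip=None, user_agent=None, session_id=None):
    """Build (without sending) the POST; optional fields are omitted when unset."""
    if not webauthn_encoded_result:
        raise ValueError("webauthn_encoded_result is required")
    body = {"webauthn_encoded_result": webauthn_encoded_result}
    # Fill ip_address from the connection your server saw, not a browser-sent value.
    attrs = {k: v for k, v in (("ip_address", peer_ip), ("user_agent", user_agent)) if v}
    if attrs:
        body["client_attributes"] = attrs
    if session_id:
        body["session_id"] = session_id  # attach to an existing session (e.g. MFA)
    return urllib.request.Request(
        BASE_URL + PATH, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 # Assumption: ClientAccessToken is presented as a bearer token.
                 "Authorization": "Bearer " + client_access_token})


def interpret_response(status, raw_body):
    """Return ("ok", tokens) or ("locked" | "denied" | "error", error_code)."""
    try:
        data = json.loads(raw_body)
    except ValueError:
        return ("error", None)
    if not isinstance(data, dict):
        return ("error", None)
    if status == 200:  # accept only a body carrying every required field
        missing = [f for f in REQUIRED_200 if f not in data]
        if missing or str(data["token_type"]).lower() != "bearer":
            return ("error", None)
        return ("ok", data)
    code = data.get("error_code")
    if status == 400 and code in ERRORS_400:
        if code == "auth_locked":
            return ("locked", code)
        if code != "client_not_exist":  # client_not_exist is a configuration fault
            return ("denied", code)
    return ("error", code)
```

Showing the end user one generic failure message for every `denied` outcome, while logging the specific `error_code` server-side, keeps `user_not_found` from revealing which accounts exist.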


