# Delegated Access

Manage delegated access, which allows a user to perform actions on behalf of another user. These APIs allow logged-in users to request consent from other app users, grant consent requests, view all consents related to their account, and revoke any granted permissions.<br><br>To request delegated access, see [OAuth2.0 Token](/openapi/user/oidc.openapi/other/oidctoken).<br>To create a dependent user with delegated access, see [Create users](/openapi/user/user.openapi/other/createuser#other/createuser/t=request&path=delegated_access)


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant)

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[Delegated Access](https://developer.transmitsecurity.com/_bundle/openapi/user/delegated-access.openapi.yaml)

## Other

### Grant consent

 - [POST /v1/delegated-access/consents/me/grant](https://developer.transmitsecurity.com/openapi/user/delegated-access.openapi/other/grantconsent.md): Grant the requested consent once it's approved by the user. This will provide the requesting user (the actor) permissions to act on behalf of the user that approved the consent (the subject). Since the approving user must be logged-in, this is authorized using a user access token of the subject.

### Request consent

 - [POST /v1/delegated-access/consents/me/request](https://developer.transmitsecurity.com/openapi/user/delegated-access.openapi/other/requestconsent.md): Send a consent request to give the requesting user (the actor) permissions to act on behalf of another user (the subject) when needed. An email will be sent to the subject with a link to your consent page. The consent URI will include a query param named consent_id used to grant the consent, permissions array, and the subject's user ID as subject_id. Since this call must be initiated by a logged-in user, it's authorized using a user access token of the actor.

### Get consents

 - [GET /v1/delegated-access/consents/me](https://developer.transmitsecurity.com/openapi/user/delegated-access.openapi/other/getuserconsents.md): Get all the consents that were granted or requested by the specified user. This call is authorized by a user access token of this user.

### Revoke permissions as actor

 - [DELETE /v1/delegated-access/consents/me/permissions/actor](https://developer.transmitsecurity.com/openapi/user/delegated-access.openapi/other/removesubjectpermissionsofloggedinactor.md): Revokes my permissions (the actor) to act on behalf of another user (the subject). This call is initiated by the actor who is logged-in, so it's authorized using a user access token.

### Revoke permissions as subject

 - [DELETE /v1/delegated-access/consents/me/permissions/subject](https://developer.transmitsecurity.com/openapi/user/delegated-access.openapi/other/removeactorpermissionsofloggedinsubject.md): Revokes permissions of another user (the actor) to act on my behalf (the subject). This call is initiated by the subject who is logged-in, so it's authorized using a user access token.