Management Apps

View, create, and update your management applications. These are typically backend services accessing our platform to perform administrative actions. They can be used to generate client credentials that have tenant-level access to users, roles, apps, settings, and more.

Servers
Sandbox environment
https://api.sbx.transmitsecurity.io/cis/
Production environment (US)
https://api.transmitsecurity.io/cis/
Production environment (EU)
https://api.eu.transmitsecurity.io/cis/
Production environment (CA)
https://api.ca.transmitsecurity.io/cis/
Production environment (AU)
https://api.au.transmitsecurity.io/cis/

Create management app

Request

Create a management application

Security
ClientAccessToken or AdminAccessToken
Body (application/json, required)
app_name (string, required)

Name of the application

Example: "My App"
app_description (string)

Short description of the application

login_uri (string)

URI used to redirect the user to the login page of the application (when needed)

Example: "https://www.example.com/login"
invite_member_uri (string)

URI used to redirect the member to the login page of the application (when needed)

Example: "https://www.example.com/login"
invite_member_email_expiration_minutes (number)

Member invite email link expiration in minutes

Default: 2880
refresh_token_invalidation_trigger_configuration (object)
first_client_authentication_protocol (string)

Defines the first client authentication protocol.

Enum: "oidc", "saml"
first_client (object)

Creates the first client for the application. The client can be OIDC or SAML, depending on what is set in first_client_authentication_protocol.

subdomain (string)

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

Example: "myapp"
custom_domain (string)

Domain of the application that can be offered for the application to be accessed from

Example: "myapp.com"
pkce (string)

PKCE configuration for client

Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"
should_delete_signing_key (boolean)

Determines whether the application-specific signing key should be deleted when disabled. If deleted, any tokens previously issued with this key will no longer be valid.

Default: false
signing_key_enabled (boolean)

Determines if the application-specific signing key is enabled

Default: false
invite_client_id (string)

Client used for the email magic link invitation flow

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/management/applications \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "app_name": "My App",
    "app_description": "string",
    "login_uri": "https://www.example.com/login",
    "invite_member_uri": "https://www.example.com/login",
    "invite_member_email_expiration_minutes": 2880,
    "refresh_token_invalidation_trigger_configuration": {
      "invalidateOnMemberSuspension": true,
      "invalidateOnMemberPasswordReset": true,
      "invalidateOnMemberRoleUpdate": true
    },
    "first_client_authentication_protocol": "oidc",
    "first_client": {
      "name": "My Client",
      "description": "string",
      "resources": [
        "string"
      ],
      "authentication_protocol": "oidc",
      "client_group_id": "string",
      "default_custom_claims": [
        "tid"
      ],
      "short_cookies_samesite_type": "lax",
      "redirect_uris": [
        "https://www.example.com/login"
      ],
      "client_type": "web",
      "device_authorization": {
        "enabled": false,
        "approval_uri": "https://www.example.com/device/approval",
        "success_uri": "https://www.example.com/device/complete",
        "input_uri": "https://www.example.com/device/start"
      },
      "ciba_authorization": {
        "enabled": false,
        "login_uri": "https://www.example.com/ciba/login"
      },
      "is_third_party": true,
      "allowed_scopes": [
        "string"
      ],
      "consent_uri": "string",
      "consent_validity_period": 0,
      "pkce": "enforcePkceInsteadOfClientCredentials",
      "supported_prompts": [
        "login",
        "consent",
        "none"
      ],
      "token_expiration": {
        "access_token_ttl": 0,
        "refresh_token_ttl": 0,
        "max_refresh_rotate": 0
      },
      "session_expiration": 0,
      "enforce_par": true,
      "role_ids": [
        "string"
      ],
      "fapi_version_compliancy": true,
      "token_endpoint_auth_method": "client_secret_basic",
      "response_types": [
        "code"
      ],
      "authentication_configuration": {
        "method": "client_secret_basic",
        "tls_client_auth": {
          "certificate_chain": "string",
          "distinguished_name": 6,
          "ocsp_on": true,
          "ocsp_responder_uri": "string",
          "ocsp_responder_certificate": "string",
          "ocsp_fail_open": true
        },
        "isMtlsCertTokenBound": true,
        "jwks": {}
      }
    },
    "subdomain": "myapp",
    "custom_domain": "myapp.com",
    "pkce": "enforcePkceInsteadOfClientCredentials",
    "should_delete_signing_key": false,
    "signing_key_enabled": false,
    "invite_client_id": "string"
  }'

Responses

Body (application/json)
result (object, required)
result.app_id (string, required)

Application ID

result.tenant_id (string, required)

Tenant ID

result.app_name (string, required)

Application name displayed in the Admin Portal

result.app_description (string, required)

Short description of your application, displayed in the Admin Portal

result.logo (string, required)

URI of your application's logo, such as for email templates

result.login_preferences (object, required)
result.login_preferences.auth_methods (object, required)
result.login_preferences.auth_methods.google (object)
result.login_preferences.auth_methods.facebook (object)
result.login_preferences.auth_methods.email (object)
result.login_preferences.auth_methods.email_otp (object)
result.login_preferences.auth_methods.apple (object)
result.login_preferences.auth_methods.sms (object)
result.login_preferences.auth_methods.webauthn_api (object)
result.login_preferences.auth_methods.line (object)
result.login_preferences.auth_methods.password (object)
result.login_preferences.auth_methods.totp (object)
result.login_preferences.auth_methods.push (object)
result.login_preferences.auth_methods.tiktok (object)
result.login_preferences.auth_methods.pin_authenticator (object)
result.login_preferences.auth_methods.face (object)
result.created_at (string, date-time, required)

Date the application was created

result.created_by (string, required)

The user that created the application

result.updated_at (string, date-time, required)

Date the application was last updated

result.service_providers (array of strings, required)

List of service providers this application is allowed to explicitly redirect to

result.authenticator_preferences (object, required)
result.authenticator_preferences.is_centralized (boolean, required)

Indicates whether to set the application as the Authentication Hub for this tenant

Default: false
result.authenticator_preferences.login_uri (string, required)

URI of the application that will initiate an authentication flow when centralized login is requested

Example: "https://www.example.com/login"
result.allow_public_signup (boolean, required)

Determines if the application is allowed to request to create new users via login flows

result.pkce (string)

PKCE configuration

Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"
result.password_sharing_group_id (string)

If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with.

result.login_uri (string)

URI used to redirect the user to the login page of the application (when needed)

Example: "https://www.example.com/login"
result.invite_member_uri (string)

URI used to redirect the member to the login page of the application (when needed)

Example: "https://www.example.com/login"
result.invite_client_id (string)

Client used for the email magic link invitation flow

result.subdomain (string)

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

Example: "myapp"
result.invite_member_email_expiration_minutes (number)

Member invite email link expiration in minutes

Default: 2880
result.custom_domain (object)
result.external_communication (object)
result.signing_key_enabled (boolean)

Determines if the application-specific signing key is enabled

result.refresh_token_invalidation_trigger_configuration (object)
result.client_type (string, deprecated)

Type of the default client

Default: "web"
Enum: "web", "native"
result.client_id (string, deprecated)

Client ID of the default client used for API requests

result.client_display_name (string, deprecated)

Client name of the default client to display when needed

result.client_description (string, deprecated)

Short description of the default client

result.client_secret (string, deprecated)

Client secret of the default client used to obtain tokens for API authorization

result.redirect_uris (array of strings, deprecated)

List of URIs approved for redirects for your default client

result.resources (array of strings, deprecated)

List of resources the default client is allowed to explicitly request access to

result.client_auth_method (string, deprecated)

This field is deprecated; to configure PKCE, use the "pkce" field instead.

Enum: "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt"
result.device_authorization (object, deprecated)
result.ciba_authorization (object, deprecated)
Response
application/json
{ "result": { "app_id": "string", "tenant_id": "string", "app_name": "string", "app_description": "string", "client_type": "web", "logo": "string", "client_id": "string", "client_display_name": "string", "client_description": "string", "client_secret": "string", "redirect_uris": [], "login_preferences": {}, "created_at": "2019-08-24T14:15:22Z", "created_by": "string", "updated_at": "2019-08-24T14:15:22Z", "resources": [], "service_providers": [], "authenticator_preferences": {}, "allow_public_signup": true, "client_auth_method": "client_secret_basic", "pkce": "enforcePkceInsteadOfClientCredentials", "device_authorization": {}, "ciba_authorization": {}, "password_sharing_group_id": "string", "login_uri": "https://www.example.com/login", "invite_member_uri": "https://www.example.com/login", "invite_client_id": "string", "subdomain": "myapp", "invite_member_email_expiration_minutes": 2880, "custom_domain": {}, "external_communication": {}, "signing_key_enabled": true, "refresh_token_invalidation_trigger_configuration": {} } }

Get management apps

Request

Retrieve a list of all management applications

Security
ClientAccessToken or AdminAccessToken
curl -i -X GET \
  https://api.sbx.transmitsecurity.io/cis/v1/management/applications \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Body (application/json)
result (array of objects, required)
result[].app_id (string, required)

Application ID

result[].tenant_id (string, required)

Tenant ID

result[].app_name (string, required)

Application name displayed in the Admin Portal

result[].app_description (string, required)

Short description of your application, displayed in the Admin Portal

result[].login_preferences (object, required)
result[].login_preferences.auth_methods (object, required)
result[].login_preferences.auth_methods.google (object)
result[].login_preferences.auth_methods.facebook (object)
result[].login_preferences.auth_methods.email (object)
result[].login_preferences.auth_methods.email_otp (object)
result[].login_preferences.auth_methods.apple (object)
result[].login_preferences.auth_methods.sms (object)
result[].login_preferences.auth_methods.webauthn_api (object)
result[].login_preferences.auth_methods.line (object)
result[].login_preferences.auth_methods.password (object)
result[].login_preferences.auth_methods.totp (object)
result[].login_preferences.auth_methods.push (object)
result[].login_preferences.auth_methods.tiktok (object)
result[].login_preferences.auth_methods.pin_authenticator (object)
result[].login_preferences.auth_methods.face (object)
result[].created_at (string, date-time, required)

Date the application was created

result[].created_by (string, required)

The user that created the application

result[].updated_at (string, date-time, required)

Date the application was last updated

result[].service_providers (array of strings, required)

List of service providers this application is allowed to explicitly redirect to

result[].authenticator_preferences (object, required)
result[].authenticator_preferences.is_centralized (boolean, required)

Indicates whether to set the application as the Authentication Hub for this tenant

Default: false
result[].authenticator_preferences.login_uri (string, required)

URI of the application that will initiate an authentication flow when centralized login is requested

Example: "https://www.example.com/login"
result[].allow_public_signup (boolean, required)

Determines if the application is allowed to request to create new users via login flows

result[].pkce (string)

PKCE configuration

Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"
result[].password_sharing_group_id (string)

If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with.

result[].login_uri (string)

URI used to redirect the user to the login page of the application (when needed)

Example: "https://www.example.com/login"
result[].invite_member_uri (string)

URI used to redirect the member to the login page of the application (when needed)

Example: "https://www.example.com/login"
result[].invite_client_id (string)

Client used for the email magic link invitation flow

result[].subdomain (string)

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

Example: "myapp"
result[].invite_member_email_expiration_minutes (number)

Member invite email link expiration in minutes

Default: 2880
result[].custom_domain (object)
result[].external_communication (object)
result[].signing_key_enabled (boolean)

Determines if the application-specific signing key is enabled

result[].refresh_token_invalidation_trigger_configuration (object)
result[].client_type (string, deprecated)

Type of the default client

Default: "web"
Enum: "web", "native"
result[].client_id (string, deprecated)

Client ID of the default client used for API requests

result[].client_display_name (string, deprecated)

Client name of the default client to display when needed

result[].client_description (string, deprecated)

Short description of the default client

result[].client_secret (string, deprecated)

Client secret of the default client used to obtain tokens for API authorization

result[].redirect_uris (array of strings, deprecated)

List of URIs approved for redirects for your default client

result[].resources (array of strings, deprecated)

List of resources the default client is allowed to explicitly request access to

result[].client_auth_method (string, deprecated)

This field is deprecated; to configure PKCE, use the "pkce" field instead.

Enum: "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt"
result[].device_authorization (object, deprecated)
result[].ciba_authorization (object, deprecated)
Response
application/json
{ "result": [ {} ] }
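
The list response carries settings worth reviewing (pkce, allow_public_signup, the URI fields) and, in a deprecated field, the default client's client_secret. The following is an added example, not code from this API's documentation: it audits a response and produces a copy that is safe to log. The sample data is constructed, and the review policy (which pkce values pass, HTTPS-only URIs) is an assumption of the example.

```python
import copy

# Constructed sample shaped like the "Get management apps" response; field names
# come from this page, every value is made up for the example.
SAMPLE_LIST_RESPONSE = {
    "result": [
        {
            "app_id": "app-a-constructed",
            "app_name": "Billing sync",
            "pkce": "enforcePkceAlongsideClientCredentials",
            "allow_public_signup": False,
            "login_uri": "https://billing.example.com/login",
            "client_secret": "constructed-secret-1",
        },
        {
            "app_id": "app-b-constructed",
            "app_name": "Legacy admin job",
            "pkce": "allowPkceAlongsideClientCredentials",
            "allow_public_signup": True,
            "login_uri": "http://legacy.example.com/login",
            "client_secret": "constructed-secret-2",
        },
    ]
}

SENSITIVE_FIELDS = ("client_secret",)
# Review policy assumed for this example: only the two "enforce..." values pass.
PKCE_ENFORCING = {
    "enforcePkceInsteadOfClientCredentials",
    "enforcePkceAlongsideClientCredentials",
}
URI_FIELDS = ("login_uri", "invite_member_uri")


def _apps(response):
    """Create/Update return one object under "result", Get returns a list."""
    result = response.get("result", [])
    return result if isinstance(result, list) else [result]


def redact(response):
    """Return a deep copy that is safe to log: secrets replaced, input untouched."""
    safe = copy.deepcopy(response)
    for app in _apps(safe):
        for field in SENSITIVE_FIELDS:
            if app.get(field):
                app[field] = "[REDACTED]"
    return safe


def audit(response):
    """Return (app_id, finding) pairs for settings that deserve a second look."""
    findings = []
    for app in _apps(response):
        app_id = app.get("app_id", "<unknown>")
        if app.get("pkce") not in PKCE_ENFORCING:
            findings.append((app_id, "pkce-not-enforced"))
        if app.get("allow_public_signup") is True:
            findings.append((app_id, "public-signup-enabled"))
        for field in URI_FIELDS:
            uri = app.get(field)
            if uri and not uri.lower().startswith("https://"):
                findings.append((app_id, f"non-https:{field}"))
    return findings


if __name__ == "__main__":
    for app_id, finding in audit(SAMPLE_LIST_RESPONSE):
        print(app_id, finding)
    print(redact(SAMPLE_LIST_RESPONSE)["result"][0]["client_secret"])
```

Run redact() on any Create, Get or Update response before it reaches logs or tickets, since all three can return client_secret.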

Update management app

Request

Update a management application. Note: Fields that are objects cannot be partially updated, since the new value you set will just replace the current one.

Security
ClientAccessToken or AdminAccessToken
Path
app_id (string, required)
Body (application/json, required)
app_name (string)

Name of the application

Example: "My App"
app_description (string)

Short description of the application

login_uri (string)

URI used to redirect the user to the login page of the application (when needed)

Example: "https://www.example.com/login"
invite_member_uri (string)

URI used to redirect the member to the login page of the application (when needed)

Example: "https://www.example.com/login"
invite_member_email_expiration_minutes (number)

Member invite email link expiration in minutes

Default: 2880
refresh_token_invalidation_trigger_configuration (object)
first_client_authentication_protocol (string)

Defines the first client authentication protocol.

Enum: "oidc", "saml"
first_client (object)

Creates the first client for the application. The client can be OIDC or SAML, depending on what is set in first_client_authentication_protocol.

subdomain (string)

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

Example: "myapp"
custom_domain (string)

Domain of the application that can be offered for the application to be accessed from

Example: "myapp.com"
pkce (string)

PKCE configuration for client

Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"
should_delete_signing_key (boolean)

Determines whether the application-specific signing key should be deleted when disabled. If deleted, any tokens previously issued with this key will no longer be valid.

Default: false
signing_key_enabled (boolean)

Determines if the application-specific signing key is enabled

Default: false
invite_client_id (string)

Client used for the email magic link invitation flow

curl -i -X PUT \
  'https://api.sbx.transmitsecurity.io/cis/v1/management/applications/{app_id}' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "app_name": "My App",
    "app_description": "string",
    "login_uri": "https://www.example.com/login",
    "invite_member_uri": "https://www.example.com/login",
    "invite_member_email_expiration_minutes": 2880,
    "refresh_token_invalidation_trigger_configuration": {
      "invalidateOnMemberSuspension": true,
      "invalidateOnMemberPasswordReset": true,
      "invalidateOnMemberRoleUpdate": true
    },
    "first_client_authentication_protocol": "oidc",
    "first_client": {
      "name": "My Client",
      "description": "string",
      "resources": [
        "string"
      ],
      "authentication_protocol": "oidc",
      "client_group_id": "string",
      "default_custom_claims": [
        "tid"
      ],
      "short_cookies_samesite_type": "lax",
      "redirect_uris": [
        "https://www.example.com/login"
      ],
      "client_type": "web",
      "device_authorization": {
        "enabled": false,
        "approval_uri": "https://www.example.com/device/approval",
        "success_uri": "https://www.example.com/device/complete",
        "input_uri": "https://www.example.com/device/start"
      },
      "ciba_authorization": {
        "enabled": false,
        "login_uri": "https://www.example.com/ciba/login"
      },
      "is_third_party": true,
      "allowed_scopes": [
        "string"
      ],
      "consent_uri": "string",
      "consent_validity_period": 0,
      "pkce": "enforcePkceInsteadOfClientCredentials",
      "supported_prompts": [
        "login",
        "consent",
        "none"
      ],
      "token_expiration": {
        "access_token_ttl": 0,
        "refresh_token_ttl": 0,
        "max_refresh_rotate": 0
      },
      "session_expiration": 0,
      "enforce_par": true,
      "role_ids": [
        "string"
      ],
      "fapi_version_compliancy": true,
      "token_endpoint_auth_method": "client_secret_basic",
      "response_types": [
        "code"
      ],
      "authentication_configuration": {
        "method": "client_secret_basic",
        "tls_client_auth": {
          "certificate_chain": "string",
          "distinguished_name": 6,
          "ocsp_on": true,
          "ocsp_responder_uri": "string",
          "ocsp_responder_certificate": "string",
          "ocsp_fail_open": true
        },
        "isMtlsCertTokenBound": true,
        "jwks": {}
      }
    },
    "subdomain": "myapp",
    "custom_domain": "myapp.com",
    "pkce": "enforcePkceInsteadOfClientCredentials",
    "should_delete_signing_key": false,
    "signing_key_enabled": false,
    "invite_client_id": "string"
  }'
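
Because object fields are replaced wholesale on update, a body that sends only one key of refresh_token_invalidation_trigger_configuration would drop the other triggers. The following is an added example, not code from this API's documentation: it builds the PUT body by merging the change onto the app's current object and reports what a naive body would lose. The sample app is constructed, and the example assumes the response object uses the same keys as the request and that top-level fields left out of the body stay unchanged.

```python
import copy
import json

# Constructed sample of one app as returned by a prior GET; field names come
# from this page, values are made up for the example.
CURRENT_APP = {
    "app_id": "app-123-constructed",
    "app_name": "My App",
    "refresh_token_invalidation_trigger_configuration": {
        "invalidateOnMemberSuspension": True,
        "invalidateOnMemberPasswordReset": True,
        "invalidateOnMemberRoleUpdate": True,
    },
}


def deep_merge(current, change):
    """Copy `current` and apply `change`; nested dicts merge, other values replace."""
    merged = copy.deepcopy(current)
    for key, value in change.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def build_update_body(current_app, changes):
    """Build a PUT body in which every object field is sent complete."""
    body = {}
    for field, value in changes.items():
        existing = current_app.get(field)
        if isinstance(value, dict) and isinstance(existing, dict):
            body[field] = deep_merge(existing, value)
        else:
            body[field] = copy.deepcopy(value)
    return body


def dropped_keys(current_app, body, prefix=""):
    """List nested keys the app has today that `body` would silently remove."""
    lost = []
    for field, value in body.items():
        existing = current_app.get(field)
        if not (isinstance(value, dict) and isinstance(existing, dict)):
            continue
        for key in existing:
            if key not in value:
                lost.append(f"{prefix}{field}.{key}")
            elif isinstance(existing[key], dict) and isinstance(value[key], dict):
                lost.extend(
                    dropped_keys(existing, {key: value[key]}, f"{prefix}{field}.")
                )
    return sorted(lost)


if __name__ == "__main__":
    # Intent: stop invalidating refresh tokens on role updates, keep the rest.
    change = {
        "refresh_token_invalidation_trigger_configuration": {
            "invalidateOnMemberRoleUpdate": False
        }
    }
    print("naive body would drop:", dropped_keys(CURRENT_APP, change))
    print(json.dumps(build_update_body(CURRENT_APP, change), indent=2))
```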

Responses

Body (application/json)
result (object, required)
result.app_id (string, required)

Application ID

result.tenant_id (string, required)

Tenant ID

result.app_name (string, required)

Application name displayed in the Admin Portal

result.app_description (string, required)

Short description of your application, displayed in the Admin Portal

result.logo (string, required)

URI of your application's logo, such as for email templates

result.login_preferences (object, required)
result.login_preferences.auth_methods (object, required)
result.login_preferences.auth_methods.google (object)
result.login_preferences.auth_methods.facebook (object)
result.login_preferences.auth_methods.email (object)
result.login_preferences.auth_methods.email_otp (object)
result.login_preferences.auth_methods.apple (object)
result.login_preferences.auth_methods.sms (object)
result.login_preferences.auth_methods.webauthn_api (object)
result.login_preferences.auth_methods.line (object)
result.login_preferences.auth_methods.password (object)
result.login_preferences.auth_methods.totp (object)
result.login_preferences.auth_methods.push (object)
result.login_preferences.auth_methods.tiktok (object)
result.login_preferences.auth_methods.pin_authenticator (object)
result.login_preferences.auth_methods.face (object)
result.created_at (string, date-time, required)

Date the application was created

result.created_by (string, required)

The user that created the application

result.updated_at (string, date-time, required)

Date the application was last updated

result.service_providers (array of strings, required)

List of service providers this application is allowed to explicitly redirect to

result.authenticator_preferences (object, required)
result.authenticator_preferences.is_centralized (boolean, required)

Indicates whether to set the application as the Authentication Hub for this tenant

Default: false
result.authenticator_preferences.login_uri (string, required)

URI of the application that will initiate an authentication flow when centralized login is requested

Example: "https://www.example.com/login"
result.allow_public_signup (boolean, required)

Determines if the application is allowed to request to create new users via login flows

result.pkce (string)

PKCE configuration

Enum: "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials"
result.password_sharing_group_id (string)

If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with.

result.login_uri (string)

URI used to redirect the user to the login page of the application (when needed)

Example: "https://www.example.com/login"
result.invite_member_uri (string)

URI used to redirect the member to the login page of the application (when needed)

Example: "https://www.example.com/login"
result.invite_client_id (string)

Client used for the email magic link invitation flow

result.subdomain (string)

Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)

Example: "myapp"
result.invite_member_email_expiration_minutes (number)

Member invite email link expiration in minutes

Default: 2880
result.custom_domain (object)
result.external_communication (object)
result.signing_key_enabled (boolean)

Determines if the application-specific signing key is enabled

result.refresh_token_invalidation_trigger_configuration (object)
result.client_type (string, deprecated)

Type of the default client

Default: "web"
Enum: "web", "native"
result.client_id (string, deprecated)

Client ID of the default client used for API requests

result.client_display_name (string, deprecated)

Client name of the default client to display when needed

result.client_description (string, deprecated)

Short description of the default client

result.client_secret (string, deprecated)

Client secret of the default client used to obtain tokens for API authorization

result.redirect_uris (array of strings, deprecated)

List of URIs approved for redirects for your default client

result.resources (array of strings, deprecated)

List of resources the default client is allowed to explicitly request access to

result.client_auth_method (string, deprecated)

This field is deprecated; to configure PKCE, use the "pkce" field instead.

Enum: "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt"
result.device_authorization (object, deprecated)
result.ciba_authorization (object, deprecated)
Response
application/json
{ "result": { "app_id": "string", "tenant_id": "string", "app_name": "string", "app_description": "string", "client_type": "web", "logo": "string", "client_id": "string", "client_display_name": "string", "client_description": "string", "client_secret": "string", "redirect_uris": [], "login_preferences": {}, "created_at": "2019-08-24T14:15:22Z", "created_by": "string", "updated_at": "2019-08-24T14:15:22Z", "resources": [], "service_providers": [], "authenticator_preferences": {}, "allow_public_signup": true, "client_auth_method": "client_secret_basic", "pkce": "enforcePkceInsteadOfClientCredentials", "device_authorization": {}, "ciba_authorization": {}, "password_sharing_group_id": "string", "login_uri": "https://www.example.com/login", "invite_member_uri": "https://www.example.com/login", "invite_client_id": "string", "subdomain": "myapp", "invite_member_email_expiration_minutes": 2880, "custom_domain": {}, "external_communication": {}, "signing_key_enabled": true, "refresh_token_invalidation_trigger_configuration": {} } }

Delete management app

Request

Delete a management application and remove role assignments belonging to it.

Security
ClientAccessToken or AdminAccessToken
Path
app_id (string, required)
curl -i -X DELETE \
  'https://api.sbx.transmitsecurity.io/cis/v1/management/applications/{app_id}' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Response
No content