
Credentials

Register and authenticate using WebAuthn APIs

Servers

Sandbox environment: https://api.sbx.transmitsecurity.io/cis/
Production environment (US): https://api.transmitsecurity.io/cis/
Production environment (EU): https://api.eu.transmitsecurity.io/cis/
Production environment (CA): https://api.ca.transmitsecurity.io/cis/
Production environment (AU): https://api.au.transmitsecurity.io/cis/

Start registration (Deprecated)

Request

Start a registration of WebAuthn credentials for a specified user. This requires an authorized authentication session created by a server side call to /auth-session/start-with-authorization. If successful, the response will contain a credential_creation_options field that should be passed in the WebAuthn navigator.credentials.create() API call. Note that some fields (user.id and challenge) in the credential_creation_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

Headers
x-ts-device-binding-token (string)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

User-Agent (string)

Browser user agent. Allows adding device info to sessions if provided

Body (application/json, required)
auth_session_id (string, required)

Session identifier that corresponds to an authorized session (created from the backend with an access token)

user (object, required)
user.username (string, [ 1 .. 64 ] characters, required)

Account name for this Relying Party. This is used both for display purposes, as well as during recovery flows where the user is asked for the account name. Must match the username in the auth session.

user.display_name (string, [ 1 .. 64 ] characters)

Human-palatable name for the user account, only for display (max 64 characters)

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/register/start \
  -H 'Content-Type: application/json' \
  -H 'User-Agent: string' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string",
    "user": {
      "username": "string",
      "display_name": "string"
    }
  }'

Responses

Active WebAuthn session info

Headers
set-device-binding-token (string)

A token that binds the device to the session

Example: "8ac0bdca-affb-4b1b-af50-2f834ad266b3"

Body (application/json)
webauthn_session_id (string, required)

WebAuthn session identifier

credential_creation_options (object, required)
credential_creation_options.attestation (string)
Default: "none"
Value: "none"
credential_creation_options.authenticatorSelection (object)
credential_creation_options.extensions (object)
credential_creation_options.excludeCredentials (Array of strings)
credential_creation_options.pubKeyCredParams (Array of objects, required)
credential_creation_options.pubKeyCredParams[].alg (number, required)
credential_creation_options.pubKeyCredParams[].type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
credential_creation_options.timeout (number)
credential_creation_options.challenge (string, required)
credential_creation_options.user (object, required)
credential_creation_options.user.id (string, required)

User handle

credential_creation_options.user.name (string, required)

The WebAuthn username

credential_creation_options.user.displayName (string, required)

The user display name

credential_creation_options.rp (object, required)
credential_creation_options.rp.id (string, pattern /^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[..., required)

Relying Party ID. Must be a valid domain pre-configured in the Admin Portal for the application

credential_creation_options.rp.name (string, required)

Relying party displayable name

credential_creation_options.rp.icon (string, required)

Response
application/json
{ "webauthn_session_id": "string", "credential_creation_options": { "attestation": "none", "authenticatorSelection": {}, "extensions": {}, "excludeCredentials": [], "pubKeyCredParams": [], "timeout": 0, "challenge": "string", "user": {}, "rp": {} } }

Complete registration (Deprecated)

Request

Complete the WebAuthn credential registration and obtain the authorization code to exchange for user tokens. The request must include the webauthn_session_id that was received in the registration start response. Note that some fields (clientDataJSON and attestationObject) must be converted from array buffer to base64 strings. If webauthn-json create() was used, this is already taken care of.

Headers
x-ts-device-binding-token (string)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

User-Agent (string)

Browser user agent. Allows adding device info to sessions if provided

Body (application/json, required)
auth_session_id (string, required)

Session identifier

webauthn_session_id (string, required)

WebAuthn session identifier

public_key_credential (object, required)
public_key_credential.id (string, required)

The credential ID

public_key_credential.rawId (string, required)

The credential ID given as a byte array

public_key_credential.response (object, required)
public_key_credential.response.clientDataJSON (string, required)

The client JSON data passed to the authenticator to generate the attestation

public_key_credential.response.attestationObject (string, required)

The attestation object containing the attestation statement and the authenticator and credential data

public_key_credential.type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
public_key_credential.authenticatorAttachment (string)

The authenticator's attachment modality. Cross-platform authenticators are external to the current device, such as a USB security key or a different device

Enum: "platform", "cross-platform"
double_signed_challenge (string)

The WebAuthn challenge signed with the device public key, encoded as Base64. Allowed signing algorithms: SHA-256, SHA-384, SHA-512

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/register/complete \
  -H 'Content-Type: application/json' \
  -H 'User-Agent: string' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string",
    "webauthn_session_id": "string",
    "public_key_credential": {
      "id": "string",
      "rawId": "string",
      "response": {
        "clientDataJSON": "string",
        "attestationObject": "string"
      },
      "type": "public-key",
      "authenticatorAttachment": "platform"
    },
    "double_signed_challenge": "string"
  }'

Responses

Complete WebAuthn session info

Body (application/json)
credential (object, required)
credential.credential_id (string, required)

Identifier of the credential generated by Transmit

credential.public_key (string, required)

Public credential key for WebAuthn credentials

auth_code (string, required)

Authorization code to exchange for user tokens

Response
application/json
{ "credential": { "credential_id": "string", "public_key": "string" }, "auth_code": "string" }

Start authentication (Deprecated)

Request

Start a new WebAuthn authentication. This requires an authentication session, but it can be created from the client side without authorization by calling /auth-session/start-restricted. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

Headers
x-ts-device-binding-token (string, required)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

Body (application/json, required)
auth_session_id (string, required)

Session identifier

username (string, required)

Name of user account, as used in the WebAuthn registration

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/authenticate/start \
  -H 'Content-Type: application/json' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string",
    "username": "string"
  }'

Responses

Active WebAuthn session info

Body (application/json)
webauthn_session_id (string, required)

WebAuthn session identifier

credential_request_options (object, required)
credential_request_options.allowCredentials (Array of objects, required)
credential_request_options.allowCredentials[].type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
credential_request_options.allowCredentials[].id (string, required)

The credential ID

credential_request_options.allowCredentials[].transports (Array of strings, required)
Default: ["internal"]
Items value: "internal"
Example: ["internal"]
credential_request_options.rawChallenge (string)

Represents the natural WebAuthn challenge. Will only be present in approval flows

credential_request_options.challenge (string, required)
credential_request_options.timeout (number)
credential_request_options.rpId (string, pattern /^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[..., required)

Relying Party ID. Must be a valid domain pre-configured in the Admin Portal for the application

credential_request_options.attestation (string)
Default: "none"
Value: "none"
Example: "none"
credential_request_options.userVerification (string)
Default: "preferred"
Enum: "preferred", "required"
Example: "preferred"
credential_request_options.extensions (object)

Response
application/json
{ "webauthn_session_id": "string", "credential_request_options": { "allowCredentials": [], "rawChallenge": "string", "challenge": "string", "timeout": 0, "rpId": "string", "attestation": "none", "userVerification": "preferred", "extensions": {} } }

Complete authentication (Deprecated)

Request

Complete the WebAuthn credential assertion, and obtain the authorization code to exchange for user tokens. It's required to provide the webauthn_session_id that was received in the authentication start response. Note that some fields in the public_key_credential.response object must be converted from array buffer to base64 strings (clientDataJSON, authenticatorData, signature and userHandle). If webauthn-json get() was used this is already taken care of.

Headers
x-ts-device-binding-token (string, required)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

User-Agent (string)

Browser user agent. Allows adding device info to sessions if provided

Body (application/json, required)
auth_session_id (string, required)

Session identifier

webauthn_session_id (string, required)

WebAuthn session identifier

public_key_credential (object, required)
public_key_credential.id (string, required)

The credential ID

public_key_credential.rawId (string, required)

The credential ID given as a byte array

public_key_credential.response (object)
public_key_credential.type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
public_key_credential.authenticatorAttachment (string)

The authenticator's attachment modality. Cross-platform authenticators are external to the current device, such as a USB security key or a different device

Enum: "platform", "cross-platform"
double_signed_challenge (string)

The WebAuthn challenge signed with the device public key, encoded as Base64. Allowed signing algorithms: SHA-256, SHA-384, SHA-512

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/authenticate/complete \
  -H 'Content-Type: application/json' \
  -H 'User-Agent: string' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string",
    "webauthn_session_id": "string",
    "public_key_credential": {
      "id": "string",
      "rawId": "string",
      "response": {
        "authenticatorData": "string",
        "clientDataJSON": "string",
        "signature": "string",
        "userHandle": "string"
      },
      "type": "public-key",
      "authenticatorAttachment": "platform"
    },
    "double_signed_challenge": "string"
  }'

Responses

Complete WebAuthn session info

Body (application/json)
auth_code (string, required)

Authorization code to exchange for user tokens

credential (object, required)
credential.credential_id (string, required)

Identifier of the credential generated by Transmit

credential.public_key (string, required)

Public credential key for WebAuthn credentials

credential.registered_at (string, required)

Date the credential was registered, in ISO 8601

credential.last_used (string, required)

Date the credential was last used to authenticate, in ISO 8601 (excludes current session)

Response
application/json
{ "auth_code": "string", "credential": { "credential_id": "string", "public_key": "string", "registered_at": "string", "last_used": "string" } }

Start passkey authentication (Deprecated)

Request

Start a new WebAuthn passkey authentication. This requires an authentication session, but it can be created from the client side without authorization by calling /auth-session/start-restricted. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

Headers
x-ts-device-binding-token (string, required)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

Body (application/json, required)
auth_session_id (string, required)

Session identifier

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/authenticate/passkey/start \
  -H 'Content-Type: application/json' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string"
  }'

Responses

Active WebAuthn session info

Body (application/json)
webauthn_session_id (string, required)

WebAuthn session identifier

credential_request_options (object, required)
credential_request_options.allowCredentials (Array of objects, required)
credential_request_options.allowCredentials[].type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
credential_request_options.allowCredentials[].id (string, required)

The credential ID

credential_request_options.allowCredentials[].transports (Array of strings, required)
Default: ["internal"]
Items value: "internal"
Example: ["internal"]
credential_request_options.rawChallenge (string)

Represents the natural WebAuthn challenge. Will only be present in approval flows

credential_request_options.challenge (string, required)
credential_request_options.timeout (number)
credential_request_options.rpId (string, pattern /^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.[..., required)

Relying Party ID. Must be a valid domain pre-configured in the Admin Portal for the application

credential_request_options.attestation (string)
Default: "none"
Value: "none"
Example: "none"
credential_request_options.userVerification (string)
Default: "preferred"
Enum: "preferred", "required"
Example: "preferred"
credential_request_options.extensions (object)

Response
application/json
{ "webauthn_session_id": "string", "credential_request_options": { "allowCredentials": [], "rawChallenge": "string", "challenge": "string", "timeout": 0, "rpId": "string", "attestation": "none", "userVerification": "preferred", "extensions": {} } }

Complete passkey authentication (Deprecated)

Request

Complete the WebAuthn credential assertion, and obtain the authorization code to exchange for user tokens. It's required to provide the webauthn_session_id that was received in the authentication start response. Note that some fields in the public_key_credential.response object must be converted from array buffer to base64 strings (clientDataJSON, authenticatorData, signature and userHandle). If webauthn-json get() was used this is already taken care of.

Headers
x-ts-device-binding-token (string, required)

Device binding token, returned by the first client-side request from a device in the session (in the set-device-binding-token response header)

User-Agent (string)

Browser user agent. Allows adding device info to sessions if provided

Body (application/json, required)
auth_session_id (string, required)

Session identifier

webauthn_session_id (string, required)

WebAuthn session identifier

public_key_credential (object, required)
public_key_credential.id (string, required)

The credential ID

public_key_credential.rawId (string, required)

The credential ID given as a byte array

public_key_credential.response (object)
public_key_credential.type (string, required)

Key type. Should always be public-key

Default: "public-key"
Value: "public-key"
Example: "public-key"
public_key_credential.authenticatorAttachment (string)

The authenticator's attachment modality. Cross-platform authenticators are external to the current device, such as a USB security key or a different device

Enum: "platform", "cross-platform"

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/webauthn/authenticate/passkey/complete \
  -H 'Content-Type: application/json' \
  -H 'User-Agent: string' \
  -H 'x-ts-device-binding-token: string' \
  -d '{
    "auth_session_id": "string",
    "webauthn_session_id": "string",
    "public_key_credential": {
      "id": "string",
      "rawId": "string",
      "response": {
        "authenticatorData": "string",
        "clientDataJSON": "string",
        "signature": "string",
        "userHandle": "string"
      },
      "type": "public-key",
      "authenticatorAttachment": "platform"
    }
  }'

Responses

Complete WebAuthn session info

Body (application/json)
auth_code (string, required)

Authorization code to exchange for user tokens

credential (object, required)
credential.credential_id (string, required)

Identifier of the credential generated by Transmit

credential.public_key (string, required)

Public credential key for WebAuthn credentials

credential.registered_at (string, required)

Date the credential was registered, in ISO 8601

credential.last_used (string, required)

Date the credential was last used to authenticate, in ISO 8601 (excludes current session)

Response
application/json
{ "auth_code": "string", "credential": { "credential_id": "string", "public_key": "string", "registered_at": "string", "last_used": "string" } }
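
The field conversions that the start and complete requests above call for (registration, authentication and passkey authentication), written out as an added JavaScript example; it is not Transmit's code and not a replacement for webauthn-json. Function names are hypothetical, and emitting unpadded base64url and encoding rawId are assumptions, since the page only says "base64".

```javascript
// Hypothetical helper: decode base64 or base64url (padding optional) into an ArrayBuffer.
function b64ToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

// Encode an ArrayBuffer (or typed array) as unpadded base64url.
// Assumption: this is the form webauthn-json emits; the page only says "base64".
function bufferToB64(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Turn credential_creation_options or credential_request_options into the
// `publicKey` value for navigator.credentials.create() / .get().
function decodeOptions(options) {
  const out = { ...options, challenge: b64ToBuffer(options.challenge) };
  if (options.user) out.user = { ...options.user, id: b64ToBuffer(options.user.id) };
  if (options.allowCredentials) {
    out.allowCredentials = options.allowCredentials.map((c) => ({ ...c, id: b64ToBuffer(c.id) }));
  }
  return out;
}

// Serialize the PublicKeyCredential returned by the browser.
const BINARY_FIELDS = ["clientDataJSON", "attestationObject", "authenticatorData", "signature", "userHandle"];
function encodeCredential(cred) {
  const response = {};
  for (const field of BINARY_FIELDS) {
    const value = cred.response[field];
    // userHandle is null when the authenticator returns none; omit it rather than encode it.
    if (value != null) response[field] = bufferToB64(value);
  }
  // rawId is an ArrayBuffer in the browser, so it is encoded too (assumption).
  const out = { id: cred.id, rawId: bufferToB64(cred.rawId), response, type: cred.type };
  // Browsers may report null here; send the field only for a documented enum value.
  if (["platform", "cross-platform"].includes(cred.authenticatorAttachment)) {
    out.authenticatorAttachment = cred.authenticatorAttachment;
  }
  return out;
}

// Body for the three */complete calls; passkey/complete takes no double_signed_challenge.
function completeBody(authSessionId, webauthnSessionId, cred, doubleSignedChallenge) {
  const body = {
    auth_session_id: authSessionId,
    webauthn_session_id: webauthnSessionId,
    public_key_credential: encodeCredential(cred),
  };
  if (doubleSignedChallenge) body.double_signed_challenge = doubleSignedChallenge;
  return body;
}
```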