# Credentials

Register and authenticate using WebAuthn APIs


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated.

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps.

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant).

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[Credentials](https://developer.transmitsecurity.com/_bundle/openapi/user/webauthn-credentials.openapi.yaml)

## Other

### Start registration (deprecated)

 - [POST /v1/webauthn/register/start](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/registration-start.md): Start a registration of WebAuthn credentials for a specified user. This requires an authorized authentication session created by a server side call to /auth-session/start-with-authorization. If successful, the response will contain a credential_creation_options field that should be passed in the WebAuthn navigator.credentials.create() API call. Note that some fields (user.id and challenge) in the credential_creation_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

### Complete registration (deprecated)

 - [POST /v1/webauthn/register/complete](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/registration-complete.md): Complete the WebAuthn credential registration, and obtain the authorization code to exchange for user tokens. It's required to provide the webauthn_session_id that was received in the registration start response. Note that some fields (clientDataJSON and attestationObject) must be converted from array buffer to base64 strings. If webauthn-json create() was used this is already taken care of.

### Start authentication (deprecated)

 - [POST /v1/webauthn/authenticate/start](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/startauthentication.md): Start a new WebAuthn authentication. This requires an authentication session, but it can be created from the client side without authorization by calling /auth-session/start-restricted. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

### Complete authentication (deprecated)

 - [POST /v1/webauthn/authenticate/complete](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/authentication-complete.md): Complete the WebAuthn credential assertion, and obtain the authorization code to exchange for user tokens. It's required to provide the webauthn_session_id that was received in the authentication start response. Note that some fields in the public_key_credential.response object must be converted from array buffer to base64 strings (clientDataJSON, authenticatorData, signature and userHandle). If webauthn-json get() was used this is already taken care of.

### Start passkey authentication (deprecated)

 - [POST /v1/webauthn/authenticate/passkey/start](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/passkeystart.md): Start a new WebAuthn passkey authentication. This requires an authentication session, but it can be created from the client side without authorization by calling /auth-session/start-restricted. If successful, the response will contain a credential_request_options field that should be passed in the WebAuthn navigator.credentials.get() API call. Note that some fields (challenge and each id in the allowCredentials list) in the credential_request_options object are base64 encoded and must first be decoded and converted to an array buffer. It is recommended to use the webauthn-json library that handles this.

### Complete passkey authentication (deprecated)

 - [POST /v1/webauthn/authenticate/passkey/complete](https://developer.transmitsecurity.com/openapi/user/webauthn-credentials.openapi/other/passkeycomplete.md): Complete the WebAuthn credential assertion, and obtain the authorization code to exchange for user tokens. It's required to provide the webauthn_session_id that was received in the authentication start response. Note that some fields in the public_key_credential.response object must be converted from array buffer to base64 strings (clientDataJSON, authenticatorData, signature and userHandle). If webauthn-json get() was used this is already taken care of.
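
The field conversions described for the start and complete calls above, written out by hand for cases where webauthn-json is not used. This is an added example, not code from Transmit Security or webauthn-json; the helper names are hypothetical. It assumes the listed fields sit directly on the object passed in, and that unpadded base64url output is acceptable (the page says only "base64").

```javascript
// Added example: field names come from the page, helper names are hypothetical.

// Decode base64 or base64url (padding optional) into an ArrayBuffer.
function b64ToBuffer(s) {
  const std = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  const bin = atob(padded); // throws on characters outside the alphabet
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Encode an ArrayBuffer as unpadded base64url (assumed format); null stays null.
function bufferToB64(buf) {
  if (buf == null) return null; // userHandle may be absent on an assertion
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// credential_creation_options: challenge and user.id become array buffers.
function decodeCreationOptions(o) {
  return { ...o, challenge: b64ToBuffer(o.challenge),
           user: { ...o.user, id: b64ToBuffer(o.user.id) } };
}

// credential_request_options: challenge and every allowCredentials[].id.
function decodeRequestOptions(o) {
  return { ...o, challenge: b64ToBuffer(o.challenge),
           allowCredentials: (o.allowCredentials || []).map(
             (c) => ({ ...c, id: b64ToBuffer(c.id) })) };
}

// Encode the named binary fields of a credential's response object.
function encodeResponse(response, fields) {
  const out = {};
  for (const f of fields) out[f] = bufferToB64(response[f]);
  return out;
}

// Fields the page lists for register/complete and authenticate/complete.
const ATTESTATION_FIELDS = ['clientDataJSON', 'attestationObject'];
const ASSERTION_FIELDS = ['clientDataJSON', 'authenticatorData', 'signature', 'userHandle'];
```
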

