WebAuthn Hosted

Download OpenAPI specification:Download

Login users using WebAuthn biometrics and a hosted login experience. This implements a frontend integration for authentication, where the client obtains an authorization code that your app can exchange in the backend for user tokens.

Login with WebAuthn Hosted

Authenticate the user using secured biometrics. This endpoint should be called from the user's browser. It will redirect the User Agent to the login page and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Request
query Parameters
client_id
required
string <= 150 characters

Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal

Example: client_id=DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV
redirect_uri
required
string

URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal

Example: redirect_uri=https://www.example.com/login
create_new_user
boolean
Default: true

Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

resource
string

Resource URI the login is attempting to access.

require_mfa
boolean
Default: false

Require multi factor authentication for this authentication request.

Example: require_mfa=true
login_hint
string

Hint for the user's login identifier.

Example: login_hint=user@acme.com
custom_message
string

Custom message to present on the consent screens, which provides authentication context details.

Example: custom_message=Welcome to Acme
verifications
string

List of data verifications to try and execute, specified as a space-delimited string. Email address will be verified by default, but this can be used to request a verified phone number (phone). If the data is already verified, it won't be verified again. The acr claim of the resulting ID token will indicate which data is verified.

Example: verifications=phone
ui_locales
string

Preferred languages for the user interface, specified as a space-separated list of language tag values [RFC5646], ordered by preference.

claims
string

A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference. Note: You should stringify the value.

Example: claims={"id_token":{"roles":null}}
state
string

An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks

nonce
string

A random value that is included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It will be added to the id_token and the backend service should only accept id_tokens that include the same nonce value as the one included in the original request

org_id
string

Organization ID, used for member login in B2B scenarios

Responses
302

Redirect with code

400
get/v1/auth/webauthn
Request samples 
Response samples 
application/json
{
  • "message": "Invalid redirect_uri",
  • "error_code": 400
}
Exchange code for tokenDeprecated
Retrieve ID and access tokens. This API is used to retrieve ID and access tokens using the code that was returned in the redirect URI as a query parameter (for example, when the user clicks a magic link). It may also create a new user if create_new_user was set to true in the send request and no user exists for the email address or phone number (depending on the flow).


Request 
Request Body schema: application/json
required
code
required
string
Authorization code returned in the redirect URI as a query parameter upon successful authentication


 
client_id
required
string  <= 50 characters 
Client ID of the application requesting the token


 
client_secret
required
string  <= 50 characters 
Client Secret of the application requesting the token


 
Responses 
200
400
post/v1/token
Request samples 
application/json
{
  • "code": "GZxLFKTDCnlANVTxNvaWz7AIGPpXqZYSXdAwjiWRuOH",
  • "client_id": "DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV",
  • "client_secret": "FzxvdDMbvxnc45sdfb789XCVGEW6usazxcvbw3KPsb23"
}
Response samples 
application/json
{
  • "id_token": "string",
  • "access_token": "string",
  • "refresh_token": "string",
  • "is_user_created": true
}
Logout
Logout the user from a specific session. The user and session are derived from the access token used to authorize the request (which was issued based on the authentication that created the session)


SecurityHTTP: bearer 
Responses 
200
Sessions deleted Successfully


400
401
post/v1/auth/logout
Request samples 
Response samples 
application/json
{
  • "sessions_count": 0
}