# Login with WebAuthn Hosted

Authenticate the user using secured biometrics. This endpoint should be called from the user's browser. It will redirect the User Agent to the login page and redirect back to Transmit upon successful authentication. Once Transmit verifies the authentication response, the User Agent will be redirected to the redirect_uri specified in the request. This URI will now include a code parameter in the query, which will be later exchanged for a token via the /token endpoint.

Endpoint: GET /v1/auth/webauthn

## Query parameters:

  - `client_id` (string, required)
    Client ID of the application requesting authentication, retrieved from the Transmit Admin Portal.
    Example: "DgsdfhSDsdfhtSDFXCCXBVMKPws345yscv2345XCZV"

  - `redirect_uri` (string, required)
    URI to redirect to upon completion of the IDP flow. This is the server GET endpoint used to call the token endpoint, and should accept "code" as a query parameter. This URI must also be configured as an allowed redirect URI in the Transmit Admin Portal.
    Example: "https://www.example.com/login"

  - `create_new_user` (boolean)
    Indicates if a new user should be created if no user with associated email was found. If enabled, public signups must also be configured as allowed for the application.

  - `resource` (string)
    Resource URI the login is attempting to access.

  - `require_mfa` (boolean)
    Require multi-factor authentication for this authentication request.
    Example: true

  - `login_hint` (string)
    Hint for the user's login identifier.
    Example: "user@acme.com"

  - `custom_message` (string)
    Custom message to present on the consent screens, which provides authentication context details.
    Example: "Welcome to Acme"

  - `verifications` (string)
    List of data verifications to try and execute, specified as a space-delimited string. Email address will be verified by default, but this can be used to request a verified phone number (phone). If the data is already verified, it won't be verified again. The acr claim of the resulting ID token will indicate which data is verified.
    Example: "phone"

  - `ui_locales` (string)
    Preferred languages for the user interface, specified as a space-separated list of language tag values [RFC5646], ordered by preference.

  - `claims` (string)
    A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC Standard. For supported claims and how to request custom claims, see the ID Token Reference.
    Note: You should stringify the value.
    Example: "{\"id_token\":{\"roles\":null}}"

  - `state` (string)
    An opaque string that is used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks.

  - `nonce` (string)
    A random value that is included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It will be added to the id_token, and the backend service should only accept id_tokens that include the same nonce value as the one included in the original request.

  - `org_id` (string)
    Organization ID, used for member login in B2B scenarios.
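
The `state` and `nonce` checks described above, sketched as an added example (not Transmit's own code). `BASE_URL` is a placeholder host, the `session` dict stands in for your server-side session store, the function names are hypothetical, and `check_nonce` assumes the claims come from an ID token whose signature has already been verified.

```python
import hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://transmit.example.invalid"  # placeholder host (assumption)

def build_login_url(client_id, redirect_uri, session):
    """Issue fresh state/nonce, store them server-side, return the login URL."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
        # claims must be passed as a stringified JSON object
        "claims": json.dumps({"id_token": {"roles": None}}, separators=(",", ":")),
    }
    return f"{BASE_URL}/v1/auth/webauthn?{urlencode(query)}"

def _same(expected, got):
    """Constant-time comparison; a missing expected value never matches."""
    return bool(expected) and hmac.compare_digest(expected.encode(), str(got).encode())

def handle_callback(callback_url, session):
    """Return `code` only if the callback carries the state issued for this session."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    if not _same(expected, params.get("state", [""])[0]):
        raise ValueError("state mismatch: possible CSRF, reject the callback")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback has no code parameter")
    return code  # exchange this at the /token endpoint

def check_nonce(id_token_claims, session):
    """Accept the ID token only if its nonce equals the one sent in the request."""
    expected = session.pop("nonce", None)  # single use
    if not _same(expected, id_token_claims.get("nonce", "")):
        raise ValueError("nonce mismatch: possible replayed id_token")
    return True
```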

## Response 400 fields (application/json):

  - `message` (string, required)
    Example: "Invalid redirect_uri"

  - `error_code` (number, required)
    Example: 400


## Response 302 fields
