openapi: 3.0.3
info:
title: Applications
description: >-
Manage your applications and their clients. An application requires at least
one client; the first client is created automatically and set as the default.
The application can be configured to use additional clients, which can be
added later. Application APIs are authorized using an access token of a
relevant app or an admin access token of the management application.
version: ''
servers:
- url: https://api.sbx.transmitsecurity.io/cis
description: Sandbox environment
- url: https://api.transmitsecurity.io/cis
description: Production environment (US)
- url: https://api.eu.transmitsecurity.io/cis
description: Production environment (EU)
- url: https://api.ca.transmitsecurity.io/cis
description: Production environment (CA)
- url: https://api.au.transmitsecurity.io/cis
description: Production environment (AU)
# An empty top-level requirement list sets no default security scheme, so an
# operation that omits its own `security` key is described as callable
# without credentials. Every operation in this part of the file declares its
# own requirement; keep that true when adding new paths.
security: []
paths:
/v1/applications/{appId}/clients:
post:
operationId: createAppClient
summary: Create client
description: >-
Create a new client. <br><br>**Required permissions**: `apps:create`,
`apps:edit`.
parameters:
- name: appId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiCreateOidcClientInput'
- $ref: '#/components/schemas/ApiCreateSamlClientInput'
responses:
'201':
description: ''
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiOidcClient'
- $ref: '#/components/schemas/ApiSamlClient'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'409':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierIsTakenHttpError'
security:
- ClientAccessToken: []
- AdminAccessToken: []
get:
operationId: getAppClients
summary: Get all clients
description: >-
Retrieves a list of clients for an application. <br><br>**Required
permissions**: `apps:read`.
parameters:
- name: appId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
content:
application/json:
schema:
items:
anyOf:
- $ref: '#/components/schemas/ApiOidcClient'
- $ref: '#/components/schemas/ApiSamlClient'
type: array
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
- AdminAccessToken: []
# Bulk delete: removes every client of the application named by `appId`.
# NOTE(review): unlike the other operations on this path, the description
# names no required permissions. Confirm which permissions gate this
# destructive call and document them here.
delete:
operationId: deleteAppClients
summary: Delete all clients
description: Deletes all clients for an application.
parameters:
- name: appId
required: true
in: path
schema:
type: string
responses:
'204':
description: ''
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
# Either a client access token or an admin access token satisfies this
# operation (the two list entries are alternatives).
security:
- ClientAccessToken: []
- AdminAccessToken: []
/v1/applications/{appId}/clients/{clientId}:
get:
operationId: getAppClientById
summary: Get client by ID
description: >-
Retrieves a client by client ID. <br><br>**Required permissions**:
`apps:read`.
parameters:
- name: clientId
required: true
in: path
description: ID of the client to retrieve
schema:
type: string
- name: appId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiOidcClient'
- $ref: '#/components/schemas/ApiSamlClient'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
- AdminAccessToken: []
put:
operationId: updateAppClient
summary: Update client
description: >-
Update a client. Note: Fields that are objects cannot be partially
updated, since the new value you set will just replace the current one.
<br><br>**Required permissions**: `apps:edit`, `apps:create`.
parameters:
- name: clientId
required: true
in: path
description: ID of the client to update
schema:
type: string
- name: appId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiUpdateOidcClientInput'
- $ref: '#/components/schemas/ApiUpdateSamlClientInput'
responses:
'200':
description: ''
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiOidcClient'
- $ref: '#/components/schemas/ApiSamlClient'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
- AdminAccessToken: []
delete:
operationId: deleteAppClient
summary: Delete client
description: >-
Delete a client. <br><br>**Required permissions**: `apps:delete`,
`apps:create`, `apps:edit`.
parameters:
- name: clientId
required: true
in: path
description: ID of the client to delete
schema:
type: string
- name: appId
required: true
in: path
schema:
type: string
responses:
'204':
description: ''
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
- AdminAccessToken: []
/v1/applications/{appId}/clients/{clientId}/resources:
# Updates the list of resources a single client may explicitly request
# access to, i.e. it changes what that client can be authorized for.
# NOTE(review): the description names no required permissions, although the
# other client operations in this file do. Confirm and document them.
put:
operationId: updateAppClientResources
summary: Update client resources
description: >-
Update the list of resources that a client is allowed to explicitly
request access to
parameters:
- name: clientId
required: true
in: path
schema:
type: string
- name: appId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ApiUpdateResourceInAppInput'
# NOTE(review): only the success response is declared. The sibling client
# operations also declare 400 and 404, so callers get no documented error
# contract for a malformed body or an unknown appId/clientId.
responses:
'200':
description: ''
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/ApiOidcClient'
- $ref: '#/components/schemas/ApiSamlClient'
security:
- ClientAccessToken: []
- AdminAccessToken: []
/v1/applications:
post:
operationId: createApp
summary: Create app
description: >-
Create a new application with a default client. The fields marked as
deprecated are now managed on the client level. To update a default
client, create additional clients, or fetch all app clients, use
`/clients` or `applications/{appId}/clients` endpoints.
<br><br>**Required permissions**: `apps:create`, `[appId]:create`.
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ApiCreateAppInput'
responses:
'201':
description: ''
content:
application/json:
schema:
title: ApiCreatedResponse-createApp
type: object
required:
- result
description: App successfully created
properties:
result:
$ref: '#/components/schemas/ApiApp'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'409':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierIsTakenHttpError'
security:
- ClientAccessToken: []
get:
operationId: getAllApps
summary: Get all apps
description: >-
Retrieves a list of all applications with their default clients. The
fields marked as deprecated are now managed on the client level. To
update a default client, create additional clients, or fetch all app
clients, use `/clients` or `applications/{appId}/clients` endpoints.
<br><br>**Required permissions**: `apps:read`, `apps:list`,
`[appId]:read`, `[appId]:list`.
parameters: []
responses:
'200':
description: ''
content:
application/json:
schema:
title: ApiOkResponse-getAllApps
type: object
required:
- result
description: Successfully fetched apps
properties:
result:
type: array
items:
$ref: '#/components/schemas/ApiAppWithoutLogo'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
/v1/applications/list:
get:
operationId: getAppsList
summary: Get all apps basic information
description: >-
Retrieves a list of all applications with their basic information.
<br><br>**Required permissions**: `apps:list`, `users:read`,
`organizations:read`, `roles:read`, `orgs:read`, `[appId]:list`.
parameters: []
responses:
'200':
description: ''
content:
application/json:
schema:
title: ApiOkResponse-getAppsList
type: object
required:
- result
description: Successfully fetched apps
properties:
result:
type: array
items:
$ref: '#/components/schemas/ApiBasicApp'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
/v1/applications/{appId}:
get:
operationId: getAppById
summary: Get app by ID
description: >-
Retrieves an application by application ID with the default client. The
fields marked as deprecated are now managed on the client level. To
update a default client, create additional clients, or fetch all app
clients, use `/clients` or `applications/{appId}/clients` endpoints.
<br><br>**Required permissions**: `apps:read`, `[appId]:read`.
parameters:
- name: appId
required: true
in: path
description: ID of the application to retrieve
schema:
type: string
responses:
'200':
description: ''
content:
application/json:
schema:
title: ApiOkResponse-getAppById
type: object
required:
- result
description: Successfully fetched app
properties:
result:
$ref: '#/components/schemas/ApiApp'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
put:
operationId: updateApp
summary: Update app
description: >-
Updates an application. The fields marked as deprecated are now managed
on the client level. To update a default client, create additional
clients, or fetch all app clients, use `/clients` or
`applications/{appId}/clients` endpoints. Note: Fields that are objects
cannot be partially updated, since the new value you set will just
replace the current one. <br><br>**Required permissions**: `apps:edit`,
`[appId]:edit`.
parameters:
- name: appId
required: true
in: path
description: ID of the application to update
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ApiUpdateAppInput'
responses:
'200':
description: ''
content:
application/json:
schema:
title: ApiOkResponse-updateApp
type: object
required:
- result
description: App successfully updated
properties:
result:
$ref: '#/components/schemas/ApiApp'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
delete:
operationId: deleteApp
summary: Delete app
description: >-
Delete an application. <br><br>**Required permissions**: `apps:delete`,
`[appId]:delete`.
parameters:
- name: appId
required: true
in: path
description: ID of the application to delete
schema:
type: string
responses:
'204':
description: ''
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'404':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundHttpError'
security:
- ClientAccessToken: []
/v1/applications/{appId}/resources:
put:
operationId: updateResourcesInApp
summary: Update app resources
description: >-
Update the list of resources that a default client of the application is
allowed to explicitly request access to
deprecated: true
parameters:
- name: appId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ApiUpdateResourceInAppInput'
responses:
'200':
description: ''
content:
application/json:
schema:
title: ApiOkResponse-updateResourcesInApp
type: object
required:
- result
description: Resources successfully updated in app
properties:
result:
$ref: '#/components/schemas/ApiApp'
security:
- ClientAccessToken: []
/v1/applications/signing-keys:
# Creates a token signing key from the CreateTokenSigningKeyInput body.
post:
operationId: createClientTokenSigningKey
summary: Create signing key
description: >-
Create a new signing key. <br><br>**Required permissions**:
`apps:create`, `[appId]:create`, `apps:edit`, `[appId]:edit`.
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateTokenSigningKeyInput'
# NOTE(review): no success (2xx) response is declared, only 400 and 409.
# Document the success status and body so that clients and reviewers can see
# exactly what is returned when a key is created.
responses:
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'409':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierIsTakenHttpError'
security:
- ClientAccessToken: []
# Lists token signing keys as an array of ApiTokenSigningKey objects.
# NOTE(review): the description says "for an application" and the
# permissions mention `[appId]`, but the operation takes no appId parameter.
# Presumably the application is derived from the access token; confirm and
# state the scoping rule in the description.
get:
operationId: getClientTokenSigningKeys
summary: Get all token signing keys
description: >-
Retrieves a list of token signing keys for an application.
<br><br>**Required permissions**: `apps:read`, `[appId]:read`.
parameters: []
responses:
'200':
description: ''
content:
application/json:
schema:
items:
anyOf:
- $ref: '#/components/schemas/ApiTokenSigningKey'
type: array
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
/v1/applications/signing-keys/upload:
# Uploads a signing key supplied by the caller in an UploadTokenSigningKey
# body (that schema is outside this excerpt).
post:
operationId: uploadClientTokenSigningKey
summary: Upload signing key
description: >-
Upload a new signing key. <br><br>**Required permissions**:
`apps:create`, `[appId]:create`, `apps:edit`, `[appId]:edit`.
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UploadTokenSigningKey'
# NOTE(review): no success (2xx) response is declared, only 400 and 409.
# Document the success status and body so it is clear which parts of the
# uploaded key, if any, are returned to the caller.
responses:
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
'409':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierIsTakenHttpError'
security:
- ClientAccessToken: []
/v1/applications/signing-keys/{id}:
put:
operationId: updateTokenSigningKey
summary: Update a signing key
description: >-
Update a signing key. <br><br>**Required permissions**: `apps:create`,
`[appId]:create`, `apps:edit`, `[appId]:edit`.
parameters:
- name: id
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateTokenSigningKey'
responses:
'200':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/ApiTokenSigningKey'
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
delete:
operationId: deleteClientTokenSigningKey
summary: Delete signing key
description: >-
Delete a signing key. <br><br>**Required permissions**: `apps:delete`,
`[appId]:delete`, `apps:create`, `[appId]:create`, `apps:edit`,
`[appId]:edit`.
parameters:
- name: id
required: true
in: path
description: ID of the signing key to delete
schema:
type: string
responses:
'204':
description: ''
'400':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/BadRequestHttpError'
security:
- ClientAccessToken: []
components:
schemas:
# Error body referenced by the 400 responses declared in this file.
BadRequestHttpError:
type: object
properties:
message:
# NOTE(review): the example is a single string, but the declared type is an
# array of strings. A one-item list example ("Bad request") would match the
# schema; confirm which shape the API actually returns.
example: Bad request
type: array
items:
type: string
error_code:
type: number
example: 400
required:
- message
- error_code
ApiOidcClient:
type: object
properties:
app_id:
type: string
description: Application ID
tenant_id:
type: string
description: Tenant ID
client_id:
type: string
description: Client ID used for API requests
# ApiOidcClient is a response schema for the client create/get/list/update
# operations above, and `client_secret` is in its `required` list, so those
# response bodies carry the secret. Treat them as sensitive: keep them out of
# request/response logs, caches and error reports.
client_secret:
type: string
description: Client secret used to obtain tokens for API authorization
name:
type: string
description: Client name displayed in the Admin Portal
description:
type: string
description: Short description of your client, displayed in the Admin Portal
resources:
description: >-
List of resources this client is allowed to explicitly request
access to
type: array
items:
type: string
created_at:
format: date-time
type: string
description: Date the client was created
updated_at:
format: date-time
type: string
description: Date the client was last updated
authentication_protocol:
type: string
description: Authentication protocol used by the client
enum:
- oidc
- saml
client_group_id:
type: string
description: ID of the client group the client is assigned to
default_custom_claims:
type: array
description: List of all the custom claims the client wants to receive by default
items:
type: string
enum:
- tid
- fname
- lname
- mname
- email
- email_verified
- phone_number
- phone_number_verified
- groups
- new_user
- birthday
- language
- city
- address
- country
- street_address
- address_type
- webauthn
- roles
- ts_roles
- role_values
- ts_permissions
- permissions
- approval_data
- custom_group_data
- username
- secondary_phone_numbers
- secondary_emails
- picture
- created_at
- last_auth
- auth_time
- external_account_id
- external_user_id
- app_name
- custom_data
- custom_app_data
- ai_actor
default_user_info_claims:
type: array
description: >-
List of client default custom claims returned by the UserInfo
endpoint
items:
type: string
enum:
- tid
- fname
- lname
- mname
- email
- email_verified
- phone_number
- phone_number_verified
- groups
- new_user
- birthday
- language
- city
- address
- country
- street_address
- address_type
- webauthn
- roles
- ts_roles
- role_values
- ts_permissions
- permissions
- approval_data
- custom_group_data
- username
- secondary_phone_numbers
- secondary_emails
- picture
- created_at
- last_auth
- auth_time
- external_account_id
- external_user_id
- app_name
- custom_data
- custom_app_data
- ai_actor
sync_id_token_claims_to_userinfo:
type: boolean
description: >-
When true, UserInfo custom claims are kept in sync with
default_custom_claims
default: false
# NOTE(review): the description lists "strict" as a possible value, but the
# enum only allows `lax` and `none`. Confirm which is authoritative and align
# the two.
# Assuming this maps to the cookie SameSite attribute: `none` lets the
# browser send the cookie on cross-site requests, so it should be chosen
# deliberately; `lax` is the declared default.
short_cookies_samesite_type:
type: string
enum:
- lax
- none
description: >-
Short cookies samesite type. Possible values: "none", "lax",
"strict". Default: "lax"
default: lax
redirect_uris:
description: List of URIs approved for redirects for your client
type: array
items:
type: string
client_type:
type: string
enum:
- web
- native
description: Type of client
default: web
# Response types the client may use.
# NOTE(review): the default list contains `none`, which the item enum
# (`code`, `id_token`) does not allow, so the documented default does not
# validate against its own schema. Confirm whether `none` belongs in the enum
# or should be dropped from the default.
response_types:
type: array
default:
- code
- id_token
- none
example:
- code
items:
type: string
enum:
- code
- id_token
token_endpoint_auth_method:
type: string
enum:
- client_secret_basic
- self_signed_tls_client_auth
- tls_client_auth
- none
- private_key_jwt
description: This field is deprecated; to configure PKCE, use the "pkce" field instead
deprecated: true
pkce:
type: string
enum:
- enforcePkceInsteadOfClientCredentials
- enforcePkceAlongsideClientCredentials
- allowPkceAlongsideClientCredentials
description: PKCE configuration
device_authorization:
description: >-
Configuration for an [OAuth Device Authorization
Flow](https://www.rfc-editor.org/rfc/rfc8628)
allOf:
- $ref: '#/components/schemas/ApiDeviceAuthConfiguration'
ciba_authorization:
description: CIBA authorization flow configuration
allOf:
- $ref: '#/components/schemas/ApiCibaAuthConfiguration'
supported_prompts:
type: array
description: Supported prompts for oidc authentication flow
items:
type: string
enum:
- login
- consent
- none
authentication_configuration:
description: JWKS configuration for mTLS authentication
allOf:
- $ref: '#/components/schemas/ApiClientAuthenticationConfiguration'
token_expiration:
description: Token expiration configuration
allOf:
- $ref: '#/components/schemas/ApiTokenExpirationConfiguration'
session_expiration:
type: number
description: Session expiration time (seconds)
enforce_par:
type: boolean
description: Enforce PAR (Pushed Authorization Request) for this client
fapi_version_compliancy:
type: boolean
description: FAPI compliance
id_token_encryption:
description: ID Token encryption configuration
allOf:
- $ref: '#/components/schemas/ApiIdTokenEncryptionConfiguration'
required:
- app_id
- tenant_id
- client_id
- client_secret
- name
- description
- resources
- created_at
- updated_at
- authentication_protocol
- client_group_id
- default_custom_claims
- redirect_uris
- device_authorization
- ciba_authorization
- supported_prompts
- token_expiration
- session_expiration
- enforce_par
- fapi_version_compliancy
ApiSamlClient:
type: object
properties:
app_id:
type: string
description: Application ID
tenant_id:
type: string
description: Tenant ID
client_id:
type: string
description: Client ID used for API requests
client_secret:
type: string
description: Client secret used to obtain tokens for API authorization
name:
type: string
description: Client name displayed in the Admin Portal
description:
type: string
description: Short description of your client, displayed in the Admin Portal
resources:
description: >-
List of resources this client is allowed to explicitly request
access to
type: array
items:
type: string
created_at:
format: date-time
type: string
description: Date the client was created
updated_at:
format: date-time
type: string
description: Date the client was last updated
authentication_protocol:
type: string
description: Authentication protocol used by the client
enum:
- oidc
- saml
client_group_id:
type: string
description: ID of the client group the client is assigned to
default_custom_claims:
type: array
description: List of all the custom claims the client wants to receive by default
items:
type: string
enum:
- tid
- fname
- lname
- mname
- email
- email_verified
- phone_number
- phone_number_verified
- groups
- new_user
- birthday
- language
- city
- address
- country
- street_address
- address_type
- webauthn
- roles
- ts_roles
- role_values
- ts_permissions
- permissions
- approval_data
- custom_group_data
- username
- secondary_phone_numbers
- secondary_emails
- picture
- created_at
- last_auth
- auth_time
- external_account_id
- external_user_id
- app_name
# --- truncated at 32 KB (114 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/transmit-security/refs/heads/main/openapi/transmit-security-platform-administration-openapi.yml