generated: '2026-07-11' method: searched docs: https://developer.transmitsecurity.com/guides/user/auth_oidc note: Mosaic documents only standard OIDC scopes (openid, offline_access, email, phone) for user authentication; API access for client-credentials tokens is governed by client roles and requested resources rather than named scopes (see https://developer.transmitsecurity.com/openapi/client_access_tokens). source: openapi/transmit-security-backend-authentication-openapi.yml, openapi/transmit-security-identity-management-openapi.yml, openapi/transmit-security-oidc-hosted-authentication-openapi.yml, openapi/transmit-security-organizations-openapi.yml, openapi/transmit-security-platform-administration-openapi.yml schemes: - name: AdminAccessToken source: openapi/transmit-security-backend-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps - name: ClientAccessToken source: openapi/transmit-security-backend-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant) - name: OrgAdminAccessToken source: openapi/transmit-security-backend-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role. - name: AdminAccessToken source: openapi/transmit-security-identity-management-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps - name: ClientAccessToken source: openapi/transmit-security-identity-management-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant) - name: OrgAdminAccessToken source: openapi/transmit-security-identity-management-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role. - name: AdminAccessToken source: openapi/transmit-security-oidc-hosted-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps - name: ClientAccessToken source: openapi/transmit-security-oidc-hosted-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant) - name: OrgAdminAccessToken source: openapi/transmit-security-oidc-hosted-authentication-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role. - name: AdminAccessToken source: openapi/transmit-security-organizations-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps - name: ClientAccessToken source: openapi/transmit-security-organizations-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant) - name: OrgAdminAccessToken source: openapi/transmit-security-organizations-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role. - name: AdminAccessToken source: openapi/transmit-security-platform-administration-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps - name: ClientAccessToken source: openapi/transmit-security-platform-administration-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant) - name: OrgAdminAccessToken source: openapi/transmit-security-platform-administration-openapi.yml flows: - flow: clientCredentials tokenUrl: /oidc/token description: A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role. scopes: - scope: openid description: Required scope for OIDC authentication requests to /oidc/auth; scopes are passed as a space-delimited string. sources: - https://developer.transmitsecurity.com/guides/user/auth_oidc - scope: offline_access description: Allows refreshing access tokens; must be explicitly requested (with prompt=consent) for refresh tokens to be returned in pure OIDC integrations. sources: - https://developer.transmitsecurity.com/guides/user/auth_oidc - https://developer.transmitsecurity.com/guides/user/auth_offline - scope: email description: Includes the user's email address in the ID token returned upon authentication. sources: - https://developer.transmitsecurity.com/guides/user/auth_oidc - scope: phone description: Documented as an allowed value of the scope parameter in OIDC authentication requests. sources: - https://developer.transmitsecurity.com/guides/user/auth_oidc