API tokens


This guide is the second step for setting M2M tokens for your application.

  1. Enable M2M Tokens in App Settings
  2. πŸ‘‰ Create an API token in the Admin portal or using Frontegg APIs. πŸ‘ˆ.
  3. Review Machine-to-Machine Authentication

Frontegg API tokens are tenant-specific role-based tokens generated and used by a tenant's customers for accessing protected routes in a tenant's application.

Frontegg's API tokens are a powerful way for a tenant to protect its application's data and functionality while simultaneously allowing its customers to give access to those routes to the customer users who need it. All this without the headache of building a full-fledged API system.


Tenant-specific means that a tenant's customers can create API tokens for the customer's users to use for accessing a specific tenant's routes through the customer's application.


Role-based means that the customer can restrict access to tenant routes based on the roles of the customer's users.

If API tokens in the admin portal are enabled, users with the right permissions should see an API Tokens tab in their admin portal. They will be able to see both kinds of tokens in the same list, if applicable. Users will be able to create either Client credentials or Access tokens, depending on what was configured on the application level by the vendor.


Tenant API tokens vs Personal API keys

Both Personal (User) and Tenant API tokens can be of Client credentials or Access token types.

Personal API keys are for authenticating requests to Frontegg services. Use your personal API key always gets the user's role and can for things like handling SAML flows, backend integration, using Frontegg SDKs, configuring social logins, and more. Each user has a personal API key in their Workspace Settings.

When creating a tenant API Token, the user can choose the role for that token and the expiration if the token is of access token type.

**Prerequisites for Access Tokens View in the Admin portal

Backend SDK
@frontegg/[email protected]
@frontegg/[email protected]

Client-side SDK
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]

Manage Tenant API Tokens

The users on the account can generate and manage API tokens for the account by logging into the tenant's application and visiting the Admin portal.


If you like to restrict which of the account's users can generate API tokens, it can be done via assigning specific roles with the API tokens permissions that are listed in [M2M Tokens section (doc:m2m-tokens).

Even if a user can generate API tokens, their ability to assign roles to that token is limited to roles of the same level or lower than what that user has for the tenant.

After clicking that link, the user is taken to a page where they can generate API tokens. To generate an API token, the user just needs to click the generate token button and complete the ensuing form.


In the form, the user can add a description and assign roles and expiration if applicable to the API Token.

A user should assign roles, to the API tokens to control which of the customer's users can use the API token to gain access to tenant routes using that token.



API Token Roles

A user can only assign roles to an API token that are the same level or lower of the highest role assigned to that user for that tenant.


Roles and Permissions

Before a tenant allows its customers to creates API tokens, the tenant should create roles and permissions for its users. Read about managing roles and managing permissions.

After a customer's user enters a description and assigns roles to a token, the customer should see on the screen a Client ID and Secret Key for their new token if the token is of type Client Credentials, they will only see an Access token if the API token is of that type. The user needs to copy and save the Client ID and Secret OR the Access Token because Frontegg will not show these again.


The new token should now appear in the user's list of API tokens for that tenant.

To delete an API token, the user needs to click on token's menu and choose the delete option.



There is no option to undo deleting an API token.