M2M tokens
Overview
As a provider of authentication and authorization, we understand the importance of ensuring that connected devices are properly authenticated. Therefore, we offer tokens that allow for the verification of identities between devices, ensuring that data transmission is secure and protected from unauthorized access.
As a vendor
The first decision you have as a vendor is whether or not you want to offer machine-to-machine (M2M) tokens in your app.
If disabled, your accounts and users won’t be able to generate M2M tokens at all. In addition, if you were already using M2M tokens and decide to disable them, any existing tokens will be invalidated. However, re-enabling M2M tokens will make them valid again.
If you’ve decided you are enabling M2M tokens, you then have two more decisions to make:
Client credentials vs access tokens
Client credentials are a set of identification information provided by an application, such as a client ID and secret, which are used to authenticate the application and authorize access to a resource server. Access tokens, on the other hand, are tokens generated by an authorization server and sent to the client after successful authentication.
In practice, client credentials are generally considered somewhat more secure than access tokens because the calling application must present two pieces of identification (a client ID and a secret), which makes them less user-friendly. Access tokens require only one piece of identification and are therefore easier to use, but somewhat less secure.
It’s important to note that this decision of client credentials vs access tokens affects the kind of M2M token you and your end users can create.
To enable the API Tokens tab in your application, go to Experience ➜ Admin Portal ➜ Workspace ➜ API Tokens. If you have chosen Access Tokens, please upgrade your Frontegg client-side package to the versions mentioned in the API Tokens section.
To make sure users can generate and delete tokens while using Frontegg’s role-based authorization, you’ll have to set up permissions for roles.
The Frontegg permissions that relate to API Tokens are:
Read user API tokens: fe.secure.read.userApiTokens
Write user API tokens: fe.secure.write.userApiTokens
Delete user API tokens: fe.secure.delete.userApiTokens
Read tenant API tokens: fe.secure.read.tenantApiTokens
Write tenant API tokens: fe.secure.write.tenantApiTokens
Delete tenant API tokens: fe.secure.delete.tenantApiTokens
If, for some reason, you want to invalidate all API tokens (both account-level and personal), you can disable them in the builder or in the API by disabling M2M tokens altogether.
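The following is an added illustration of the two M2M token kinds compared above and of the invalidate-on-disable / valid-again-on-re-enable behaviour just described; it is not Frontegg code and does not call the Frontegg API. The class name TokenService, its methods, and the sample tenant names are assumptions made for the example.

```python
"""Model of client credentials (client ID + secret) versus access tokens
(single bearer value), gated by a vendor-level M2M switch.
Added example; not Frontegg's implementation. All names are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _digest(value: str) -> str:
    # Only hashes are kept at rest, so a leaked store does not leak secrets.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class TokenService:
    # Vendor-level switch. When False every M2M token is rejected, but
    # nothing is deleted, so flipping it back to True revalidates them.
    m2m_enabled: bool = True
    # client_id -> (sha256(secret), tenant)
    clients: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # sha256(access token) -> tenant
    access_tokens: Dict[str, str] = field(default_factory=dict)

    def issue_client_credentials(self, tenant: str) -> Tuple[str, str]:
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = (_digest(secret), tenant)
        return client_id, secret  # two pieces the caller must present

    def issue_access_token(self, tenant: str) -> str:
        token = secrets.token_urlsafe(32)
        self.access_tokens[_digest(token)] = tenant
        return token  # one piece the caller must present

    def verify_client_credentials(self, client_id: str, secret: str) -> Optional[str]:
        if not self.m2m_enabled:
            return None
        entry = self.clients.get(client_id)
        if entry is None:
            return None
        secret_hash, tenant = entry
        # Constant-time comparison avoids leaking the secret via timing.
        return tenant if hmac.compare_digest(secret_hash, _digest(secret)) else None

    def verify_access_token(self, token: str) -> Optional[str]:
        if not self.m2m_enabled:
            return None
        return self.access_tokens.get(_digest(token))
```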
For a more in-depth overview of our M2M authentication process, including the technologies and methods used to ensure the security of your data, please read Machine-to-Machine Authentication.