M2M tokens


As a provider of authentication and authorization, we understand the importance of ensuring that connected devices are properly authenticated. Therefore, we offer tokens that allow for the verification of identities between devices, ensuring that data transmission is secure and protected from unauthorized access.

As a vendor

The first decision you have as a vendor is whether or not you want to offer machine-to-machine (M2M) tokens in your app.

If disabled, your accounts/users won’t be able to generate M2M tokens at all. In addition, if you were already using M2M tokens and decide to disable them, any existing tokens will be invalidated. Re-enabling M2M tokens makes those same tokens valid again.

If you’ve decided you are enabling M2M tokens, you then have two more decisions to make:

Client credentials vs access tokens

Client credentials are a set of identification information provided by an application, such as a client ID and secret, which are used to authenticate the application and authorize access to a resource server. Access tokens, on the other hand, are tokens generated by an authorization server and sent to the client after successful authentication.

In practice, client credentials are generally considered somewhat safer than access tokens, but they are less convenient because the caller must present two pieces of identification (the client ID and the secret). Access tokens require only one piece of identification, so they are easier to use but somewhat less secure.


It’s important to note that this decision of client credentials vs access tokens affects the kind of M2M token you and your end users can create.
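The two models described above, together with the disable/re-enable behaviour from the vendor section, as an added Python sketch (this is not Frontegg’s code or API; the storage layout, names and HMAC-signed token format are assumptions for illustration). Issuing requires both pieces of identification; verifying requires only the token, but every token is gated on the tenant’s M2M switch.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)  # issuer's HMAC key (constructed for this example)
M2M_ENABLED = {}                       # tenant -> bool: the vendor-level "M2M tokens" switch (assumed model)
CLIENTS = {}                           # client_id -> (salt, hashed secret, tenant) (assumed storage layout)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def register_client(client_id: str, tenant: str) -> str:
    """Create client credentials; only a salted hash of the secret is kept server-side."""
    secret, salt = secrets.token_urlsafe(32), secrets.token_bytes(16)
    CLIENTS[client_id] = (salt, _hash_secret(secret, salt), tenant)
    M2M_ENABLED.setdefault(tenant, True)
    return secret  # shown to the caller once; not recoverable from storage

def issue_access_token(client_id: str, secret: str, ttl: int = 3600) -> Optional[str]:
    """Client-credentials step: both pieces of identification must match before a token is minted."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return None
    salt, stored, tenant = entry
    if not hmac.compare_digest(_hash_secret(secret, salt), stored) or not M2M_ENABLED.get(tenant, False):
        return None
    claims = {"sub": client_id, "tenant": tenant, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def verify_access_token(token: str) -> Optional[dict]:
    """Resource-server step: the token is the only credential, but the tenant's M2M switch still gates it."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if claims.get("exp", 0) < time.time() or not M2M_ENABLED.get(claims.get("tenant"), False):
        return None  # disabling M2M gates every token; re-enabling lets the same token pass again
    return claims
```

The switch does not revoke anything: the signature on a previously issued token stays valid, which is why re-enabling M2M makes the same token usable again, exactly as the vendor section describes.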

To enable the API Tokens tab in your application, go to Experience ➜ Admin Portal ➜ Workspace ➜ API Tokens. If you have chosen Access Tokens, please upgrade your Frontegg Client Side package to the versions mentioned in the API Tokens section.

To make sure users can generate and delete tokens while using Frontegg’s role-based authorization, you’ll have to set up permissions for roles.

The Frontegg permissions that relate to API Tokens are:

Read user API tokens

Write user API tokens

Delete user API tokens

Read Tenant API tokens

Write Tenant API tokens

Delete Tenant API tokens


If, for some reason, you want to invalidate all API tokens (both account-level and personal), you can disable them in the builder or in the API by disabling M2M tokens altogether.

For a more in-depth overview of our M2M authentication process, including the technologies and methods used to ensure the security of your data, please read Machine-to-Machine Authentication.

What’s Next