There are 4 different types of tokens on Frontegg:
- Vendor Token
- User Token
- User API Token
- Tenant API Token
The following article details the different types of tokens, when each one should be used, and shows a sample of the structure of each token.
Vendor Token
Vendor tokens are created using the clientId and secret of a specific environment from the Frontegg portal. A vendor token can be used for any action a Frontegg customer would like to perform, such as creating new tenants, inviting users, creating roles & permissions and so on.
A vendor token has the following structure:
{
"scopes": string[],
"type": "vendor",
"vendorId": string,
"iat": Date,
"exp": Date
}
Note - you will generally use a vendor token for requests to api.frontegg.com
Use the Vendor authentication API endpoint to get a vendor token, passing the Client ID and API Key from Frontegg Portal ➜ [ENVIRONMENT] ➜ Settings page.
User Token
A user token is used in all requests made by a user. This token is generally returned after a user has completed a login, or from any of the password/passwordless/social authentication APIs.
Requests carrying a user token are generally made to a customer's unique subdomain, such as customer.frontegg.com, rather than to api.frontegg.com.
A user token has the following structure:
{
sub: string;
name: string;
email: string;
email_verified: boolean;
metadata: Record<string, unknown>;
roles: string[];
permissions: string[];
tenantId: string;
tenantIds: string[];
profilePictureUrl: string;
sid: string;
type: 'userToken' | 'userApiToken' | 'tenantApiToken';
aud: string;
iss: string;
iat: Date;
exp: Date;
customClaims?: Record<string, unknown>;
samlAttributes?: any;
}
API Tokens
API tokens or Machine to Machine tokens have a similar structure to the user token with some differences.
The general structure can be seen here:
{
sub: string;
tenantId: string;
roles: string[];
permissions: string[];
metadata: Record<string, unknown>;
userMetadata?: Record<string, unknown>;
createdByUserId: string;
type: 'userToken' | 'userApiToken' | 'tenantApiToken';
customClaims?: Record<string, unknown>;
aud: string;
iss: string;
iat: Date;
exp: Date;
}
The main difference between an API token JWT and a user token is the value of the metadata on the token. API tokens can have their own dedicated metadata when created via API. Because of this, a user API token has both a userMetadata and a metadata field: userMetadata is the metadata of the user, and metadata is the metadata created on the API token. Tenant API tokens have only the metadata field.
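As an added example (not part of Frontegg's documentation or SDKs), the following Python code reads the claims of a token, dispatches on the type claim, checks that the claims listed in the structures above are present and that the token is unexpired, and separates user metadata from API-token metadata as described. The claim sets, the sample claims and the empty signature segment are constructed for illustration; in practice the signature must be verified against the environment's signing key before any claim is trusted.

```python
import base64
import json
import time

# Claims the structures above list for each Frontegg token type, keyed by the "type" claim.
REQUIRED_CLAIMS = {
    "vendor": {"scopes", "vendorId", "iat", "exp"},
    "userToken": {"sub", "tenantId", "roles", "permissions", "aud", "iss", "iat", "exp"},
    "userApiToken": {"sub", "tenantId", "roles", "permissions", "createdByUserId", "iat", "exp"},
    "tenantApiToken": {"sub", "tenantId", "roles", "permissions", "createdByUserId", "iat", "exp"},
}


def decode_payload(jwt: str) -> dict:
    """Return the claims segment of a JWT. This only base64url-decodes it; the
    signature is not checked here and must be verified before trusting claims."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify(claims: dict, now=None) -> dict:
    """Identify the token type, check documented claims and expiry, and split
    metadata the way the text above describes for each type."""
    now = time.time() if now is None else now
    kind = claims.get("type")
    if kind not in REQUIRED_CLAIMS:
        raise ValueError(f"unknown token type: {kind!r}")
    missing = REQUIRED_CLAIMS[kind] - claims.keys()
    if missing:
        raise ValueError(f"{kind} missing claims: {sorted(missing)}")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if kind == "userApiToken":      # both fields: user's metadata and the API token's own
        user_meta, token_meta = claims.get("userMetadata"), claims.get("metadata")
    elif kind == "tenantApiToken":  # only the API token's metadata
        user_meta, token_meta = None, claims.get("metadata")
    elif kind == "userToken":       # metadata here belongs to the user
        user_meta, token_meta = claims.get("metadata"), None
    else:                           # vendor token: scopes instead of tenant-bound metadata
        user_meta, token_meta = None, None
    return {"type": kind, "tenant": claims.get("tenantId"), "scopes": claims.get("scopes"),
            "user_metadata": user_meta, "token_metadata": token_meta}


# Constructed sample claims for a user API token (not a real token; empty signature segment).
SAMPLE_CLAIMS = {"sub": "api-key-0001", "tenantId": "tenant-abc", "roles": ["Admin"],
                 "permissions": ["read:reports"], "metadata": {"purpose": "ci"},
                 "userMetadata": {"plan": "pro"}, "createdByUserId": "user-42",
                 "type": "userApiToken", "aud": "app", "iss": "frontegg",
                 "iat": 1_700_000_000, "exp": 1_700_003_600}
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CLAIMS).encode()).decode().rstrip("=") + "."
```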
API tokens can be created on a specific tenant from the Admin Portal UI, or you can create tokens for your Frontegg account by clicking on your profile picture in the Frontegg Portal ➜ Administration.
Client Credential API tokens can be authenticated via this API.
API Tokens on the Frontegg Portal
You can create API tokens from the Frontegg Portal by clicking on your profile picture ➜ Administration ➜ API tokens.
These tokens have access to all 4 environments in your Frontegg account.
You need to add the frontegg-environment-id header to tell Frontegg which environment you are making the change on.
The value is the Client ID of the environment you are calling.
(If you don’t add the frontegg-environment-id header, then we apply the call to the Dev ENV by default)