Frontegg offers a comprehensive suite of authentication, user management, and security features to streamline identity management and enhance application security. This section provides an overview of all relevant API endpoints, organized into Authentication, Management, and Self-Service categories.
Authentication Endpoints: Enable secure user login, multi-factor authentication (MFA), passwordless options, and social login integrations, allowing for a flexible and robust sign-in experience.
Management Endpoints: Require environment-level authorization and provide full control over SSO (SAML and OpenID Connect) resources, user roles, permissions, and configurations. These endpoints are designed for administrative use, allowing for centralized identity and access management.
Self-Service Endpoints: Accessible with a user token (JWT), these endpoints empower users to manage their SSO connections and other account settings. Users with the necessary permissions can create, update, or delete SSO configurations directly, ensuring they have the tools to manage their access securely and independently.
Each category in this section helps you configure and extend Frontegg’s capabilities, providing the flexibility to manage user identities, authentication protocols, and access controls as per your application’s needs.
https://api.frontegg.com/identity/
https://api.us.frontegg.com/identity/
https://api.ca.frontegg.com/identity/
https://api.au.frontegg.com/identity/
https://{domain}.frontegg.com/identity/
Authenticate a local user using their email and password.
Include the user's login credentials in the request body. This endpoint supports optional parameters such as an invitation token (for sign-up flows via invitation) and a reCAPTCHA token (if reCAPTCHA is enabled for login).
If the credentials are valid, the response includes a signed JWT and a refresh token that can be used for future authenticated requests.
https://api.frontegg.com/identity/resources/auth/v1/user
https://api.us.frontegg.com/identity/resources/auth/v1/user
https://api.ca.frontegg.com/identity/resources/auth/v1/user
https://api.au.frontegg.com/identity/resources/auth/v1/user
https://app-xxx.frontegg.com/identity/resources/auth/v1/user
curl -i -X POST \
https://api.frontegg.com/identity/resources/auth/v1/user \
-H 'Authorization: Bearer <YOUR_JWT_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"email": "string",
"username": "string",
"password": "string",
"recaptchaToken": "string",
"invitationToken": "string"
}'{ "tokenType": "bearer", "otcToken": "string", "mfaRequired": true, "mfaToken": "string", "resetPasswordToken": "string", "passwordExpiresIn": 0, "notificationPeriod": 0, "mfaEnrolled": true, "mfaDevices": { "webauthn": [ … ], "phones": [ … ], "authenticators": [ … ], "emails": [ … ] }, "mfaStrategies": {}, "qrCode": "string", "recoveryCode": "string", "accessToken": "string", "refreshToken": "string", "expiresIn": 0, "expires": "string", "userId": "string", "userEmail": "string", "emailVerified": true, "isBreachedPassword": true }
Refresh a JWT based on the refresh token's expiration time.
This endpoint returns a new JWT and refresh token if the existing refresh token is valid and not expired. The request must include the refresh token cookie for the currently logged-in user.
Ensure your JWT settings are properly configured in the Frontegg Portal to support this flow.
https://api.frontegg.com/identity/resources/auth/v1/user/token/refresh
https://api.us.frontegg.com/identity/resources/auth/v1/user/token/refresh
https://api.ca.frontegg.com/identity/resources/auth/v1/user/token/refresh
https://api.au.frontegg.com/identity/resources/auth/v1/user/token/refresh
https://app-xxx.frontegg.com/identity/resources/auth/v1/user/token/refresh
curl -i -X POST \
https://api.frontegg.com/identity/resources/auth/v1/user/token/refresh \
-H 'Authorization: Bearer <YOUR_JWT_HERE>' \
-H 'Content-Type: application/json' \
-H 'frontegg-vendor-host: string' \
-d '{}'{ "tokenType": "bearer", "otcToken": "string", "mfaRequired": true, "mfaToken": "string", "resetPasswordToken": "string", "passwordExpiresIn": 0, "notificationPeriod": 0, "mfaEnrolled": true, "mfaDevices": { "webauthn": [ … ], "phones": [ … ], "authenticators": [ … ], "emails": [ … ] }, "mfaStrategies": {}, "qrCode": "string", "recoveryCode": "string", "accessToken": "string", "refreshToken": "string", "expiresIn": 0, "expires": "string", "userId": "string", "userEmail": "string", "emailVerified": true, "isBreachedPassword": true }
Log out a user by invalidating their refresh token.
This endpoint logs out the currently authenticated user by invalidating the refresh token provided in the refresh token cookie.
This route is intended for applications using Frontegg's embedded login experience or for integrations that interact exclusively with Frontegg APIs.
https://api.frontegg.com/identity/resources/auth/v1/logout
https://api.us.frontegg.com/identity/resources/auth/v1/logout
https://api.ca.frontegg.com/identity/resources/auth/v1/logout
https://api.au.frontegg.com/identity/resources/auth/v1/logout
https://app-xxx.frontegg.com/identity/resources/auth/v1/logout
curl -i -X POST \
https://api.frontegg.com/identity/resources/auth/v1/logout \
-H 'Authorization: Bearer <YOUR_JWT_HERE>' \
-H 'frontegg-vendor-host: string'