Authentication and Identity Management

Frontegg offers a comprehensive suite of authentication, user management, and security features to streamline identity management and enhance application security. This section provides an overview of all relevant API endpoints, organized into Authentication, Management, and Self-Service categories.

Authentication Endpoints: Enable secure user login, multi-factor authentication (MFA), passwordless options, and social login integrations, allowing for a flexible and robust sign-in experience.

Management Endpoints: Require environment-level authorization and provide full control over SSO (SAML and OpenID Connect) resources, user roles, permissions, and configurations. These endpoints are designed for administrative use, allowing for centralized identity and access management.

Self-Service Endpoints: Accessible with a user token (JWT), these endpoints empower users to manage their SSO connections and other account settings. Users with the necessary permissions can create, update, or delete SSO configurations directly, ensuring they have the tools to manage their access securely and independently.

Each category in this section helps you configure and extend Frontegg’s capabilities, providing the flexibility to manage user identities, authentication protocols, and access controls as per your application’s needs.

Servers
EU Region: https://api.frontegg.com/identity/
US Region: https://api.us.frontegg.com/identity/
CA Region: https://api.ca.frontegg.com/identity/
AU Region: https://api.au.frontegg.com/identity/
Frontegg sub-domain for use with user tokens: https://{domain}.frontegg.com/identity/

MFA

Recover MFA

Request

This route recovers MFA for a user who is not logged in. Send the user’s email and a recovery code as parameters in the POST body. The recovery code comes from the MFA authenticator app when you set up MFA.

Body (application/json, required)
  recoveryCode (string, required)
  email (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/recover \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "recoveryCode": "string",
    "email": "string"
  }'

Responses

Disable authenticator app MFA

Request

This route disables MFA enrollment for a logged-in user for a specific tenant. Send the frontegg-user-id header to declare which user. The MFA token should be obtained from the authenticator app. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Path
  deviceId (string, required)
Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  token (string)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/users/v1/mfa/authenticator/{deviceId}/disable/verify' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "token": "string"
  }'

Responses

Pre-disable SMS MFA

Request

Path
  deviceId (string, required)
Headers
  frontegg-user-id (string, required): The user ID identifier
  frontegg-tenant-id (string, required): The tenant ID identifier
Body (application/json, required)
  object (RequestDisableMFARequest)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/users/v1/mfa/sms/{deviceId}/disable' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-tenant-id: string' \
  -H 'frontegg-user-id: string' \
  -d '{}'

Responses

Body (application/json)
  object (RequestDisableMFASMSResponse)

Response (application/json)
{}

Disable SMS MFA

Request

Path
  deviceId (string, required)
Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  otcToken (string, required)
  code (string, required)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/users/v1/mfa/sms/{deviceId}/disable/verify' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "otcToken": "string",
    "code": "string"
  }'

Responses

Request verify MFA using email code

Request

Body (application/json, required)
  mfaToken (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/emailcode \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "mfaToken": "string"
  }'

Responses

Verify MFA using email code

Request

Body (application/json, required)
  otcToken (string, required)
  code (string, required)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/emailcode/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "otcToken": "string",
    "code": "string",
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Pre enroll MFA using Authenticator App

Request

Body (application/json, required)
  mfaToken (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/authenticator/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "mfaToken": "string"
  }'

Responses

Enroll MFA using Authenticator App

Request

Body (application/json, required)
  token (string, required)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/authenticator/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "token": "string",
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Verify MFA using authenticator app

Request

This route verifies MFA as part of the authentication process. Send the frontegg-vendor-host as a header. This is your domain name in the Frontegg Portal ➜ Workspace Settings ➜ Domains ➜ Domain Name. Send information required for MFA in the POST body. The value is the service name from your Authentication Settings in the Frontegg Portal. The MFA token is from the authenticator app.

Path
  deviceId (string, required)
Body (application/json, required)
  value (string, required)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/auth/v1/user/mfa/authenticator/{deviceId}/verify' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": "string",
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Pre-enroll MFA using sms

Request

Body (application/json, required)
  phoneNumber (string, phoneNumberRegexp, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/sms/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "phoneNumber": "string"
  }'

Responses

Enroll MFA using sms

Request

Body (application/json, required)
  otcToken (string, required)
  code (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/sms/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "otcToken": "string",
    "code": "string"
  }'

Responses

Request to verify MFA using sms

Request

Path
  deviceId (string, required)
Body (application/json, required)
  mfaToken (string, required)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/auth/v1/user/mfa/sms/{deviceId}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "mfaToken": "string"
  }'

Responses

Verify MFA using sms

Request

Path
  deviceId (string, required)
Body (application/json, required)
  otcToken (string, required)
  code (string, required)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/auth/v1/user/mfa/sms/{deviceId}/verify' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "otcToken": "string",
    "code": "string",
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Pre enroll MFA using WebAuthN

Request

Body (application/json, required)
  mfaToken (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/webauthn/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "mfaToken": "string"
  }'

Responses

Enroll MFA using WebAuthN

Request

Body (application/json, required)
  deviceType (string, required)
    Enum: "Platform", "CrossPlatform"
  webauthnToken (string, required)
  options (object (VerifyNewWebAuthnDeviceRequest), required)
  options.id (string, required)
  options.response (object (WebAuthNClientResponse), required)
  options.response.clientDataJSON (string, required)
  options.response.attestationObject (string, required)
  options.deviceType (string)
    Enum: "Platform", "CrossPlatform"
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/webauthn/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "deviceType": "Platform",
    "webauthnToken": "string",
    "options": {
      "id": "string",
      "response": {
        "clientDataJSON": "string",
        "attestationObject": "string"
      },
      "deviceType": "Platform"
    },
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Request verify MFA using WebAuthN

Request

Path
  deviceId (string, required)
Body (application/json, required)
  mfaToken (string, required)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/auth/v1/user/mfa/webauthn/{deviceId}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "mfaToken": "string"
  }'

Responses

Verify MFA using webauthn

Request

Path
  deviceId (string, required)
Body (application/json, required)
  webauthnToken (string, required)
  options (object (AuthenticateUserWebAuthNDto), required)
  options.id (string, required)
  options.response (object (WebAuthNResponse), required)
  options.response.clientDataJSON (string, required)
  options.response.authenticatorData (string, required)
  options.response.signature (string, required)
  options.response.userHandle (string, required)
  options.recaptchaToken (string)
  options.invitationToken (string)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  'https://api.frontegg.com/identity/resources/auth/v1/user/mfa/webauthn/{deviceId}/verify' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "webauthnToken": "string",
    "options": {
      "id": "string",
      "response": {
        "clientDataJSON": "string",
        "authenticatorData": "string",
        "signature": "string",
        "userHandle": "string"
      },
      "recaptchaToken": "string",
      "invitationToken": "string"
    },
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Check if remember device allowed

Request

This route checks if remember device is allowed for all tenants. To check if remember device is allowed for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header. Get the MFA token from the authenticator app and send it as a query parameter.

Query
  mfaToken (string, required): MFA token from the response body of the first factor authentication
Headers
  frontegg-tenant-id (string): The tenant ID identifier

curl -i -X GET \
  'https://api.frontegg.com/identity/resources/configurations/v1/mfa-policy/allow-remember-device?mfaToken=string' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body (application/json)
  object (CheckAllowRememberResponse)

Response (application/json)
{}

Enroll authenticator app MFA

Request

This route enrolls MFA for a logged-in user for a specific tenant. Send the frontegg-user-id header to declare which user. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Headers
  frontegg-user-id (string, required): The user ID identifier

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/authenticator/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-user-id: string'

Responses

Body (application/json)
  qrCode (string, required): QR code to be verified by authenticator app

Response (application/json)
{ "qrCode": "string" }

Verify authenticator app MFA enrollment

Request

This route verifies MFA enrollment using a QR code. Send the frontegg-user-id header to declare which user. Send information required for MFA in the POST body. The MFA token should be obtained from the authenticator app after scanning the QR code received. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  token (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/authenticator/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "token": "string"
  }'

Responses

Body (application/json)
  recoveryCode (string, required)

Response (application/json)
{ "recoveryCode": "string" }
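
The two vendor-token routes above (enroll, then verify enrollment) chained in Python, as an added example that is not Frontegg's own code. The class name, the injectable `post` transport and the values in `demo()` are assumptions constructed for illustration; the paths, headers and field names are the ones on this page.

```python
import json
import urllib.request

BASE = "https://api.frontegg.com/identity"  # EU region server listed on this page


def http_post(url, headers, body=None):
    """Real transport: POST (JSON body optional) and decode the JSON reply."""
    data = b"" if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on 4xx/5xx
        return json.loads(resp.read() or b"{}")


class AuthenticatorEnrollment:
    """Hypothetical helper: one user's enroll -> verify exchange."""

    def __init__(self, vendor_token, user_id, post=http_post, base=BASE):
        self._post, self._base = post, base
        self._headers = {"Authorization": f"Bearer {vendor_token}",
                         "frontegg-user-id": user_id}

    def _call(self, path, body, field):
        headers = dict(self._headers)
        if body is not None:
            headers["Content-Type"] = "application/json"
        reply = self._post(self._base + path, headers, body)
        value = reply.get(field) if isinstance(reply, dict) else None
        if not isinstance(value, str) or not value:
            raise ValueError(f"response lacks required field {field!r}")
        return value

    def start(self):
        """Step 1: returns the qrCode for the user's authenticator app."""
        return self._call("/resources/users/v1/mfa/authenticator/enroll", None, "qrCode")

    def finish(self, token):
        """Step 2: submit the app's code. The returned recoveryCode is what the
        Recover MFA route accepts with the user's email, so hand it to the user
        once and keep it out of logs."""
        return self._call("/resources/users/v1/mfa/authenticator/enroll/verify",
                          {"token": token}, "recoveryCode")


def demo():
    """Offline run against a constructed stand-in for the API (no network)."""
    seen = []
    def fake_post(url, headers, body=None):
        seen.append((url.rsplit("/identity", 1)[1], headers["frontegg-user-id"], body))
        return {"qrCode": "constructed-qr"} if body is None else {"recoveryCode": "constructed-code"}
    flow = AuthenticatorEnrollment("constructed-vendor-token", "constructed-user", post=fake_post)
    return flow.start(), flow.finish("123456"), seen
```

Against the live API, drop the `post=` argument so `http_post` is used and pass a real vendor token and user ID.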

Enroll SMS MFA

Request

Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  phoneNumber (string, phoneNumberRegexp, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/sms/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "phoneNumber": "string"
  }'

Responses

Verify MFA enrollment

Request

Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  otcToken (string, required)
  code (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/sms/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "otcToken": "string",
    "code": "string"
  }'

Responses

Disable authenticator app MFA (Deprecated)

Request

This route disables MFA enrollment for a logged-in user for a specific tenant. Send the frontegg-user-id header to declare which user. The MFA token should be obtained from the authenticator app. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  token (string)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/disable \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "token": "string"
  }'

Responses

Verify MFA using code from authenticator app (Deprecated)

Request

This route verifies the MFA code from an authenticator app. Send the frontegg-vendor-host as a header. This is your domain name in the Frontegg Portal ➜ Workspace Settings ➜ Domains ➜ Domain Name. Send information required for MFA in the POST body. The value is the service name from your Authentication Settings in the Frontegg Portal. The MFA token is from the authenticator app.

Body (application/json, required)
  value (string, required)
  mfaToken (string, required)
  rememberDevice (boolean)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/mfa/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": "string",
    "mfaToken": "string",
    "rememberDevice": true
  }'

Responses

Enroll authenticator app MFA (Deprecated)

Request

This route enrolls MFA for a logged-in user for a specific tenant. Send the frontegg-user-id header to declare which user. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Headers
  frontegg-user-id (string, required): The user ID identifier

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/enroll \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-user-id: string'

Responses

Body (application/json)
  qrCode (string, required): QR code to be verified by authenticator app

Response (application/json)
{ "qrCode": "string" }

Verify authenticator app MFA enrollment (Deprecated)

Request

This route verifies MFA enrollment using a QR code. Send the frontegg-user-id header to declare which user. Send information required for MFA in the POST body. The MFA token should be obtained from the authenticator app after scanning the QR code received. A vendor token is required for this route; it can be obtained from the vendor authentication route.

Headers
  frontegg-user-id (string, required): The user ID identifier
Body (application/json, required)
  token (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/mfa/enroll/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "token": "string"
  }'

Responses

Body (application/json)
  recoveryCode (string, required)

Response (application/json)
{ "recoveryCode": "string" }
