Authentication and Identity Management

Frontegg offers a comprehensive suite of authentication, user management, and security features to streamline identity management and enhance application security. This section provides an overview of all relevant API endpoints, organized into Authentication, Management, and Self-Service categories.

Authentication Endpoints: Enable secure user login, multi-factor authentication (MFA), passwordless options, and social login integrations, allowing for a flexible and robust sign-in experience.

Management Endpoints: Require environment-level authorization and provide full control over SSO (SAML and OpenID Connect) resources, user roles, permissions, and configurations. These endpoints are designed for administrative use, allowing for centralized identity and access management.

Self-Service Endpoints: Accessible with a user token (JWT), these endpoints empower users to manage their SSO connections and other account settings. Users with the necessary permissions can create, update, or delete SSO configurations directly, ensuring they have the tools to manage their access securely and independently.

Each category in this section helps you configure and extend Frontegg’s capabilities, providing the flexibility to manage user identities, authentication protocols, and access controls as per your application’s needs.

Servers
EU Region
https://api.frontegg.com/identity/
US Region
https://api.us.frontegg.com/identity/
CA Region
https://api.ca.frontegg.com/identity/
AU Region
https://api.au.frontegg.com/identity/
Frontegg sub-domain for use with user tokens
https://{domain}.frontegg.com/identity/

Password settings

Update password configuration

Request

This route updates the password policy for all tenants. To update the password policy for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header. Send the updated values as POST body params.

Headers
frontegg-tenant-id (string)

The tenant ID identifier

Body: application/json (required)
allowPassphrases (boolean)
maxLength (number)
minLength (number)
minPhraseLength (number)
minOptionalTestsToPass (number)
blockPwnedPasswords (boolean)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/configurations/v1/password \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "allowPassphrases": true,
    "maxLength": 0,
    "minLength": 0,
    "minPhraseLength": 0,
    "minOptionalTestsToPass": 0,
    "blockPwnedPasswords": true
  }'

Responses

Body: application/json
allowPassphrases (boolean)
maxLength (number)
minLength (number)
minPhraseLength (number)
minOptionalTestsToPass (number)
blockPwnedPasswords (boolean, required)

Response (application/json)
{ "allowPassphrases": true, "maxLength": 0, "minLength": 0, "minPhraseLength": 0, "minOptionalTestsToPass": 0, "blockPwnedPasswords": true }

Gets password policy configuration

Request

This route gets the password policy for all tenants. To get the password policy for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header.

Headers
frontegg-tenant-id (string)

The tenant ID identifier

curl -i -X GET \
  https://api.frontegg.com/identity/resources/configurations/v1/password \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body: application/json
allowPassphrases (boolean)
maxLength (number)
minLength (number)
minPhraseLength (number)
minOptionalTestsToPass (number)
blockPwnedPasswords (boolean, required)

Response (application/json)
{ "allowPassphrases": true, "maxLength": 0, "minLength": 0, "minPhraseLength": 0, "minOptionalTestsToPass": 0, "blockPwnedPasswords": true }

Create password history policy

Request

This route creates the password history policy for all tenants. To create a password history policy for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header. To enable password history, set enabled to true and historySize to a number between 1 and 10.

Headers
frontegg-tenant-id (string)

The tenant ID identifier

Body: application/json (required)
enabled (boolean, required)

Determines whether the history policy is enabled.

Default: false

historySize (number, [ 1 .. 10 ], required)

Number of passwords per user to remember in the history.

Default: 1

curl -i -X POST \
  https://api.frontegg.com/identity/resources/configurations/v1/password-history-policy \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "enabled": false,
    "historySize": 1
  }'

Responses

Body: application/json
id (string, required)
enabled (boolean, required)
historySize (number, required)
createdAt (string, date-time, required)
updatedAt (string, date-time, required)

Response (application/json)
{ "id": "string", "enabled": true, "historySize": 0, "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z" }

Update password history policy

Request

This route updates the password history policy for all tenants. To update a password history policy for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header. To disable the password history policy, set enabled to false. The password history size can also be changed to a number between 1 and 10.

Headers
frontegg-tenant-id (string)

The tenant ID identifier

Body: application/json (required)
enabled (boolean, required)

Determines whether the history policy is enabled.

Default: false

historySize (number, [ 1 .. 10 ], required)

Number of passwords per user to remember in the history.

Default: 1

curl -i -X PATCH \
  https://api.frontegg.com/identity/resources/configurations/v1/password-history-policy \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "enabled": false,
    "historySize": 1
  }'

Responses

Body: application/json
id (string, required)
enabled (boolean, required)
historySize (number, required)
createdAt (string, date-time, required)
updatedAt (string, date-time, required)

Response (application/json)
{ "id": "string", "enabled": true, "historySize": 0, "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z" }

Get password history policy

Request

This route gets the password history policy for all tenants or for one tenant specifically. To get the password history policy for a specific tenant, send the tenant’s ID in the frontegg-tenant-id header.

Headers
frontegg-tenant-id (string)

The tenant ID identifier

curl -i -X GET \
  https://api.frontegg.com/identity/resources/configurations/v1/password-history-policy \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body: application/json
id (string, required)
enabled (boolean, required)
historySize (number, required)
createdAt (string, date-time, required)
updatedAt (string, date-time, required)

Response (application/json)
{ "id": "string", "enabled": true, "historySize": 0, "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z" }

Reset password

Request

This route sends a reset password email to the user. Send the user’s email in the POST body. If your email template uses metadata, send email metadata in the POST body, too.

Body: application/json (required)
email (string, email, required)
emailMetadata (object)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/passwords/reset \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com",
    "emailMetadata": {}
  }'

Responses

Verify password

Request

This route verifies a user’s password using a verification token. Send the userId, token, and password in the POST body. For the token, see the route under users for generating user password reset token.

Body: application/json (required)
userId (string, required)
token (string, required)
password (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/passwords/reset/verify \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "userId": "string",
    "token": "string",
    "password": "string"
  }'

Responses

Change password

Request

This route changes the password for a logged-in user. Send the frontegg-user-id and frontegg-tenant-id headers to declare which user and which tenant. Send the current and new passwords in the POST body.

Headers
frontegg-user-id (string, required)

The user ID identifier

Body: application/json (required)
password (string, required)
newPassword (string, required)

curl -i -X POST \
  https://api.frontegg.com/identity/resources/users/v1/passwords/change \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-user-id: string' \
  -d '{
    "password": "string",
    "newPassword": "string"
  }'

Responses

Get strictest password configuration

Request

This route gets the user’s strictest password configuration. This is useful when a user belongs to multiple tenants that do not all have the same password complexity. The route returns the strictest setting the user is subject to.

Query
userId (string)

curl -i -X GET \
  https://api.frontegg.com/identity/resources/users/v1/passwords/config \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body: application/json
allowPassphrases (boolean)
maxLength (number)
minLength (number)
minPhraseLength (number)
minOptionalTestsToPass (number)
blockPwnedPasswords (boolean, required)

Response (application/json)
{ "allowPassphrases": true, "maxLength": 0, "minLength": 0, "minPhraseLength": 0, "minOptionalTestsToPass": 0, "blockPwnedPasswords": true }
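
Because tenants can carry their own password policy, it is worth checking where a tenant has drifted below the all-tenants policy. The following is an added example, not Frontegg code: it compares policies in the shape returned by the password configuration GET route and reports the fields where a tenant is weaker. Which direction counts as stricter for each field, and the tenant IDs and values in the sample data, are assumptions of this example.

```python
# Assumption of this example: for these fields a larger number is stricter.
STRICTER_WHEN_HIGHER = ("minLength", "minOptionalTestsToPass")
# Assumption of this example: for these fields True is stricter than False.
STRICTER_WHEN_TRUE = ("blockPwnedPasswords",)


def weaker_fields(baseline, tenant):
    """Return {field: (baseline_value, tenant_value)} where the tenant is weaker."""
    weaker = {}
    for field in STRICTER_WHEN_HIGHER:
        b, t = baseline.get(field), tenant.get(field)
        if b is not None and t is not None and t < b:
            weaker[field] = (b, t)
    for field in STRICTER_WHEN_TRUE:
        if baseline.get(field) and not tenant.get(field):
            weaker[field] = (True, bool(tenant.get(field)))
    return weaker


def drift_report(baseline, tenant_policies):
    """Map tenant ID -> weaker fields, omitting tenants that meet the baseline."""
    report = {}
    for tenant_id, policy in tenant_policies.items():
        diff = weaker_fields(baseline, policy)
        if diff:
            report[tenant_id] = diff
    return report


# Constructed sample data in the shape of the password configuration response.
BASELINE = {"allowPassphrases": True, "maxLength": 128, "minLength": 12,
            "minPhraseLength": 20, "minOptionalTestsToPass": 3,
            "blockPwnedPasswords": True}
TENANTS = {
    "tenant-a": dict(BASELINE),
    "tenant-b": dict(BASELINE, minLength=8, blockPwnedPasswords=False),
}

if __name__ == "__main__":
    for tenant_id, diff in drift_report(BASELINE, TENANTS).items():
        print(tenant_id, diff)
```
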

Get password rotation-period configuration

Request

This route allows vendors or tenants to get the configuration of their password rotation period.

curl -i -X GET \
  https://api.frontegg.com/identity/resources/configurations/v1/password-rotation \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body: application/json
createdAt (string, date-time, required)
updatedAt (string, date-time, required)
isActive (boolean, required)
rotationPeriod (number, required)
notificationPeriod (number, required)
tenantId (string, required)

Response (application/json)
{ "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z", "isActive": true, "rotationPeriod": 0, "notificationPeriod": 0, "tenantId": "string" }

Update or Create password rotation-period configuration

Request

This route allows vendors or tenants to update or create configuration for a password rotation-period. If no rotation-period was previously configured, a new configuration will be created with a default value.

Body: application/json (required)
isActive (boolean)

Indicates if the password rotation is active

Default: false

rotationPeriod (number, [ 1 .. 2628000 ])

The period for password rotation in minutes

Default: 129600

notificationPeriod (number, [ 0 .. 2628000 ])

The period for notification before password rotation in minutes

Default: 10080

curl -i -X POST \
  https://api.frontegg.com/identity/resources/configurations/v1/password-rotation \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "isActive": false,
    "rotationPeriod": 129600,
    "notificationPeriod": 10080
  }'
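
Two details in the password history and rotation routes are easy to get wrong: omitting frontegg-tenant-id applies the history policy to all tenants, and the rotation periods are in minutes. The following is an added example, not Frontegg code: it builds (without sending) the history-policy POST with an explicit scope and produces a range-checked rotation body from day values. The function names, the `all_tenants` flag and the rule that the notice window must be shorter than the rotation period are assumptions of this example.

```python
import json
import urllib.request

# EU region host from this page; swap in the host for your region.
BASE = "https://api.frontegg.com/identity/resources/configurations/v1"
MINUTES_PER_DAY = 24 * 60


def history_policy_request(token, enabled, history_size, tenant_id=None, all_tenants=False):
    """Build (not send) the password-history-policy POST with an explicit scope."""
    if not isinstance(history_size, int) or not 1 <= history_size <= 10:
        raise ValueError("historySize must be an integer in 1..10")
    # Without frontegg-tenant-id the route applies to all tenants, so make that
    # a deliberate choice rather than the result of a forgotten argument.
    if (tenant_id is None) != all_tenants:
        raise ValueError("pass exactly one of tenant_id or all_tenants=True")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if tenant_id is not None:
        headers["frontegg-tenant-id"] = tenant_id
    body = json.dumps({"enabled": enabled, "historySize": history_size}).encode()
    return urllib.request.Request(f"{BASE}/password-history-policy", data=body,
                                  headers=headers, method="POST")


def rotation_body(rotation_days, notify_days, active=True):
    """Convert days to the minutes the rotation route expects and range-check them."""
    rotation = rotation_days * MINUTES_PER_DAY
    notify = notify_days * MINUTES_PER_DAY
    if not 1 <= rotation <= 2628000:
        raise ValueError("rotationPeriod must be 1..2628000 minutes")
    if not 0 <= notify <= 2628000:
        raise ValueError("notificationPeriod must be 0..2628000 minutes")
    # Assumption (not stated on the page): a notice window that is not shorter
    # than the rotation period is treated as a configuration mistake.
    if notify >= rotation:
        raise ValueError("notificationPeriod should be shorter than rotationPeriod")
    return {"isActive": active, "rotationPeriod": rotation, "notificationPeriod": notify}


if __name__ == "__main__":
    req = history_policy_request("<YOUR_JWT_HERE>", True, 5, tenant_id="tenant-a")
    print(req.get_method(), req.full_url, req.header_items(), req.data)
    print(rotation_body(90, 7))
```
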

Responses

Get vendor password rotation-period configuration

Request

This route allows vendors or tenants to get the configuration of their password rotation period.

curl -i -X GET \
  https://api.frontegg.com/identity/resources/configurations/v1/password-rotation/vendor \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Body: application/json
createdAt (string, date-time, required)
updatedAt (string, date-time, required)
isActive (boolean, required)
rotationPeriod (number, required)
notificationPeriod (number, required)
tenantId (string, required)

Response (application/json)
{ "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z", "isActive": true, "rotationPeriod": 0, "notificationPeriod": 0, "tenantId": "string" }
