General

Identity Management (1.0)

Download OpenAPI description
Users, Auth and Security
Single Sign-On
SCIM Provisioning
Entitlements
Entitlements Agent
Accounts (Tenants)
Overview
Languages
Servers
EU Region
https://api.frontegg.com/identity/
US Region
https://api.us.frontegg.com/identity/
CA Region
https://api.ca.frontegg.com/identity/
AU Region
https://api.au.frontegg.com/identity/
https://{domain}.frontegg.com/identity/

API token

Operations

General

Operations

Authenticate user with password

Request

This route authenticates a local user using email and password. Send the frontegg-vendor-host as a header to declare which vendor. This is your domain name in the Frontegg Portal âžś Workspace Settings âžś Domains âžś Domain Name. Optionally, send login information for the user as POST body params. Include the invitation token if the user is signing up by invitation. Send the recaptcha token if the recaptcha is enabled for login.

Headers
frontegg-vendor-hoststring

The vendor host domain

Bodyapplication/jsonrequired
emailstringrequired
passwordstringrequired
recaptchaTokenstring
invitationTokenstring
curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "string",
    "password": "string",
    "recaptchaToken": "string",
    "invitationToken": "string"
  }'

Responses

Bodyapplication/json
tokenTypestring
Default "bearer"
mfaRequiredbooleanrequired
mfaTokenstring
mfaEnrolledboolean
mfaDevicesobject(UserMFADevicesResponse)
mfaStrategiesobject
qrCodestring
recoveryCodestring
accessTokenstringrequired
refreshTokenstringrequired
expiresInnumberrequired
expiresstringrequired
userIdstring
userEmailstring
emailVerifiedboolean
isBreachedPasswordboolean
Response
application/json
{
  "tokenType": "bearer",
  "mfaRequired": true,
  "mfaToken": "string",
  "mfaEnrolled": true,
  "mfaDevices": {
    "webauthn": [ … ],
    "phones": [ … ],
    "authenticators": [ … ],
    "emails": [ … ]
  },
  "mfaStrategies": {},
  "qrCode": "string",
  "recoveryCode": "string",
  "accessToken": "string",
  "refreshToken": "string",
  "expiresIn": 0,
  "expires": "string",
  "userId": "string",
  "userEmail": "string",
  "emailVerified": true,
  "isBreachedPassword": true
}

Refresh user JWT token

Request

This route refreshes a JWT based on the refresh token expiration time. If the refresh token is valid, the route returns a new JWT and refresh token. Please note that the route expects the refresh cookie of the logged in user as well. Send the frontegg-vendor-host as a header to declare which vendor. This is your domain name in the Frontegg Portal âžś Workspace Settings âžś Domains âžś Domain Name. Configure your JWT settings in the Frontegg Portal.

Headers
frontegg-vendor-hoststringrequired
Bodyapplication/jsonrequired
object(RefreshTokenDto)
curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/user/token/refresh \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'frontegg-vendor-host: string' \
  -d '{}'

Responses

Bodyapplication/json
tokenTypestring
Default "bearer"
mfaRequiredbooleanrequired
mfaTokenstring
mfaEnrolledboolean
mfaDevicesobject(UserMFADevicesResponse)
mfaStrategiesobject
qrCodestring
recoveryCodestring
accessTokenstringrequired
refreshTokenstringrequired
expiresInnumberrequired
expiresstringrequired
userIdstring
userEmailstring
emailVerifiedboolean
isBreachedPasswordboolean
Response
application/json
{
  "tokenType": "bearer",
  "mfaRequired": true,
  "mfaToken": "string",
  "mfaEnrolled": true,
  "mfaDevices": {
    "webauthn": [ … ],
    "phones": [ … ],
    "authenticators": [ … ],
    "emails": [ … ]
  },
  "mfaStrategies": {},
  "qrCode": "string",
  "recoveryCode": "string",
  "accessToken": "string",
  "refreshToken": "string",
  "expiresIn": 0,
  "expires": "string",
  "userId": "string",
  "userEmail": "string",
  "emailVerified": true,
  "isBreachedPassword": true
}

Logout user

Request

This route logs out a user using the refresh token that is passed as a cookie. Send the frontegg-vendor-host as a header to declare which vendor. This route is designed for Frontegg embedded login or integrations that use only Frontegg APIs

Headers
frontegg-vendor-hoststringrequired
curl -i -X POST \
  https://api.frontegg.com/identity/resources/auth/v1/logout \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-vendor-host: string'

Responses

MFA

Operations

Users

Operations