Account Management Overview

Frontegg is built with multi-tenancy in mind, allowing the creation and management of multiple accounts (tenants) within an environment. This section provides an overview of relevant API endpoints, organized into Management and Self-Service categories, supporting the creation of accounts, hierarchies, and sub-accounts.

Management Endpoints: Require environment-level authorization and offer full control over resources, including SSO (SAML and OIDC) configurations, account hierarchies, and sub-accounts.

Self-Service Endpoints: Accessible with a user token (JWT), enabling users with the appropriate permissions to create, update, and delete sub-accounts from a hierarchy.

Servers
EU Region: https://api.frontegg.com/tenants/
US Region: https://api.us.frontegg.com/tenants/
CA Region: https://api.ca.frontegg.com/tenants/
AU Region: https://api.au.frontegg.com/tenants/
Frontegg sub-domain for use with user tokens: https://{domain}.frontegg.com/tenants/

Sub-accounts

Create sub-account

Request

Create a new sub-account (tenant). If an account with the given ID previously existed and was removed, this action reactivates that account. A user or vendor token is required for this route. A user token can be obtained after user authentication.

Body (application/json, required)

tenantId (string, required)
name (string, required)
parentTenantId (string, required)
status (string): This field can be used for custom logic; it is not enforced in Frontegg flows.
logo (string): Base64-encoded image to use as logo.
logoUrl (string)
creatorName (string)
creatorEmail (string)
isReseller (boolean)

curl -i -X POST \
  https://api.frontegg.com/tenants/resources/sub-tenants/v1 \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "tenantId": "string",
    "name": "string",
    "parentTenantId": "string",
    "status": "string",
    "logo": "string",
    "logoUrl": "string",
    "creatorName": "string",
    "creatorEmail": "string",
    "isReseller": true
  }'

Responses

When tenant ID does not pass validation.

Update sub-account (tenant) management

Request

Enable a sub-account to give child accounts multi-seller management capabilities. Send isReseller: true to update sub-accounts with this capability.

Path
tenantId (string, required)

Body (application/json, required)
object (UpdateSubTenantManagementRequest)

curl -i -X PUT \
  'https://api.frontegg.com/tenants/resources/sub-tenants/v1/{tenantId}/management' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{"isReseller": true}'

Update sub-account hierarchy settings

Request

Set the default behavior of sub-account access in an account (tenant). Set subAccountAccessType to defaultOff or defaultOn to allow sub-account access to be changed, or alwaysOn to force sub-account access on all users.

Path
tenantId (string, required)

Body (application/json, required)
object (UpdateSubTenantHierarchySettingsRequest)

curl -i -X PUT \
  'https://api.frontegg.com/tenants/resources/sub-tenants/v1/{tenantId}/hierarchy-settings' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{"subAccountAccessType": "defaultOff"}'

Delete a sub-account by ID

Request

Delete a sub-account. A user or vendor token is required for this route. A user token can be obtained after user authentication.

Path
tenantId (string, required)

curl -i -X DELETE \
  'https://api.frontegg.com/tenants/resources/sub-tenants/v1/{tenantId}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

When the given tenant doesn't exist.

Get sub-accounts (tenants)

Request

Get all sub-accounts from the hierarchy. A user token or vendor token is required for this route. A user token can be obtained after user authentication; a vendor token can be obtained from the vendor authentication route.

Headers
frontegg-tenant-id (string, required): The tenant ID identifier

curl -i -X GET \
  https://api.frontegg.com/tenants/resources/hierarchy/v1 \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-tenant-id: string'

Get parent accounts (tenants)

Request

Get all parent accounts from the hierarchy. The tenant ID header is required. A user token or vendor token is required for this route. A user token can be obtained after user authentication. A vendor token can be obtained from the vendor authentication route.

Headers
frontegg-tenant-id (string, required): The tenant ID identifier

curl -i -X GET \
  https://api.frontegg.com/tenants/resources/hierarchy/v1/parents \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-tenant-id: string'

Get sub-accounts (tenants) hierarchy tree

Request

Get the full sub-account hierarchy as a tree structure. A user token or vendor token is required for this route. A user token can be obtained after user authentication; a vendor token can be obtained from the vendor authentication route.

Headers
frontegg-tenant-id (string, required): The tenant ID identifier

curl -i -X GET \
  https://api.frontegg.com/tenants/resources/hierarchy/v1/tree \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'frontegg-tenant-id: string'

Responses

When circular dependency is detected in the hierarchy
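
The circular-dependency response above, and the required fields of the Create sub-account body, can be checked locally before a request is sent. This is an added example, not Frontegg code: it assumes the caller already holds a tenantId-to-parentTenantId map (this page does not show the hierarchy response format), and the sample map and the function names are constructed for illustration.

```python
# Added example: local pre-flight check for a "Create sub-account" request body.
# SAMPLE_HIERARCHY is constructed data (child tenantId -> parentTenantId),
# not output from the Frontegg API.

REQUIRED_FIELDS = ("tenantId", "name", "parentTenantId")  # marked required on this page

SAMPLE_HIERARCHY = {
    "acme": None,                 # root account, no parent
    "acme-eu": "acme",
    "acme-eu-retail": "acme-eu",
}


def ancestors(tenant_id, parent_of):
    """Walk parent links upward; raise if the supplied map already loops."""
    seen, chain = {tenant_id}, []
    current = parent_of.get(tenant_id)
    while current is not None:
        if current in seen:
            raise ValueError(f"hierarchy map already contains a cycle at {current!r}")
        seen.add(current)
        chain.append(current)
        current = parent_of.get(current)
    return chain


def preflight(body, parent_of):
    """Return a list of problems; an empty list means no problem was found."""
    problems = [
        f"missing required field: {field}"
        for field in REQUIRED_FIELDS
        if not isinstance(body.get(field), str) or not body[field].strip()
    ]
    if problems:
        return problems
    child, parent = body["tenantId"], body["parentTenantId"]
    if child == parent:
        return ["tenantId equals parentTenantId (self-parent)"]
    if parent not in parent_of:
        problems.append(f"unknown parentTenantId: {parent}")
    elif child in ancestors(parent, parent_of):
        # child already sits above parent, so linking child -> parent closes a loop
        problems.append(f"cycle: {child} is already an ancestor of {parent}")
    return problems
```
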