# Authentication and Identity Management

Frontegg offers a comprehensive suite of authentication, user management, and security features to streamline identity management and enhance application security. This section provides an overview of all relevant API endpoints, organized into Authentication, Management, and Self-Service categories.

**Authentication Endpoints**: Enable secure user login, multi-factor authentication (MFA), passwordless options, and social login integrations, allowing for a flexible and robust sign-in experience.

**Management Endpoints**: Require environment-level authorization and provide full control over SSO (SAML and OpenID Connect) resources, user roles, permissions, and configurations. These endpoints are designed for administrative use, allowing for centralized identity and access management.

**Self-Service Endpoints**: Accessible with a user token (JWT), these endpoints empower users to manage their SSO connections and other account settings. Users with the necessary permissions can create, update, or delete SSO configurations directly, ensuring they have the tools to manage their access securely and independently.

Each category in this section helps you configure and extend Frontegg’s capabilities, providing the flexibility to manage user identities, authentication protocols, and access controls as per your application’s needs.

## Servers

EU Region

```
https://api.frontegg.com/identity
```

US Region

```
https://api.us.frontegg.com/identity
```

CA Region

```
https://api.ca.frontegg.com/identity
```

AU Region

```
https://api.au.frontegg.com/identity
```

Frontegg sub-domain for use with user tokens

```
https://{domain}.frontegg.com/identity
```

Variables:

- `domain` Default: "app-xxx"

## Security

### bearer

Type: http

Scheme: bearer

Bearer Format: JWT

## Download OpenAPI description

[Authentication and Identity Management](https://developers.frontegg.com/_bundle/ciam/api/identity.yaml)

## API token

### Authenticate using API token

- [POST /resources/auth/v2/api-token](https://developers.frontegg.com/ciam/api/identity/api-token/authenticationapitokencontrollerv2_authapitoken.md): Authenticates using an account (tenant) or user API token.

Obtain your clientId and secret from Admin Portal → API Tokens, then provide them in the request body. Send the request to your Frontegg environment (e.g., https://.frontegg.com).

Note: By default, this endpoint enforces refresh token rotation. Each API token is limited to 100 active refresh tokens. When authenticating with the same API token for the 101st time, the oldest refresh token is automatically invalidated.

Use this endpoint to securely authenticate automated services, back-end clients, or integrations that rely on static credentials.

### Refresh API token

- [POST /resources/auth/v2/api-token/token/refresh](https://developers.frontegg.com/ciam/api/identity/api-token/authenticationapitokencontrollerv2_refreshtoken.md): Refreshes a JWT access token using a refresh token.

If the refresh token is valid, returns a new JWT and refresh token pair. This maintains an authenticated session without requiring the user to log in again.

If the refresh token is invalid, expired, or has been revoked due to rotation limits, the request will fail with an authentication error.

## General

### Authenticate user with password

- [POST /resources/auth/v1/user](https://developers.frontegg.com/ciam/api/identity/general/authenticatioauthenticationcontrollerv1_authenticatelocaluser.md): Authenticate a local user using their email and password.

Include the user's login credentials in the request body. This endpoint supports optional parameters such as an invitation token (for sign-up flows via invitation) and a reCAPTCHA token (if reCAPTCHA is enabled for login).

If the credentials are valid, the response includes a signed JWT and a refresh token that can be used for future authenticated requests.

### Refresh user JWT token

- [POST /resources/auth/v1/user/token/refresh](https://developers.frontegg.com/ciam/api/identity/general/authenticatioauthenticationcontrollerv1_refreshtoken.md): Refresh a JWT based on the refresh token's expiration time.

This endpoint returns a new JWT and refresh token if the existing refresh token is valid and not expired. The request must include the refresh token cookie for the currently logged-in user.

Ensure your JWT settings are properly configured in the Frontegg Portal to support this flow.

### Logout user

- [POST /resources/auth/v1/logout](https://developers.frontegg.com/ciam/api/identity/general/authenticatioauthenticationcontrollerv1_logout.md): Log out a user by invalidating their refresh token.

This endpoint logs out the currently authenticated user by invalidating the refresh token provided in the refresh token cookie.

This route is intended for applications using Frontegg's embedded login experience or for integrations that interact exclusively with Frontegg APIs.

### Signup user

- [POST /resources/users/v1/signUp](https://developers.frontegg.com/ciam/api/identity/general/userscontrollerv1_signupuser.md): Sign up a new user and create a new account (tenant).

This endpoint registers a user with authentication details such as email, password, and the provider used for authentication (e.g., local, saml, google, github). Refer to the documentation or dropdown menu for the full list of supported provider values.

Additional optional fields such as user metadata may also be included. If not needed, metadata can be passed as an empty object (e.g., {}).

This endpoint is typically used during account (tenant) onboarding or self-sign-up flows.

### Signup user with username

- [POST /resources/users/v1/signUp/username](https://developers.frontegg.com/ciam/api/identity/general/userssignupcontrollerv1_signupuserusername.md): Sign up a new user and create a new account (tenant).

Include the frontegg-vendor-host header (your domain name from Portal → Workspace Settings → Domains).

Required fields: email, provider (authentication method: local, saml, google, github), companyName, and metadata (can be empty {}).

Requires an environment authentication token.

## MFA

### Recover MFA

- [POST /resources/auth/v1/user/mfa/recover](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_recovermfa.md): Recover multi-factor authentication (MFA) for a non-logged-in user.

This endpoint verifies a user's identity using a backup recovery code, typically generated by the user's MFA authenticator app during initial setup.

Use this when a user cannot access their MFA device and needs to authenticate with their recovery code.

### Disable authenticator app MFA

- [POST /resources/users/v1/mfa/authenticator/{deviceId}/disable/verify](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_disableauthenticatormfa.md): Disable multi-factor authentication (MFA) enrollment for a logged-in user within a specific account (tenant).

This endpoint removes MFA for a user, typically used in administrative contexts where a backend system or admin manages user security settings.

The request must include the mfaToken, which is the time-based one-time password (TOTP) generated by the user's authenticator app.

Use this endpoint to programmatically disable MFA for a specific user within an account (tenant).

### Pre-disable SMS MFA

- [POST /resources/users/v1/mfa/sms/{deviceId}/disable](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_predisablesmsmfa.md): Initiate the process of disabling SMS-based multi-factor authentication (MFA) for a specific device.

Provide the target deviceId in the request path to mark the SMS MFA device for pre-disablement. This action prepares the device for subsequent steps required to complete the removal.

Use this route as part of the MFA management flow for disabling SMS-based MFA on a per-device basis.

### Disable SMS MFA

- [POST /resources/users/v1/mfa/sms/{deviceId}/disable/verify](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_disablesmsmfa.md): Complete the process of disabling SMS-based multi-factor authentication (MFA) for a specific device.

This step finalizes MFA deactivation for the given deviceId after a prior pre-disable action.

The request must include:

- otcToken: The one-time challenge token obtained during the pre-disable step.
- code: The SMS verification code received by the user.

Use this endpoint as the second step in the SMS MFA removal flow to verify the user's identity and confirm the disable action.

### Request verify MFA using email code

- [POST /resources/auth/v1/user/mfa/emailcode](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preverifyemailotcmfa.md): Verify multi-factor authentication (MFA) using a code sent to the user's email.

This endpoint completes the email-based MFA verification step.

The request must include:

- mfaToken: The token provided after the user initiates MFA via email.

Use this endpoint to confirm the email-based MFA challenge and finalize the login or authentication process.

### Verify MFA using email code

- [POST /resources/auth/v1/user/mfa/emailcode/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_verifyemailotcmfa.md): Verify a multi-factor authentication (MFA) challenge using a code sent to the user's email address.

This endpoint finalizes the email-based MFA verification and completes the authentication process.

The request must include:

- otcToken: One-time challenge token received during the email MFA initiation.
- code: The MFA code sent to the user's email.
- mfaToken: Token returned from the original MFA setup or step-up authentication request.
- rememberDevice (optional): If set to true, the device will be remembered to reduce MFA prompts on future logins from the same client.

Use this endpoint to confirm the MFA challenge and optionally remember the current device for future sessions.

### Pre enroll MFA using Authenticator App

- [POST /resources/auth/v1/user/mfa/authenticator/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preenrollauthenticatormfa.md): Initiate enrollment in multi-factor authentication (MFA) using an authenticator app (e.g., Google Authenticator, Authy).

This endpoint begins the MFA setup process and returns the necessary data for configuring an authenticator app, such as a QR code or secret key.

The request must include:

- mfaToken: A token received from the initial authentication flow that authorizes the MFA setup.

Use this endpoint to generate the configuration required for linking an authenticator app before completing verification.

### Enroll MFA using Authenticator App

- [POST /resources/auth/v1/user/mfa/authenticator/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_enrollauthenticatormfa.md): Complete enrollment in multi-factor authentication (MFA) using an authenticator app.

This endpoint verifies the MFA setup by validating the time-based one-time password (TOTP) generated by the authenticator app.

The request must include:

- token: The 6-digit TOTP code generated by the authenticator app.
- mfaToken: Token from the initial MFA enrollment initiation.
- rememberDevice (optional): If set to true, the device will be remembered and may skip MFA on future logins from the same browser or device.

Use this endpoint to finalize MFA enrollment and activate the authenticator app for the user's account.

### Verify MFA using authenticator app

- [POST /resources/auth/v1/user/mfa/authenticator/{deviceId}/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_verifyauthenticatormfa.md): Verify multi-factor authentication (MFA) during the authentication process.

This endpoint is typically used after a primary login attempt when MFA is enabled for the user or account (tenant).

The request must include:

- value: The MFA service name (e.g., authenticator, email, sms) configured under Authentication Settings.
- mfaToken: The token or code provided by the user's MFA method (e.g., code from an authenticator app).

Use this endpoint to complete the MFA verification step as part of the overall login flow.

### Pre-enroll MFA using sms

- [POST /resources/auth/v1/user/mfa/sms/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preenrollsmsmfa.md): Initiate multi-factor authentication (MFA) enrollment using SMS.

This endpoint begins the SMS-based MFA setup by sending a verification code to the provided phone number.

The request must include:

- phoneNumber: The user's mobile phone number in international format. It must match the format defined in your organization's phone number validation pattern (phoneNumberRegexp).

Use this endpoint as the first step in enabling SMS-based MFA for a user.

### Enroll MFA using sms

- [POST /resources/auth/v1/user/mfa/sms/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_enrollsmsmfa.md): Complete enrollment in multi-factor authentication (MFA) using SMS.

This endpoint finalizes the SMS-based MFA setup for the user by verifying the code sent to their phone number.

The request must include:

- otcToken: Token received from the initial SMS MFA enrollment step.
- code: The numeric code sent via SMS to the user's registered phone number.

Use this endpoint to verify the user's phone number and activate SMS-based MFA on their account.

### Request to verify MFA using sms

- [POST /resources/auth/v1/user/mfa/sms/{deviceId}](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preverifysmsmfa.md): Verify multi-factor authentication (MFA) using an SMS-based device.

This endpoint confirms the SMS MFA challenge as part of the authentication or step-up verification process for a specific registered device.

Path parameters:

- deviceId: The unique identifier of the SMS MFA device being verified.

Request body must include:

- mfaToken: Token provided during the authentication or challenge flow.

Use this endpoint to complete SMS-based MFA verification for the specified device.

### Verify MFA using sms

- [POST /resources/auth/v1/user/mfa/sms/{deviceId}/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_verifysmsmfa.md): Verify a multi-factor authentication (MFA) challenge using an SMS code for a specific registered device.

This endpoint finalizes the MFA step by validating the SMS code and may mark the device as trusted if specified.

Path parameters:

- deviceId: The unique identifier of the SMS MFA device being verified.

Request body must include:

- otcToken: Token received from the SMS MFA challenge initiation.
- code: The verification code sent to the user's phone via SMS.
- mfaToken: MFA token issued during the initial login or step-up challenge.
- rememberDevice (optional): Set to true to remember the device and reduce future MFA prompts on this device.

Use this endpoint to complete SMS-based MFA verification and optionally trust the device for future logins.

### Pre enroll MFA using WebAuthN

- [POST /resources/auth/v1/user/mfa/webauthn/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preenrollwebauthnmfa.md): Initiate multi-factor authentication (MFA) enrollment using WebAuthn (e.g., security keys, biometrics).

This endpoint begins the WebAuthn MFA setup by returning a browser-based challenge needed to link a trusted device, such as a biometric reader or hardware security key.

The request must include:

- mfaToken: Token issued during the authentication flow to authorize MFA setup.

Use this endpoint as the first step when enrolling a user in WebAuthn-based MFA.

### Enroll MFA using WebAuthN

- [POST /resources/auth/v1/user/mfa/webauthn/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_enrollwebauthnmfa.md): Complete enrollment in multi-factor authentication (MFA) using WebAuthn.

This endpoint verifies and registers a WebAuthn device, such as a biometric sensor (Platform) or hardware security key (CrossPlatform), finalizing the setup after the initial challenge.

The request must include:

- deviceType: Type of device being enrolled. Accepts Platform (e.g., fingerprint scanner) or CrossPlatform (e.g., USB security key).
- webauthnToken: Token received during the WebAuthn pre-enrollment step.
- options: WebAuthn attestation data collected from the client.
- id: Device identifier.
- response: WebAuthn attestation response.
- clientDataJSON: Base64-encoded client data from the browser.
- attestationObject: Base64-encoded attestation object from the authenticator.
- deviceType (optional): May repeat the selected device type.
- mfaToken: Token used to authorize MFA enrollment.
- rememberDevice (optional): Set to true to remember the device and reduce MFA prompts on future logins.

Use this endpoint to complete WebAuthn-based MFA enrollment and register the user's trusted device.

### Request verify MFA using WebAuthN

- [POST /resources/auth/v1/user/mfa/webauthn/{deviceId}](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_preverifywebauthnmfa.md): Verify a multi-factor authentication (MFA) challenge using a registered WebAuthn device.

This endpoint completes WebAuthn-based MFA verification, typically following primary authentication when WebAuthn is required as a second factor.

Path parameters:

- deviceId: The unique identifier of the WebAuthn device to be verified.

Request body must include:

- mfaToken: Token issued during the login or step-up authentication flow.

Use this endpoint to validate a WebAuthn device and complete the MFA step during authentication.

### Verify MFA using webauthn

- [POST /resources/auth/v1/user/mfa/webauthn/{deviceId}/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_verifywebauthnmfa.md): Verify a multi-factor authentication (MFA) challenge using a WebAuthn device.

This endpoint completes MFA verification using a previously registered WebAuthn device such as a biometric sensor or hardware security key.

Path parameters:

- deviceId: The unique identifier of the registered WebAuthn device to be verified.

Request body must include:

- webauthnToken: Token received from the server to initiate the WebAuthn challenge.
- options: WebAuthn authentication response returned by the browser.
- id: The credential ID of the WebAuthn device.
- response: Object containing attestation data from the authenticator.
- clientDataJSON: Base64-encoded client data.
- authenticatorData: Base64-encoded data from the authenticator.
- signature: Signature from the authenticator, proving user presence.
- userHandle: The user's handle used during registration.
- recaptchaToken (optional): Token to verify human interaction, if reCAPTCHA is enabled.
- invitationToken (optional): Used when completing an MFA challenge as part of an invitation flow.
- mfaToken: Token issued during the initial authentication step.
- rememberDevice (optional): If set to true, this device will be remembered for future logins to reduce MFA prompts.

Use this endpoint to complete WebAuthn-based MFA verification and confirm the user's identity using a secure hardware or platform authenticator.

### Check if remember device allowed

- [GET /resources/configurations/v1/mfa-policy/allow-remember-device](https://developers.frontegg.com/ciam/api/identity/mfa/securitypolicycontroller_checkifallowtorememberdevice.md): Check whether the 'remember device' feature is allowed for MFA verification.

This endpoint returns whether device remembering is enabled globally or for a specific account (tenant), based on the request context.

Query parameters:

- mfaToken: Token generated from the authenticator app or MFA challenge step.

Use this endpoint to determine whether the user should be prompted with the option to remember their device during MFA verification.

### Enroll authenticator app MFA

- [POST /resources/users/v1/mfa/authenticator/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_enrollauthenticatormfa.md): Enroll a logged-in user in multi-factor authentication (MFA) for a specific account (tenant).

This endpoint initiates MFA enrollment on behalf of a user within a specific account (tenant) context.

Use this route to programmatically trigger MFA enrollment, typically as part of an administrative or backend workflow.

### Verify authenticator app MFA enrollment

- [POST /resources/users/v1/mfa/authenticator/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_verifyauthenticatormfaenrollment.md): Verify multi-factor authentication (MFA) enrollment using a QR code for a specific user within an account (tenant).

This endpoint completes MFA enrollment after the user scans a QR code with an authenticator app (e.g., Google Authenticator, Authy).

Request body must include:

- mfaToken: The time-based one-time password (TOTP) generated by the authenticator app after scanning the QR code.

Use this endpoint to confirm that the user has successfully registered their authenticator app and to activate MFA for their account.

### Enroll SMS MFA

- [POST /resources/users/v1/mfa/sms/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_preenrollsmsmfa.md): Enroll a user in SMS-based multi-factor authentication (MFA).

This endpoint initiates SMS MFA enrollment by sending a verification code to the user's phone number.

Request body must include:

- phoneNumber: The user's mobile number in international format. Must match the validation pattern defined by phoneNumberRegexp.

Use this endpoint to begin the SMS MFA setup process for a specific user. The next step is to verify the SMS code to complete enrollment.

### Verify MFA enrollment

- [POST /resources/users/v1/mfa/sms/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_enrollsmsmfa.md): Complete SMS-based multi-factor authentication (MFA) enrollment for a user.

This endpoint finalizes SMS MFA setup by verifying the code sent to the user's phone.

Request body must include:

- otcToken: One-time challenge token received from the initial enrollment step.
- code: The verification code sent to the user's phone via SMS.

Use this endpoint to verify the user's phone number and activate SMS-based MFA for their account.

### Disable authenticator app MFA (deprecated)

- [POST /resources/users/v1/mfa/disable](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_disableauthappmfa.md): Disable MFA enrollment for a logged-in user within a specific account (tenant).

This endpoint disables multi-factor authentication for a user, using the mfaToken obtained from the user's authenticator app.

Use this endpoint to programmatically disable MFA when managing authentication settings at the account (tenant) level.

### Verify MFA using code from authenticator app (deprecated)

- [POST /resources/auth/v1/user/mfa/verify](https://developers.frontegg.com/ciam/api/identity/mfa/authenticationmfacontrollerv1_verifyauthenticatormfacode.md): Verify a multi-factor authentication (MFA) code generated by an authenticator app during the authentication process.

This endpoint completes the MFA step by validating the provided code.

The request must include:

- value: The MFA service name (e.g., authenticator), as configured in your Authentication Settings.
- mfaToken: The time-based one-time password (TOTP) generated by the user's authenticator app.

Use this endpoint to verify the user's MFA code during an authentication challenge, typically after the primary login step.

### Enroll authenticator app MFA (deprecated)

- [POST /resources/users/v1/mfa/enroll](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_enrollauthappmfa.md): Enroll a logged-in user in multi-factor authentication (MFA) for a specific account (tenant).

This endpoint initiates MFA enrollment on behalf of a user within a specific account (tenant) context.

Use this route to programmatically trigger MFA enrollment, typically as part of an administrative or backend workflow.

### Verify authenticator app MFA enrollment (deprecated)

- [POST /resources/users/v1/mfa/enroll/verify](https://developers.frontegg.com/ciam/api/identity/mfa/usersmfacontrollerv1_verifyauthappmfaenrollment.md): Verify multi-factor authentication (MFA) enrollment using a QR code for a specific user.

This endpoint completes MFA setup after the user scans a QR code with their authenticator app (e.g., Google Authenticator, Authy).

Request body must include:

- mfaToken: The time-based one-time password (TOTP) generated by the user's authenticator app after scanning the QR code.

Use this endpoint to confirm that the user has successfully linked their authenticator app and to activate MFA for their account.

## Passwordless

### SMS code prelogin

- [POST /resources/auth/v1/passwordless/smscode/prelogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_smscodeprelogin.md): Initiate SMS-based passwordless authentication by sending a one-time code (OTC) to the user's phone.

This is the first step in the SMS OTC passwordless login flow. The system sends an SMS to the user associated with the provided email address.

Request body must include:

- email: The email address of the user initiating the login.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to begin the passwordless login process using SMS verification.

### SMS code postlogin

- [POST /resources/auth/v1/passwordless/smscode/postlogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_smscodepostlogin.md): Complete passwordless authentication using a one-time code (OTC) sent via SMS.

This is the second step in the SMS OTC passwordless login flow. After the user receives the code, this endpoint finalizes authentication and returns a valid JWT and refresh cookie.

Request body must include:

- token: The token ID associated with the SMS OTC sent to the user.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to complete passwordless login via SMS and receive authentication tokens for the session.

### Magic link prelogin

- [POST /resources/auth/v1/passwordless/magiclink/prelogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_magiclinkprelogin.md): Initiate passwordless authentication by sending a magic link to the user's email address.

This is the first step in the magic link passwordless login flow for local users. The system sends an email containing a secure login link to the provided address.

Request body must include:

- email: The email address of the user initiating the login.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to start the magic link authentication process by delivering a login link to the user's email inbox.

### Magic link postlogin

- [POST /resources/auth/v1/passwordless/magiclink/postlogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_magiclinkpostlogin.md): Complete passwordless authentication using a magic link.

This is the second step in the magic link passwordless login flow for local users. After the user clicks the link in their email, this endpoint validates the token and authenticates the user.

Request body must include:

- token: The token ID extracted from the magic link.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to complete the magic link login flow and receive authentication credentials, including a JWT and a refresh cookie.

### OTC (One-Time Code) prelogin

- [POST /resources/auth/v1/passwordless/code/prelogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_emailcodeprelogin.md): Initiate passwordless authentication by sending a one-time code (OTC) to the user's email address.

This is the first step in the email OTC (one-time code) passwordless login flow for local users. The system sends a time-sensitive code to the specified email address.

Request body must include:

- email: The email address of the user initiating the login.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to start the passwordless login process via an email-based one-time code.

### OTC (One-Time Code) postlogin

- [POST /resources/auth/v1/passwordless/code/postlogin](https://developers.frontegg.com/ciam/api/identity/passwordless/authenticationpasswordlesscontrollerv1_emailcodepostlogin.md): Complete passwordless authentication using a one-time code (OTC) sent to the user's email.

This is the second step in the email OTC passwordless login flow. After the user receives and enters the code, this endpoint validates the token and finalizes authentication.

Request body must include:

- token: The token ID associated with the email OTC sent to the user.
- invitationToken (optional): Include if the user is signing up via an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to validate the email-based one-time code and receive authentication credentials, including a JWT and refresh cookie.

## SMS

### Set phone number for a user

- [POST /resources/users/phone-numbers/v1](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_createuserphonenumber.md): Assign a new phone number to a user and optionally trigger a verification code.

By default, the system sends an SMS verification code to the provided phone number. To skip verification (e.g., for internal setup), set the verify field to false.

Request body must include:

- phoneNumber: The new phone number to assign to the user. Must follow international format.
- verify (optional): Whether to send an SMS verification code. Defaults to true if not provided.

Use this endpoint to set or update a user's phone number, with optional control over verification.

### Pre-verify user's phone number

- [POST /resources/users/phone-numbers/v1/preverify](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_preverifyuserphonenumber.md): Send a one-time code (OTC) to the specified phone number to initiate verification.

This endpoint is used to pre-verify a phone number before associating it with a user account. It sends an SMS-based one-time code to the provided number.

Request body must include:

- phoneNumber: The phone number to verify, in international format.

Use this endpoint to validate ownership of a phone number by sending a one-time code for user input during onboarding or account setup.

### Verify creation of phone number for user

- [POST /resources/users/phone-numbers/v1/verify](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_verifycreateuserphonenumber.md): Verify a user's phone number using a one-time code (OTC) that was sent via SMS.

This is the final step in the phone number verification process. After initiating verification via the pre-verification route, use this endpoint to confirm the phone number by submitting the OTC and code.

Request body must include:

- otcToken: The token issued when the OTC was sent.
- code: The one-time code the user received on their phone.

Use this endpoint to validate the user's ownership of the phone number and complete the verification process.

### Delete user's phone number

- [DELETE /resources/users/phone-numbers/v1/{id}](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_deleteuserphonenumber.md): Initiate the deletion process for a user's phone number.

This endpoint begins the phone number removal workflow by sending a verification code to the user. The phone number will not be deleted until the verification step is completed.

Path parameters:

- id: The unique identifier of the phone number to be deleted.

Use this endpoint to trigger the secure deletion process for a user's phone number. A follow-up verification step is required to finalize the removal.

### Verify delete user's phone number

- [POST /resources/users/phone-numbers/v1/{id}/delete/verify](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_verifydeleteuserphonenumber.md): Verify the deletion of a user's phone number using a one-time code (OTC).

This is the final step in the phone number deletion process. After initiating deletion, the system sends a verification code to the user's phone. This endpoint confirms the deletion by validating the OTC and code.

Path parameters:

- id: The unique identifier of the phone number to delete.

Request body must include:

- otcToken: The token issued during the deletion request.
- code: The one-time code sent to the user via SMS.

Use this endpoint to securely complete the deletion of a user's phone number.

### Get current user's phone numbers

- [GET /resources/users/phone-numbers/v1/me](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_getuserownphonenumbers.md): Retrieve all phone numbers associated with the current user.
This endpoint returns a list of phone numbers linked to the authenticated user, including verification status and timestamps. The response includes metadata such as verification status and timestamps for creation and last update. Use this endpoint to display or manage the user's registered phone numbers in your application. ### Get all phone numbers v2 - [GET /resources/users/phone-numbers/v2](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv2_getallphonenumbers.md): This route returns all user phone numbers. ### Get all phone numbers (deprecated) - [GET /resources/users/phone-numbers/v1](https://developers.frontegg.com/ciam/api/identity/sms/userphonenumberscontrollerv1_getallphonenumbers.md): Retrieve a paginated list of all user phone numbers associated with your environment. This endpoint returns user phone numbers along with pagination metadata and navigation links. It supports filtering, sorting, and offset-based pagination for efficient querying. Query parameters (optional): - _limit (number ≥ 1): Maximum number of items to return per page. - _offset (number ≥ 0): The page number to retrieve. For example, use 0 for the first page, 1 for the second page. - _sortBy (string): Field to sort by. Allowed values: userId, phoneNumber. - _order (string): Sort order. Allowed values: ASC, DESC. - _phoneNumber (string): Filter by a specific phone number. Use this endpoint to list or search user phone numbers in a paginated format, ideal for administrative tools or reporting. ## Account invitations settings ### Create account (tenant) invite - [POST /resources/tenants/invites/v1](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/tenantinvitescontroller_createtenantinvite.md): Create a general or account (tenant)-specific invitation token. Use this endpoint to generate invitation tokens for accounts (tenants) or individual users. 
To create a general invitation token, send the request without specifying an account (tenant) or user. To create an account (tenant)-specific token, include the account (tenant) ID in the request body. To create a token for a specific user of an account (tenant), also include the user ID in the body parameters. If a user ID is provided, you can control whether an invitation email is sent by setting the shouldSendEmail parameter. To set a custom expiration time for the invitation, use the expiresInMinutes parameter to define when the token will expire. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Get all account (tenant) invites - [GET /resources/tenants/invites/v1/all](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/tenantinvitescontroller_getallinvites.md): Retrieve all invitation tokens across all accounts (tenants). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Delete an account (tenant) invite - [DELETE /resources/tenants/invites/v1/token/{id}](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/tenantinvitescontroller_deletetenantinvite.md): Delete an invitation for an account (tenant) using the invitation ID. Use this endpoint to delete a specific invitation by providing its invitation ID as a path parameter. You can obtain the invitation ID via the Get all account (tenant) invites API. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. 
### Get activation strategies - [GET /resources/configurations/v1/activation/strategies](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/activationstrategycontrollerv1_getactivationstrategy.md) ### Create or update activation strategy - [POST /resources/configurations/v1/activation/strategies](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/activationstrategycontrollerv1_createorupdateactivationstrategy.md) ### Get invitation strategies - [GET /resources/configurations/v1/invitation/strategies](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/invitationstrategycontrollerv1_getinvitationstrategy.md) ### Create or update invitation strategy - [POST /resources/configurations/v1/invitation/strategies](https://developers.frontegg.com/ciam/api/identity/account-invitations-settings/invitationstrategycontrollerv1_createorupdateinvitationstrategy.md) ## Core settings ### Update identity management configuration - [POST /resources/configurations/v1](https://developers.frontegg.com/ciam/api/identity/core-settings/vendorconfigcontroller_addorupdateconfig.md): Update the identity management configuration for your environment. Use this endpoint to add or update identity management parameters by sending the desired values in the request body. Refer to the parameter documentation for the list of supported values. ### Get identity management configuration - [GET /resources/configurations/v1](https://developers.frontegg.com/ciam/api/identity/core-settings/vendorconfigcontroller_getvendorconfig.md): Retrieve the identity management configuration for your environment. Use this endpoint to get the current identity management settings configured in your environment. 
### Create captcha policy - [POST /resources/configurations/v1/captcha-policy](https://developers.frontegg.com/ciam/api/identity/core-settings/captchapolicycontroller_createcaptchapolicy.md): Create a CAPTCHA policy for all accounts (tenants). Provide the required settings in the request body. To enable the policy, set the enabled parameter to true, and provide the siteKey and secretKey obtained from reCAPTCHA. You can also set the minimumScore parameter to a value between 0 and 1 to define the minimum score threshold. ### Update captcha policy - [PUT /resources/configurations/v1/captcha-policy](https://developers.frontegg.com/ciam/api/identity/core-settings/captchapolicycontroller_updatecaptchapolicy.md): Update the CAPTCHA policy for all accounts (tenants). Provide the desired settings in the request body. To enable the policy, set the enabled parameter to true, and provide the siteKey and secretKey obtained from reCAPTCHA. You can also set the minimumScore parameter to a value between 0 and 1 to define the minimum score threshold. ### Get captcha policy - [GET /resources/configurations/v1/captcha-policy](https://developers.frontegg.com/ciam/api/identity/core-settings/captchapolicycontroller_getcaptchapolicy.md): Retrieve the CAPTCHA policy for your environment. The response includes the policy ID, siteKey, secretKey, minimumScore, list of ignored emails, and whether the policy is enabled. ### Get JWT template targeting configuration - [GET /resources/configurations/v1/jwt-template-targeting](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatetargetingcontrollerv1_getjwttemplatetargeting.md): Retrieves the JWT template targeting configuration for your environment. Note: This feature must be enabled by request. 
### Create JWT template targeting configuration - [POST /resources/configurations/v1/jwt-template-targeting](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatetargetingcontrollerv1_createjwttemplatetargeting.md): Creates a new JWT template targeting configuration for your environment. Note: This feature must be enabled by request. ### Update or create JWT template targeting configuration - [PUT /resources/configurations/v1/jwt-template-targeting](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatetargetingcontrollerv1_updatejwttemplatetargeting.md): Updates or creates a JWT template targeting configuration for your environment. Note: This feature must be enabled by request. ### Update JWT template targeting configuration by ID - [PATCH /resources/configurations/v1/jwt-template-targeting/{id}](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatetargetingcontrollerv1_patchjwttemplatetargeting.md): Updates a specific JWT template targeting configuration by ID. Note: This feature must be enabled by request. ### Delete JWT template targeting configuration by ID - [DELETE /resources/configurations/v1/jwt-template-targeting/{id}](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatetargetingcontrollerv1_deletejwttemplatetargeting.md): Deletes a specific JWT template targeting configuration by ID. Note: This feature must be enabled by request. ### Create JWT template - [POST /resources/jwt-templates/v1](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatescontroller_createjwttemplate.md): Creates a new JWT template for your environment. Note: This feature must be enabled by request. ### Get all JWT templates - [GET /resources/jwt-templates/v1](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatescontroller_getjwttemplates.md): Retrieves all JWT templates for your environment. Note: This feature must be enabled by request. 
### Get JWT template by ID - [GET /resources/jwt-templates/v1/{id}](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatescontroller_getjwttemplatebyid.md): Retrieves a specific JWT template by ID. Note: This feature must be enabled by request. ### Update JWT template - [PUT /resources/jwt-templates/v1/{id}](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatescontroller_updatejwttemplate.md): Updates an existing JWT template. Note: This feature must be enabled by request. ### Delete JWT template - [DELETE /resources/jwt-templates/v1/{id}](https://developers.frontegg.com/ciam/api/identity/core-settings/jwttemplatescontroller_deletejwttemplate.md): Deletes an existing JWT template. Note: This feature must be enabled by request. ### Get identity management configuration - [GET /resources/configurations/v1/basic](https://developers.frontegg.com/ciam/api/identity/core-settings/vendorconfigcontroller_getvendorconfigbasic.md): Retrieve the identity management configuration for your environment. ## Custom social OAuth provider ### Create custom oauth provider - [POST /resources/sso/custom/v1](https://developers.frontegg.com/ciam/api/identity/custom-social-oauth-provider/customssov1controller_createssoprovider.md): Create a custom social login provider using the OAuth details of the identity provider. Provide the required OAuth parameters in the request body. ### Get custom oauth provider - [GET /resources/sso/custom/v1](https://developers.frontegg.com/ciam/api/identity/custom-social-oauth-provider/ssov2controller_getssoproviders.md): Retrieve the custom social login providers configured in your environment. ### Update custom oauth provider - [PATCH /resources/sso/custom/v1/{id}](https://developers.frontegg.com/ciam/api/identity/custom-social-oauth-provider/customssov1controller_updatessoprovider.md): Update a custom social login provider in your environment by ID. 
Provide the ID of the custom social login provider and the desired OAuth parameters in the request body. ### Delete custom oauth provider - [DELETE /resources/sso/custom/v1/{id}](https://developers.frontegg.com/ciam/api/identity/custom-social-oauth-provider/customssov1controller_deletecustomssoconfig.md): Delete a custom social login provider in your environment by ID. Provide the ID of the custom social login provider to delete. ## Data migration ### Migrate from Auth0 - [POST /resources/migrations/v1/auth0](https://developers.frontegg.com/ciam/api/identity/data-migration/userscontrollerv1_migrateuserfromauth0.md): Migrate users from Auth0 into your environment. Provide the domain, clientId, secret, and tenantIdFieldName parameters in the request body. These values can be obtained from your Auth0 account (tenant) configuration. ### Migrate a single user - [POST /resources/migrations/v1/local](https://developers.frontegg.com/ciam/api/identity/data-migration/userscontrollerv1_migrateuserforvendor.md): Migrate a user into your environment. Provide the required fields: user's email, tenantId, and metadata. You can also include additional properties such as the user's name, phone number, hashed password, and other optional attributes. ### Migrate users in bulk - [POST /resources/migrations/v1/local/bulk](https://developers.frontegg.com/ciam/api/identity/data-migration/userscontrollerv1_bulkmigrateuserforvendor.md): Migrate users in bulk into your environment. Provide an array of users in the request body. Each user object must include the user's email and tenantId, which specifies the user's parent account. You can include additional fields as needed to store more information. If you need to store custom data, use the metadata property. 
### Check status of bulk migration - [GET /resources/migrations/v1/local/bulk/status/{migrationId}](https://developers.frontegg.com/ciam/api/identity/data-migration/userscontrollerv1_checkbulkmigrationstatus.md): Retrieve the status of a pending or completed migration. The response includes the migration's state, the number of migrated users, and any errors that occurred during the migration. The response payload is limited to 1,000 users. ### Migrate vendor users in bulk - [POST /resources/migrations/v2/local/bulk](https://developers.frontegg.com/ciam/api/identity/data-migration/userscontrollerv2_bulkmigrateuserforvendor.md): Migrate users in bulk to your environment. Provide an array of user objects, each containing email and tenantId. Use the metadata property to store custom information for each user. ## Delegation ### Get delegation configuration - [GET /resources/configurations/v1/delegation](https://developers.frontegg.com/ciam/api/identity/delegation/delegationconfigurationcontrollerv1_getdelegationconfiguration.md): Retrieve the delegation configuration for your environment. A valid environment token is required to call this endpoint. ### Create or update delegation configuration - [POST /resources/configurations/v1/delegation](https://developers.frontegg.com/ciam/api/identity/delegation/delegationconfigurationcontrollerv1_createorupdatedelegationconfiguration.md): Enable or disable delegation in the token exchange flow. Use this endpoint to update the delegation configuration by enabling or disabling delegation for the token exchange flow. A valid environment token is required to call this endpoint. ## Email configuration ### Get configuration - [GET /resources/mail/v1/configurations](https://developers.frontegg.com/ciam/api/identity/email-configuration/mailconfigcontroller_getmailconfig.md): Retrieve the mail configuration for your SendGrid account. A valid environment token is required to call this endpoint. 
You can obtain it from the environment authentication route. ### Delete configuration - [DELETE /resources/mail/v1/configurations](https://developers.frontegg.com/ciam/api/identity/email-configuration/mailconfigcontroller_deletemailconfig.md): Delete the mail configuration for your SendGrid account. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Create or update configuration v2 - [POST /resources/mail/v2/configurations](https://developers.frontegg.com/ciam/api/identity/email-configuration/mailconfigcontroller_createorupdatemailconfigv2.md): Configure email settings for your environment, supporting SES, Mailgun, and SendGrid. Provide the email provider, sender details, and any additional parameters in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Create or update configuration (deprecated) - [POST /resources/mail/v1/configurations](https://developers.frontegg.com/ciam/api/identity/email-configuration/mailconfigcontroller_createorupdatemailconfig.md): Configure your SendGrid account to send emails from your environment. Provide your SendGrid secret key in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ## Email templates ### Add or update template - [POST /resources/mail/v1/configs/templates](https://developers.frontegg.com/ciam/api/identity/email-templates/mailv1controller_addorupdatetemplate.md): Create or update an email template for your environment. Specify the email template using the type parameter. The value of type must match one of the predefined Frontegg email templates. Set the sender using the senderEmail parameter, and optionally include values for the other available body parameters. Provide the template information in the request body. 
A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Get template - [GET /resources/mail/v1/configs/templates](https://developers.frontegg.com/ciam/api/identity/email-templates/mailv1controller_gettemplateconfiguration.md): Retrieve all email templates for your environment. To retrieve a specific template, pass its type as a query parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Delete template - [DELETE /resources/mail/v1/configs/templates/{templateId}](https://developers.frontegg.com/ciam/api/identity/email-templates/mailv1controller_deletetemplate.md): Delete a specified email template. Provide the ID of the template to delete. You can obtain the template ID via the Get template API. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Get default template by type - [GET /resources/mail/v1/configs/{type}/default](https://developers.frontegg.com/ciam/api/identity/email-templates/mailv1controller_getdefaulttemplateconfiguration.md): Retrieve the default email template by type. Pass the required type as a query parameter. ## M2M tokens ### Get active access tokens list - [GET /resources/vendor-only/users/access-tokens/v1/active](https://developers.frontegg.com/ciam/api/identity/m2m-tokens/vendoronlyuseraccesstokensv1controller_getactiveaccesstokens.md): Retrieve the list of active access tokens for a specified account (tenant). Pass the account's frontegg-tenant-id as a query parameter. ### Get user access token data - [GET /resources/vendor-only/users/access-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/m2m-tokens/vendoronlyuseraccesstokensv1controller_getuseraccesstokendata.md): Retrieve data for a specific user access token. 
Pass the account's frontegg-tenant-id as a query parameter and the access token id as a path parameter. ### Get account (tenant) access token data - [GET /resources/vendor-only/tenants/access-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/m2m-tokens/vendoronlytenantaccesstokensv1controller_gettenantaccesstokendata.md): Retrieve data for a specific account (tenant) access token. Pass the account's frontegg-tenant-id as a query parameter and the access token id as a path parameter. ## MFA configuration ### Update MFA configuration - [POST /resources/configurations/v1/mfa](https://developers.frontegg.com/ciam/api/identity/mfa-configuration/mfacontroller_upsertmfaconfig.md): Update the MFA configuration for your environment. Provide the desired configuration values as objects in the request body. Refer to the parameter documentation for the list of supported values. ### Get MFA configuration - [GET /resources/configurations/v1/mfa](https://developers.frontegg.com/ciam/api/identity/mfa-configuration/mfacontroller_getmfaconfig.md): Retrieve the MFA configuration for your environment. ## Permissions categories ### Get permissions categories - [GET /resources/permissions/v1/categories](https://developers.frontegg.com/ciam/api/identity/permissions-categories/permissionscategoriescontroller_getallcategorieswithpermissions.md): Retrieves all permission categories for your environment. Each category includes its name, description, associated permissions, and metadata. ### Create category - [POST /resources/permissions/v1/categories](https://developers.frontegg.com/ciam/api/identity/permissions-categories/permissionscategoriescontroller_createpermissioncategory.md): Add a new permissions category. Provide the category information in the request body. Note that categories are not associated with permissions in this route — you can associate permissions by sending the category ID in the add or update permission routes. 
### Update category - [PATCH /resources/permissions/v1/categories/{categoryId}](https://developers.frontegg.com/ciam/api/identity/permissions-categories/permissionscategoriescontroller_updatecategory.md): Update an existing permissions category. Provide the category ID as a path parameter to specify which category to update, and send the updated category information in the request body. This route does not update the permissions associated with the category. Use the add or update permissions routes to manage permission associations. ### Delete category - [DELETE /resources/permissions/v1/categories/{categoryId}](https://developers.frontegg.com/ciam/api/identity/permissions-categories/permissionscategoriescontroller_deletecategory.md): Delete a permissions category. Provide the category ID as a path parameter to specify which category to delete. You can obtain the category ID using the Get categories API. ## Permissions ### Get permissions - [GET /resources/permissions/v1](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_getallpermissions.md): Retrieve all permissions configured for your environment. Each permission object includes the name, description, assigned roles, categories, and other defining information. ### Create permissions - [POST /resources/permissions/v1](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_addpermissions.md): Add a new permission. Provide the permission information in the request body. This route does not associate permissions with roles. Use the associate permission to roles route to manage role associations. ### Delete permission - [DELETE /resources/permissions/v1/{permissionId}](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_deletepermission.md): Delete a permission. Provide the permission ID as a path parameter to specify which permission to delete. You can obtain the permission ID using the Get permissions API. 
### Update permission - [PATCH /resources/permissions/v1/{permissionId}](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_updatepermission.md): Update an existing permission. Provide the permission ID as a path parameter to specify which permission to update, and send the updated permission information in the request body. This route does not update role associations for the permission. Use the associate permission to roles route to manage role associations. ### Set a permission to multiple roles - [PUT /resources/permissions/v1/{permissionId}/roles](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_setrolestopermission.md): Associate a permission with multiple roles. Provide the permission ID as a path parameter and include the role IDs in the request body as an array of strings. Any pre-existing role associations will remain. You can obtain role IDs using the Get roles API. ### Set permissions classification - [PUT /resources/permissions/v1/classification](https://developers.frontegg.com/ciam/api/identity/permissions/permissionscontrollerv1_updatepermissionsassignmenttype.md): Classify permissions for self-service usage. Provide an array of permissionIds and the classification type in the request body. This allows you to segregate which permissions will be used for self-service. ## Roles ### Get roles - [GET /resources/roles/v1](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_getallroles.md): Retrieve all roles across all accounts (tenants). Each role object includes the name, permissions, and other defining information. ### Create roles - [POST /resources/roles/v1](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_addroles.md): Add a new role across all accounts (tenants). This route does not assign permissions to the role. Use the attach permissions to role route to manage role permissions. 
### Delete role - [DELETE /resources/roles/v1/{roleId}](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_deleterole.md): Delete a role. Provide the role ID as a path parameter to specify which role to delete. ### Update role - [PATCH /resources/roles/v1/{roleId}](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_updaterole.md): Update an existing role. Provide the role ID as a path parameter to specify which role to update, and send the updated role information in the request body. This route does not update permissions for the role. Use the attach permissions to role route to manage role permissions. You can obtain the role ID using the Get roles API. ### Assign permissions to a role - [PUT /resources/roles/v1/{roleId}/permissions](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_setpermissionstorole.md): Assign permissions to a role. Provide the role ID as a path parameter and include the permission IDs in the request body as an array of strings. Any pre-existing permissions will be overridden by the new permissions. You can obtain role IDs using the Get roles API and permission IDs using the Get permissions API. ### Update role tenant - [PUT /resources/roles/v1/{roleId}/tenant](https://developers.frontegg.com/ciam/api/identity/roles/permissionscontrollerv1_updateroletenant.md): Updates the account (tenant) ID for a specific role. This is a management-only endpoint. ## SMS configuration ### Creates or updates a vendor SMS config - [POST /resources/configurations/v1/sms](https://developers.frontegg.com/ciam/api/identity/sms-configuration/vendorsmscontroller_createsmsvendorconfig.md): Create or update the SMS configuration for your environment. Provide the desired SMS configuration values in the request body. 
### Deletes a vendor SMS config - [DELETE /resources/configurations/v1/sms](https://developers.frontegg.com/ciam/api/identity/sms-configuration/vendorsmscontroller_deletesmsvendorconfig.md): Delete the SMS configuration for your environment. ### Gets a vendor SMS config - [GET /resources/configurations/v1/sms](https://developers.frontegg.com/ciam/api/identity/sms-configuration/vendorsmscontroller_getsmsvendorconfig.md): Retrieve the SMS configuration for your environment. ## SMS templates ### Gets vendor SMS templates - [GET /resources/configurations/v1/sms/templates](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_getallsmstemplates.md): Retrieve the SMS templates configured for your environment. ### Gets vendor SMS template by type - [GET /resources/configurations/v1/sms/templates/{type}](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_getsmstemplate.md): Retrieve an SMS template by type. Provide the type as a path parameter to specify which SMS template to retrieve. ### Deletes vendor SMS template by type - [DELETE /resources/configurations/v1/sms/templates/{type}](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_deletesmstemplate.md): Delete an SMS template by type. Provide the type as a path parameter to specify which SMS template to delete. ### Create or update a vendor SMS template - [POST /resources/configurations/v1/sms/templates/{type}](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_createsmstemplate.md): Create or update an SMS template by type. Provide the type as a path parameter and include the SMS template details in the request body. ### Gets vendor default SMS template by type - [GET /resources/configurations/v1/sms/templates/{type}/default](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_getsmsdefaulttemplate.md): Retrieve the default SMS template by type. 
Provide the type as a path parameter to specify which default SMS template to retrieve. ### Gets all vendor default SMS templates - [GET /resources/configurations/v1/sms/templates/default/all](https://developers.frontegg.com/ciam/api/identity/sms-templates/vendorsmscontroller_getallsmsdefaulttemplates.md) ## Sessions configuration ### Get environment session configuration - [GET /resources/configurations/sessions/v1/vendor](https://developers.frontegg.com/ciam/api/identity/sessions-configuration/sessionconfigurationcontrollerv1_getvendorsessionconfiguration.md): Retrieve the session configuration for your environment. ## User pools ### Get vendor user sources - [GET /resources/user-sources/v1](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_getusersources.md): Retrieve all user sources configured for your environment. A valid environment token is required to call this endpoint. ### Get vendor user source - [GET /resources/user-sources/v1/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_getusersource.md): Retrieve a user source by ID. A valid environment token is required to call this endpoint. ### Delete user source - [DELETE /resources/user-sources/v1/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_deleteusersource.md): Delete a user source. A valid environment token is required to call this endpoint. ### Create Auth0 external user source - [POST /resources/user-sources/v1/external/auth0](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_createauth0externalusersource.md): Create a new external user source. A valid environment token is required to call this endpoint. 
### Create Cognito external user source - [POST /resources/user-sources/v1/external/cognito](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_createcognitoexternalusersource.md): Create a new external user source. A valid environment token is required to call this endpoint. ### Create Firebase external user source - [POST /resources/user-sources/v1/external/firebase](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_createfirebaseexternalusersource.md): Create a new external user source. A valid environment token is required to call this endpoint. ### Create Custom-Code external user source - [POST /resources/user-sources/v1/external/custom-code](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_createcustomcodeexternalusersource.md): Create a new external user source. A valid environment token is required to call this endpoint. ### Create Federation user source - [POST /resources/user-sources/v1/federation](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_createfederationusersource.md): Create a new federation user source. A valid environment token is required to call this endpoint. ### Update Auth0 external user source - [PUT /resources/user-sources/v1/external/auth0/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_updateauth0externalusersource.md): Update an external user source. A valid environment token is required to call this endpoint. ### Update Cognito external user source - [PUT /resources/user-sources/v1/external/cognito/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_updatecognitoexternalusersource.md): Update an external user source. A valid environment token is required to call this endpoint. 
### Update Firebase external user source - [PUT /resources/user-sources/v1/external/firebase/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_updatefirebaseexternalusersource.md): Update an external user source. A valid environment token is required to call this endpoint. ### Update Custom-Code external user source - [PUT /resources/user-sources/v1/external/custom-code/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_updatecustomcodeexternalusersource.md): Update an external user source. A valid environment token is required to call this endpoint. ### Update Federation user source - [PUT /resources/user-sources/v1/federation/{id}](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_updatefederationusersource.md): Update a federation user source. A valid environment token is required to call this endpoint. ### Assign applications to a user source - [POST /resources/user-sources/v1/assign](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_assignusersource.md): Assign applications to a user source. A valid environment token is required to call this endpoint. ### Unassign applications from a user source - [POST /resources/user-sources/v1/unassign](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_unassignusersource.md): Unassign applications from a user source. A valid environment token is required to call this endpoint. ### Get user source users - [GET /resources/user-sources/v1/{id}/users](https://developers.frontegg.com/ciam/api/identity/user-pools/usersourcescontrollerv1_getusersourceusers.md): Retrieve all users of a user source. A valid environment token is required to call this endpoint. 
## Users ### Set temporary users configuration - [PUT /resources/users/temporary/v1/configuration](https://developers.frontegg.com/ciam/api/identity/users/temporaryusersv1controller_updateconfiguration.md): This route updates the settings for temporary users. Use it to enable or disable temporary users for an environment. ### Update user (global) - [PUT /resources/users/v1/{userId}](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_updateuserforvendor.md): Updates a user’s information globally. Provide the user ID as a path parameter and include the fields to update in the request body. The route supports partial updates: only the provided fields are changed. For identifier fields such as emails or phones, new items are added instead of replacing existing ones. ### Get user - [GET /resources/vendor-only/users/v1/{userId}](https://developers.frontegg.com/ciam/api/identity/users/vendoronlyusers_getuserbyid.md): Retrieve a user by ID, regardless of account (tenant). Provide the user's ID as a path parameter. This route is for management use only. ### Unenroll user from MFA globally - [POST /resources/vendor-only/users/v1/{userId}/mfa/unenroll](https://developers.frontegg.com/ciam/api/identity/users/vendoronlyusers_mfaunenroll.md): Unenroll a user from MFA, regardless of account (tenant). Provide the user's ID as a path parameter. This route is for management use only. ### Verify user's password - [POST /resources/vendor-only/users/v1/passwords/verify](https://developers.frontegg.com/ciam/api/identity/users/vendoronlyusers_verifyuserpassword.md): Verify a user's email and password. Provide the user's email and password in the request body. The response will indicate true or false. This route is for management use only. ### Create user - [POST /resources/vendor-only/users/v1](https://developers.frontegg.com/ciam/api/identity/users/vendoronlyusers_createuser.md): Create a user and set the mfaBypass property for testing purposes. This route is for management use only. 
### Get users account (tenant) statuses - [GET /resources/tenants/users/v1/statuses](https://developers.frontegg.com/ciam/api/identity/users/get.md): Retrieve the account (tenant) statuses of vendor users. Provide an array of userIds (maximum 200) and optionally an array of userTenantStatuses as query parameters. There is a limit of 2000 account (tenant) statuses per user. ### Create user phone number verified by default - [POST /resources/users/phone-numbers/v1/vendor/{userId}](https://developers.frontegg.com/ciam/api/identity/users/userphonenumberscontrollerv1_createuserphonenumbervendor.md): Creates a new phone number for a user. Phone numbers added via this management endpoint are automatically verified. ### Delete user phone number on an environment - [DELETE /resources/users/phone-numbers/v1/vendor/{userId}/{phoneId}](https://developers.frontegg.com/ciam/api/identity/users/userphonenumberscontrollerv1_deleteuserphonenumbervendor.md): Delete a user phone number without verification. ### Invite users to an account (tenant) in bulk - [POST /resources/users/bulk/v1/invite](https://developers.frontegg.com/ciam/api/identity/users/usersbulkcontrollerv1_bulkinviteusers.md): Invite users to an account (tenant) in bulk. Provide an array of users in the request body. Each entry must include a user's email. ### Get status of bulk invite task - [GET /resources/users/bulk/v1/status/{id}](https://developers.frontegg.com/ciam/api/identity/users/usersbulkcontrollerv1_getbulkinvitestatus.md): Retrieve the status of a bulk invite task. ### Get user by email - [GET /resources/users/v1/email](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_getuserbyemail.md): Retrieve a user by email. Provide the user's email as a query parameter. 
### Get user by ID - [GET /resources/users/v1/{id}](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_getuserbyid.md): Retrieve a specific user from an account (tenant). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Verify user - [POST /resources/users/v1/{userId}/verify](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_verifyuser.md): Mark a user as verified. Provide the user's ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Make user invisible - [PUT /resources/users/v1/{userId}/invisible](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_setuserinvisiblemode.md): Set whether a user is invisible or visible. An invisible user remains part of the account (tenant) but will not appear in the list of users in the admin box. The user data remains in the system. Provide the user's ID as a path parameter and a Boolean invisible value in the request body (true for invisible, false for visible). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Make user super-user - [PUT /resources/users/v1/{userId}/superuser](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_setusersuperusermode.md): Set a user as a super-user. Super-user functionality is no longer maintained due to incompatibility with newer features. A super-user has access to all accounts (tenants) within the workspace. Provide the user's ID as a path parameter and a Boolean superUser value in the request body (true for super-user, false for regular user). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. 
### Set user's account (tenant) - [PUT /resources/users/v1/{userId}/tenant](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_updateusertenantforvendor.md): Set the active account (tenant) of a user. The active account (tenant) is the account (tenant) the user will see in their admin portal and the account (tenant) used by default for account (tenant)-specific API routes. Provide the user's ID as a path parameter and the account (tenant) ID as a tenantId value in the request body. If a non-existing account (tenant) ID is provided, an account (tenant) will be created for that ID. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Add user to account (tenant) - [POST /resources/users/v1/{userId}/tenant](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_addusertotenantforvendor.md): Add a user to an account (tenant). Provide the user's ID as a path parameter and the account (tenant) ID as a tenantId value in the request body. To skip sending an invite email, include the optional skipInviteEmail parameter in the request body and set it to true. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Update user email - [PUT /resources/users/v1/{userId}/email](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_updateuseremail.md): Update a user's email address globally, regardless of account (tenant). Provide the user's ID as a path parameter and the new email address as an email value in the request body. ### Generate activation token - [POST /resources/users/v1/{userId}/links/generate-activation-token](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_generateuseractivationlink.md): Generate a new activation token for a user. Provide the user's ID as a path parameter. 
This route does not send the activation email but returns the activation link and token. It can be used in combination with the routes under Users Activation. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Generate password reset token - [POST /resources/users/v1/{userId}/links/generate-password-reset-token](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_generateuserpasswordresetlink.md): Generate a password reset token for a user. Provide the user's ID as a path parameter. This route does not send the reset password email but returns the reset link and token. It can be used in combination with the routes under Users Passwords. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Unlock user - [POST /resources/users/v1/{userId}/unlock](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_unlockuser.md): Unlock a locked user. An unlocked user can sign in and use the system globally, regardless of account (tenant). Provide the user's ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Lock user - [POST /resources/users/v1/{userId}/lock](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_lockuser.md): Lock a user. A locked user cannot sign in or use the system globally, regardless of account (tenant). Provide the user's ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Move all users from one account (tenant) to another - [PUT /resources/users/v1/tenants/migrate](https://developers.frontegg.com/ciam/api/identity/users/userscontrollerv1_movealluserstenants.md): Migrate all users from a source account (tenant) to a target account (tenant). 
Specify srcTenantId (source account (tenant) ID) and targetTenantId (target account (tenant) ID) in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ## Account invitations ### Get account (tenant) invite of user - [GET /resources/tenants/invites/v1/user](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitescontroller_gettenantinviteforuser.md): Retrieve an invitation for a specific user to join an account (tenant). ### Create account (tenant) invite for user - [POST /resources/tenants/invites/v1/user](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitescontroller_createtenantinviteforuser.md): Create an invitation for a specific user to join an account (tenant). To create a general invitation, use the general invitation route. ### Delete account (tenant) invite of user - [DELETE /resources/tenants/invites/v1/user](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitescontroller_deletetenantinviteforuser.md): Delete an invitation for a specific user to join an account (tenant). To delete a general invitation, use the general invitation route. ### Update account (tenant) invite of user - [PATCH /resources/tenants/invites/v1/user](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitescontroller_updatetenantinviteforuser.md): Update an invitation for a specific user to join an account (tenant). To set a specific expiration time, use the expiresInMinutes parameter to define when the invitation will be invalidated. Use the shouldSendEmail Boolean parameter to control whether an invitation email is sent. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. 
### Verify account (tenant) invite - [POST /resources/tenants/invites/v1/verify](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitescontroller_verifytenantinvite.md): Verify an account (tenant) invitation. Pass the invitation token as the token parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Get account (tenant) invite configuration - [GET /resources/tenants/invites/v1/configuration](https://developers.frontegg.com/ciam/api/identity/account-invitations/getinvitationconfiguration.md): Check whether account (tenant) invitations are enabled and whether notifications are active for your environment. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route. ### Create tenant invite with roles for user - [POST /resources/tenants/invites/v2/user](https://developers.frontegg.com/ciam/api/identity/account-invitations/tenantinvitesv2controller_createtenantinviteforuser.md): Creates an invitation with assigned roles for a specific user to join an account (tenant). Provide the user's ID via the frontegg-user-id header and the account ID via the frontegg-tenant-id header. For general invitations without a specific user, use the general invitation endpoint instead. ## Account roles ### Get roles v2 - [GET /resources/roles/v2](https://developers.frontegg.com/ciam/api/identity/account-roles/permissionscontrollerv2_getallroles.md): Retrieve all roles for your environment. Each role object includes the name, permissions, and other defining information. ### Create a new role - [POST /resources/roles/v2](https://developers.frontegg.com/ciam/api/identity/account-roles/rolescontrollerv2_addrole.md): Add a new role for a specific account (tenant). Include the required permissions in the request body to customize the role. 
### Get distinct levels of roles - [GET /resources/roles/v2/distinct-levels](https://developers.frontegg.com/ciam/api/identity/account-roles/rolescontrollerv2_getdistinctlevels.md): Retrieve all role levels for your environment. ### Get distinct assigned accounts (tenants) of roles - [GET /resources/roles/v2/distinct-tenants](https://developers.frontegg.com/ciam/api/identity/account-roles/rolescontrollerv2_getdistincttenants.md): Retrieve all assigned account (tenant) IDs from roles for your environment. ## API tokens ### Create account (tenant) access token - [POST /resources/tenants/access-tokens/v1](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantaccesstokensv1controller_createtenantaccesstoken.md): Create an access token for a specific account (tenant). ### Get account (tenant) access tokens - [GET /resources/tenants/access-tokens/v1](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantaccesstokensv1controller_gettenantaccesstokens.md): Retrieve all access tokens for a specific account (tenant). ### Delete account (tenant) access token - [DELETE /resources/tenants/access-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantaccesstokensv1controller_deletetenantaccesstoken.md): Delete an account (tenant) access token. ### Get client credentials tokens - [GET /resources/tenants/api-tokens/v1](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantapitokensv1controller_gettenantsapitokens.md): Retrieve all API tokens for a specific account (tenant). ### Delete client credentials token - [DELETE /resources/tenants/api-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantapitokensv1controller_deletetenantapitoken.md): Delete an account (tenant) API token. 
### Update client credentials token - [PATCH /resources/tenants/api-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantapitokensv1controller_updatetenantapitoken.md): Update an account (tenant) API token. ### Create client credentials token - [POST /resources/tenants/api-tokens/v2](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantapitokensv2controller_createtenantapitoken.md): Create an account (tenant) API token. You can retrieve roles and permissions via the API. ### Create client credentials token (deprecated) - [POST /resources/tenants/api-tokens/v1](https://developers.frontegg.com/ciam/api/identity/api-tokens/tenantapitokensv1controller_createtenantapitoken.md): Do not use. Instead, use v2 of this route. ## Domain restrictions ### Create domain restriction - [POST /resources/configurations/restrictions/v1/email-domain](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_createdomainrestriction.md): Creates a new email domain restriction for an account (tenant). Provide the restriction configuration in the request body. See the schema below for available parameters and values. ### Get domain restrictions - [GET /resources/configurations/restrictions/v1/email-domain](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_getdomainrestrictions.md): Retrieve the domain restrictions for an account (tenant). ### Get domain restrictions - [GET /resources/configurations/restrictions/v1/email-domain/config](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_getdomainrestrictionsconfig.md): Retrieve the domain restrictions for an account (tenant). 
### Change domain restrictions config list type and toggle it off/on - [POST /resources/configurations/restrictions/v1/email-domain/config](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_updatedomainrestrictionsconfig.md): Update the domain restrictions configuration. You can toggle the domain restriction check on or off. ### Delete domain restriction - [DELETE /resources/configurations/restrictions/v1/email-domain/{id}](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_deletedomainrestriction.md): Delete a domain restriction. ### Replace bulk domain restriction - [POST /resources/configurations/restrictions/v1/email-domain/replace-bulk](https://developers.frontegg.com/ciam/api/identity/domain-restrictions/domainrestrictionscontroller_createbulkdomainsrestriction.md): Replace all domain restrictions with the domains provided in the request body. ## IP restrictions ### Create or update IP restriction configuration (ALLOW/BLOCK) - [POST /resources/configurations/v1/restrictions/ip/config](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_createdomainrestriction.md): Create or update the IP restriction configuration. You can configure IP restrictions as either ALLOW or BLOCK. ### Get IP restriction configuration (ALLOW/BLOCK) - [GET /resources/configurations/v1/restrictions/ip/config](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_getiprestrictionconfig.md): Retrieve the IP restriction configuration for an account (tenant). The configuration defines whether IP restrictions are set to ALLOW or BLOCK. ### Get all IP restrictions - [GET /resources/configurations/v1/restrictions/ip](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_getalliprestrictions.md): Retrieve the IP restrictions for an account (tenant). 
### Create IP restriction - [POST /resources/configurations/v1/restrictions/ip](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_createiprestriction.md): Create or update an IP restriction for an account (tenant). Provide the required values as objects in the request body. Refer to the parameter documentation for the list of supported values. ### Test Current IP - [POST /resources/configurations/v1/restrictions/ip/verify](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_testcurrentip.md): Check if the current IP is allowed based on the IP restriction configuration. ### Test current IP is in allow list - [POST /resources/configurations/v1/restrictions/ip/verify/allow](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/testcurrentipinallowlist.md): Verifies if the current IP address is in the allow list for your environment. ### Delete IP restriction by IP - [DELETE /resources/configurations/v1/restrictions/ip/{id}](https://developers.frontegg.com/ciam/api/identity/ip-restrictions/iprestrictionscontrollerv1_deleteiprestrictionbyid.md): Delete an IP restriction. Provide the IP restriction ID as a path parameter. ## Lockout policy ### Create lockout policy - [POST /resources/configurations/v1/lockout-policy](https://developers.frontegg.com/ciam/api/identity/lockout-policy/lockoutpolicycontroller_createlockoutpolicy.md): Create a lockout policy for all accounts (tenants). To enable the lockout policy, set the enabled parameter to true and configure the maximumAttempts value as desired. ### Update lockout policy - [PATCH /resources/configurations/v1/lockout-policy](https://developers.frontegg.com/ciam/api/identity/lockout-policy/lockoutpolicycontroller_updatelockoutpolicy.md): Update the lockout policy for all accounts (tenants). To disable the lockout policy, set the enabled parameter to false. You can also update the maximumAttempts value as desired. 
### Get lockout policy - [GET /resources/configurations/v1/lockout-policy](https://developers.frontegg.com/ciam/api/identity/lockout-policy/lockoutpolicycontroller_getlockoutpolicy.md): Retrieve the lockout policy for all accounts (tenants) or for a specific account (tenant). ## MFA settings ### Create MFA policy - [POST /resources/configurations/v1/mfa-policy](https://developers.frontegg.com/ciam/api/identity/mfa-settings/securitypolicycontroller_createmfapolicy.md): Create an MFA policy globally or for a specific account (tenant). ### Update security policy - [PATCH /resources/configurations/v1/mfa-policy](https://developers.frontegg.com/ciam/api/identity/mfa-settings/securitypolicycontroller_updatesecuritypolicy.md): Update the MFA policy for all accounts (tenants). ### Upsert security policy - [PUT /resources/configurations/v1/mfa-policy](https://developers.frontegg.com/ciam/api/identity/mfa-settings/securitypolicycontroller_upsertsecuritypolicy.md): Create or update the MFA policy for all accounts (tenants). ### Get security policy - [GET /resources/configurations/v1/mfa-policy](https://developers.frontegg.com/ciam/api/identity/mfa-settings/securitypolicycontroller_getsecuritypolicy.md): This route gets the MFA policy for all accounts (tenants). ### Get MFA strategies - [GET /resources/configurations/v1/mfa/strategies](https://developers.frontegg.com/ciam/api/identity/mfa-settings/mfastrategiescontrollerv1_getmfastrategies.md): Retrieve the MFA strategies configured for your environment. ### Create or update MFA strategy - [POST /resources/configurations/v1/mfa/strategies](https://developers.frontegg.com/ciam/api/identity/mfa-settings/mfastrategiescontrollerv1_createorupdatemfastrategy.md): Create or update an MFA strategy. Provide the desired strategy configuration in the request body. 
## Password settings ### Create or update password configuration - [POST /resources/configurations/v1/password](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordpolicycontroller_addorupdatepasswordconfig.md): Create or update the password policy for the entire environment. ### Get password policy configuration - [GET /resources/configurations/v1/password](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordpolicycontroller_getpasswordconfig.md): Retrieve the password policy for all accounts (tenants). ### Create password history policy - [POST /resources/configurations/v1/password-history-policy](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordhistorypolicycontroller_createpolicy.md): Create a password history policy for all accounts (tenants). To enable the password history policy, set the enabled parameter to true and specify the passwordHistorySize as a number between 1 and 10. ### Update password history policy - [PATCH /resources/configurations/v1/password-history-policy](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordhistorypolicycontroller_updatepolicy.md): Update the password history policy for all accounts (tenants). To disable the password history policy, set the enabled parameter to false. You can also update the passwordHistorySize value to a number between 1 and 10. ### Get password history policy - [GET /resources/configurations/v1/password-history-policy](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordhistorypolicycontroller_getpolicy.md): Retrieve the password history policy for all accounts (tenants) or for a specific account (tenant). ### Reset password - [POST /resources/users/v1/passwords/reset](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv1_resetpassword.md): Send a reset password email to a user. Provide the user's email in the request body. 
If your email template uses metadata, include the email metadata in the request body as well. ### Verify password - [POST /resources/users/v1/passwords/reset/verify](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv1_verifyresetpassword.md): Verify a user's password using a verification token. Provide the userId, token, and password in the request body. The token can be obtained using the route for generating a user password reset token. ### Change password - [POST /resources/users/v1/passwords/change](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv1_changepassword.md): Change the password for a logged-in user. Include the current and new passwords in the request body. ### Get strictest password configuration - [GET /resources/users/v1/passwords/config](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv1_getuserpasswordconfig.md): Retrieve the user's strictest password configuration. This is useful when a user belongs to multiple accounts (tenants) with varying password complexity requirements. The route returns the strictest setting the user is subject to. ### Reset password via email - [POST /resources/users/v2/passwords/reset/email](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv2_resetpasswordviaemail.md): Sends a password reset email to the user. Provide the user's email address in the request body to initiate the reset process. ### Reset password via SMS - [POST /resources/users/v2/passwords/reset/sms](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv2_resetpasswordviasms.md): Sends a password reset SMS with a one-time code (OTP) to the user. Provide the user's phone number in the request body to initiate the reset process. 
### Verify password reset code sent via SMS - [POST /resources/users/v2/passwords/reset/sms/verify](https://developers.frontegg.com/ciam/api/identity/password-settings/userspasswordcontrollerv2_verifyresetpasswordviasmsotc.md): Verifies the one-time code (OTP) sent via SMS for password reset. Provide the OTP in the request body. If valid, returns the user ID and reset token. ### Get password expiration period configuration - [GET /resources/configurations/v1/password-rotation](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordrotationconfigcontrollerv1_getpasswordrotationconfiguration.md): Retrieve the password expiration period configuration for your environment or for a specific account (tenant). ### Manage password expiration - [POST /resources/configurations/v1/password-rotation](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordrotationconfigcontrollerv1_upsertpasswordrotationconfiguration.md): Create or update the configuration for the password expiration policy. If no configuration exists, a default policy will be applied. ### Get environment configuration for password expiration period. - [GET /resources/configurations/v1/password-rotation/vendor](https://developers.frontegg.com/ciam/api/identity/password-settings/passwordrotationconfigcontrollerv1_getvendorpasswordrotationconfiguration.md): Retrieve the password expiration period configuration for your environment or for a specific account (tenant). ## Personal tokens ### Create user access token - [POST /resources/users/access-tokens/v1](https://developers.frontegg.com/ciam/api/identity/personal-tokens/useraccesstokensv1controller_createuseraccesstoken.md): Create an access token for a specific user. ### Get user access tokens - [GET /resources/users/access-tokens/v1](https://developers.frontegg.com/ciam/api/identity/personal-tokens/useraccesstokensv1controller_getuseraccesstokens.md): Retrieve all access tokens for a specific user. 
### Delete user access token by token ID - [DELETE /resources/users/access-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/personal-tokens/useraccesstokensv1controller_deleteuseraccesstoken.md): Delete a user access token. ### Create user client credentials token - [POST /resources/users/api-tokens/v1](https://developers.frontegg.com/ciam/api/identity/personal-tokens/userapitokensv1controller_createtenantapitoken.md): Create a user-specific API token. ### Get user client credentials tokens - [GET /resources/users/api-tokens/v1](https://developers.frontegg.com/ciam/api/identity/personal-tokens/userapitokensv1controller_getapitokens.md): Retrieve a user-specific API token. ### Delete user client credentials token by token ID - [DELETE /resources/users/api-tokens/v1/{id}](https://developers.frontegg.com/ciam/api/identity/personal-tokens/userapitokensv1controller_deleteapitoken.md): Delete a user-specific API token. ## Sessions management ### Get account (tenant) or vendor default session configuration - [GET /resources/configurations/sessions/v1](https://developers.frontegg.com/ciam/api/identity/sessions-management/sessionconfigurationcontrollerv1_getsessionconfiguration.md): Retrieve the session configuration for the entire environment or for a specific account (tenant). ### Create or update account (tenant) or vendor default session configuration - [POST /resources/configurations/sessions/v1](https://developers.frontegg.com/ciam/api/identity/sessions-management/sessionconfigurationcontrollerv1_createsessionconfiguration.md): Create or update the session configuration for the entire environment or for a specific account (tenant). ## User groups ### Get all groups - [GET /resources/groups/v1](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_getallgroups.md): Retrieve all user groups for an account (tenant). 
### Create group - [POST /resources/groups/v1](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_creategroup.md): Create a user group for an account (tenant). Provide the group details in the request body. ### Get groups by Ids - [POST /resources/groups/v1/bulkGet](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_getgroupsbyids.md): Retrieve user groups by given IDs for an account (tenant). Provide the group IDs in the request body. ### Update group - [PATCH /resources/groups/v1/{id}](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_updategroup.md): Update a user group by ID for an account (tenant). Provide the group ID as a path parameter and the updated group details in the request body. ### Delete group - [DELETE /resources/groups/v1/{id}](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_deletegroup.md): Delete a user group by ID for an account (tenant). Provide the group ID as a path parameter. ### Get group by ID - [GET /resources/groups/v1/{id}](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_getgroupbyid.md): Retrieve a user group by ID for an account (tenant). Provide the group ID as a path parameter. ### Get groups configuration - [GET /resources/groups/v1/config](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_getgroupsconfiguration.md): Retrieve the user group configuration for your environment. ### Create or update groups configuration - [POST /resources/groups/v1/config](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_createorupdategroupsconfiguration.md): Create or update the user group configuration for your environment. Provide the configuration details in the request body. 
### Add roles to group - [POST /resources/groups/v1/{groupId}/roles](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_addrolestogroup.md): Add roles to an existing user group. A user can assign only roles that are lower than their own. ### Remove roles from group - [DELETE /resources/groups/v1/{groupId}/roles](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_removerolesfromgroup.md): Remove roles from an existing user group. Provide the roles to remove in the request body. ### Add users to group - [POST /resources/groups/v1/{groupId}/users](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_adduserstogroup.md): Add users to an existing user group. Only users with higher roles than the group's roles are allowed to perform this action. ### Remove users from group - [DELETE /resources/groups/v1/{groupId}/users](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv1_removeusersfromgroup.md): Remove users from an existing user group. Provide the users to remove in the request body. ### Get all groups paginated - [GET /resources/groups/v2](https://developers.frontegg.com/ciam/api/identity/user-groups/groupscontrollerv2_getallgroupspaginated.md): Retrieve all user groups for an account (tenant), with pagination. Use query parameters to control pagination and optionally include related group data. ## User management ### Disable user account (tenant) - [POST /resources/tenants/users/v1/{userId}/disable](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantscontrollerv1_disableusertenant.md): Disable a user for an account (tenant). A disabled user cannot log in to the account (tenant) or use the system. Provide the user's ID as a path parameter. 
### Enable user account (tenant) - [POST /resources/tenants/users/v1/{userId}/enable](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantscontrollerv1_enableusertenant.md): Enable a disabled user for an account (tenant). An enabled user can log in and use the system. Provide the user's ID as a path parameter. ### Sets a permanent user to temporary - [PUT /resources/users/temporary/v1/{userId}](https://developers.frontegg.com/ciam/api/identity/user-management/temporaryusersv1controller_edittimelimit.md): Update the settings for temporary users. Use this route to enable or disable temporary users for your environment. ### Sets a temporary user to permanent - [DELETE /resources/users/temporary/v1/{userId}](https://developers.frontegg.com/ciam/api/identity/user-management/temporaryusersv1controller_setuserpermanent.md): Set an existing temporary user as permanent. Provide the user's ID as a path parameter. ### Gets temporary users configuration - [GET /resources/users/temporary/v1/configuration](https://developers.frontegg.com/ciam/api/identity/user-management/temporaryusersv1controller_getconfiguration.md): Retrieve the settings for temporary users. Use this endpoint to check whether the policy is enabled or disabled. ### Get all user emails - [GET /resources/users/emails/v1](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_getallemails.md): This route returns all user emails. ### Create a user email - [POST /resources/users/emails/v1](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_createuseremail.md): This route creates a user email. ### Verify user email - [POST /resources/users/emails/v1/verify](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_verifyuseremail.md): This route verifies a user email. 
### Delete a user email - [DELETE /resources/users/emails/v1/{emailId}](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_deleteuseremail.md): This route deletes a user email. ### Create a user email for vendor - [POST /resources/users/emails/v1/vendor/{userId}](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_createuseremailforvendor.md): Creates a new email address for a user. ### Delete a user email for vendor - [DELETE /resources/users/emails/v1/vendor/{userId}/{emailId}](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_deleteuseremailforvendor.md): This route deletes a user email. ### Mark email as primary for vendor - [POST /resources/users/emails/v1/vendor/{userId}/primary](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_markemailasprimary.md): This route marks an email as primary. ### Mark email as primary - [POST /resources/users/emails/v1/me/primary](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_markemailasprimaryme.md): This route marks an email as primary. ### Get current user's emails - [GET /resources/users/emails/v1/me](https://developers.frontegg.com/ciam/api/identity/user-management/useremailscontrollerv1_getuserownemails.md): This route returns all user emails for the current user. ### Set sub-account access for a user - [PUT /resources/sub-tenants/users/v1/{userId}/access](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_setuserrolesfromsubtenants.md): Set sub-account access for a user. Use this endpoint to enable or disable sub-account access by setting the value to true or false. 
### Reset user activation token - [POST /resources/users/v1/activate/reset](https://developers.frontegg.com/ciam/api/identity/user-management/usersactivationcontrollerv1_resetactivationtoken.md): Reset the activation token for a user and trigger a new activation email. Provide the user's ID as a path parameter. ### Reset invitation - [POST /resources/users/v1/invitation/reset](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantmanagementcontrollerv1_resettenantinvitationtoken.md): Reset an invitation for a user to join a specific account (tenant). The response includes a new invitation link with a new token. ### Reset all invitation tokens - [POST /resources/users/v1/invitation/reset/all](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantmanagementcontrollerv1_resetalltenantsinvitationtoken.md): Reset all invitations for a user to join all sub-accounts (tenants) that currently have an invitation token. The response includes new invitation links with new tokens. ### Get users - [GET /resources/users/v3](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv3_getusers.md): Retrieve all users for an account (tenant) or for the entire environment. ### Get users roles - [GET /resources/users/v3/roles](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv3_getusersroles.md): Retrieve all user roles for an account (tenant). ### Get users groups - [GET /resources/users/v3/groups](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv3_getusersgroups.md): Retrieve all user groups for an account (tenant). ### Unlock user - [POST /resources/users/v3/me/unlock](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv3_unlock.md): Unlock your user account. Provide the required information in the request body to unlock the account. 
### Invite user - [POST /resources/users/v2](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv2_createuser.md): Create a user for a specific account (tenant). Include the user's information in the request body. The email and metadata fields are required. The metadata field can be empty (e.g., {}). ### Update user profile - [PUT /resources/users/v2/me](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv2_updateuserprofile.md): Update the profile of a logged-in user. Provide the updated values in the request body. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. ### Get user profile - [GET /resources/users/v2/me](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv2_getuserprofile.md): Retrieve the profile of a logged-in user. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. ### Update user - [PUT /resources/users/v1](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_updateuser.md): Update a user's information for a specific account (tenant). Include the updated user information in the request body. ### Remove user - [DELETE /resources/users/v1/{userId}](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_removeuserfromtenant.md): Remove a user globally or from a specific account (tenant). An environment token is required for this route and can be obtained from the environment authentication route. ### Assign roles to user - [POST /resources/users/v1/{userId}/roles](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_addrolestouser.md): Associate roles to a specific user for a specific account (tenant). 
### Unassign roles from user - [DELETE /resources/users/v1/{userId}/roles](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_deleterolesfromuser.md): Disassociate roles from a specific user for a specific account (tenant). Include the role IDs in the request body as an array of strings. ### Update user's active account (tenant) - [PUT /resources/users/v1/tenant](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_updateusertenant.md): Update the current account (tenant) for a logged-in user. Use this endpoint when a user belongs to multiple accounts (tenants) and wants to change the active account (tenant). Include the target account (tenant) ID in the request body. ### Get users with fuzzy search - [GET /resources/users/v1/query/phrase](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_searchusers.md): Retrieve all users for a specific account (tenant) or for the entire environment. In addition to all standard Get users query parameters, this route supports phrase search, enabling complex queries with options such as contains, excludes, optional, and approximate matching. ### Get usernames for users - [GET /resources/usernames/v1](https://developers.frontegg.com/ciam/api/identity/user-management/usernamescontrollerv1_getusersusernames.md): This route gets usernames for users. ### Create a username for user - [POST /resources/usernames/v1](https://developers.frontegg.com/ciam/api/identity/user-management/usernamescontrollerv1_createusername.md): This route creates a username for a user. ### Delete a username for user - [DELETE /resources/usernames/v1/{username}](https://developers.frontegg.com/ciam/api/identity/user-management/usernamescontrollerv1_deleteusername.md): This route deletes a username for a user. 
### Get authenticated user's username - [GET /resources/usernames/v1/me](https://developers.frontegg.com/ciam/api/identity/user-management/usernamescontrollerv1_getmeusernames.md) ### Update user email - [POST /resources/users/v1/email/me](https://developers.frontegg.com/ciam/api/identity/user-management/selfemailupdatecontrollerv1_updateemailme.md): This route updates the email for a user. ### Verify user email - [POST /resources/users/v1/email/me/verify](https://developers.frontegg.com/ciam/api/identity/user-management/selfemailupdatecontrollerv1_verifyemailme.md): This route verifies the email for a user. ### Activate user - [POST /resources/users/v1/activate](https://developers.frontegg.com/ciam/api/identity/user-management/usersactivationcontrollerv1_activateuser.md): Activate a non-activated user. Include the userId and activationToken in the request body. If required by your environment's sign-in flow, also include the user's password and reCAPTCHA values. You can generate an activation token using the route under Users → Generate Activation Token. Alternatively, you can use the built-in email template for user activation. ### Activate user with code - [POST /resources/users/v1/activate/code](https://developers.frontegg.com/ciam/api/identity/user-management/usersactivationcontrollerv1_activateuserwithcode.md): Activate a non-activated user. Use this endpoint to implement a custom activation flow. Include the userId, activationToken, and code in the request body. If required by your environment's sign-in flow, also include the user's password and reCAPTCHA values. You can generate an activation token using the route under Users → Generate Activation Token. Alternatively, you can use the built-in email template for user activation. 
### Get user activation strategy - [GET /resources/users/v1/activate/strategy](https://developers.frontegg.com/ciam/api/identity/user-management/usersactivationcontrollerv1_getactivationstrategy.md): Retrieve a user's activation strategy. The activation strategy indicates whether the user needs to set a password. Include the userId and activationToken in the request body. You can generate an activation token using the route under Users → Generate Activation Token. The response returns a Boolean field shouldSetPassword. If true, the user needs to set a password. If false, the user does not need to set a password (for example, SSO users do not set passwords). ### Accept invitation - [POST /resources/users/v1/invitation/accept](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantmanagementcontrollerv1_acceptinvitation.md): Accept an invitation for a user to join a specific account (tenant). Include the userId and invitationToken in the request body. These values appear as query parameters in the URL that Frontegg sends to the user in the activation email. ### Accept invitation with code - [POST /resources/users/v1/invitation/accept/code](https://developers.frontegg.com/ciam/api/identity/user-management/userstenantmanagementcontrollerv1_acceptinvitationwithcode.md): Accept an invitation to join a specific account (tenant) using an invitation code. Include the required userId, invitationToken, and code in the request body. ### Get user profile - [GET /resources/users/v3/me](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv3_getuserprofile.md): Retrieve the profile of a logged-in user. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. 
### Get user accounts (tenants) - [GET /resources/users/v2/me/tenants](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv2_getusertenants.md): Retrieve the list of accounts (tenants) that a logged-in user belongs to. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. ### Get user accounts (tenants) hierarchy - [GET /resources/users/v2/me/hierarchy](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv2_getusertenantshierarchy.md): Retrieve the list of accounts (tenants) with hierarchy metadata that a logged-in user belongs to. If the user is a member of multiple accounts (tenants) in a hierarchy, some entries may be reduced based on the hierarchy structure. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. ### Get user permissions and roles - [GET /resources/users/v1/me/authorization](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_getmeauthorization.md): Retrieve the list of permissions and roles that a logged-in user has. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. ### Get user accounts (tenants) - [GET /resources/users/v1/me/tenants](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_getusertenants.md): Retrieve the list of accounts (tenants) that a logged-in user belongs to. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication. 
### Create user (deprecated) - [POST /resources/users/v1](https://developers.frontegg.com/ciam/api/identity/user-management/userscontrollerv1_createuser.md): Use the V2 route for Invite User. This route is no longer relevant. ## User sessions ### Get user's active sessions - [GET /resources/users/sessions/v1/me](https://developers.frontegg.com/ciam/api/identity/user-sessions/usersessionscontrollerv1_getactivesessions.md): Retrieve all active sessions for a user. ### Delete all user sessions - [DELETE /resources/users/sessions/v1/me/all](https://developers.frontegg.com/ciam/api/identity/user-sessions/usersessionscontrollerv1_deletealluseractivesessions.md): Delete all active sessions for a user. ### Delete single user's session - [DELETE /resources/users/sessions/v1/me/{id}](https://developers.frontegg.com/ciam/api/identity/user-sessions/usersessionscontrollerv1_deleteusersession.md): Delete a specific active session for a user. ## Users-applications management ### Get users for application - [GET /resources/applications/v1/{appId}/users](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationscontrollerv1_getusersforapplication.md): Retrieve users for an application. Provide the application ID as a path parameter. ### Get applications for user - [GET /resources/applications/v1/{userId}/apps](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationscontrollerv1_getapplicationsforuser.md): Retrieve applications for a user. Provide the user's ID as a path parameter. ### Assign users to application - [POST /resources/applications/v1](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationscontrollerv1_assignuserstoapplication.md): Assign users to an application. Provide the application ID as a path parameter and the user IDs in the request body. 
### Unassign users from application - [DELETE /resources/applications/v1](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationscontrollerv1_unassignusersfromapplication.md): Unassign users from an application. Provide the application ID as a path parameter and the user IDs in the request body. ### Get user active accounts (tenants) in applications - [GET /resources/applications/user-tenants/active/v1](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationsactiveusertenantscontrollerv1_getuserapplicationactivetenants.md): Retrieve the active accounts (tenants) of a user for an application. Provide the application ID and the user ID as path parameters. ### Switch user's active account (tenant) in applications - [PUT /resources/applications/user-tenants/active/v1](https://developers.frontegg.com/ciam/api/identity/users-applications-management/applicationsactiveusertenantscontrollerv1_switchuserapplicationactivetenant.md): Update the active accounts (tenants) of a user for an application. Provide the application ID and the user ID as path parameters and the updated list of account (tenant) IDs in the request body.