# API token

## Authenticate using API token

- [POST /resources/auth/v2/api-token](https://developers.frontegg.com/ciam/api/identity/api-token/authenticationapitokencontrollerv2_authapitoken.md): Authenticates using an account (tenant) or user API token. Obtain your clientId and secret from Admin Portal → API Tokens, then provide them in the request body. Send the request to your Frontegg environment (e.g., https://.frontegg.com). Note: By default, this endpoint enforces refresh token rotation. Each API token is limited to 100 active refresh tokens. When authenticating with the same API token for the 101st time, the oldest refresh token is automatically invalidated. Use this endpoint to securely authenticate automated services, back-end clients, or integrations that rely on static credentials.

## Refresh API token

- [POST /resources/auth/v2/api-token/token/refresh](https://developers.frontegg.com/ciam/api/identity/api-token/authenticationapitokencontrollerv2_refreshtoken.md): Refreshes a JWT access token using a refresh token. If the refresh token is valid, returns a new JWT and refresh token pair. This maintains an authenticated session without requiring the user to log in again. If the refresh token is invalid, expired, or has been revoked due to rotation limits, the request will fail with an authentication error.
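
The rotation limit described above, modelled locally as an added example (not Frontegg code and not part of the original page): it shows which holders of a shared API token lose their refresh token once more than 100 of them have authenticated. The class and function names are hypothetical, and the model assumes that a refresh retires the presented token and that the replacement counts toward the same cap.

```python
from collections import OrderedDict
import secrets

MAX_ACTIVE_REFRESH_TOKENS = 100  # per-API-token cap stated on the page


class ApiTokenSessions:
    """Local model (hypothetical, not Frontegg code) of one API token's refresh tokens."""

    def __init__(self, limit=MAX_ACTIVE_REFRESH_TOKENS):
        self.limit = limit
        self.active = OrderedDict()  # refresh token -> holder label, oldest first

    def _issue(self, holder):
        token = secrets.token_urlsafe(16)  # constructed opaque value
        self.active[token] = holder
        evicted = []
        while len(self.active) > self.limit:
            # Over the cap: the oldest refresh token is invalidated.
            evicted.append(self.active.popitem(last=False)[1])
        return token, evicted

    def authenticate(self, holder):
        """Models POST /resources/auth/v2/api-token (clientId + secret in the body)."""
        return self._issue(holder)

    def refresh(self, token):
        """Models POST /resources/auth/v2/api-token/token/refresh.
        Assumption: rotation retires the presented token when a new pair is issued."""
        holder = self.active.pop(token, None)
        if holder is None:
            raise PermissionError("refresh token invalid, expired or revoked")
        return self._issue(holder)[0]


def simulate_fleet(workers):
    """Every worker authenticates once with the same API token, then refreshes.
    Returns the workers whose refresh is rejected."""
    sessions = ApiTokenSessions()
    held = {f"worker-{i}": sessions.authenticate(f"worker-{i}")[0] for i in range(workers)}
    failed = []
    for name, token in held.items():
        try:
            held[name] = sessions.refresh(token)
        except PermissionError:
            failed.append(name)  # must fall back to a full authenticate
    return failed
```

A client that re-authenticates on every run instead of persisting and refreshing its token has the same effect as adding another worker, so a rejected refresh on a long-lived service is worth correlating with authentication volume for that API token.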