# Account Management Overview Frontegg is built with multi-tenancy in mind, allowing the creation and management of multiple accounts (tenants) within an environment. This section provides an overview of relevant API endpoints, organized into Management and Self-Service categories, supporting the creation of accounts, hierarchies, and sub-accounts. **Management Endpoints**: Require environment-level authorization and offer full control over resources, including SSO (SAML and OIDC) configurations, account hierarchies, and sub-accounts. **Self-Service Endpoints**: Accessible with a user token (JWT), enabling users with the appropriate permissions to create, update, and delete sub-accounts from ah hierarchy. ## Servers EU Region ``` https://api.frontegg.com/tenants ``` US Region ``` https://api.us.frontegg.com/tenants ``` CA Region ``` https://api.ca.frontegg.com/tenants ``` AU Region ``` https://api.au.frontegg.com/tenants ``` Frontegg sub-domain for use with user tokens ``` https://{domain}.frontegg.com/tenants ``` Variables: - `domain` Default: "app-xxx" ## Security ### bearer Type: http Scheme: bearer Bearer Format: JWT ## Download OpenAPI description [Account Management Overview](https://developers.frontegg.com/_bundle/ciam/api/tenants.yaml) ## Accounts ### Delete account (tenant) - [DELETE /resources/tenants/v1/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_deletetenant.md): Remove an account (tenant) and all its users. If the account is part of a hierarchy, all sub-accounts are reassigned to the deleted account's parent. Requires an environment token obtained from the environment authentication route. ### Create an account (tenant) - [POST /resources/tenants/v1](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_createtenant.md): Create a new account (tenant). If an account with the given ID previously existed and was removed, this action will reactivate that account. Requires an environment token obtained from the environment authentication route. ### Delete current account (tenant) - [DELETE /resources/tenants/v1](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_deletecurrenttenant.md): Delete the current account (tenant) and all users belonging to that account. Only users with the fe.account-settings.delete.account permission can perform this action. A user token is required for this route and can be obtained after user authentication. ### Add account (tenant) metadata - [POST /resources/tenants/v1/{tenantId}/metadata](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_addtenantmetadata.md): Add metadata to an account (tenant). If a metadata key already exists, its value is overwritten. Provide the account (tenant) ID as a path parameter and the metadata object in the request body. An environment token is required for this route and can be obtained from the environment authentication route. ### Delete account (tenant) metadata - [DELETE /resources/tenants/v1/{tenantId}/metadata/{key}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_deletetenantmetadata.md): Remove a key-value pair from an account's (tenant's) metadata. Provide the account (tenant) ID and the metadata key as path parameters. An environment token is required for this route and can be obtained from the environment authentication route. ### Get accounts (tenants) - [GET /resources/tenants/v2](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv2_gettenants.md): Retrieve all accounts (tenants) for an environment. Supports filtering, sorting, and pagination. You can filter by account name or account (tenant) ID, sort by createdAt, name, or tenantId, and specify the order (ASC or DESC). You can also provide specific account (tenant) IDs to retrieve only those accounts (tenants). The default limit is 50 accounts (tenants) per request; the maximum is 200. ### Get an account (tenant) - [GET /resources/tenants/v2/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv2_gettenant.md): Retrieve an account (tenant) by its identifier. If the account (tenant) cannot be found, an empty array is returned. Provide the account (tenant) ID as a path parameter. An environment token is required for this route and can be obtained from the environment authentication route. ### Update an account (tenant) - [PUT /resources/tenants/v2/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv2_updatetenant.md): Update an account (tenant). Provide the account (tenant) ID as a path parameter and the updated account (tenant) data in the request body. An environment token is required for this route and can be obtained from the environment authentication route. ### Get account (tenant) by ID (deprecated) - [GET /resources/tenants/v1/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_gettenant.md): Use the V2 route for Get account (tenant). This route is no longer relevant. ### Update account (tenant) (deprecated) - [PUT /resources/tenants/v1/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/accounts/tenantcontrollerv1_updatetenant.md): Use the V2 route for update account (tenant). This route is no longer relevant. ## Sub-accounts and hierarchy ### Create sub-account (tenant) - [POST /resources/hierarchy/v1](https://developers.frontegg.com/ciam/api/tenants/sub-accounts-and-hierarchy/tenanthierarchycontrollerv1_createsubtenants.md): Assign an existing account (tenant) to the hierarchy as a sub-account of a given parent account. A vendor token is required for this route, it can be obtained from the vendor authentication route. ### Delete sub-account (tenant) - [DELETE /resources/hierarchy/v1](https://developers.frontegg.com/ciam/api/tenants/sub-accounts-and-hierarchy/tenanthierarchycontrollerv1_deletesubtenant.md): Delete given sub-account from the hierarchy. A vendor token is required for this route, it can be obtained from the vendor authentication route. ## Account migration ### Migrate accounts (tenants) - [POST /resources/migrations/v1/tenants](https://developers.frontegg.com/ciam/api/tenants/account-migration/migrationcontrollerv1_migratetenants.md): Migrate one or more existing accounts (tenants) into your current environment. Use this route to initiate migration for a list of account (tenant) IDs. This request requires an environment token for authentication. ### Accounts (tenants) migration status - [GET /resources/migrations/v1/tenants/status/{migrationId}](https://developers.frontegg.com/ciam/api/tenants/account-migration/migrationcontrollerv1_getmigratetenantsstatus.md): Retrieve the current status of an ongoing accounts (tenants) migration. Provide the migrationId to track the progress and outcome of the migration request. This route requires an environment token for authentication. ## Account settings ### Get account settings - [GET /resources/account-settings/v1](https://developers.frontegg.com/ciam/api/tenants/account-settings/accountsettingscontrollerv1_getsettings.md): Get account settings of an account (tenant). An account is determined by a given user token when using a user token and by the frontegg-tenant-id when using a vendor token. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token is required for this route, it can be obtained from the vendor authentication route. ### Update account settings - [PUT /resources/account-settings/v1](https://developers.frontegg.com/ciam/api/tenants/account-settings/accountsettingscontrollerv1_updatesettings.md): Update account settings of an account (tenant). There has to be at least one setting passed on the body. An account is determined by a given user token when using a user token and by the frontegg-tenant-id when using a vendor token. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token is required for this route, it can be obtained from the vendor authentication route. ### Get public settings - [GET /resources/account-settings/v1/public](https://developers.frontegg.com/ciam/api/tenants/account-settings/accountsettingscontrollerv1_getpublicsettings.md): Get account public settings of an account (tenant). An account is determined by a given user token when using a user token and by the frontegg-tenant-id when using a vendor token. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token is required for this route, it can be obtained from the vendor authentication route. ## Sub-accounts ### Create sub-account - [POST /resources/sub-tenants/v1](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/subtenantcontrollerv1_createsubtenant.md): Create a new sub-account (tenant). If an account with given ID had existed before and was removed, then this action will reactivate that account. A user or vendor token is required for this route. A user token can be obtained after user authentication. ### Update sub-account (tenant) management - [PUT /resources/sub-tenants/v1/{tenantId}/management](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/subtenantcontrollerv1_updatesubtenantmanagement.md): Enable sub-account to give child accounts multi-seller management capabilities. Send isReseller: true to update sub-accounts with this capability ### Update sub-account hierarchy settings - [PUT /resources/sub-tenants/v1/{tenantId}/hierarchy-settings](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/subtenantcontrollerv1_updatesubtenanthierarchysettings.md): Set the default behavior of sub-account access in an account (tenant). Set subAccountAccessType to defaultOff or defaultOn to allow sub-account access to be changed, or alwaysOn to force sub-account access on all users. ### Delete a sub-account by ID - [DELETE /resources/sub-tenants/v1/{tenantId}](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/subtenantcontrollerv1_deletesubtenant.md): Delete a sub-account. A user or vendor token is required for this route. A user token can be obtained after user authentication. ### Get sub-accounts (tenants) - [GET /resources/hierarchy/v1](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/tenanthierarchycontrollerv1_getsubtenants.md): Get all sub-accounts from the hierarchy. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token is required for this route, it can be obtained from the vendor authentication route. ### Get parent accounts (tenants) - [GET /resources/hierarchy/v1/parents](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/tenanthierarchycontrollerv1_getparenttenants.md): Get all parent accounts from the hierarchy. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token can be obtained from the vendor authentication route. ### Get sub-accounts (tenanants) hierarchy tree - [GET /resources/hierarchy/v1/tree](https://developers.frontegg.com/ciam/api/tenants/sub-accounts/tenanthierarchycontrollerv1_getsubtenantstree.md): Get all sub-accounts hierarchy as a tree structure. A user token or vendor token are required for this route. A user token can be obtained after user authentication. A vendor token is required for this route, it can be obtained from the vendor authentication route.