## M2M tokens

Frontegg supports two types of Machine-to-Machine (M2M) tokens for authentication: **Client Credentials Tokens** and **Access Tokens**. These tokens can be used in two contexts: as **User Tokens** or **Tenant Tokens**, depending on your application's requirements.

## Token contexts

### User tokens

User tokens are tied to individual users and include the following:

- The user context.
- The roles and permissions assigned to the user on the active account (tenant).

User tokens are ideal for user-specific operations and are automatically deleted when the associated user is removed from the system.

### Tenant tokens

Tenant tokens are associated with an account (tenant) rather than a specific user. These tokens are useful for account-wide operations, and their roles and permissions are defined by the scopes granted during token creation.

## Token types

### Client credentials tokens

Client Credentials Tokens can be used in both **User** and **Tenant** contexts for **passwordless authentication** methods, such as magic codes or links. Key features include:

- **Time sensitivity:** Tokens are valid for a limited period and are designed for short-term authentication.
- **Refresh token rotation:** Supports up to 100 active refresh tokens simultaneously, ensuring security by invalidating the oldest token upon the 101st refresh.
- **Header usage:** These credentials are used for generating a bearer token that should be passed in the `Authorization` header.

### Access tokens

Access Tokens are versatile and can also be used in both **User** and **Tenant** contexts. They are designed for **longer-term authentication** and **role-based access control**. Key features include:

- **Flexible expiration:** Tokens can be configured with specific validity periods to suit your application's requirements.
- **Direct usage:** These tokens are JWTs that can be used immediately without additional exchange processes.
- **Header usage:** These tokens are passed in the `X-API-KEY` header.
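The refresh-token cap described under **Client credentials tokens** (at most 100 active refresh tokens, the oldest invalidated when the 101st is issued) is easier to reason about with a small model of the server-side bookkeeping. The following is an added illustration, not Frontegg's implementation: it assumes a refresh issues a new token and leaves the presented one active until the cap evicts it (the page does not say whether use of a refresh token consumes it), and the `RefreshTokenRotator` class and its method names are constructed for the demo.

```python
import secrets
from collections import OrderedDict

# Cap stated on the page: at most 100 active refresh tokens per credential.
MAX_ACTIVE_REFRESH_TOKENS = 100


class RefreshTokenRotator:
    """Per-credential store of active refresh tokens (hypothetical demo class).

    Assumption: refreshing issues a new token and does not by itself revoke the
    presented one; only the cap revokes, and it always revokes the oldest token.
    """

    def __init__(self, limit=MAX_ACTIVE_REFRESH_TOKENS):
        self.limit = limit
        self._active = OrderedDict()   # insertion order doubles as token age
        self.evicted = []              # audit trail of tokens invalidated by the cap

    def issue(self):
        """Mint a fresh opaque token and enforce the cap by dropping the oldest."""
        token = secrets.token_urlsafe(32)
        self._active[token] = None
        while len(self._active) > self.limit:
            oldest, _ = self._active.popitem(last=False)
            self.evicted.append(oldest)
        return token

    def refresh(self, presented):
        """Exchange an active refresh token for a new one; reject unknown or evicted tokens."""
        if presented not in self._active:
            raise PermissionError("unknown or invalidated refresh token")
        return self.issue()

    def is_active(self, token):
        return token in self._active

    def active_count(self):
        return len(self._active)


def simulate_rotation(refreshes):
    """Log in once, then refresh `refreshes` times; report whether the first token survived."""
    rotator = RefreshTokenRotator()
    first = rotator.issue()
    current = first
    for _ in range(refreshes):
        current = rotator.refresh(current)
    return {
        "active": rotator.active_count(),
        "first_still_active": rotator.is_active(first),
        "evicted": len(rotator.evicted),
    }


if __name__ == "__main__":
    print(simulate_rotation(99))   # 100 tokens in play, first still valid
    print(simulate_rotation(100))  # 101st token evicts the first
```

Because eviction is by age rather than by use, a long-lived token minted on a forgotten device is the first thing to go once the credential is refreshed enough times, which is the security property the page describes.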