## Token management

Frontegg's Token management feature allows you to customize JWT tokens according to your application's specific requirements. You can create custom token templates that define which claims to include or exclude, set different expiration times, and apply targeting rules to control when specific templates are used.

## Key features

### Custom token templates

Create multiple JWT token templates with different configurations:

- **Template types**: Start from Frontegg's default JWT structure or create a blank template
- **Custom claims**: Add, remove, or modify JWT claims based on your needs
- **Flexible expiration**: Set different token expiration times per template
- **Signing algorithms**: Choose between RS256 and HS256 signing algorithms

### Targeting rules

Apply templates conditionally based on:

- **User attributes**: User ID, email, application ID, tenant ID, role ID
- **Token types**: User tokens, personal tokens, or account (tenant) tokens
- **Advanced operators**: Support for various matching conditions (is, contains, ends with, etc.)

### Claims management

Control JWT payload with precision:

- **OIDC required claims**: Ensure compliance with OpenID Connect standards
- **Frontegg required claims**: Maintain compatibility with Frontegg's authentication flow
- **User claims**: Include user-specific information (name, email, metadata, etc.)
- **Entitlements claims**: Add roles, permissions, plans, and feature flags
- **Account claims**: Include tenant-specific information

## Default Frontegg JWT structure

When no custom template is applied or as a fallback, Frontegg uses the following default JWT structure:

```
{
  "sub": "********-****-****-****-************",
  "name": "****************",
  "email": "****************",
  "email_verified": ****************,
  "metadata": {},
  "roles": [
    "****************"
  ],
  "permissions": [
    "****************",
    "****************",
    "****************"
  ],
  "tenantId": "********-****-****-****-************",
  "tenantIds": [
    "********-****-****-****-************",
    "********-****-****-****-************",
    "********-****-****-****-************"
  ],
  "profilePictureUrl": "****************",
  "sid": "********-****-****-****-************",
  "type": "****************",
  "applicationId": "********-****-****-****-************",
  "aud": "********-****-****-****-************",
  "iss": "****************",
  "iat": ****************,
  "exp": ****************
}
```

This structure includes all standard user information, entitlements, and session data that Frontegg applications typically require.
## Benefits

### Enhanced security

- **Minimal token payload**: Remove sensitive or unnecessary claims to reduce token size
- **Custom expiration**: Set appropriate token lifetimes for different use cases
- **Targeted application**: Apply different security policies based on context

### Improved performance

- **Reduced header size**: Smaller JWTs mean smaller HTTP headers and better performance
- **Optimized claims**: Include only the claims your application actually needs
- **Faster validation**: Smaller tokens are processed more quickly

### Flexible integration

- **Multiple templates**: Support different token formats for various integrations
- **Conditional logic**: Apply templates based on user, tenant, or application context
- **Backward compatibility**: Maintain existing integrations while adding new capabilities

## Getting started

To start using Token management:

1. **Navigate to Token management**: Go to [ENVIRONMENT] → Security → Token management
2. **Create a template**: Click "Create Template" to define your first custom token template
3. **Configure claims**: Add or remove claims based on your requirements
4. **Set targeting rules**: Define when the template should be applied
5. **Deploy**: Save your template and apply it to your environment

## Important considerations

- **Fallback behavior**: If a template is missing or corrupted, Frontegg will always fall back to the [default JWT structure](#default-frontegg-jwt-structure) shown above
- **Internal claims**: Frontegg-specific claims (like `act`, `amr`, `acr`) cannot be modified and will be overridden if included
- **OIDC compliance**: Required OIDC claims (`iss`, `sub`, `aud`, `exp`, `iat`) must be included in all templates