M2M tokens

Frontegg supports two types of Machine-to-Machine (M2M) tokens for authentication: Client Credentials Tokens and Access Tokens. Either type can be issued in one of two contexts, as a User Token or a Tenant Token, depending on your application's requirements.


Token contexts

User tokens

User tokens are tied to individual users and include the following:

  • The user context.
  • The roles and permissions assigned to the user on the active account (tenant).

User tokens are ideal for user-specific operations and are automatically deleted when the associated user is removed from the system.

Tenant tokens

Tenant tokens are associated with an account (tenant) rather than a specific user. They are intended for account-wide operations, and their roles and permissions are defined by the scopes granted when the token is created.


Token types

Client credentials tokens

Client Credentials Tokens can be used in both User and Tenant contexts for passwordless authentication methods, such as magic codes or links. Key features include:

  • Time sensitivity: Tokens are valid for a limited period and are designed for short-term authentication.
  • Refresh token rotation: Supports up to 100 active refresh tokens simultaneously, ensuring security by invalidating the oldest token upon the 101st refresh.
  • Header usage: The client credentials are exchanged for a bearer token, which is then passed in the Authorization header.

Access tokens

Access Tokens are versatile and can also be used in both User and Tenant contexts. They are designed for longer-term authentication and role-based access control. Key features include:

  • Flexible expiration: Tokens can be configured with specific validity periods to suit your application's requirements.
  • Direct usage: These tokens are JWTs that can be used immediately, without an additional exchange step.
  • Header usage: These tokens are passed in the X-API-KEY header.
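As an added illustration of the two header conventions and the refresh-token limit described above (example code, not Frontegg's own SDK or API): `build_headers` puts a client-credentials bearer token in `Authorization` and an access-token JWT in `X-API-KEY`, refusing a JWT whose `exp` claim has already passed; `RefreshTokenRing` models the rotation rule where the oldest of 100 live refresh tokens is invalidated by the 101st. The JWT decoding here is unverified and only for a local expiry check; the server still validates the signature. `make_unsigned_jwt` builds a constructed, unsigned token purely so the example runs offline.

```python
import base64
import json
import time
from collections import OrderedDict


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (local expiry check only;
    the server still verifies the signature). Raises ValueError if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_headers(token_type: str, token: str, now=None) -> dict:
    """Return the HTTP header each M2M token type is sent in."""
    if token_type == "client_credentials":
        # Bearer token obtained from the client-credentials exchange.
        return {"Authorization": f"Bearer {token}"}
    if token_type == "access_token":
        # Access tokens are JWTs passed as-is in X-API-KEY; refuse expired ones.
        exp = decode_jwt_claims(token).get("exp")
        if exp is not None and exp <= (time.time() if now is None else now):
            raise ValueError("access token has expired")
        return {"X-API-KEY": token}
    raise ValueError(f"unknown token type: {token_type}")


class RefreshTokenRing:
    """Models refresh-token rotation: at most `limit` live tokens; issuing one
    more invalidates the oldest (limit=100 means the 101st evicts the 1st)."""

    def __init__(self, limit: int = 100):
        self.limit = limit
        self._live = OrderedDict()  # insertion order == issue order

    def rotate(self, new_token: str):
        """Register a freshly issued refresh token; return the one invalidated, if any."""
        self._live[new_token] = None
        if len(self._live) > self.limit:
            evicted, _ = self._live.popitem(last=False)
            return evicted
        return None


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (empty signature) for local tests only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```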