Skip to main content

To continue using the Axeptio API from July 10, 2026

On July 10, 2026, Axeptio will change its authentication system. Here's how to update your API integration before the deadline.

Written by Alexandre Dias Da Silva

As of July 10, 2026, tokens generated by the old authentication system will be invalidated and it will no longer be possible to generate an API access token via username and password. The current authentication endpoints will be deprecated. Any call to the Axeptio API presenting a token generated by the old system will be rejected — whether from code, a script, or a tool like Postman. If this applies to you, update your authentication method by following the steps below.

Who is affected?

This article applies to you if you call the Axeptio API directly — from code, a script, your integrations, a tool like Postman, or any other HTTP client.

If you only use Axeptio administration and do not call the API directly, no action is required from you.

Why this change?

Axeptio is migrating its authentication system to Frontegg. This migration lays the technical foundations for upcoming features: MFA, Social login, SSO, and audit logs. It also enables more robust and granular API access management.

What happens if you don't migrate

As of July 10, 2026, any call to the Axeptio API using the old authentication system will be rejected. Your already published consent banners are not affected — only programmatic integrations will stop working.

What's changing

The endpoint for obtaining a Bearer token changes, as do the associated credentials, but the way you pass the token in your requests remains the same — an Authorization: Bearer header. What changes in practice: you now obtain a short-lived token from Frontegg in exchange for a Client ID and Secret, rather than a long-lived token via your username and password.

Before

After

Endpoint

POST /auth/local/signin

Credentials

username + password

clientId + secret

Lifespan

Long-lived

1 hour — refresh automatically

Transmission

Authorization: Bearer

Authorization: Bearer (unchanged)

Global flow overview

  1. Generate an API access in Axeptio administration. You get a Client ID and Secret that identify your integration.

  2. Request a token from Frontegg by presenting your Client ID and Secret. You receive an access_token in return, valid for 1 hour.

  3. Call the Axeptio API by including this token in the Authorization: Bearer header of each request.

  4. Refresh the token before it expires via the dedicated endpoint, without having to re-enter the Client ID and Secret.

1. Generate an API access in Axeptio administration

  1. Log in to Axeptio administration.

  2. Go to Settings → API Access.

  3. Copy your Client ID and Secret.

Keep your secret in a safe place — it cannot be retrieved after generation. Never hardcode it in your code: store it in an environment variable.

2. Request a token from Frontegg

Call the Frontegg endpoint with your Client ID and Secret. You receive an access_token in return, valid for 1 hour, and a refresh_token to renew it.

curl -X POST https://login.axept.io/identity/resources/auth/v2/api-token \
-H "Content-Type: application/json" \
-d '{ "clientId": "<CLIENT_ID>", "secret": "<SECRET>" }'










Response:

{
"access_token": "eyJ...",
"refresh_token": "dGhp...",
"expires_in": 3600
}










3. Call the Axeptio API

Include the access_token in the Authorization header of each request.

curl https://api.axept.io/v1/<ENDPOINT> \
-H "Authorization: Bearer <ACCESS_TOKEN>"










4. Refresh the token before expiration

The token expires after 1 hour. Before each call, check if it is still valid and refresh it if necessary — without having to re-enter the Client ID and Secret.

curl -X POST https://login.axept.io/identity/resources/auth/v2/api-token/token/refresh \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "<REFRESH_TOKEN>" }'










Complete code examples

TypeScript / Node.js

const FRONTEGG_URL = process.env.FRONTEGG_URL;

interface FronteggTokenResponse {
access_token: string;
refresh_token: string;
expires_in: number;
}

async function getAccessToken(clientId: string, secret: string): Promise<FronteggTokenResponse> {
const res = await fetch(`${FRONTEGG_URL}/identity/resources/auth/v2/api-token`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ clientId, secret }),
});
if (!res.ok) throw new Error(`Token fetch failed: ${res.status}`);
return res.json();
}

async function refreshAccessToken(refreshToken: string): Promise<FronteggTokenResponse> {
const res = await fetch(`${FRONTEGG_URL}/identity/resources/auth/v2/api-token/token/refresh`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ refreshToken }),
});
if (!res.ok) throw new Error(`Token refresh failed: ${res.status}`);
return res.json();
}

async function callAxeptioApi(accessToken: string, path: string) {
const res = await fetch(`https://api.axept.io/v1${path}`, {
headers: { Authorization: `Bearer ${accessToken}` },
});
if (!res.ok) throw new Error(`API call failed: ${res.status}`);
return res.json();
}

// Usage with automatic refresh
let token = await getAccessToken(CLIENT_ID, SECRET);

let expiresAt = Date.now() + token.expires_in * 1000;

async function apiCall(path: string) {
// Refreshes 60 s before expiration to avoid rejections due to network latency
if (Date.now() > expiresAt - 60_000) {
token = await refreshAccessToken(token.refresh_token);
expiresAt = Date.now() + token.expires_in * 1000;
}
return callAxeptioApi(token.access_token, path);
}










Python

import time
import requests

FRONTEGG_URL = "https://login.axept.io"
AXEPTIO_API = "https://api.axept.io/v1"

def get_access_token(client_id: str, secret: str) -> dict:
res = requests.post(
f"{FRONTEGG_URL}/identity/resources/auth/v2/api-token",
json={"clientId": client_id, "secret": secret},
)
res.raise_for_status()
return res.json()

def refresh_access_token(refresh_token: str) -> dict:
res = requests.post(
f"{FRONTEGG_URL}/identity/resources/auth/v2/api-token/token/refresh",
json={"refreshToken": refresh_token},
)
res.raise_for_status()
return res.json()

def call_axeptio_api(access_token: str, path: str) -> dict:
res = requests.get(
f"{AXEPTIO_API}{path}",
headers={"Authorization": f"Bearer {access_token}"},
)
res.raise_for_status()
return res.json()

# Usage with automatic refresh
token = get_access_token(CLIENT_ID, SECRET)

expires_at = time.time() + token["expires_in"]

def api_call(path: str) -> dict:
global token, expires_at
if time.time() > expires_at - 60: # 60 s margin to avoid rejections due to network latency
token = refresh_access_token(token["refresh_token"])
expires_at = time.time() + token["expires_in"]
return call_axeptio_api(token["access_token"], path)










Reference

The complete list of available endpoints is documented in the Axeptio Swagger.

Need help?

If your calls fail after migration, if your credentials are not visible in Axeptio administration, or for any other question, please contact our support team.

Did this answer your question?