⚠️ This article is currently being written. Some information may change before the migration date.
Starting July 6, 2026, tokens generated by the old authentication system will be invalidated and it will no longer be possible to generate an API access token via username and password. The current authentication endpoints will be deprecated. Any call to the Axeptio API presenting a token generated by the old system will be rejected — whether from code, a script, or a tool like Postman. If this applies to you, update your authentication method by following the steps below.
Who is affected?
This article applies to you if you call the Axeptio API directly — from code, a script, your integrations, a tool like Postman, or any other HTTP client.
If you only use Axeptio administration and do not call the API directly, no action is required from you.
Why this change?
Axeptio is migrating its authentication system to Frontegg. This migration lays the technical foundation for upcoming features: MFA, Social login, SSO, and audit logs. It also enables more robust and fine-grained API access management.
What happens if you do not migrate
Starting July 6, 2026, any call to the Axeptio API using the old authentication system will be rejected. Your already published consent banners are not affected — only programmatic integrations will stop working.
What changes
The endpoint to obtain a Bearer token changes, as do the associated credentials, but the way you transmit the token in your requests remains the same — an Authorization: Bearer header. What changes in practice: you now obtain a short-lived token from Frontegg in exchange for a Client ID and Secret, rather than a long-lived token via your username and password.
| | Before | After |
|---|---|---|
| Endpoint | POST /auth/local/signin | POST /identity/resources/auth/v2/api-token |
| Credentials | username + password | clientId + secret |
| Lifespan | Long-lived | 1 hour — refresh automatically |
| Transmission | Authorization: Bearer | Authorization: Bearer (unchanged) |
Overall flow overview
Generate API access in Axeptio administration. You obtain a Client ID and Secret that identify your integration.
Request a token from Frontegg by presenting your Client ID and Secret. You receive in return an access_token, valid for 1 hour.
Call the Axeptio API by including this token in the Authorization: Bearer header of each request.
Refresh the token before it expires via the dedicated endpoint, without having to re-enter the Client ID and Secret.
1. Generate API access in Axeptio administration
Log in to Axeptio administration.
Go to Settings → API Access.
Copy your Client ID and Secret.
Keep your secret in a safe place — it cannot be recovered after generation. Never hardcode it in your code: store it in an environment variable.
2. Request a token from Frontegg
Call the Frontegg endpoint with your Client ID and Secret. You receive in return an access_token, valid for 1 hour, and a refresh_token to renew it.
curl -X POST https://<FRONTEGG_URL>/identity/resources/auth/v2/api-token \
  -H "Content-Type: application/json" \
  -d '{ "clientId": "<CLIENT_ID>", "secret": "<SECRET>" }'
Response:
{
  "access_token": "eyJ...",
  "refresh_token": "dGhp...",
  "expires_in": 3600
}
3. Call the Axeptio API
Include the access_token in the Authorization header of each request.
curl https://api.axept.io/v1/<ENDPOINT> \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
4. Refresh the token before expiration
The token expires after 1 hour. Before each call, check if it is still valid and refresh it if necessary — without having to re-enter the Client ID and Secret.
curl -X POST https://<FRONTEGG_URL>/identity/resources/auth/v2/api-token/token/refresh \
  -H "Content-Type: application/json" \
  -d '{ "refreshToken": "<REFRESH_TOKEN>" }'
Complete code examples
TypeScript / Node.js
const FRONTEGG_URL = process.env.FRONTEGG_URL;
// Credentials are read from the environment, never written in source code.
// The variable names CLIENT_ID and SECRET are assumptions; use your own.
const CLIENT_ID = process.env.CLIENT_ID;
const SECRET = process.env.SECRET;
if (!FRONTEGG_URL || !CLIENT_ID || !SECRET) {
  throw new Error("FRONTEGG_URL, CLIENT_ID and SECRET must be set");
}

interface FronteggTokenResponse {
  access_token: string;
  refresh_token: string;
  expires_in: number; // lifetime in seconds
}

// Exchanges the Client ID and Secret for an access token and a refresh token.
async function getAccessToken(clientId: string, secret: string): Promise<FronteggTokenResponse> {
  const res = await fetch(`${FRONTEGG_URL}/identity/resources/auth/v2/api-token`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ clientId, secret }),
  });
  if (!res.ok) throw new Error(`Token fetch failed: ${res.status}`);
  return res.json();
}

// Obtains a new token pair from the refresh token alone.
async function refreshAccessToken(refreshToken: string): Promise<FronteggTokenResponse> {
  const res = await fetch(`${FRONTEGG_URL}/identity/resources/auth/v2/api-token/token/refresh`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ refreshToken }),
  });
  if (!res.ok) throw new Error(`Token refresh failed: ${res.status}`);
  return res.json();
}

// Calls the Axeptio API with the token in the Authorization: Bearer header.
async function callAxeptioApi(accessToken: string, path: string) {
  const res = await fetch(`https://api.axept.io/v1${path}`, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`API call failed: ${res.status}`);
  return res.json();
}

// Usage with automatic refresh
let token = await getAccessToken(CLIENT_ID, SECRET);
let expiresAt = Date.now() + token.expires_in * 1000;

async function apiCall(path: string) {
  // Refreshes 60 s before expiration to avoid rejections in case of network latency
  if (Date.now() > expiresAt - 60_000) {
    token = await refreshAccessToken(token.refresh_token);
    expiresAt = Date.now() + token.expires_in * 1000;
  }
  return callAxeptioApi(token.access_token, path);
}
Python
import os
import time

import requests

FRONTEGG_URL = "https://<FRONTEGG_URL>"
AXEPTIO_API = "https://api.axept.io/v1"
# Credentials are read from the environment, never written in source code.
# The variable names CLIENT_ID and SECRET are assumptions; use your own.
CLIENT_ID = os.environ["CLIENT_ID"]
SECRET = os.environ["SECRET"]
TIMEOUT = 10  # seconds; requests waits indefinitely when no timeout is given


def get_access_token(client_id: str, secret: str) -> dict:
    """Exchange the Client ID and Secret for an access token and a refresh token."""
    res = requests.post(
        f"{FRONTEGG_URL}/identity/resources/auth/v2/api-token",
        json={"clientId": client_id, "secret": secret},
        timeout=TIMEOUT,
    )
    res.raise_for_status()
    return res.json()


def refresh_access_token(refresh_token: str) -> dict:
    """Obtain a new token pair from the refresh token alone."""
    res = requests.post(
        f"{FRONTEGG_URL}/identity/resources/auth/v2/api-token/token/refresh",
        json={"refreshToken": refresh_token},
        timeout=TIMEOUT,
    )
    res.raise_for_status()
    return res.json()


def call_axeptio_api(access_token: str, path: str) -> dict:
    """Call the Axeptio API with the token in the Authorization: Bearer header."""
    res = requests.get(
        f"{AXEPTIO_API}{path}",
        headers={"Authorization": f"Bearer {access_token}"},
        timeout=TIMEOUT,
    )
    res.raise_for_status()
    return res.json()


# Usage with automatic refresh
token = get_access_token(CLIENT_ID, SECRET)
expires_at = time.time() + token["expires_in"]


def api_call(path: str) -> dict:
    global token, expires_at
    if time.time() > expires_at - 60:  # 60 s margin to avoid rejections in case of network latency
        token = refresh_access_token(token["refresh_token"])
        expires_at = time.time() + token["expires_in"]
    return call_axeptio_api(token["access_token"], path)
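
In the examples above, a rejected refresh call raises an error and leaves the integration with no valid token. The following is an added example, not Axeptio's or Frontegg's code: a token cache that refreshes 60 s early and falls back to the Client ID and Secret when the refresh is rejected. The names `TokenManager`, `post` and `make_fake_frontegg` are hypothetical, and the 401 returned by the fake server is a constructed failure.

```python
import time

TOKEN_PATH = "/identity/resources/auth/v2/api-token"
REFRESH_PATH = TOKEN_PATH + "/token/refresh"

class TokenManager:
    """Caches the token, refreshes it early, re-authenticates if the refresh is rejected."""

    def __init__(self, post, client_id, secret, clock=time.time, margin=60.0):
        # post(path, json_body) -> (status, body) is a hypothetical transport hook.
        self._post, self._clock, self._margin = post, clock, margin
        self._creds = {"clientId": client_id, "secret": secret}
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        return "TokenManager(<credentials redacted>)"  # keeps the secret out of logs

    def _exchange(self, path, payload):
        status, body = self._post(path, payload)
        ok = 200 <= status < 300
        if ok:
            self._token = body
            self._expires_at = self._clock() + body["expires_in"]
        return ok, status

    def _authenticate(self):
        ok, status = self._exchange(TOKEN_PATH, self._creds)
        if not ok:
            # Report the status only; the request body holds the secret.
            raise RuntimeError(f"token request failed: HTTP {status}")

    def access_token(self):
        if self._token is None:
            self._authenticate()
        elif self._clock() > self._expires_at - self._margin:
            ok, _ = self._exchange(REFRESH_PATH, {"refreshToken": self._token["refresh_token"]})
            if not ok:
                self._authenticate()  # refresh rejected: fall back to Client ID + Secret
        return self._token["access_token"]

def make_fake_frontegg(reject_refresh=False):
    """Constructed stand-in for the two Frontegg endpoints; records the requested paths."""
    calls = []
    def post(path, body):
        calls.append(path)
        if path == REFRESH_PATH and reject_refresh:
            return 401, {}
        n = len(calls)
        return 200, {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}
    return post, calls
```

In a real integration, `post` would wrap `requests.post` against your Frontegg URL and return the status code with the parsed JSON body.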
Reference
The complete list of available endpoints is documented in the Axeptio Swagger.
Need help?
If your calls fail after the migration, if your credentials are not visible in Axeptio administration, or for any other question, do not hesitate to contact our support team.
