The Core API uses API tokens to authenticate its user.

You MUST send the token for each request in the Authorization header. The token MUST be preceded by Bearer. See the Authorization header in the example request below.

curl --request GET \
  --header 'Authorization: Bearer [REQUEST_TOKEN]'

OAuth v Front API Tokens

There are two ways to get an API token — directly through the Front UI (Settings > Plugins & API > API) or via OAuth.

If you’re just building an integration for your own Front instance or a single Front customer, or have a development instance you want to begin making requests with, read our How to create and revoke API tokens guide for information on how to generate an API token.

For Partners looking to launch a public integration to all Front customers, if your integration can support OAuth you’ll want to check out our OAuth guide.


OAuth is required for public integrations available to all Front customers.


When you create a Front API token, the scopes you choose will restrict what data it can access through the API. You can choose from the following scopes:

Scope nameDescription
Shared resourcesAccess to all team resources. If you use multiple Teams, this option gives API access across all Teams.
Private resourcesAccess to private resources (individual channels, contacts, conversations, inboxes, messages, rules and tags) of your individual users. However, each user must also grant permission for the API to access their private resources in their individual preferences, or you can do this for them in the Teammates section.
ProvisioningUsed to allow control over teammate access to teams and inboxes as well as manage shifts in the public API.
Auto-provisioningAccess to Front's SCIM server, which is used to sync users across various systems. You will only see the "Auto provisioning" option if you have an Enterprise plan.
Team: {Team name}Access to team resources only for that particular Team. You will only see "Team" options if you have purchased the Teams feature for your Front account.

Private resource access

By default, individual resources are private and the API does not let you interact with them nor with their content.

However, a user has the ability to allow access to their individual resources from the API in their settings (Settings > My preferences > "Allow access to my individual resources via the API").

OAuth access

Integrations relying on OAuth all have the same scope: “Shared resources”, and at this time cannot request more permissive scopes. This means that integrations that use OAuth will be able to access all team resources (teams, contacts, conversations, team channels, inboxes, messages in team inboxes, team tags etc.). Check out our OAuth guide for more details.


Individual Resources and OAuth apps

Individual resources are accessible only to tokens that have been generated by Front. OAuth clients are not authorized to access them.