FusionAuth

    How to Authenticate API Clients and End Users in the Same FusionAuth Tenant Using Entities

    wesley:

      We are evaluating FusionAuth for JWT-based API authentication and would like to better understand how this fits alongside end-user authentication.

      Specifically:

      1. Is it possible to authenticate API clients and end users within the same tenant, given that some controls (such as MFA) are configured at the tenant level?
      2. If so, what is the recommended approach for structuring API authentication separately from end-user authentication?
      3. Are there any licensing or cost implications associated with these approaches (for example, using separate tenants, applications, or service accounts)?
      wesley, replying to wesley:

        Yes, you can mix API clients and end-user logins within the same tenant. Tenant-level controls such as MFA do not prevent this when the authentication flows are properly separated.

        Recommended Approach: Use Entities for API Clients

        The most common and recommended pattern is to use Entities for API authentication:

        • End users authenticate using the Authorization Code grant, which can enforce MFA and other user-facing security requirements.
        • API clients authenticate using the Client Credentials grant via Entities.
        • Because these are different OAuth grants and flows, tenant-level requirements like MFA apply to users but do not apply to API clients using client credentials.

        This allows both authentication types to coexist cleanly within the same tenant while maintaining appropriate security boundaries.

        Cost and Licensing

        There are no additional licensing or cost implications for using this approach:

        • Entities and the Client Credentials flow are included in FusionAuth plans.
        • API clients authenticated via Entities do not count as end users for MAU-based billing.

        Additional Resources

        These resources provide detailed guidance and examples:

        • API Authorization with FusionAuth
        • Entity Management Concepts
        • Using Entities for API Authorization (Video)

        This setup is widely used and should cover your use case well.

        wesley has marked this topic as solved.
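The following Python example is added here to illustrate the separation the answer describes; it is not FusionAuth's own code nor something posted in the thread. It shows (a) how an API client registered as an Entity would build a Client Credentials token request, and (b) how a resource server can tell an Entity token apart from an end-user token so that user-facing controls such as MFA are only expected on the latter. The token endpoint path (`/oauth2/token`), the `target-entity:<entityId>:<permissions>` scope syntax, the claim names used for classification (`permissions`, `email`, `roles`, `authenticationType`), and all ids and secrets are assumptions or constructed sample values; check them against the FusionAuth documentation for your version before relying on them. The unsigned demo JWT helper exists only to construct sample tokens offline; a real resource server must verify the signature against the tenant's JWKS first.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Added example (not FusionAuth's own code). Endpoint path, scope syntax and
# claim names are assumptions to verify against the FusionAuth docs.

TOKEN_PATH = "/oauth2/token"  # assumed FusionAuth OAuth token endpoint


def basic_auth_value(client_id, client_secret):
    """HTTP Basic credential for the token endpoint (client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_client_credentials_request(base_url, entity_client_id, entity_client_secret,
                                     target_entity_id, permissions=()):
    """Return (url, headers, body) for a Client Credentials token request.

    Assumed scope format 'target-entity:<entityId>:<perm>,<perm>': the calling
    Entity asks for a token scoped to the target Entity with those permissions.
    """
    scope = f"target-entity:{target_entity_id}"
    if permissions:
        scope += ":" + ",".join(permissions)
    headers = {
        "Authorization": basic_auth_value(entity_client_id, entity_client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def _b64url(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def demo_unsigned_jwt(claims):
    """Build an UNSIGNED JWT (alg none, empty signature) only to construct
    sample tokens for this example. Never accept such tokens in a real server."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims_unverified(token):
    """Decode only the payload segment. A real resource server verifies the
    signature against the tenant's JWKS (e.g. with PyJWT) before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def classify_token(claims, now=None):
    """'api-client' for an Entity token from the Client Credentials grant,
    'end-user' for a user login token, 'expired' or 'unknown' otherwise.

    Assumed claim shapes: Entity tokens carry a 'permissions' list and no
    'email'; user tokens carry 'email' and/or 'roles'."""
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return "expired"
    if "permissions" in claims and "email" not in claims:
        return "api-client"
    if "email" in claims or "roles" in claims:
        return "end-user"
    return "unknown"


def allow_api_call(claims, required_permission, now=None):
    """Rule for a machine-only endpoint: only Entity tokens carrying the
    required permission pass. End-user tokens belong to the user-facing flow
    (where MFA and similar were enforced) and are rejected here."""
    if classify_token(claims, now) != "api-client":
        return False
    return required_permission in claims.get("permissions", [])


# Constructed sample claims (not real FusionAuth output).
NOW = 1_700_000_000
ENTITY_CLAIMS = {"sub": "entity-1", "aud": "entity-client-id",
                 "iss": "https://auth.example.com", "exp": NOW + 3600,
                 "permissions": ["orders:read"]}
USER_CLAIMS = {"sub": "user-1", "email": "alice@example.com", "roles": ["admin"],
               "authenticationType": "PASSWORD", "exp": NOW + 3600}

if __name__ == "__main__":
    url, headers, body = build_client_credentials_request(
        "https://auth.example.com", "entity-client-id", "entity-secret",
        "entity-2", ["orders:read"])
    print(url, body)
    for label, claims in (("entity", ENTITY_CLAIMS), ("user", USER_CLAIMS)):
        decoded = jwt_claims_unverified(demo_unsigned_jwt(claims))
        print(label, classify_token(decoded, NOW),
              allow_api_call(decoded, "orders:read", NOW))
```

The design point mirrors the answer: the two token types come from different grants, so the resource server should not try to apply MFA or role checks uniformly. It routes Entity tokens through permission checks and end-user tokens through the user authorization path, and an end-user token presented to a machine-only endpoint is simply refused.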