> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Frontegg connector

> C1 provides identity governance for Frontegg. Integrate your Frontegg environment with C1 for unified visibility and governance over user access.

C1 provides identity governance for Frontegg. Integrate your Frontegg
environment with C1 for unified visibility and governance over tenants, users,
roles, groups, and permissions.

## Capabilities

| Resource    | Sync                                                          | Provision |
| ----------- | ------------------------------------------------------------- | --------- |
| Tenants     | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Users       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Permissions | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Roles       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Groups      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

The connector reads tenants, users, environment-wide permissions, and
per-tenant roles and groups from the Frontegg management API. It syncs grant
relationships between users and tenants, roles, and groups.

This connector is read-only. It does not provision or modify access in
Frontegg.

## Gather Frontegg credentials

<Warning>
  Use Frontegg **vendor** credentials (client ID and secret) from your
  environment's **Keys & domains** page. Vendor credentials are region-scoped —
  the API base URL must match the region where the credentials were issued.
</Warning>

<Steps>
  <Step>
    Sign in to the [Frontegg Portal](https://portal.frontegg.com/) and open
    the environment you want to connect.
  </Step>

  <Step>
    Navigate to **Environment** > **Keys & domains**.
  </Step>

  <Step>
    Copy the vendor **Client ID** and **Client secret** for the environment.
    The connector uses these to mint a short-lived management JWT.
  </Step>

  <Step>
    Note the regional API gateway for your environment:

    * EU: `https://api.frontegg.com`
    * US: `https://api.us.frontegg.com`
    * CA: `https://api.ca.frontegg.com`
    * AU: `https://api.au.frontegg.com`
  </Step>
</Steps>

## Synced resource types

* **Tenants**: Frontegg accounts in the environment.
* **Users**: Environment-wide users, including per-tenant role assignments.
* **Permissions**: Environment-global permission definitions.
* **Roles**: Per-tenant roles; resource IDs encode tenant and role.
* **Groups**: Per-tenant groups; resource IDs encode tenant and group.

Grant relationships synced:

* User membership in tenants
* Direct role assignments to users
* Group membership
* Role assignments inherited through group membership

## Configure the Frontegg connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Frontegg** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Frontegg connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the Frontegg credentials:

        * **Frontegg Base URL**: The regional API gateway for your environment, for example `https://api.us.frontegg.com`.
        * **Frontegg Client ID**: The vendor client ID from Keys & domains.
        * **Frontegg Client Secret**: The vendor secret paired with the client ID.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Frontegg connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the Frontegg connector in your own
    environment.

    <Steps>
      <Step>
        Create secrets for the Frontegg vendor credentials.
      </Step>

      <Step>
        Configure the connector environment variables:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        BATON_BASE_URL=https://api.us.frontegg.com
        BATON_FRONTEGG_CLIENT_ID=<vendor client ID>
        BATON_FRONTEGG_CLIENT_SECRET=<vendor client secret>
        ```
      </Step>

      <Step>
        Deploy the connector using your standard self-hosted connector process.
      </Step>
    </Steps>

    **Done.** Your Frontegg connector is now pulling access data into C1.
  </Tab>
</Tabs>

## Connector configuration reference

| Setting                | Environment variable           | Required | Description                                                                                                                 |
| ---------------------- | ------------------------------ | -------- | --------------------------------------------------------------------------------------------------------------------------- |
| Frontegg Base URL      | `BATON_BASE_URL`               | Yes      | Regional Frontegg API gateway origin, without a trailing slash. Must match the region where vendor credentials were issued. |
| Frontegg Client ID     | `BATON_FRONTEGG_CLIENT_ID`     | Yes      | Vendor client ID from Portal > Environment > Keys & domains.                                                                |
| Frontegg Client Secret | `BATON_FRONTEGG_CLIENT_SECRET` | Yes      | Vendor secret paired with the client ID. Stored as a secret.                                                                |