Create Organization via Discovery
Create a new Organization and Member via the B2B Discovery flow
intermediate_session_token returned when the user successfully completes a Discovery authentication flow to create a new Organization and Member, then log the user in. If the user wants to log into an existing Organization, use the Exchange Intermediate Session endpoint instead.
Multi-factor authentication (MFA) and step-up requirements
member_authenticated: false and an intermediate_session_token to indicate that the user must perform additional authentication via one of the options listed in primary_required.allowed_auth_methods to finish logging in.
If you specified an mfa_policy: REQUIRED_FOR_ALL in the request, this API will return member_authenticated: false, an intermediate_session_token, and mfa_required in order to indicate that you must prompt the user to enroll in MFA.
Include the intermediate_session_token when calling the authenticate() method that the user needed to perform to verify their email or enroll in MFA. Once the user has completed the authentication requirements they were missing, they will be granted a full session_token and session_jwt and be successfully logged in.
If the user logged in with a method that does provide real-time email verification (Email Magic Links, Email OTP, Google/Microsoft OAuth, initial email verification when creating a new password) this API will return member_authenticated: true and a session_jwt and session_token to indicate that the user has successfully logged in.
The Member created by this endpoint will automatically be granted the stytch_admin Role. See the RBAC guide for more details on this Role.Authorizations
Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.
Body
Request type
The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
to use the Stytch session product, you can ignore the session fields in the response.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
delete a key, supply a null value. Custom claims made with reserved claims (iss, sub, aud, exp, nbf, iat, jti) will be ignored.
Total custom claims size cannot exceed four kilobytes.
The name of the Organization. If the name is not specified, a default name will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email. Otherwise, the organization name will be generated based on the email domain.
The unique URL slug of the Organization. A minimum of two characters is required. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. If the slug is not specified, a default slug will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization slug will be generated based on the name portion of the email. Otherwise, the organization slug will be generated based on the email domain.
An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, ., _, -, or | characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace.
The image URL of the Organization logo.
An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connections.
RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication.
NOT_ALLOWED – disable JIT provisioning via SSO.
An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED.
Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:
RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth.
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:
ALL_ALLOWED – any new Member can be invited to join via email.
RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email.
NOT_ALLOWED – disable email invites.
The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:
ALL_ALLOWED – the default setting which allows all authentication methods to be used.
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED.
The list's accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.
The setting that controls the MFA policy for all Members in the Organization. The accepted values are:
REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true.
Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the RBAC guide for more information about role assignment.
The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:
ALL_ALLOWED – the default setting which allows all authentication methods to be used.
RESTRICTED – only methods that comply with allowed_mfa_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
An array of allowed MFA authentication methods. This list is enforced when mfa_methods is set to RESTRICTED.
The list's accepted values are: sms_otp and totp.
The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant.
NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant.
A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
ALL_ALLOWED – the default setting, any first party Connected App in the Project is permitted for use by Members.
RESTRICTED – only first party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members.
NOT_ALLOWED – no first party Connected Apps are permitted.
ALL_ALLOWED, RESTRICTED, NOT_ALLOWED An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's first_party_connected_apps_allowed_type is RESTRICTED.
The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
ALL_ALLOWED – the default setting, any third party Connected App in the Project is permitted for use by Members.
RESTRICTED – only third party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members.
NOT_ALLOWED – no third party Connected Apps are permitted.
ALL_ALLOWED, RESTRICTED, NOT_ALLOWED An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's third_party_connected_apps_allowed_type is RESTRICTED.
If the telemetry_id is passed, as part of this request, Stytch will call the Fingerprint Lookup API and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.
Response
Successful response
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
Globally unique UUID that identifies a specific Member.
A secret token for a given Stytch Session.
The JSON Web Token (JWT) for a given Stytch Session.
The Member object
Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
The returned Intermediate Session Token is identical to the one that was originally passed in to the request. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
The Session object.
The Organization object.
Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
Information about the primary authentication requirements of the Organization.
If a valid telemetry_id was passed in the request and the Fingerprint Lookup API returned results, the member_device response field will contain information about the member's device attributes.