> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Send Invite Email
> Send an invite email to a new member using the Stytch B2B API
export const action_0 = "create"
export const resource_0 = "stytch.member"
export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";
export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";
Send an invite email to a new Member to join an Organization. The Member will be created with a status of `invited` until they successfully authenticate.
Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
The magic link invite will be valid and can be [authenticated](/api-reference/b2b/api/email-magic-links/organization/authenticate-magic-link) for 1 week, after which the Member will need to to be sent a new invite email.
**RBAC Enforced API**
If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the **{action_0} Action** on the **{resource_0} Resource** prior to honoring the request.
To learn more, see the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac).
### Revoke an invite
To revoke an existing invite, use the [Delete Member](/api-reference/b2b/api/members/delete-member) endpoint. This will both delete the invited Member from the target Organization and revoke all existing invite emails.
## OpenAPI
````yaml POST /v1/b2b/magic_links/email/invite
openapi: 3.0.3
info:
title: Stytch API
description: The Stytch API provides endpoints for authentication and user management.
version: 2.0.0
contact:
name: Stytch Support
url: https://stytch.com/docs
email: support@stytch.com
servers:
- url: https://api.stytch.com
description: Production server
- url: https://test.stytch.com
description: Test server
security:
- basicAuth: []
paths:
/v1/b2b/magic_links/email/invite:
post:
tags:
- B2B Magic Links
summary: Invite
description: >-
Send an invite email to a new Member to join an Organization. The Member
will be created with an `invited` status until they successfully
authenticate. Sending invites to `pending` Members will update their
status to `invited`. Sending invites to already `active` Members will
return an error.
The magic link invite will be valid for 1 week.
## Revoke an invite
To revoke an existing invite, use the [Delete
Member](https://stytch.com/docs/b2b/api/delete-member) endpoint. This
will both delete the invited Member from the target Organization and
revoke all existing invite emails.
operationId: api_b2b_magic_v1_b2b_magic_links_email_Invite
parameters:
- name: X-Stytch-Member-Session
in: header
required: false
description: >-
A Stytch session that can be used to run the request with the given
member's permissions.
schema:
type: string
- name: X-Stytch-Member-SessionJWT
in: header
required: false
description: >-
A Stytch Session JSON Web Token (JWT) that can be used to run the
request with the given member's permissions.
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: >-
#/components/schemas/api_b2b_magic_v1_b2b_magic_links_email_InviteRequest
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: >-
#/components/schemas/api_b2b_magic_v1_b2b_magic_links_email_InviteResponse
'400':
description: Bad request
'401':
description: Unauthorized
content:
application/json:
example:
status_code: 401
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: unauthorized_credentials
error_message: Unauthorized credentials.
error_url: https://stytch.com/docs/api/errors/401
'429':
description: Too Many Requests
content:
application/json:
example:
status_code: 429
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: too_many_requests
error_message: Too many requests have been made.
error_url: https://stytch.com/docs/api/errors/429
'500':
description: Internal server error
content:
application/json:
example:
status_code: 500
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: internal_server_error
error_message: >-
Oops, something seems to have gone wrong, please reach out to
support@stytch.com to let us know what went wrong.
error_url: https://stytch.com/docs/api/errors/500
x-code-samples:
- lang: csharp
label: C#
source: |-
// POST /v1/b2b/magic_links/email/invite
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: '${projectId}',
secret: '${secret}',
});
const params = {
organization_id: "${organizationId}",
email_address: "${email}",
};
const options = {
authorization: {
session_token: '${sessionToken}',
},
};
client.MagicLinks.Email.Invite(params, options)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });
- lang: go
label: Go
source: "// POST /v1/b2b/magic_links/email/invite\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v17/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v17/stytch/b2b/magiclinks/email\"\n\t\"github.com/stytchauth/stytch-go/v17/stytch/methodoptions\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &email.InviteParams{\n\t\tOrganizationID: \"${organizationId}\",\n\t\tEmailAddress: \"${email}\",\n\t}\n\n\toptions := &email.InviteParamsOptions{\n\t\tAuthorization: methodoptions.Authorization{\n\t\t\tSessionToken: \"${sessionToken}\",\n\t\t},\n\t}\n\n\tresp, err := client.MagicLinks.Email.Invite(context.Background(), params, options)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
- lang: java
label: Java
source: >-
// POST /v1/b2b/magic_links/email/invite
package com.example;
import com.stytch.java.b2b.models.magiclinksemail.InviteRequest;
import
com.stytch.java.b2b.models.magiclinksemail.InviteRequestOptions;
import com.stytch.java.b2b.StytchB2BClient;
import com.stytch.java.common.methodoptions.Authorization;
import com.stytch.java.common.StytchResult;
public class Main {
public static void main(String[] args) {
StytchB2BClient.configure("${projectId}", "${secret}");
InviteRequest params = new InviteRequest();
params.setOrganizationId("${organizationId}");
params.setEmailAddress("${email}");
InviteRequestOptions options = new InviteRequestOptions();
Authorization authorization = new Authorization();
authorization.setSessionToken("${sessionToken}");
options.setAuthorization(authorization);
Object result = StytchB2BClient.getMagicLinks().getEmail().invite(params, options);
if (result instanceof StytchResult.Success) {
System.out.println(((StytchResult.Success) result).getValue());
} else {
System.out.println(((StytchResult.Error) result).getException());
}
}
}
- lang: kotlin
label: Kotlin
source: >
// POST /v1/b2b/magic_links/email/invite
package com.example
import com.stytch.java.b2b.StytchB2BClient
import com.stytch.java.b2b.models.magiclinksemail.InviteRequest
import
com.stytch.java.b2b.models.magiclinksemail.InviteRequestOptions
import com.stytch.java.common.methodoptions.Authorization
fun main() {
StytchB2BClient.configure(
projectId = "${projectId}",
secret = "${secret}",
)
when (
val result =
StytchB2BClient.magicLinks.email.invite(
InviteRequest(
organizationId = "${organizationId}",
emailAddress = "${email}",
),
InviteRequestOptions(
Authorization(
sessionToken = "${sessionToken}",
),
),
)
) {
is StytchResult.Success -> println(result.value)
is StytchResult.Error -> println(result.exception)
}
}
- lang: javascript
label: Node.js
source: |-
// POST /v1/b2b/magic_links/email/invite
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: '${projectId}',
secret: '${secret}',
});
const params = {
organization_id: "${organizationId}",
email_address: "${email}",
};
const options = {
authorization: {
session_token: '${sessionToken}',
},
};
client.magicLinks.email.invite(params, options)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });
- lang: php
label: PHP
source: |-
$response = $client->magic_links->email->invite([
'organization_id' => '${organizationId}',
'email_address' => '${email}',
], [
'authorization' => ['session_token' => '${sessionToken}'],
]);
- lang: python
label: Python
source: |
# POST /v1/b2b/magic_links/email/invite
from stytch import B2BClient
from stytch.b2b.models.magic_links_email import InviteRequestOptions
from stytch.shared.method_options import Authorization
client = B2BClient(
project_id="${projectId}",
secret="${secret}",
)
resp = client.magic_links.email.invite(
organization_id="${organizationId}",
email_address="${email}",
method_options=InviteRequestOptions(
authorization=Authorization(
session_token="${sessionToken}",
),
),
)
print(resp)
- lang: ruby
label: Ruby
source: |-
# POST /v1/b2b/magic_links/email/invite
require 'stytch'
client = StytchB2B::Client.new(
project_id: "${projectId}",
secret: "${secret}"
)
resp = client.magic_links.email.invite(
organization_id: "${organizationId}",
email_address: "${email}",
method_options: StytchB2B::MagicLinks::Email::InviteRequestOptions.new(
authorization: Stytch::MethodOptions::Authorization.new(session_token: '${sessionToken}')
)
)
puts resp
- lang: rust
label: Rust
source: |-
// POST /v1/b2b/magic_links/email/invite
use stytch::b2b::client::Client;
use stytch::b2b::magic_links_email::InviteRequest;
fn main() {
let client = Client::new("${projectId}", "${secret}").unwrap();
let resp = client.magic_links.email.invite(
InviteRequest{
organization_id: "${organizationId}",
email_address: "${email}",
..Default::default()
}
).await;
println!("The response is {:?}", resp);
}
- lang: bash
label: cURL
source: |-
# POST /v1/b2b/magic_links/email/invite
curl --request POST \
--url https://test.stytch.com/v1/b2b/magic_links/email/invite \
-u '${projectId}:${secret}' \
-H 'Content-Type: application/json' \
-H "X-Stytch-Member-Session: ${sessionToken}" \
-d '{
"organization_id": "${organizationId}",
"email_address": "${email}"
}'
components:
schemas:
api_b2b_magic_v1_b2b_magic_links_email_InviteRequest:
type: object
properties:
organization_id:
type: string
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
email_address:
type: string
description: The email address of the Member.
invite_redirect_url:
type: string
description: >-
The URL that the Member clicks from the invite Email Magic Link.
This URL should be an endpoint in the backend server that verifies
the request by querying Stytch's authenticate endpoint and finishes the invite flow. If this value is not passed, the default `invite_redirect_url`
that you set in your Dashboard is used. If you have not set a default `invite_redirect_url`, an error is returned.
invited_by_member_id:
type: string
description: The `member_id` of the Member who sends the invite.
name:
type: string
description: The name of the Member.
trusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object for storing application-specific data or
identity-provider-specific data.
untrusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object of application-specific data. These fields
can be edited directly by the
frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)
for complete field behavior details.
invite_template_id:
type: string
description: >-
Use a custom template for invite emails. By default, it will use
your default email template. Templates can be added in the [Stytch
dashboard](https://stytch.com/dashboard/templates) using our
built-in customization options or custom HTML templates with type
“Magic Links - Invite”.
locale:
$ref: '#/components/schemas/api_b2b_magic_v1_InviteRequestLocale'
description: >
Used to determine which language to use when sending the user this
delivery method. Parameter is an [IETF BCP 47 language
tag](https://www.w3.org/International/articles/language-tags/), e.g.
`"en"`.
Currently supported languages are English (`"en"`), Spanish
(`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if
no value is provided, the copy defaults to English.
Request support for additional languages
[here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
roles:
type: array
items:
type: string
description: >-
Roles to explicitly assign to this Member. See the [RBAC
guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
for more information about role assignment.
invite_expiration_minutes:
type: integer
format: int32
minimum: 0
description: >-
The expiration time, in minutes, for an invite email. If not
accepted within this time frame, the invite will need to be resent.
Defaults to 10080 (1 week) with a minimum of 5 and a maximum of
10080.
description: Request type
required:
- organization_id
- email_address
api_b2b_magic_v1_b2b_magic_links_email_InviteResponse:
type: object
properties:
request_id:
type: string
description: >-
Globally unique UUID that is returned with every API call. This
value is important to log for debugging purposes; we may ask for
this value to help identify a specific API call when helping you
debug an issue.
member_id:
type: string
description: Globally unique UUID that identifies a specific Member.
member:
$ref: '#/components/schemas/api_organization_v1_Member'
description: The [Member object](https://stytch.com/docs/b2b/api/member-object)
organization:
$ref: '#/components/schemas/api_organization_v1_Organization'
description: >-
The [Organization
object](https://stytch.com/docs/b2b/api/organization-object).
status_code:
type: integer
format: int32
description: >-
The HTTP status code of the response. Stytch follows standard HTTP
response status code patterns, e.g. 2XX values equate to success,
3XX values are redirects, 4XX are client errors, and 5XX are server
errors.
required:
- request_id
- member_id
- member
- organization
- status_code
api_b2b_magic_v1_InviteRequestLocale:
type: string
enum:
- en
- es
- pt-br
- fr
api_organization_v1_Member:
type: object
properties:
organization_id:
type: string
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
member_id:
type: string
description: >-
Globally unique UUID that identifies a specific Member. The
`member_id` is critical to perform operations on a Member, so be
sure to preserve this value. You may use an external_id here if one
is set for the member.
email_address:
type: string
description: The email address of the Member.
status:
type: string
description: >-
The status of the Member. The possible values are: `pending`,
`invited`, `active`, or `deleted`.
name:
type: string
description: The name of the Member.
sso_registrations:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_SSORegistration'
description: >-
An array of registered [SAML
Connection](https://stytch.com/docs/b2b/api/saml-connection-object)
or [OIDC
Connection](https://stytch.com/docs/b2b/api/oidc-connection-object)
objects the Member has authenticated with.
is_breakglass:
type: boolean
description: >-
Identifies the Member as a break glass user - someone who has
permissions to authenticate into an Organization by bypassing the
Organization's settings. A break glass account is typically used for
emergency purposes to gain access outside of normal authentication
procedures. Refer to the [Organization
object](https://stytch.com/docs/b2b/api/organization-object) and its
`auth_methods` and `allowed_auth_methods` fields for more details.
member_password_id:
type: string
description: Globally unique UUID that identifies a Member's password.
oauth_registrations:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_OAuthRegistration'
description: A list of OAuth registrations for this member.
email_address_verified:
type: boolean
description: Whether or not the Member's email address is verified.
mfa_phone_number_verified:
type: boolean
description: Whether or not the Member's phone number is verified.
is_admin:
type: boolean
description: >-
Whether or not the Member has the `stytch_admin` Role. This Role is
automatically granted to Members
who create an Organization through the [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
[RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
totp_registration_id:
type: string
description: Globally unique UUID that identifies a TOTP instance.
retired_email_addresses:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_RetiredEmail'
description: |2-
A list of retired email addresses for this member.
A previously active email address can be marked as retired in one of two ways:
- It's replaced with a new primary email address during an explicit Member update.
- A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the
Member's primary email address and the old primary email address is retired.
A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email
addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked
using the [Unlink Retired Email endpoint](https://stytch.com/docs/b2b/api/unlink-retired-member-email).
is_locked:
type: boolean
description: >-
Whether the Member is temporarily locked due to too many failed
authentication attempts. See the [User Locking
Guide](https://stytch.com/docs/resources/platform/user-locks) for
more information.
mfa_enrolled:
type: boolean
description: >-
Sets whether the Member is enrolled in MFA. If true, the Member must
complete an MFA step whenever they wish to log in to their
Organization. If false, the Member only needs to complete an MFA
step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
mfa_phone_number:
type: string
description: >-
The Member's phone number. A Member may only have one phone number.
The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
default_mfa_method:
type: string
description: >-
The Member's default MFA method. This value is used to determine
which secondary MFA method to use in the case of multiple methods
registered for a Member. The current possible values are `sms_otp`
and `totp`.
roles:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_MemberRole'
description: >-
Explicit or implicit Roles assigned to this Member, along with
details about the role assignment source.
See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
trusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object for storing application-specific data or
identity-provider-specific data.
untrusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object of application-specific data. These fields
can be edited directly by the
frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)
for complete field behavior details.
created_at:
type: string
description: >-
The timestamp of the Member's creation. Values conform to the RFC
3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
updated_at:
type: string
description: >-
The timestamp of when the Member was last updated. Values conform to
the RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
scim_registration:
$ref: '#/components/schemas/api_organization_v1_SCIMRegistration'
description: >-
A scim member registration, referencing a [SCIM
Connection](https://stytch.com/docs/b2b/api/scim-connection-object)
object in use for the Member creation.
external_id:
type: string
description: The ID of the member given by the identity provider.
lock_created_at:
type: string
description: >-
When the member lock was created, if there is one. Values conform to
the RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
lock_expires_at:
type: string
description: >-
When the member lock expires, if there is one. Values conform to the
RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
required:
- organization_id
- member_id
- email_address
- status
- name
- sso_registrations
- is_breakglass
- member_password_id
- oauth_registrations
- email_address_verified
- mfa_phone_number_verified
- is_admin
- totp_registration_id
- retired_email_addresses
- is_locked
- mfa_enrolled
- mfa_phone_number
- default_mfa_method
- roles
api_organization_v1_Organization:
type: object
properties:
organization_id:
type: string
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
organization_name:
type: string
description: >-
The name of the Organization. Must be between 1 and 128 characters
in length.
organization_logo_url:
type: string
description: The image URL of the Organization logo.
organization_slug:
type: string
description: >-
The unique URL slug of the Organization. The slug only accepts
alphanumeric characters and the following reserved characters: `-`
`.` `_` `~`. Must be between 2 and 128 characters in length.
Wherever an organization_id is expected in a path or request
parameter, you may also use the organization_slug as a convenience.
sso_jit_provisioning:
type: string
description: >-
The authentication setting that controls the JIT provisioning of
Members when authenticating via SSO. The accepted values are:
`ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
`RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
`NOT_ALLOWED` – disable JIT provisioning via SSO.
sso_jit_provisioning_allowed_connections:
type: array
items:
type: string
description: >-
An array of `connection_id`s that reference [SAML Connection
objects](https://stytch.com/docs/b2b/api/saml-connection-object).
Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.
sso_active_connections:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_ActiveSSOConnection'
description: >-
An array of active [SAML Connection
references](https://stytch.com/docs/b2b/api/saml-connection-object)
or [OIDC Connection
references](https://stytch.com/docs/b2b/api/oidc-connection-object).
email_allowed_domains:
type: array
items:
type: string
description: >-
An array of email domains that allow invites or JIT provisioning for
new Members. This list is enforced when either `email_invites` or
`email_jit_provisioning` is set to `RESTRICTED`.
Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
email_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can be
provisioned by authenticating via Email Magic Link or OAuth. The
accepted values are:
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
`NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
email_invites:
type: string
description: >-
The authentication setting that controls how a new Member can be
invited to an organization by email. The accepted values are:
`ALL_ALLOWED` – any new Member can be invited to join via email.
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.
`NOT_ALLOWED` – disable email invites.
auth_methods:
type: string
description: >-
The setting that controls which authentication methods can be used
by Members of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
allowed_auth_methods:
type: array
items:
type: string
description: >-
An array of allowed authentication methods. This list is enforced
when `auth_methods` is set to `RESTRICTED`.
The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
mfa_policy:
type: string
description: >-
The setting that controls the MFA policy for all Members in the
Organization. The accepted values are:
`REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
`OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
rbac_email_implicit_role_assignments:
type: array
items:
$ref: >-
#/components/schemas/api_organization_v1_EmailImplicitRoleAssignment
description: |-
Implicit role assignments based off of email domains.
For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the
associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
for more information about role assignment.
mfa_methods:
type: string
description: >-
The setting that controls which MFA methods can be used by Members
of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
allowed_mfa_methods:
type: array
items:
type: string
description: >-
An array of allowed MFA authentication methods. This list is
enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
oauth_tenant_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can JIT
provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
claimed_email_domains:
type: array
items:
type: string
description: A list of email domains that are claimed by the Organization.
first_party_connected_apps_allowed_type:
type: string
description: >-
The authentication setting that sets the Organization's policy
towards first party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no first party Connected Apps are permitted.
allowed_first_party_connected_apps:
type: array
items:
type: string
description: >-
An array of first party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`first_party_connected_apps_allowed_type` is `RESTRICTED`.
third_party_connected_apps_allowed_type:
type: string
description: >-
The authentication setting that sets the Organization's policy
towards third party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no third party Connected Apps are permitted.
allowed_third_party_connected_apps:
type: array
items:
type: string
description: >-
An array of third party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`third_party_connected_apps_allowed_type` is `RESTRICTED`.
custom_roles:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_CustomRole'
trusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object for storing application-specific data or
identity-provider-specific data.
created_at:
type: string
description: >-
The timestamp of the Organization's creation. Values conform to the
RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
updated_at:
type: string
description: >-
The timestamp of when the Organization was last updated. Values
conform to the RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
organization_external_id:
type: string
description: A unique identifier for the organization.
sso_default_connection_id:
type: string
description: >-
The default connection used for SSO when there are multiple active
connections.
scim_active_connection:
$ref: '#/components/schemas/api_organization_v1_ActiveSCIMConnection'
description: >-
An active [SCIM Connection
references](https://stytch.com/docs/b2b/api/scim-connection-object).
allowed_oauth_tenants:
type: object
additionalProperties: true
description: >-
A map of allowed OAuth tenants. If this field is not passed in, the
Organization will not allow JIT provisioning by OAuth Tenant.
Allowed keys are "slack", "hubspot", and "github".
required:
- organization_id
- organization_name
- organization_logo_url
- organization_slug
- sso_jit_provisioning
- sso_jit_provisioning_allowed_connections
- sso_active_connections
- email_allowed_domains
- email_jit_provisioning
- email_invites
- auth_methods
- allowed_auth_methods
- mfa_policy
- rbac_email_implicit_role_assignments
- mfa_methods
- allowed_mfa_methods
- oauth_tenant_jit_provisioning
- claimed_email_domains
- first_party_connected_apps_allowed_type
- allowed_first_party_connected_apps
- third_party_connected_apps_allowed_type
- allowed_third_party_connected_apps
- custom_roles
api_organization_v1_SSORegistration:
type: object
properties:
connection_id:
type: string
description: >-
Globally unique UUID that identifies a specific SSO `connection_id`
for a Member.
external_id:
type: string
description: The ID of the member given by the identity provider.
registration_id:
type: string
description: The unique ID of an SSO Registration.
sso_attributes:
type: object
additionalProperties: true
description: >-
An object for storing SSO attributes brought over from the identity
provider.
required:
- connection_id
- external_id
- registration_id
api_organization_v1_OAuthRegistration:
type: object
properties:
provider_type:
type: string
description: >-
Denotes the OAuth identity provider that the user has authenticated
with, e.g. Google, Microsoft, GitHub etc.
provider_subject:
type: string
description: >-
The unique identifier for the User within a given OAuth provider.
Also commonly called the `sub` or "Subject field" in OAuth
protocols.
member_oauth_registration_id:
type: string
description: The unique ID of an OAuth registration.
profile_picture_url:
type: string
description: >-
If available, the `profile_picture_url` is a URL of the User's
profile picture set in OAuth identity the provider that the User has
authenticated with, e.g. Google profile picture.
locale:
type: string
description: >-
If available, the `locale` is the Member's locale set in the OAuth
identity provider that the user has authenticated with.
required:
- provider_type
- provider_subject
- member_oauth_registration_id
api_organization_v1_RetiredEmail:
type: object
properties:
email_id:
type: string
description: The globally unique UUID of a Member's email.
email_address:
type: string
description: The email address of the Member.
required:
- email_id
- email_address
api_organization_v1_MemberRole:
type: object
properties:
role_id:
type: string
description: >-
The unique identifier of the RBAC Role, provided by the developer
and intended to be human-readable.
Reserved `role_id`s that are predefined by Stytch include:
* `stytch_member`
* `stytch_admin`
Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
sources:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_MemberRoleSource'
description: >-
A list of sources for this role assignment. A role assignment can
come from multiple sources - for example, the Role could be both
explicitly assigned and implicitly granted from the Member's email
domain.
required:
- role_id
- sources
api_organization_v1_SCIMRegistration:
type: object
properties:
connection_id:
type: string
description: The ID of the SCIM connection.
registration_id:
type: string
description: The unique ID of a SCIM Registration.
external_id:
type: string
description: The ID of the member given by the identity provider.
scim_attributes:
$ref: '#/components/schemas/api_b2b_scim_v1_SCIMAttributes'
description: >-
An object for storing SCIM attributes brought over from the identity
provider.
required:
- connection_id
- registration_id
api_organization_v1_ActiveSSOConnection:
type: object
properties:
connection_id:
type: string
description: >-
Globally unique UUID that identifies a specific SSO `connection_id`
for a Member.
display_name:
type: string
description: A human-readable display name for the connection.
identity_provider:
type: string
required:
- connection_id
- display_name
- identity_provider
api_organization_v1_EmailImplicitRoleAssignment:
type: object
properties:
domain:
type: string
description: Email domain that grants the specified Role.
role_id:
type: string
description: >-
The unique identifier of the RBAC Role, provided by the developer
and intended to be human-readable.
Reserved `role_id`s that are predefined by Stytch include:
* `stytch_member`
* `stytch_admin`
Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
required:
- domain
- role_id
api_organization_v1_CustomRole:
type: object
properties:
role_id:
type: string
description:
type: string
permissions:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_CustomRolePermission'
required:
- role_id
- description
- permissions
api_organization_v1_ActiveSCIMConnection:
type: object
properties:
connection_id:
type: string
description: The ID of the SCIM connection.
display_name:
type: string
description: A human-readable display name for the connection.
bearer_token_last_four:
type: string
bearer_token_expires_at:
type: string
required:
- connection_id
- display_name
- bearer_token_last_four
api_organization_v1_MemberRoleSource:
type: object
properties:
type:
type: string
description: |-
The type of role assignment. The possible values are:
`direct_assignment` – an explicitly assigned Role.
Directly assigned roles can be updated by passing in the `roles` argument to the
[Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint.
`email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method.
Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to
the [Update Organization](https://stytch.com/docs/b2b/api/update-organization) endpoint.
`sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available
for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this
role assignment will appear in the list. However, for authorization check purposes (in
[sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint that enforces RBAC with session
headers), the Member will only be granted the Role if their session contains an authentication factor with the
specified SAML connection.
SAML connection implicit role assignments can be updated by passing in the
`saml_connection_implicit_role_assignments` argument to the
[Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.
`sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only
available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given
connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However,
for authorization check purposes (in [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint
that enforces RBAC with session headers), the Member will only be granted the role if their session contains an
authentication factor with the specified SAML connection.
SAML group implicit role assignments can be updated by passing in the `saml_group_implicit_role_assignments`
argument to the [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.
`scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has
a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.
SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments`
argument to the [Update SCIM connection](https://stytch.com/docs/b2b/api/update-scim-connection) endpoint.
details:
type: object
additionalProperties: true
description: >-
An object containing additional metadata about the source
assignment. The fields will vary depending
on the role assignment type as follows:
`direct_assignment` – no additional details.
`email_assignment` – will contain the email domain that granted the assignment.
`sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment.
`sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the `group`
that granted the assignment.
`scim_connection_group` – will contain the `connection_id` of the SAML connection and the `group_id`
that granted the assignment.
required:
- type
api_b2b_scim_v1_SCIMAttributes:
type: object
properties:
user_name:
type: string
id:
type: string
external_id:
type: string
active:
type: boolean
groups:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Group'
display_name:
type: string
nick_name:
type: string
profile_url:
type: string
user_type:
type: string
title:
type: string
preferred_language:
type: string
locale:
type: string
timezone:
type: string
emails:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Email'
phone_numbers:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_PhoneNumber'
addresses:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Address'
ims:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_IMs'
photos:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Photo'
entitlements:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Entitlement'
roles:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_Role'
x509certificates:
type: array
items:
$ref: '#/components/schemas/api_b2b_scim_v1_X509Certificate'
name:
$ref: '#/components/schemas/api_b2b_scim_v1_Name'
enterprise_extension:
$ref: '#/components/schemas/api_b2b_scim_v1_EnterpriseExtension'
required:
- user_name
- id
- external_id
- active
- groups
- display_name
- nick_name
- profile_url
- user_type
- title
- preferred_language
- locale
- timezone
- emails
- phone_numbers
- addresses
- ims
- photos
- entitlements
- roles
- x509certificates
api_organization_v1_CustomRolePermission:
type: object
properties:
resource_id:
type: string
actions:
type: array
items:
type: string
required:
- resource_id
- actions
api_b2b_scim_v1_Group:
type: object
properties:
value:
type: string
display:
type: string
required:
- value
- display
api_b2b_scim_v1_Email:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_PhoneNumber:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_Address:
type: object
properties:
formatted:
type: string
street_address:
type: string
locality:
type: string
region:
type: string
postal_code:
type: string
country:
type: string
type:
type: string
primary:
type: boolean
required:
- formatted
- street_address
- locality
- region
- postal_code
- country
- type
- primary
api_b2b_scim_v1_IMs:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_Photo:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_Entitlement:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_Role:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_X509Certificate:
type: object
properties:
value:
type: string
type:
type: string
primary:
type: boolean
required:
- value
- type
- primary
api_b2b_scim_v1_Name:
type: object
properties:
formatted:
type: string
family_name:
type: string
given_name:
type: string
middle_name:
type: string
honorific_prefix:
type: string
honorific_suffix:
type: string
required:
- formatted
- family_name
- given_name
- middle_name
- honorific_prefix
- honorific_suffix
api_b2b_scim_v1_EnterpriseExtension:
type: object
properties:
employee_number:
type: string
cost_center:
type: string
division:
type: string
department:
type: string
organization:
type: string
manager:
$ref: '#/components/schemas/api_b2b_scim_v1_Manager'
required:
- employee_number
- cost_center
- division
- department
- organization
api_b2b_scim_v1_Manager:
type: object
properties:
value:
type: string
ref:
type: string
display_name:
type: string
required:
- value
- ref
- display_name
securitySchemes:
basicAuth:
type: http
scheme: basic
````