> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Search Members

> Search Members using the Stytch B2B API.

export const action_0 = "search"

export const resource_0 = "stytch.member"

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

<Warning>
  This endpoint is not recommended for use in login flows. Scaling issues may occur, as search performance may vary from \~150 milliseconds to 9 seconds depending on query complexity and rate limits are set to 100 requests/second.
</Warning>

Search for <Tooltip tip={member}>Members</Tooltip> within specified <Tooltip tip={organization}>Organizations</Tooltip>.

<Note>
  **RBAC Enforced API**

  If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the **{action_0} Action** on the **{resource_0} Resource** prior to honoring the request.

  To learn more, see the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac).
</Note>

Submitting an empty `query` returns all non-deleted Members within the specified Organizations.

By default, this endpoint will not return `deleted` Members. To include deleted Members in the search results, explicitly include the `deleted` status in the `statuses` filter.

<Info>
  All fuzzy search filters require a minimum of three characters.
</Info>

## Filter Reference

Each query operand requires a `filter_name` and `filter_value`. The table below shows all available filters, their value types, and descriptions.

| Filter Name                     | Value Type      | Description                                                                                                                                      | Example                                                |
| ------------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
| `member_ids`                    | `array[string]` | Filter by one or more exact member IDs.                                                                                                          | `["member-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6"]` |
| `member_emails`                 | `array[string]` | Filter by one or more exact member email addresses.                                                                                              | `["member@example.com"]`                               |
| `member_email_fuzzy`            | `string`        | Fuzzy search for member by email address. Requires a minimum of three characters.                                                                | `"john"`                                               |
| `member_mfa_phone_numbers`      | `array[string]` | Filter by one or more exact member MFA phone numbers.                                                                                            | `["+12025550162"]`                                     |
| `member_mfa_phone_number_fuzzy` | `string`        | Fuzzy search for member by MFA phone number. Requires a minimum of three characters.                                                             | `"415"`                                                |
| `member_password_exists`        | `boolean`       | Filter members by whether they have a password set.                                                                                              | `true`                                                 |
| `statuses`                      | `array[string]` | Filter by one or more member statuses (`active`, `invited`, `pending`, `deleted`). Note: `deleted` only works alone or with `member_ids` filter. | `["active", "invited"]`                                |
| `member_roles`                  | `array[string]` | Filter by one or more member roles. Searches across both [explicit and implicit assigned Roles](/docs/b2b/guides/rbac/role-assignment).          | `["admin", "editor"]`                                  |


## OpenAPI

````yaml POST /v1/b2b/organizations/members/search
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/b2b/organizations/members/search:
    post:
      tags:
        - Organizations
      summary: Search
      description: >-

        **Warning**: This endpoint is not recommended for use in login flows.
        Scaling issues may occur, as search performance may vary from ~150
        milliseconds to 9 seconds depending on query complexity and rate limits
        are set to 100 requests/minute.


        Search for Members within specified Organizations. An array with at
        least one `organization_id` is required. Submitting an empty `query`
        returns all non-deleted Members within the specified Organizations.


        All fuzzy search filters require a minimum of three characters.
      operationId: api_organization_v1_organizations_members_Search
      parameters:
        - name: X-Stytch-Member-Session
          in: header
          required: false
          description: >-
            A Stytch session that can be used to run the request with the given
            member's permissions.
          schema:
            type: string
        - name: X-Stytch-Member-SessionJWT
          in: header
          required: false
          description: >-
            A Stytch Session JSON Web Token (JWT) that can be used to run the
            request with the given member's permissions.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/api_organization_v1_organizations_members_SearchRequest
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/api_organization_v1_organizations_members_SearchResponse
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/b2b/organizations/members/search
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              organization_ids: ["organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"],
            };

            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };

            client.Organizations.Members.Search(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/b2b/organizations/members/search\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/organizations/members\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/methodoptions\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &members.SearchParams{\n\t\tOrganizationIds: []string{\"organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931\"},\n\t}\n\n\toptions := &members.SearchParamsOptions{\n\t\tAuthorization: methodoptions.Authorization{\n\t\t\tSessionToken: \"${sessionToken}\",\n\t\t},\n\t}\n\n\tresp, err := client.Organizations.Members.Search(context.Background(), params, options)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: >-
            // POST /v1/b2b/organizations/members/search

            package com.example;


            import
            com.stytch.java.b2b.models.organizationsmembers.SearchRequest;

            import
            com.stytch.java.b2b.models.organizationsmembers.SearchRequestOptions;

            import com.stytch.java.b2b.StytchB2BClient;

            import com.stytch.java.common.methodoptions.Authorization;

            import com.stytch.java.common.StytchResult;


            public class Main {
                public static void main(String[] args) {
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    SearchRequest params = new SearchRequest();
                    params.setOrganizationIds(new String("organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"));

                    SearchRequestOptions options = new SearchRequestOptions();
                    Authorization authorization = new Authorization();
                    authorization.setSessionToken("${sessionToken}");
                    options.setAuthorization(authorization);

                    Object result = StytchB2BClient.getOrganizations().getMembers().search(params, options);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: >
            // POST /v1/b2b/organizations/members/search

            package com.example


            import com.stytch.java.b2b.StytchB2BClient

            import com.stytch.java.b2b.models.organizationsmembers.SearchRequest

            import
            com.stytch.java.b2b.models.organizationsmembers.SearchRequestOptions

            import com.stytch.java.common.methodoptions.Authorization


            fun main() {
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchB2BClient.organizations.members.search(
                            SearchRequest(
                                organizationIds = arrayOf("organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"),
                            ),
                            SearchRequestOptions(
                                Authorization(
                                    sessionToken = "${sessionToken}",
                                ),
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/b2b/organizations/members/search
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              organization_ids: ["organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"],
            };

            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };

            client.organizations.members.search(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->organizations->members->search([
                'organization_ids' => ['organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931'],
            ], [
                    'authorization' => ['session_token' => '${sessionToken}'],

            ]);
        - lang: python
          label: Python
          source: >
            # POST /v1/b2b/organizations/members/search

            from stytch import B2BClient

            from stytch.b2b.models.organizations_members import
            SearchRequestOptions

            from stytch.shared.method_options import Authorization


            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )


            resp = client.organizations.members.search(
                organization_ids=["organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"],
                method_options=SearchRequestOptions(
                    authorization=Authorization(
                        session_token="${sessionToken}",
                    ),
                ),
            )


            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # POST /v1/b2b/organizations/members/search
            require 'stytch'

            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.organizations.members.search(
              organization_ids: ['organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931'],
              method_options: StytchB2B::Organizations::Members::SearchRequestOptions.new(
                authorization: Stytch::MethodOptions::Authorization.new(session_token: '${sessionToken}')
              )
            )

            puts resp
        - lang: rust
          label: Rust
          source: |-
            // POST /v1/b2b/organizations/members/search
            use stytch::b2b::client::Client;
            use stytch::b2b::organizations_members::SearchRequest;

            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.organizations.members.search(
                    SearchRequest{
                        organization_ids: vec!["organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"],
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/b2b/organizations/members/search
            curl --request POST \
              --url https://test.stytch.com/v1/b2b/organizations/members/search \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -H "X-Stytch-Member-Session: ${sessionToken}" \
              -d '{
                "organization_ids": ["organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"]
              }'
components:
  schemas:
    api_organization_v1_organizations_members_SearchRequest:
      type: object
      properties:
        organization_ids:
          type: array
          items:
            type: string
          description: An array of organization_ids. At least one value is required.
        cursor:
          type: string
          description: >-
            The `cursor` field allows you to paginate through your results. Each
            result array is limited to 1000 results. If your query returns more
            than 1000 results, you will need to paginate the responses using the
            `cursor`. If you receive a response that includes a non-null
            `next_cursor` in the `results_metadata` object, repeat the search
            call with the `next_cursor` value set to the `cursor` field to
            retrieve the next page of results. Continue to make search calls
            until the `next_cursor` in the response is null.
        limit:
          type: integer
          format: int32
          minimum: 0
          description: >-
            The number of search results to return per page. The default limit
            is 100. A maximum of 1000 results can be returned by a single search
            request. If the total size of your result set is greater than one
            page size, you must paginate the response. See the `cursor` field.
        query:
          $ref: '#/components/schemas/api_organization_v1_SearchQuery'
          description: >-
            The optional query object contains the operator, i.e. `AND` or `OR`,
            and the operands that will filter your results. Only an operator is
            required. If you include no operands, no filtering will be applied.
            If you include no query object, it will return all Members with no
            filtering applied.
      description: Request type
      required:
        - organization_ids
    api_organization_v1_organizations_members_SearchResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        members:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_Member'
          description: >-
            An array of [Member
            objects](https://stytch.com/docs/b2b/api/member-object).
        results_metadata:
          $ref: '#/components/schemas/api_organization_v1_ResultsMetadata'
          description: >-
            The search `results_metadata` object contains metadata relevant to
            your specific query like `total` and `next_cursor`.
        organizations:
          type: object
          additionalProperties:
            $ref: '#/components/schemas/api_organization_v1_Organization'
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
      required:
        - request_id
        - members
        - results_metadata
        - organizations
        - status_code
    api_organization_v1_SearchQuery:
      type: object
      properties:
        operator:
          $ref: >-
            #/components/schemas/api_organization_v1_organizations_SearchQueryOperator
          description: |-
            The action to perform on the operands. The accepted values are:

              `AND` – all the operand values provided must match.

              `OR` – **[DEPRECATED]** the operator will return any matches to at least one of the operand values you supply. This parameter is retained for legacy use cases only and is no longer supported. We strongly recommend breaking down complex queries into multiple search queries instead.
        operands:
          type: array
          items:
            type: object
            additionalProperties: true
          description: >-
            An array of operand objects that contains all of the filters and
            values to apply to your search query.
      required:
        - operator
        - operands
    api_organization_v1_Member:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        member_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Member. The
            `member_id` is critical to perform operations on a Member, so be
            sure to preserve this value. You may use an external_id here if one
            is set for the member.
        email_address:
          type: string
          description: The email address of the Member.
        status:
          type: string
          description: >-
            The status of the Member. The possible values are: `pending`,
            `invited`, `active`, or `deleted`.
        name:
          type: string
          description: The name of the Member.
        sso_registrations:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_SSORegistration'
          description: >-
            An array of registered [SAML
            Connection](https://stytch.com/docs/b2b/api/saml-connection-object)
            or [OIDC
            Connection](https://stytch.com/docs/b2b/api/oidc-connection-object)
            objects the Member has authenticated with.
        is_breakglass:
          type: boolean
          description: >-
            Identifies the Member as a break glass user - someone who has
            permissions to authenticate into an Organization by bypassing the
            Organization's settings. A break glass account is typically used for
            emergency purposes to gain access outside of normal authentication
            procedures. Refer to the [Organization
            object](https://stytch.com/docs/b2b/api/organization-object) and its
            `auth_methods` and `allowed_auth_methods` fields for more details.
        member_password_id:
          type: string
          description: Globally unique UUID that identifies a Member's password.
        oauth_registrations:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_OAuthRegistration'
          description: A list of OAuth registrations for this member.
        email_address_verified:
          type: boolean
          description: Whether or not the Member's email address is verified.
        mfa_phone_number_verified:
          type: boolean
          description: Whether or not the Member's phone number is verified.
        is_admin:
          type: boolean
          description: >-
            Whether or not the Member has the `stytch_admin` Role. This Role is
            automatically granted to Members
              who create an Organization through the [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
              [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
        totp_registration_id:
          type: string
          description: Globally unique UUID that identifies a TOTP instance.
        retired_email_addresses:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_RetiredEmail'
          description: |2-

              A list of retired email addresses for this member.
              A previously active email address can be marked as retired in one of two ways:
              - It's replaced with a new primary email address during an explicit Member update.
              - A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the
              Member's primary email address and the old primary email address is retired.
             
              A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email
              addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked
              using the [Unlink Retired Email endpoint](https://stytch.com/docs/b2b/api/unlink-retired-member-email).
              
        is_locked:
          type: boolean
          description: >-
            Whether the Member is temporarily locked due to too many failed
            authentication attempts. See the [User Locking
            Guide](https://stytch.com/docs/resources/platform/user-locks) for
            more information.
        mfa_enrolled:
          type: boolean
          description: >-
            Sets whether the Member is enrolled in MFA. If true, the Member must
            complete an MFA step whenever they wish to log in to their
            Organization. If false, the Member only needs to complete an MFA
            step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
        mfa_phone_number:
          type: string
          description: >-
            The Member's phone number. A Member may only have one phone number.
            The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
        default_mfa_method:
          type: string
          description: >-
            The Member's default MFA method. This value is used to determine
            which secondary MFA method to use in the case of multiple methods
            registered for a Member. The current possible values are `sms_otp`
            and `totp`.
        roles:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_MemberRole'
          description: >-
            Explicit or implicit Roles assigned to this Member, along with
            details about the role assignment source.
               See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
        trusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object for storing application-specific data or
            identity-provider-specific data.
        untrusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object of application-specific data. These fields
            can be edited directly by the
              frontend SDK, and should not be used to store critical information. See the [Metadata resource](https://stytch.com/docs/b2b/api/metadata)
              for complete field behavior details.
        created_at:
          type: string
          description: >-
            The timestamp of the Member's creation. Values conform to the RFC
            3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        updated_at:
          type: string
          description: >-
            The timestamp of when the Member was last updated. Values conform to
            the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        scim_registration:
          $ref: '#/components/schemas/api_organization_v1_SCIMRegistration'
          description: >-
            A scim member registration, referencing a [SCIM
            Connection](https://stytch.com/docs/b2b/api/scim-connection-object)
            object in use for the Member creation.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        lock_created_at:
          type: string
          description: >-
            When the member lock was created, if there is one. Values conform to
            the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        lock_expires_at:
          type: string
          description: >-
            When the member lock expires, if there is one. Values conform to the
            RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
      required:
        - organization_id
        - member_id
        - email_address
        - status
        - name
        - sso_registrations
        - is_breakglass
        - member_password_id
        - oauth_registrations
        - email_address_verified
        - mfa_phone_number_verified
        - is_admin
        - totp_registration_id
        - retired_email_addresses
        - is_locked
        - mfa_enrolled
        - mfa_phone_number
        - default_mfa_method
        - roles
    api_organization_v1_ResultsMetadata:
      type: object
      properties:
        total:
          type: integer
          format: int32
          description: >-
            The total number of results returned by your search query. If totals
            have been disabled for your Stytch Workspace to improve search
            performance, the value will always be -1.
        next_cursor:
          type: string
          description: >-
            The `next_cursor` string is returned when your search result
            contains more than one page of results. This value is passed into
            your next search call in the `cursor` field.
      required:
        - total
    api_organization_v1_Organization:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        organization_name:
          type: string
          description: >-
            The name of the Organization. Must be between 1 and 128 characters
            in length.
        organization_logo_url:
          type: string
          description: The image URL of the Organization logo.
        organization_slug:
          type: string
          description: >-
            The unique URL slug of the Organization. The slug only accepts
            alphanumeric characters and the following reserved characters: `-`
            `.` `_` `~`. Must be between 2 and 128 characters in length.
            Wherever an organization_id is expected in a path or request
            parameter, you may also use the organization_slug as a convenience.
        sso_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls the JIT provisioning of
            Members when authenticating via SSO. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
             
              `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
             
              `NOT_ALLOWED` – disable JIT provisioning via SSO.
              
        sso_jit_provisioning_allowed_connections:
          type: array
          items:
            type: string
          description: >-
            An array of `connection_id`s that reference [SAML Connection
            objects](https://stytch.com/docs/b2b/api/saml-connection-object).
              Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.
        sso_active_connections:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_ActiveSSOConnection'
          description: >-
            An array of active [SAML Connection
            references](https://stytch.com/docs/b2b/api/saml-connection-object)
            or [OIDC Connection
            references](https://stytch.com/docs/b2b/api/oidc-connection-object).
        email_allowed_domains:
          type: array
          items:
            type: string
          description: >-
            An array of email domains that allow invites or JIT provisioning for
            new Members. This list is enforced when either `email_invites` or
            `email_jit_provisioning` is set to `RESTRICTED`.
               
               
                Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
        email_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls how a new Member can be
            provisioned by authenticating via Email Magic Link or OAuth. The
            accepted values are:
             
              `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
             
              `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
              
        email_invites:
          type: string
          description: >-
            The authentication setting that controls how a new Member can be
            invited to an organization by email. The accepted values are:
             
              `ALL_ALLOWED` – any new Member can be invited to join via email.
             
              `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.
             
              `NOT_ALLOWED` – disable email invites.
              
        auth_methods:
          type: string
          description: >-
            The setting that controls which authentication methods can be used
            by Members of an Organization. The accepted values are:
             
              `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
             
              `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
              
        allowed_auth_methods:
          type: array
          items:
            type: string
          description: >-
            An array of allowed authentication methods. This list is enforced
            when `auth_methods` is set to `RESTRICTED`.
              The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
              
        mfa_policy:
          type: string
          description: >-
            The setting that controls the MFA policy for all Members in the
            Organization. The accepted values are:
             
              `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
             
              `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
              
        rbac_email_implicit_role_assignments:
          type: array
          items:
            $ref: >-
              #/components/schemas/api_organization_v1_EmailImplicitRoleAssignment
          description: |-
            Implicit role assignments based off of email domains.
              For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the
              associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
              for more information about role assignment.
        mfa_methods:
          type: string
          description: >-
            The setting that controls which MFA methods can be used by Members
            of an Organization. The accepted values are:
             
              `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
             
              `RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
              
        allowed_mfa_methods:
          type: array
          items:
            type: string
          description: >-
            An array of allowed MFA authentication methods. This list is
            enforced when `mfa_methods` is set to `RESTRICTED`.
              The list's accepted values are: `sms_otp` and `totp`.
              
        oauth_tenant_jit_provisioning:
          type: string
          description: >-
            The authentication setting that controls how a new Member can JIT
            provision into an organization by tenant. The accepted values are:
             
              `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
             
              `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
              
        claimed_email_domains:
          type: array
          items:
            type: string
          description: A list of email domains that are claimed by the Organization.
        first_party_connected_apps_allowed_type:
          type: string
          description: >-
            The authentication setting that sets the Organization's policy
            towards first party Connected Apps. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
             
              `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
             
              `NOT_ALLOWED` – no first party Connected Apps are permitted.
              
        allowed_first_party_connected_apps:
          type: array
          items:
            type: string
          description: >-
            An array of first party Connected App IDs that are allowed for the
            Organization. Only used when the Organization's
            `first_party_connected_apps_allowed_type` is `RESTRICTED`.
        third_party_connected_apps_allowed_type:
          type: string
          description: >-
            The authentication setting that sets the Organization's policy
            towards third party Connected Apps. The accepted values are:
             
              `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
             
              `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
             
              `NOT_ALLOWED` – no third party Connected Apps are permitted.
              
        allowed_third_party_connected_apps:
          type: array
          items:
            type: string
          description: >-
            An array of third party Connected App IDs that are allowed for the
            Organization. Only used when the Organization's
            `third_party_connected_apps_allowed_type` is `RESTRICTED`.
        custom_roles:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_CustomRole'
        trusted_metadata:
          type: object
          additionalProperties: true
          description: >-
            An arbitrary JSON object for storing application-specific data or
            identity-provider-specific data.
        created_at:
          type: string
          description: >-
            The timestamp of the Organization's creation. Values conform to the
            RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        updated_at:
          type: string
          description: >-
            The timestamp of when the Organization was last updated. Values
            conform to the RFC 3339 standard and are expressed in UTC, e.g.
            `2021-12-29T12:33:09Z`.
        organization_external_id:
          type: string
          description: A unique identifier for the organization.
        sso_default_connection_id:
          type: string
          description: >-
            The default connection used for SSO when there are multiple active
            connections.
        scim_active_connection:
          $ref: '#/components/schemas/api_organization_v1_ActiveSCIMConnection'
          description: >-
            An active [SCIM Connection
            references](https://stytch.com/docs/b2b/api/scim-connection-object).
        allowed_oauth_tenants:
          type: object
          additionalProperties: true
          description: >-
            A map of allowed OAuth tenants. If this field is not passed in, the
            Organization will not allow JIT provisioning by OAuth Tenant.
            Allowed keys are "slack", "hubspot", and "github".
      required:
        - organization_id
        - organization_name
        - organization_logo_url
        - organization_slug
        - sso_jit_provisioning
        - sso_jit_provisioning_allowed_connections
        - sso_active_connections
        - email_allowed_domains
        - email_jit_provisioning
        - email_invites
        - auth_methods
        - allowed_auth_methods
        - mfa_policy
        - rbac_email_implicit_role_assignments
        - mfa_methods
        - allowed_mfa_methods
        - oauth_tenant_jit_provisioning
        - claimed_email_domains
        - first_party_connected_apps_allowed_type
        - allowed_first_party_connected_apps
        - third_party_connected_apps_allowed_type
        - allowed_third_party_connected_apps
        - custom_roles
    api_organization_v1_organizations_SearchQueryOperator:
      type: string
      enum:
        - OR
        - AND
    api_organization_v1_SSORegistration:
      type: object
      properties:
        connection_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        registration_id:
          type: string
          description: The unique ID of an SSO Registration.
        sso_attributes:
          type: object
          additionalProperties: true
          description: >-
            An object for storing SSO attributes brought over from the identity
            provider.
      required:
        - connection_id
        - external_id
        - registration_id
    api_organization_v1_OAuthRegistration:
      type: object
      properties:
        provider_type:
          type: string
          description: >-
            Denotes the OAuth identity provider that the user has authenticated
            with, e.g. Google, Microsoft, GitHub etc.
        provider_subject:
          type: string
          description: >-
            The unique identifier for the User within a given OAuth provider.
            Also commonly called the `sub` or "Subject field" in OAuth
            protocols.
        member_oauth_registration_id:
          type: string
          description: The unique ID of an OAuth registration.
        profile_picture_url:
          type: string
          description: >-
            If available, the `profile_picture_url` is a URL of the User's
            profile picture set in OAuth identity the provider that the User has
            authenticated with, e.g. Google profile picture.
        locale:
          type: string
          description: >-
            If available, the `locale` is the Member's locale set in the OAuth
            identity provider that the user has authenticated with.
      required:
        - provider_type
        - provider_subject
        - member_oauth_registration_id
    api_organization_v1_RetiredEmail:
      type: object
      properties:
        email_id:
          type: string
          description: The globally unique UUID of a Member's email.
        email_address:
          type: string
          description: The email address of the Member.
      required:
        - email_id
        - email_address
    api_organization_v1_MemberRole:
      type: object
      properties:
        role_id:
          type: string
          description: >-
            The unique identifier of the RBAC Role, provided by the developer
            and intended to be human-readable.

              Reserved `role_id`s that are predefined by Stytch include:

              * `stytch_member`
              * `stytch_admin`

              Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.

              
        sources:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_MemberRoleSource'
          description: >-
            A list of sources for this role assignment. A role assignment can
            come from multiple sources - for example, the Role could be both
            explicitly assigned and implicitly granted from the Member's email
            domain.
      required:
        - role_id
        - sources
    api_organization_v1_SCIMRegistration:
      type: object
      properties:
        connection_id:
          type: string
          description: The ID of the SCIM connection.
        registration_id:
          type: string
          description: The unique ID of a SCIM Registration.
        external_id:
          type: string
          description: The ID of the member given by the identity provider.
        scim_attributes:
          $ref: '#/components/schemas/api_b2b_scim_v1_SCIMAttributes'
          description: >-
            An object for storing SCIM attributes brought over from the identity
            provider.
      required:
        - connection_id
        - registration_id
    api_organization_v1_ActiveSSOConnection:
      type: object
      properties:
        connection_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        identity_provider:
          type: string
      required:
        - connection_id
        - display_name
        - identity_provider
    api_organization_v1_EmailImplicitRoleAssignment:
      type: object
      properties:
        domain:
          type: string
          description: Email domain that grants the specified Role.
        role_id:
          type: string
          description: >-
            The unique identifier of the RBAC Role, provided by the developer
            and intended to be human-readable.

              Reserved `role_id`s that are predefined by Stytch include:

              * `stytch_member`
              * `stytch_admin`

              Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.

              
      required:
        - domain
        - role_id
    api_organization_v1_CustomRole:
      type: object
      properties:
        role_id:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/api_organization_v1_CustomRolePermission'
      required:
        - role_id
        - description
        - permissions
    api_organization_v1_ActiveSCIMConnection:
      type: object
      properties:
        connection_id:
          type: string
          description: The ID of the SCIM connection.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        bearer_token_last_four:
          type: string
        bearer_token_expires_at:
          type: string
      required:
        - connection_id
        - display_name
        - bearer_token_last_four
    api_organization_v1_MemberRoleSource:
      type: object
      properties:
        type:
          type: string
          description: |-
            The type of role assignment. The possible values are:
             
              `direct_assignment` – an explicitly assigned Role.

              Directly assigned roles can be updated by passing in the `roles` argument to the
              [Update Member](https://stytch.com/docs/b2b/api/update-member) endpoint.
             
              `email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method.

              Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to
              the [Update Organization](https://stytch.com/docs/b2b/api/update-organization) endpoint.
             
              `sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available
              for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this
              role assignment will appear in the list. However, for authorization check purposes (in
              [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint that enforces RBAC with session
              headers), the Member will only be granted the Role if their session contains an authentication factor with the
              specified SAML connection.

              SAML connection implicit role assignments can be updated by passing in the
              `saml_connection_implicit_role_assignments` argument to the
              [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.
             
              `sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only
              available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given
              connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However,
              for authorization check purposes (in [sessions authenticate](https://stytch.com/docs/b2b/api/authenticate-session) or in any endpoint
              that enforces RBAC with session headers), the Member will only be granted the role if their session contains an
              authentication factor with the specified SAML connection.

              SAML group implicit role assignments can be updated by passing in the `saml_group_implicit_role_assignments`
              argument to the [Update SAML connection](https://stytch.com/docs/b2b/api/update-saml-connection) endpoint.

                `scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has
              a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.

              SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments`
              argument to the [Update SCIM connection](https://stytch.com/docs/b2b/api/update-scim-connection) endpoint.
              
        details:
          type: object
          additionalProperties: true
          description: >-
            An object containing additional metadata about the source
            assignment. The fields will vary depending
              on the role assignment type as follows:
             
              `direct_assignment` – no additional details.
             
              `email_assignment` – will contain the email domain that granted the assignment.
              
              `sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment.
             
              `sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the `group`
              that granted the assignment.
             
              `scim_connection_group` – will contain the `connection_id` of the SAML connection and the `group_id`
              that granted the assignment.
              
      required:
        - type
    api_b2b_scim_v1_SCIMAttributes:
      type: object
      properties:
        user_name:
          type: string
        id:
          type: string
        external_id:
          type: string
        active:
          type: boolean
        groups:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Group'
        display_name:
          type: string
        nick_name:
          type: string
        profile_url:
          type: string
        user_type:
          type: string
        title:
          type: string
        preferred_language:
          type: string
        locale:
          type: string
        timezone:
          type: string
        emails:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Email'
        phone_numbers:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_PhoneNumber'
        addresses:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Address'
        ims:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_IMs'
        photos:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Photo'
        entitlements:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Entitlement'
        roles:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_Role'
        x509certificates:
          type: array
          items:
            $ref: '#/components/schemas/api_b2b_scim_v1_X509Certificate'
        name:
          $ref: '#/components/schemas/api_b2b_scim_v1_Name'
        enterprise_extension:
          $ref: '#/components/schemas/api_b2b_scim_v1_EnterpriseExtension'
      required:
        - user_name
        - id
        - external_id
        - active
        - groups
        - display_name
        - nick_name
        - profile_url
        - user_type
        - title
        - preferred_language
        - locale
        - timezone
        - emails
        - phone_numbers
        - addresses
        - ims
        - photos
        - entitlements
        - roles
        - x509certificates
    api_organization_v1_CustomRolePermission:
      type: object
      properties:
        resource_id:
          type: string
        actions:
          type: array
          items:
            type: string
      required:
        - resource_id
        - actions
    api_b2b_scim_v1_Group:
      type: object
      properties:
        value:
          type: string
        display:
          type: string
      required:
        - value
        - display
    api_b2b_scim_v1_Email:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_PhoneNumber:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Address:
      type: object
      properties:
        formatted:
          type: string
        street_address:
          type: string
        locality:
          type: string
        region:
          type: string
        postal_code:
          type: string
        country:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - formatted
        - street_address
        - locality
        - region
        - postal_code
        - country
        - type
        - primary
    api_b2b_scim_v1_IMs:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Photo:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Entitlement:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Role:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_X509Certificate:
      type: object
      properties:
        value:
          type: string
        type:
          type: string
        primary:
          type: boolean
      required:
        - value
        - type
        - primary
    api_b2b_scim_v1_Name:
      type: object
      properties:
        formatted:
          type: string
        family_name:
          type: string
        given_name:
          type: string
        middle_name:
          type: string
        honorific_prefix:
          type: string
        honorific_suffix:
          type: string
      required:
        - formatted
        - family_name
        - given_name
        - middle_name
        - honorific_prefix
        - honorific_suffix
    api_b2b_scim_v1_EnterpriseExtension:
      type: object
      properties:
        employee_number:
          type: string
        cost_center:
          type: string
        division:
          type: string
        department:
          type: string
        organization:
          type: string
        manager:
          $ref: '#/components/schemas/api_b2b_scim_v1_Manager'
      required:
        - employee_number
        - cost_center
        - division
        - department
        - organization
    api_b2b_scim_v1_Manager:
      type: object
      properties:
        value:
          type: string
        ref:
          type: string
        display_name:
          type: string
      required:
        - value
        - ref
        - display_name
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````