> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Update Organization
> Update an Organization using the Stytch B2B API.
export const action_0 = "update"
export const resource_0 = "Organization"
export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";
export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";
Updates an Organization specified by `organization_id`.
An Organization must always have at least one authentication setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. See the [Org management guides](/multi-tenant-auth/enterprise-ready/org-management/configure-auth-methods) for information on allowed authentication methods and member provisioning.
**RBAC Enforced API**
If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the **{action_0} Action** on the **{resource_0} Resource** prior to honoring the request.
To learn more, see the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac).
## OpenAPI
````yaml PUT /v1/b2b/organizations/{organization_id}
openapi: 3.0.3
info:
title: Stytch API
description: The Stytch API provides endpoints for authentication and user management.
version: 2.1.1
contact:
name: Stytch Support
url: https://stytch.com/docs
email: support@stytch.com
servers:
- url: https://api.stytch.com
description: Production server
- url: https://test.stytch.com
description: Test server
security:
- basicAuth: []
paths:
/v1/b2b/organizations/{organization_id}:
put:
tags:
- Organization
summary: Update
description: >-
Updates an Organization specified by `organization_id`. An Organization
must always have at least one auth setting set to either `RESTRICTED` or
`ALL_ALLOWED` in order to provision new Members.
*See the [Organization authentication
settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to
learn more about fields like `email_jit_provisioning`, `email_invites`,
`sso_jit_provisioning`, etc., and their behaviors.
operationId: api_organization_v1_Update
parameters:
- name: organization_id
in: path
required: true
schema:
type: string
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
- name: X-Stytch-Member-Session
in: header
required: false
description: >-
A Stytch session that can be used to run the request with the given
member's permissions.
schema:
type: string
- name: X-Stytch-Member-SessionJWT
in: header
required: false
description: >-
A Stytch Session JSON Web Token (JWT) that can be used to run the
request with the given member's permissions.
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/api_organization_v1_UpdateRequest'
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/api_organization_v1_UpdateResponse'
'400':
description: Bad request
'401':
description: Unauthorized
content:
application/json:
example:
status_code: 401
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: unauthorized_credentials
error_message: Unauthorized credentials.
error_url: https://stytch.com/docs/api/errors/401
'429':
description: Too Many Requests
content:
application/json:
example:
status_code: 429
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: too_many_requests
error_message: Too many requests have been made.
error_url: https://stytch.com/docs/api/errors/429
'500':
description: Internal server error
content:
application/json:
example:
status_code: 500
request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
error_type: internal_server_error
error_message: >-
Oops, something seems to have gone wrong, please reach out to
support@stytch.com to let us know what went wrong.
error_url: https://stytch.com/docs/api/errors/500
x-code-samples:
- lang: csharp
label: C#
source: |-
// PUT /v1/b2b/organizations/{organization_id}
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: '${projectId}',
secret: '${secret}',
});
const params = {
organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organization_name: "Example Org Inc.",
organization_external_id: "my-new-external-id",
email_jit_provisioning: "ALL_ALLOWED",
};
const options = {
authorization: {
session_token: '${sessionToken}',
},
};
client.Organizations.Update(params, options)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });
- lang: go
label: Go
source: "// PUT /v1/b2b/organizations/{organization_id}\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/organizations\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/methodoptions\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &organizations.UpdateParams{\n\t\tOrganizationID: \"organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931\",\n\t\tOrganizationName: \"Example Org Inc.\",\n\t\tOrganizationExternalID: \"my-new-external-id\",\n\t\tEmailJITProvisioning: \"ALL_ALLOWED\",\n\t}\n\n\toptions := &organizations.UpdateParamsOptions{\n\t\tAuthorization: methodoptions.Authorization{\n\t\t\tSessionToken: \"${sessionToken}\",\n\t\t},\n\t}\n\n\tresp, err := client.Organizations.Update(context.Background(), params, options)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
- lang: java
label: Java
source: >-
// PUT /v1/b2b/organizations/{organization_id}
package com.example;
import com.stytch.java.b2b.models.organizations.UpdateRequest;
import
com.stytch.java.b2b.models.organizations.UpdateRequestOptions;
import com.stytch.java.b2b.StytchB2BClient;
import com.stytch.java.common.methodoptions.Authorization;
import com.stytch.java.common.StytchResult;
public class Main {
public static void main(String[] args) {
StytchB2BClient.configure("${projectId}", "${secret}");
UpdateRequest params = new UpdateRequest();
params.setOrganizationId("organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931");
params.setOrganizationName("Example Org Inc.");
params.setOrganizationExternalId("my-new-external-id");
params.setEmailJITProvisioning("ALL_ALLOWED");
UpdateRequestOptions options = new UpdateRequestOptions();
Authorization authorization = new Authorization();
authorization.setSessionToken("${sessionToken}");
options.setAuthorization(authorization);
Object result = StytchB2BClient.getOrganizations().update(params, options);
if (result instanceof StytchResult.Success) {
System.out.println(((StytchResult.Success) result).getValue());
} else {
System.out.println(((StytchResult.Error) result).getException());
}
}
}
- lang: kotlin
label: Kotlin
source: |
// PUT /v1/b2b/organizations/{organization_id}
package com.example
import com.stytch.java.b2b.StytchB2BClient
import com.stytch.java.b2b.models.organizations.UpdateRequest
import com.stytch.java.b2b.models.organizations.UpdateRequestOptions
import com.stytch.java.common.methodoptions.Authorization
fun main() {
StytchB2BClient.configure(
projectId = "${projectId}",
secret = "${secret}",
)
when (
val result =
StytchB2BClient.organizations.update(
UpdateRequest(
organizationId = "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organizationName = "Example Org Inc.",
organizationExternalId = "my-new-external-id",
emailJITProvisioning = "ALL_ALLOWED",
),
UpdateRequestOptions(
Authorization(
sessionToken = "${sessionToken}",
),
),
)
) {
is StytchResult.Success -> println(result.value)
is StytchResult.Error -> println(result.exception)
}
}
- lang: javascript
label: Node.js
source: |-
// PUT /v1/b2b/organizations/{organization_id}
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: '${projectId}',
secret: '${secret}',
});
const params = {
organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organization_name: "Example Org Inc.",
organization_external_id: "my-new-external-id",
email_jit_provisioning: "ALL_ALLOWED",
};
const options = {
authorization: {
session_token: '${sessionToken}',
},
};
client.organizations.update(params, options)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });
- lang: php
label: PHP
source: |-
$response = $client->organizations->update([
'organization_id' => 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
'organization_name' => 'Example Org Inc.',
'organization_external_id' => 'my-new-external-id',
'email_jit_provisioning' => 'ALL_ALLOWED',
], [
'authorization' => ['session_token' => '${sessionToken}'],
]);
- lang: python
label: Python
source: |
# PUT /v1/b2b/organizations/{organization_id}
from stytch import B2BClient
from stytch.b2b.models.organizations import UpdateRequestOptions
from stytch.shared.method_options import Authorization
client = B2BClient(
project_id="${projectId}",
secret="${secret}",
)
resp = client.organizations.update(
organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organization_name="Example Org Inc.",
organization_external_id="my-new-external-id",
email_jit_provisioning="ALL_ALLOWED",
method_options=UpdateRequestOptions(
authorization=Authorization(
session_token="${sessionToken}",
),
),
)
print(resp)
- lang: ruby
label: Ruby
source: |-
# frozen_string_literal: true
# PUT /v1/b2b/organizations/{organization_id}
require 'stytch'
client = StytchB2B::Client.new(
project_id: "${projectId}",
secret: "${secret}"
)
resp = client.organizations.update(
organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organization_name: "Example Org Inc.",
organization_external_id: "my-new-external-id",
email_jit_provisioning: "ALL_ALLOWED",
method_options: StytchB2B::Organizations::UpdateRequestOptions.new(
authorization: Stytch::MethodOptions::Authorization.new(session_token: '${sessionToken}')
)
)
puts resp
- lang: rust
label: Rust
source: |-
// PUT /v1/b2b/organizations/{organization_id}
use stytch::b2b::client::Client;
use stytch::b2b::organizations::UpdateRequest;
fn main() {
let client = Client::new("${projectId}", "${secret}").unwrap();
let resp = client.organizations.update(
UpdateRequest{
organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
organization_name: Some(String::from("Example Org Inc.")),
organization_external_id: Some(String::from("my-new-external-id")),
email_jit_provisioning: Some(String::from("ALL_ALLOWED")),
..Default::default()
}
).await;
println!("The response is {:?}", resp);
}
- lang: bash
label: cURL
source: |-
# PUT /v1/b2b/organizations/{organization_id}
curl --request PUT \
--url https://test.stytch.com/v1/b2b/organizations/organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931 \
-u '${projectId}:${secret}' \
-H 'Content-Type: application/json' \
-H "X-Stytch-Member-Session: ${sessionToken}" \
-d '{
"organization_name": "Example Org Inc.",
"organization_external_id": "my-new-external-id",
"email_jit_provisioning": "ALL_ALLOWED"
}'
components:
schemas:
api_organization_v1_UpdateRequest:
type: object
properties:
organization_name:
type: string
description: >-
The name of the Organization. Must be between 1 and 128 characters
in length.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.info.name` action on the `stytch.organization` Resource.
organization_slug:
type: string
description: >-
The unique URL slug of the Organization. The slug only accepts
alphanumeric characters and the following reserved characters: `-`
`.` `_` `~`. Must be between 2 and 128 characters in length.
Wherever an organization_id is expected in a path or request
parameter, you may also use the organization_slug as a convenience.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.info.slug` action on the `stytch.organization` Resource.
organization_logo_url:
type: string
description: >-
The image URL of the Organization logo.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.info.logo-url` action on the `stytch.organization` Resource.
trusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object for storing application-specific data or
identity-provider-specific data.
If a session header is passed into the request, this field may **not** be passed into the request. You cannot
update trusted metadata when acting as a Member.
organization_external_id:
type: string
description: >-
An identifier that can be used in API calls wherever a
organization_id is expected. This is a string consisting of
alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length
of 128 characters. External IDs must be unique within a project, but
may be reused across different projects in the same workspace.
sso_default_connection_id:
type: string
description: >-
The default connection used for SSO when there are multiple active
connections.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.default-sso-connection` action on the
`stytch.organization` Resource.
sso_jit_provisioning:
type: string
description: >-
The authentication setting that controls the JIT provisioning of
Members when authenticating via SSO. The accepted values are:
`ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
`RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
`NOT_ALLOWED` – disable JIT provisioning via SSO.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.sso-jit-provisioning` action on the
`stytch.organization` Resource.
sso_jit_provisioning_allowed_connections:
type: array
items:
type: string
description: >-
An array of `connection_id`s that reference [SAML Connection
objects](https://stytch.com/docs/b2b/api/saml-connection-object).
Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.sso-jit-provisioning` action on the
`stytch.organization` Resource.
email_allowed_domains:
type: array
items:
type: string
description: >-
An array of email domains that allow invites or JIT provisioning for
new Members. This list is enforced when either `email_invites` or
`email_jit_provisioning` is set to `RESTRICTED`.
Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-domains` action on the
`stytch.organization` Resource.
email_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can be
provisioned by authenticating via Email Magic Link or OAuth. The
accepted values are:
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
`NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.email-jit-provisioning` action on the
`stytch.organization` Resource.
email_invites:
type: string
description: >-
The authentication setting that controls how a new Member can be
invited to an organization by email. The accepted values are:
`ALL_ALLOWED` – any new Member can be invited to join via email.
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.
`NOT_ALLOWED` – disable email invites.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.email-invites` action on the `stytch.organization`
Resource.
auth_methods:
type: string
description: >-
The setting that controls which authentication methods can be used
by Members of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-auth-methods` action on the
`stytch.organization` Resource.
allowed_auth_methods:
type: array
items:
type: string
description: >-
An array of allowed authentication methods. This list is enforced
when `auth_methods` is set to `RESTRICTED`.
The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-auth-methods` action on the
`stytch.organization` Resource.
mfa_policy:
type: string
description: >-
The setting that controls the MFA policy for all Members in the
Organization. The accepted values are:
`REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
`OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.mfa-policy` action on the `stytch.organization`
Resource.
rbac_email_implicit_role_assignments:
type: array
items:
$ref: >-
#/components/schemas/api_organization_v1_EmailImplicitRoleAssignment
description: >-
Implicit role assignments based off of email domains.
For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the
associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
for more information about role assignment.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.implicit-roles` action on the `stytch.organization`
Resource.
mfa_methods:
type: string
description: >-
The setting that controls which MFA methods can be used by Members
of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-mfa-methods` action on the
`stytch.organization` Resource.
allowed_mfa_methods:
type: array
items:
type: string
description: >-
An array of allowed MFA authentication methods. This list is
enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-mfa-methods` action on the
`stytch.organization` Resource.
oauth_tenant_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can JIT
provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.oauth-tenant-jit-provisioning` action on the
`stytch.organization` Resource.
allowed_oauth_tenants:
type: object
additionalProperties: true
description: >-
A map of allowed OAuth tenants. If this field is not passed in, the
Organization will not allow JIT provisioning by OAuth Tenant.
Allowed keys are "slack", "hubspot", and "github".
If this field is provided and a session header is passed into the
request, the Member Session must have permission to perform the
`update.settings.allowed-oauth-tenants` action on the
`stytch.organization` Resource.
claimed_email_domains:
type: array
items:
type: string
description: A list of email domains that are claimed by the Organization.
first_party_connected_apps_allowed_type:
$ref: >-
#/components/schemas/api_organization_v1_organizations_UpdateRequestFirstPartyConnectedAppsAllowedType
description: >-
The authentication setting that sets the Organization's policy
towards first party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no first party Connected Apps are permitted.
allowed_first_party_connected_apps:
type: array
items:
type: string
description: >-
An array of first party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`first_party_connected_apps_allowed_type` is `RESTRICTED`.
third_party_connected_apps_allowed_type:
$ref: >-
#/components/schemas/api_organization_v1_organizations_UpdateRequestThirdPartyConnectedAppsAllowedType
description: >-
The authentication setting that sets the Organization's policy
towards third party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no third party Connected Apps are permitted.
allowed_third_party_connected_apps:
type: array
items:
type: string
description: >-
An array of third party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`third_party_connected_apps_allowed_type` is `RESTRICTED`.
description: Request type
api_organization_v1_UpdateResponse:
type: object
properties:
request_id:
type: string
description: >-
Globally unique UUID that is returned with every API call. This
value is important to log for debugging purposes; we may ask for
this value to help identify a specific API call when helping you
debug an issue.
organization:
$ref: '#/components/schemas/api_organization_v1_Organization'
description: >-
The [Organization
object](https://stytch.com/docs/b2b/api/organization-object).
status_code:
type: integer
format: int32
description: >-
The HTTP status code of the response. Stytch follows standard HTTP
response status code patterns, e.g. 2XX values equate to success,
3XX values are redirects, 4XX are client errors, and 5XX are server
errors.
required:
- request_id
- organization
- status_code
api_organization_v1_EmailImplicitRoleAssignment:
type: object
properties:
domain:
type: string
description: Email domain that grants the specified Role.
role_id:
type: string
description: >-
The unique identifier of the RBAC Role, provided by the developer
and intended to be human-readable.
Reserved `role_id`s that are predefined by Stytch include:
* `stytch_member`
* `stytch_admin`
Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.
required:
- domain
- role_id
api_organization_v1_organizations_UpdateRequestFirstPartyConnectedAppsAllowedType:
type: string
enum:
- ALL_ALLOWED
- RESTRICTED
- NOT_ALLOWED
api_organization_v1_organizations_UpdateRequestThirdPartyConnectedAppsAllowedType:
type: string
enum:
- ALL_ALLOWED
- RESTRICTED
- NOT_ALLOWED
api_organization_v1_Organization:
type: object
properties:
organization_id:
type: string
description: >-
Globally unique UUID that identifies a specific Organization. The
`organization_id` is critical to perform operations on an
Organization, so be sure to preserve this value. You may also use
the organization_slug or organization_external_id here as a
convenience.
organization_name:
type: string
description: >-
The name of the Organization. Must be between 1 and 128 characters
in length.
organization_logo_url:
type: string
description: The image URL of the Organization logo.
organization_slug:
type: string
description: >-
The unique URL slug of the Organization. The slug only accepts
alphanumeric characters and the following reserved characters: `-`
`.` `_` `~`. Must be between 2 and 128 characters in length.
Wherever an organization_id is expected in a path or request
parameter, you may also use the organization_slug as a convenience.
sso_jit_provisioning:
type: string
description: >-
The authentication setting that controls the JIT provisioning of
Members when authenticating via SSO. The accepted values are:
`ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
`RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
`NOT_ALLOWED` – disable JIT provisioning via SSO.
sso_jit_provisioning_allowed_connections:
type: array
items:
type: string
description: >-
An array of `connection_id`s that reference [SAML Connection
objects](https://stytch.com/docs/b2b/api/saml-connection-object).
Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.
sso_active_connections:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_ActiveSSOConnection'
description: >-
An array of active [SAML Connection
references](https://stytch.com/docs/b2b/api/saml-connection-object)
or [OIDC Connection
references](https://stytch.com/docs/b2b/api/oidc-connection-object).
email_allowed_domains:
type: array
items:
type: string
description: >-
An array of email domains that allow invites or JIT provisioning for
new Members. This list is enforced when either `email_invites` or
`email_jit_provisioning` is set to `RESTRICTED`.
Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
email_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can be
provisioned by authenticating via Email Magic Link or OAuth. The
accepted values are:
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
`NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
email_invites:
type: string
description: >-
The authentication setting that controls how a new Member can be
invited to an organization by email. The accepted values are:
`ALL_ALLOWED` – any new Member can be invited to join via email.
`RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.
`NOT_ALLOWED` – disable email invites.
auth_methods:
type: string
description: >-
The setting that controls which authentication methods can be used
by Members of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
allowed_auth_methods:
type: array
items:
type: string
description: >-
An array of allowed authentication methods. This list is enforced
when `auth_methods` is set to `RESTRICTED`.
The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
mfa_policy:
type: string
description: >-
The setting that controls the MFA policy for all Members in the
Organization. The accepted values are:
`REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
`OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
rbac_email_implicit_role_assignments:
type: array
items:
$ref: >-
#/components/schemas/api_organization_v1_EmailImplicitRoleAssignment
description: |-
Implicit role assignments based off of email domains.
For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the
associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
for more information about role assignment.
mfa_methods:
type: string
description: >-
The setting that controls which MFA methods can be used by Members
of an Organization. The accepted values are:
`ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
`RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.
allowed_mfa_methods:
type: array
items:
type: string
description: >-
An array of allowed MFA authentication methods. This list is
enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
oauth_tenant_jit_provisioning:
type: string
description: >-
The authentication setting that controls how a new Member can JIT
provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
claimed_email_domains:
type: array
items:
type: string
description: A list of email domains that are claimed by the Organization.
first_party_connected_apps_allowed_type:
type: string
description: >-
The authentication setting that sets the Organization's policy
towards first party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no first party Connected Apps are permitted.
allowed_first_party_connected_apps:
type: array
items:
type: string
description: >-
An array of first party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`first_party_connected_apps_allowed_type` is `RESTRICTED`.
third_party_connected_apps_allowed_type:
type: string
description: >-
The authentication setting that sets the Organization's policy
towards third party Connected Apps. The accepted values are:
`ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
`RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
`NOT_ALLOWED` – no third party Connected Apps are permitted.
allowed_third_party_connected_apps:
type: array
items:
type: string
description: >-
An array of third party Connected App IDs that are allowed for the
Organization. Only used when the Organization's
`third_party_connected_apps_allowed_type` is `RESTRICTED`.
custom_roles:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_CustomRole'
trusted_metadata:
type: object
additionalProperties: true
description: >-
An arbitrary JSON object for storing application-specific data or
identity-provider-specific data.
created_at:
type: string
description: >-
The timestamp of the Organization's creation. Values conform to the
RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
updated_at:
type: string
description: >-
The timestamp of when the Organization was last updated. Values
conform to the RFC 3339 standard and are expressed in UTC, e.g.
`2021-12-29T12:33:09Z`.
organization_external_id:
type: string
description: A unique identifier for the organization.
sso_default_connection_id:
type: string
description: >-
The default connection used for SSO when there are multiple active
connections.
scim_active_connection:
$ref: '#/components/schemas/api_organization_v1_ActiveSCIMConnection'
description: >-
An active [SCIM Connection
references](https://stytch.com/docs/b2b/api/scim-connection-object).
allowed_oauth_tenants:
type: object
additionalProperties: true
description: >-
A map of allowed OAuth tenants. If this field is not passed in, the
Organization will not allow JIT provisioning by OAuth Tenant.
Allowed keys are "slack", "hubspot", and "github".
required:
- organization_id
- organization_name
- organization_logo_url
- organization_slug
- sso_jit_provisioning
- sso_jit_provisioning_allowed_connections
- sso_active_connections
- email_allowed_domains
- email_jit_provisioning
- email_invites
- auth_methods
- allowed_auth_methods
- mfa_policy
- rbac_email_implicit_role_assignments
- mfa_methods
- allowed_mfa_methods
- oauth_tenant_jit_provisioning
- claimed_email_domains
- first_party_connected_apps_allowed_type
- allowed_first_party_connected_apps
- third_party_connected_apps_allowed_type
- allowed_third_party_connected_apps
- custom_roles
api_organization_v1_ActiveSSOConnection:
type: object
properties:
connection_id:
type: string
description: >-
Globally unique UUID that identifies a specific SSO `connection_id`
for a Member.
display_name:
type: string
description: A human-readable display name for the connection.
identity_provider:
type: string
required:
- connection_id
- display_name
- identity_provider
api_organization_v1_CustomRole:
type: object
properties:
role_id:
type: string
description:
type: string
permissions:
type: array
items:
$ref: '#/components/schemas/api_organization_v1_CustomRolePermission'
required:
- role_id
- description
- permissions
api_organization_v1_ActiveSCIMConnection:
type: object
properties:
connection_id:
type: string
description: The ID of the SCIM connection.
display_name:
type: string
description: A human-readable display name for the connection.
bearer_token_last_four:
type: string
bearer_token_expires_at:
type: string
required:
- connection_id
- display_name
- bearer_token_last_four
api_organization_v1_CustomRolePermission:
type: object
properties:
resource_id:
type: string
actions:
type: array
items:
type: string
required:
- resource_id
- actions
securitySchemes:
basicAuth:
type: http
scheme: basic
````