> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate JWT

> Authenticate a session using a JSON Web Token (JWT)

export const getBySlug_0 = undefined

export const jwt = "JSON Web Token: an open standard for securely transmitting information between parties as a compact and self-contained JSON object.";

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

Given a Session <Tooltip tip={jwt}>JWT</Tooltip>, this method authenticates the Session and, if `session_duration_minutes` is specified, extends the Session's lifetime by that many minutes. If `session_duration_minutes` is not specified, the Session is not extended. A Session can only be extended when the call actually reaches the Stytch API; a JWT that is validated locally (see below) never changes the Session's lifetime.

<Note>
  This method is only available when using our backend SDKs.

  If you are looking for client-side JWT authentication, use the frontend SDKs' [Authenticate Session](/api-reference/b2b/api/sessions/authenticate-session) endpoint instead.
</Note>

If you provide a JWT that is expired according to its `exp` claim, a new JWT will be returned as long as both the signature and the underlying Session are still valid. See our [JWT guides](/multi-tenant-auth/manage-sessions/jwts-and-tokens#using-session-jwts) for more information.

If the JWT is older than `max_token_age_seconds` or if the JWT is expired, this method will communicate with the Stytch API to authenticate the session. Otherwise, **the JWT will be validated locally**.

## Local JWT validation

If you do not provide a `max_token_age_seconds` parameter, the `authenticateJwt` method only communicates with the Stytch API once the JWT has expired (Stytch Session JWTs expire five minutes after they are issued). Until then the JWT is accepted on the strength of its signature and claims alone, so a Session that has been revoked in the meantime, or whose Roles have since changed, continues to be accepted with its old claims for up to five minutes. This is the security risk inherent to local JWT validation. Specifying a `max_token_age_seconds` parameter of less than five minutes bounds that window by forcing a round trip to the Stytch API more frequently.

We recommend relying primarily on this method rather than [`authenticateSession`](/api-reference/b2b/api/sessions/authenticate-session): it handles the local-validation-versus-remote-authentication logic for you, returning quickly from local validation while the JWT is unexpired and younger than `max_token_age_seconds`, and authenticating the underlying Session with Stytch only when necessary.

## Authorization

If an `authorization_check` is passed in, this method will also check if the <Tooltip tip={member}>Member</Tooltip> is authorized to perform the given action on the given Resource in the specified <Tooltip tip={organization}>Organization</Tooltip>. A Member is authorized if:

* their Member Session contains a Role, assigned [explicitly or implicitly](/multi-tenant-auth/enterprise-ready/rbac/assigning-roles-to-members), with adequate permissions.
* the `organization_id` passed in the authorization check matches Member Session's Organization.

If either condition is not met, a `403` error will be thrown. Otherwise, the response will contain the list of Roles that satisfied the authorization check.
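The two conditions above, as an added example (not Stytch code) evaluated in Node.js against constructed data. It also models the rule given under the Member object's `roles.sources.type` field, that an `sso_connection` or `sso_connection_group` Role only counts for authorization when the Session contains an authentication factor from that SAML connection. The policy layout, the `"*"` wildcard action, the `saml_connection_id` factor field and every ID are assumptions of this model, not Stytch's exact object shapes.

```javascript
// Added example (not Stytch code): how an authorization_check is evaluated against a
// Member Session. Policy layout, the "*" wildcard action, the saml_connection_id factor
// field and every ID are assumptions of this model, not Stytch's exact object shapes.

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = "AuthorizationError";
    this.status = 403;
  }
}

// Constructed RBAC policy: role_id -> permissions on Resources.
const POLICY = {
  stytch_member: [{ resource_id: "documents", actions: ["read"] }],
  editor: [{ resource_id: "documents", actions: ["read", "write"] }],
  stytch_admin: [{ resource_id: "documents", actions: ["*"] }, { resource_id: "billing", actions: ["*"] }],
};

// Roles the Session actually carries. Direct, email and SCIM sources always apply;
// sso_connection and sso_connection_group apply only when the Session holds an
// authentication factor from that SAML connection.
function sessionRoles(member, memberSession) {
  const samlConnectionsInSession = new Set(
    memberSession.authentication_factors
      .filter((f) => f.type === "sso" && f.saml_connection_id) // assumed factor shape
      .map((f) => f.saml_connection_id),
  );
  const needsSamlFactor = (src) => src.type === "sso_connection" || src.type === "sso_connection_group";
  return member.roles
    .filter((role) => role.sources.some((src) =>
      needsSamlFactor(src) ? samlConnectionsInSession.has(src.details.connection_id) : true))
    .map((role) => role.role_id);
}

function checkAuthorization(memberSession, roles, { organization_id, resource, action }, policy = POLICY) {
  // Tenant isolation comes first: a valid Session for another Organization is a 403,
  // never a cross-tenant policy lookup.
  if (memberSession.organization_id !== organization_id) {
    throw new AuthorizationError(`session belongs to ${memberSession.organization_id}, not ${organization_id}`);
  }
  const granting = roles.filter((roleId) =>
    (policy[roleId] ?? []).some((perm) =>
      perm.resource_id === resource && (perm.actions.includes(action) || perm.actions.includes("*"))));
  if (granting.length === 0) throw new AuthorizationError(`no Role grants ${action} on ${resource}`);
  return { authorized: true, granting_roles: granting };
}

// Maps the outcome to the HTTP-style status the method surfaces (403 on failure).
function evaluate(member, memberSession, check) {
  try {
    return { status: 200, ...checkAuthorization(memberSession, sessionRoles(member, memberSession), check) };
  } catch (err) {
    if (err instanceof AuthorizationError) return { status: 403, error: err.message };
    throw err;
  }
}

// Constructed sample data; every ID is hypothetical.
const ORG = "organization-test-1";
const member = {
  member_id: "member-test-1",
  organization_id: ORG,
  roles: [
    { role_id: "stytch_member", sources: [{ type: "direct_assignment", details: {} }] },
    { role_id: "editor", sources: [{ type: "sso_connection", details: { connection_id: "saml-connection-test-1" } }] },
  ],
};
const samlSession = {
  organization_id: ORG,
  authentication_factors: [{ type: "sso", saml_connection_id: "saml-connection-test-1" }],
};
const passwordSession = { organization_id: ORG, authentication_factors: [{ type: "password" }] };

function demoAuthorization() {
  const docs = (organization_id, action) => ({ organization_id, resource: "documents", action });
  return {
    samlWrite: evaluate(member, samlSession, docs(ORG, "write")),                  // status 200, granting_roles ["editor"]
    passwordWrite: evaluate(member, passwordSession, docs(ORG, "write")).status,    // 403: the SSO-sourced Role is absent
    passwordRead: evaluate(member, passwordSession, docs(ORG, "read")).granting_roles, // ["stytch_member"]
    otherOrg: evaluate(member, samlSession, docs("organization-test-2", "read")).status, // 403: wrong tenant
  };
}
```

Order matters: the `organization_id` comparison runs before any Role lookup, so a Session that is perfectly valid for another tenant is rejected without consulting the policy at all. The `passwordWrite` case shows why the SSO gating exists: the same Member holds the `editor` Role on paper, but a Session established with a password rather than through the SAML connection does not carry it.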

### Request Parameters

<ParamField path="session_jwt" type="string" required="true">
  The Session JWT to authenticate.
</ParamField>

<ParamField path="authorization_check" type="object">
  If included, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned explicitly or implicitly, with adequate permissions. In addition, the `organization_id` passed in the authorization check must match the Member's Organization.

  <Expandable title="properties">
    <ParamField path="organization_id" type="string" required="true">
      The Organization ID in which to check the Member's authorization.
    </ParamField>

    <ParamField path="resource" type="string" required="true">
      The unique identifier of the RBAC Resource.
    </ParamField>

    <ParamField path="action" type="string" required="true">
      The action to take on the specified Resource.
    </ParamField>
  </Expandable>
</ParamField>

<ParamField path="max_token_age_seconds" type="number" required={false}>
  If set, remote verification will be forced if the JWT was issued more than that many seconds ago (based on the `iat` claim).
</ParamField>

### Response

<ResponseField name="member_session" type="object" required={true}>
  The [Session object](/api-reference/b2b/api/sessions/session-object) associated with the authenticated JWT.

  <Expandable title="properties">
    <ResponseField name="member_session_id" type="string">
      Globally unique UUID that identifies a specific member session.
    </ResponseField>

    <ResponseField name="member_id" type="string">
      The ID of the Member that the Member Session belongs to.
    </ResponseField>

    <ResponseField name="organization_id" type="string">
      The ID of the Organization that the Member Session belongs to.
    </ResponseField>

    <ResponseField name="started_at" type="string">
      The timestamp of the session's creation.
      Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
    </ResponseField>

    <ResponseField name="last_accessed_at" type="string">
      The timestamp of the last time the session was accessed.
      Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
    </ResponseField>

    <ResponseField name="expires_at" type="string">
      The timestamp of the session's expiration.
      Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
    </ResponseField>

    <ResponseField name="authentication_factors" type="array">
      All the authentication factors that have been associated with the current member session.

      <Expandable title="properties">
        <ResponseField name="delivery_method" type="string">
          The delivery method of the authentication factor. Possible values are:

          * `email`
          * `sms`
          * `whatsapp`
          * `oauth_google`
          * `oauth_microsoft`
          * `oauth_hubspot`
          * `oauth_slack`
          * `oauth_github`
        </ResponseField>

        <ResponseField name="type" type="string">
          The type of authentication factor.
        </ResponseField>

        <ResponseField name="last_authenticated_at" type="string">
          The timestamp of the last time the authentication factor was authenticated.
          Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        </ResponseField>

        <ResponseField name="created_at" type="string">
          The timestamp of the creation of the authentication factor.
          Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
        </ResponseField>

        <ResponseField name="sequence_order" type="string">
          The sequence order of the authentication factor.  Value will be `PRIMARY` or `SECONDARY`.
        </ResponseField>

        <ResponseField name="email_factor" type="object">
          If `delivery_method` is `email`, this will be the email factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="email_address" type="string">
              The email address of the email factor.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="phone_number_factor" type="object">
          If `delivery_method` is `sms` or `whatsapp`, this will be the phone number factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="phone_id" type="string">
              The ID of the phone number factor.
            </ResponseField>

            <ResponseField name="phone_number" type="string">
              The phone number of the phone number factor.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="google_oauth_factor" type="object">
          If `delivery_method` is `oauth_google`, this will be the Google OAuth factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="id" type="string">
              The ID of the Google OAuth factor.
            </ResponseField>

            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="provider_subject" type="string">
              The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="microsoft_oauth_factor" type="object">
          If `delivery_method` is `oauth_microsoft`, this will be the Microsoft OAuth factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="id" type="string">
              The ID of the Microsoft OAuth factor.
            </ResponseField>

            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="provider_subject" type="string">
              The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="hubspot_oauth_factor" type="object">
          If `delivery_method` is `oauth_hubspot`, this will be the Hubspot OAuth factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="id" type="string">
              The ID of the Hubspot OAuth factor.
            </ResponseField>

            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="provider_subject" type="string">
              The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="slack_oauth_factor" type="object">
          If `delivery_method` is `oauth_slack`, this will be the Slack OAuth factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="id" type="string">
              The ID of the Slack OAuth factor.
            </ResponseField>

            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="provider_subject" type="string">
              The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="github_oauth_factor" type="object">
          If `delivery_method` is `oauth_github`, this will be the GitHub OAuth factor, else `null`.

          <Expandable title="properties">
            <ResponseField name="id" type="string">
              The ID of the GitHub OAuth factor.
            </ResponseField>

            <ResponseField name="email_id" type="string">
              The ID of the email factor.
            </ResponseField>

            <ResponseField name="provider_subject" type="string">
              The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
            </ResponseField>
          </Expandable>
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="custom_claims" type="object | null">
      A map of the custom claims associated with the session.
      After claims have been added to a session, call `stytch.session.authenticate` to refresh the session state client-side.
      See our [Using Sessions Custom Claims](/multi-tenant-auth/manage-sessions/custom-claims) guide for more information.
      If no claims are set, this field will be `null`.
    </ResponseField>

    <ResponseField name="roles" type="string[]">
      The roles that have been assigned to the current member session.
    </ResponseField>

    <ResponseField name="organization_slug" type="string">
      The slug of the Organization that the Member Session belongs to.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="session_jwt" type="string" required={true}>
  A new JWT for the authenticated Session.
</ResponseField>

<ResponseField name="session_token" type="string">
  An opaque Session token for the authenticated Session.

  Will only be returned when remote JWT authentication occurs.
</ResponseField>

<ResponseField name="member" type="object">
  The Member object associated with the authenticated Session.

  Will only be returned when remote JWT authentication occurs.

  <Expandable title="properties">
    <ResponseField name="organization_id" type="string">
      Globally unique UUID that identifies a specific Organization.
    </ResponseField>

    <ResponseField name="member_id" type="string">
      Globally unique UUID that identifies a specific Member.
    </ResponseField>

    <ResponseField name="external_id" type="string">
      The ID of the Member given by the identity provider.
    </ResponseField>

    <ResponseField name="email_address" type="string">
      The email address of the Member.
    </ResponseField>

    <ResponseField name="email_address_verified" type="boolean">
      Whether or not the Member's email address is verified.
    </ResponseField>

    <ResponseField name="status" type="string">
      The status of the Member. The possible values are: `pending`, `invited`, `active`, or `deleted`.
    </ResponseField>

    <ResponseField name="name" type="string">
      The name of the Member.
    </ResponseField>

    <ResponseField name="sso_registration" type="object[]">
      An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.

      <Expandable title="sso_registration properties">
        <ResponseField name="connection_id" type="string">
          Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
        </ResponseField>

        <ResponseField name="registration_id" type="string">
          The unique ID of an SSO Registration.
        </ResponseField>

        <ResponseField name="external_id" type="string">
          The ID of the Member given by the identity provider.
        </ResponseField>

        <ResponseField name="sso_attributes" type="object">
          An object for storing SSO attributes brought over from the identity provider.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="scim_registration" type="object">
      The SCIM registration associated with this Member.

      <Expandable title="scim_registration properties">
        <ResponseField name="connection_id" type="string">
          The id of the SCIM Connection.
        </ResponseField>

        <ResponseField name="registration_id" type="string">
          The unique ID of a SCIM Registration.
        </ResponseField>

        <ResponseField name="external_id" type="string">
          The ID of the Member given by the identity provider.
        </ResponseField>

        <ResponseField name="sso_attributes" type="object">
          An object for storing SCIM attributes brought over from the identity provider.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="is_breakglass" type="boolean">
      Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings.

      A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](/api-reference/b2b/api/organizations/organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
    </ResponseField>

    <ResponseField name="member_password_id" type="string">
      Globally unique UUID that identifies a Member's password.
    </ResponseField>

    <ResponseField name="oauth_registrations" type="object[]">
      A list of OAuth registrations for this Member.

      <Expandable title="oauth_registrations properties">
        <ResponseField name="provider_type" type="string">
          Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.
        </ResponseField>

        <ResponseField name="provider_subject" type="string">
          The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
        </ResponseField>

        <ResponseField name="profile_picture_url" type="string">
          If available, the `profile_picture_url` is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.
        </ResponseField>

        <ResponseField name="locale" type="string">
          If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.
        </ResponseField>

        <ResponseField name="member_oauth_registration_id" type="string">
          The unique ID of an OAuth registration.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="mfa_enrolled" type="boolean">
      Sets whether the Member is enrolled in MFA.

      If true, the Member must complete an MFA step whenever they wish to log in to their Organization.

      If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
    </ResponseField>

    <ResponseField name="mfa_phone_number" type="string">
      The Member's phone number. A Member may only have one phone number.

      The phone number should be in E.164 format (e.g. `+1XXXXXXXXXX`).
    </ResponseField>

    <ResponseField name="mfa_phone_number_verified" type="boolean">
      Whether or not the Member's phone number is verified.
    </ResponseField>

    <ResponseField name="retired_email_addresses" type="object[]">
      A list of retired email addresses for this Member. A previously active email address can be marked as retired in one of two ways:

      * It's replaced with a new primary email address during an explicit Member update.
      * A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired. A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the [Unlink Retired Email endpoint](/api-reference/b2b/api/members/unlink-retired-email).

      <Expandable title="properties">
        <ResponseField name="email_id" type="string">
          The globally unique UUID of a Member's email.
        </ResponseField>

        <ResponseField name="email_address" type="string">
          The email address of the Member.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="trusted_metadata" type="object">
      An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
    </ResponseField>

    <ResponseField name="untrusted_metadata" type="object">
      An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the [Metadata resource](/api-reference/b2b/api/resources/object-update-behavior) for complete field behavior details.
    </ResponseField>

    <ResponseField name="roles" type="object[]">
      Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

      <Expandable title="roles properties">
        <ResponseField name="role_id" type="string">
          The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

          Reserved `role_ids` that are predefined by Stytch include:

          * `stytch_member`
          * `stytch_admin`

          Check out the [guide on Stytch default Roles](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy#default-roles-and-resources) for a more detailed explanation.
        </ResponseField>

        <ResponseField name="sources" type="object[]">
          A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.

          <Expandable title="sources properties">
            <ResponseField name="type" type="string">
              The type of role assignment. The possible values are:

              * `direct_assignment` – an explicitly assigned Role.  Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
              * `email_assignment` – an implicit Role granted by the Member's email domain, regardless of their login method.  Email implicit role assignments can be updated by passing in the `rbac_email_implicit_role_assignments` argument to the Update Organization endpoint.
              * `sso_connection` – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection.  SAML connection implicit role assignments can be updated by passing in the `saml_connection_implicit_role_assignments` argument to the Update SAML connection endpoint.
              * `sso_connection_group` – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
              * `scim_connection_group` – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.  SCIM group implicit role assignments can be updated by passing in the `scim_group_implicit_role_assignments` argument to the Update SCIM connection endpoint.
            </ResponseField>

            <ResponseField name="details" type="object">
              An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows:

              * `direct_assignment` – no additional details.
              * `email_assignment` – will contain the email domain that granted the assignment.
              * `sso_connection` – will contain the `connection_id` of the SAML connection that granted the assignment.
              * `sso_connection_group` – will contain the `connection_id` of the SAML connection and the name of the group that granted the assignment.
              * `scim_connection_group` – will contain the `connection_id` of the SCIM connection and the `group_id` that granted the assignment.
            </ResponseField>
          </Expandable>
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="is_admin" type="boolean">
      Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy) for more details on this Role.
    </ResponseField>

    <ResponseField name="created_at" type="string">
      The date and time the Member was created.
    </ResponseField>

    <ResponseField name="updated_at" type="string">
      The date and time the Member was last updated.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="organization" type="object">
  The Organization object associated with the authenticated Session.

  Will only be returned when remote JWT authentication occurs.

  <Expandable title="properties">
    <ResponseField name="organization_id" type="string">
      Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the `organization_slug` or `organization_external_id` here as a convenience.
    </ResponseField>

    <ResponseField name="organization_name" type="string">
      The name of the Organization. Must be between 1 and 128 characters in length.
    </ResponseField>

    <ResponseField name="organization_logo_url" type="string">
      The image URL of the Organization logo.
    </ResponseField>

    <ResponseField name="organization_slug" type="string">
      The unique URL slug of the Organization.

      The slug only accepts alphanumeric characters and the following reserved characters: `- . _ ~`. Must be between 2 and 128 characters in length.

      Wherever an `organization_id` is expected in a path or request parameter, you may also use the `organization_slug` as a convenience.
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="organization_external_id" type="string">
        A unique identifier for the Organization.
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="sso_jit_provisioning" type="string">
        The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
        <ul>
          <li><code>ALL_ALLOWED</code> – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's <code>sso_active_connections</code></li>
          <li><code>RESTRICTED</code> – only new Members with SSO logins that comply with <code>sso_jit_provisioning_allowed_connections</code> can be provisioned upon authentication</li>
          <li><code>NOT_ALLOWED</code> – disable JIT provisioning via SSO</li>
        </ul>
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="sso_jit_provisioning_allowed_connections" type="array[strings]">
        An array of <code>connection_ids</code> that reference <a href="/api-reference/b2b/api/sso/saml-connection-object">SAML Connection objects</a>. Only these
        connections will be allowed to JIT provision Members via SSO when <code>sso_jit_provisioning</code> is set to <code>RESTRICTED</code>.
        </ResponseField>
        )}

    <ResponseField name="sso_active_connections" type="array[objects]">
      An array of active [SAML Connection references](/api-reference/b2b/api/sso/saml-connection-object) or [OIDC Connection references](/api-reference/b2b/api/sso/oidc-connection-object).

      <Expandable title="sso_active_connections properties">
        <ResponseField name="connection_id" type="string">
          Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
        </ResponseField>

        <ResponseField name="display_name" type="string">
          A human-readable display name for the connection.
        </ResponseField>
      </Expandable>
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="scim_active_connection" type="object">
        An active <a href="/api-reference/b2b/api/scim/overview">SCIM Connection reference</a>.
        <Expandable title="scim_active_connection properties">
          <ResponseField name="connection_id" type="string">
            The ID of the SCIM connection.
          </ResponseField>

          <ResponseField name="display_name" type="string">
            A human-readable display name for the connection.
          </ResponseField>
        </Expandable>
        </ResponseField>
        )}

    <ResponseField name="email_allowed_domains" type="array[strings]">
      An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.

      Common domains such as gmail.com are not allowed. See the [full list of disallowed common email domains](/multi-tenant-auth/enterprise-ready/org-management/jit-provision-members#by-email-domain).
    </ResponseField>

    <ResponseField name="email_jit_provisioning" type="string">
      The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:

      * `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth
      * `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="email_invites" type="string">
        The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:
        <ul>
          <li><code>ALL_ALLOWED</code> – any new Member can be invited to join via email</li>
          <li><code>RESTRICTED</code> – only new Members with verified emails that comply with <code>email_allowed_domains</code> can be invited via email</li>
          <li><code>NOT_ALLOWED</code> – disable email invites</li>
        </ul>
        </ResponseField>
        )}

    <ResponseField name="auth_methods" type="string">
      The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:

      * `ALL_ALLOWED` – the default setting which allows all authentication methods to be used
      * `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to true
    </ResponseField>

    <ResponseField name="allowed_auth_methods" type="array[strings]">
      An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="mfa_methods" type="string">
        The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:
        <ul>
          <li><code>ALL_ALLOWED</code> – the default setting, which allows all MFA methods to be used</li>
          <li><code>RESTRICTED</code> – only methods that comply with <code>allowed_mfa_methods</code> can be used for authentication. This setting does not apply to Members with <code>is_breakglass</code> set to true</li>
        </ul>
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="allowed_mfa_methods" type="array[strings]">
        An array of allowed MFA authentication methods. This list is enforced when <code>mfa_methods</code> is set to <code>RESTRICTED</code>. The list's accepted values are: <code>sms_otp</code> and <code>totp</code>.
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="trusted_metadata" type="object">
        An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
        </ResponseField>
        )}

    <ResponseField name="sso_default_connection_id" type="string">
      The default connection used for SSO when there are multiple active connections.
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="rbac_email_implicit_role_assignments" type="array[object]">
        Implicit role assignments based on email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the <a href="/multi-tenant-auth/enterprise-ready/rbac/assigning-roles-to-members">RBAC guide</a> for more information about role assignment.

        <Expandable title="rbac_email_implicit_role_assignments properties">
          <ResponseField name="domain" type="string">
            Email domain that grants the specified Role.
          </ResponseField>

          <ResponseField name="role_id" type="string">
            The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

            Reserved <code>role_ids</code> that are predefined by Stytch include:
            <ul>
              <li><code>stytch_member</code></li>
              <li><code>stytch_admin</code></li>
            </ul>

            Check out the <a href="/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy">guide on Stytch default Roles</a> for a more detailed explanation.
          </ResponseField>
        </Expandable>
        </ResponseField>
        )}

    <ResponseField name="oauth_tenant_jit_provisioning" type="string">
      The authentication setting that controls how a new Member can JIT provision into an Organization by tenant. The accepted values are:

      * `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant
      * `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant
    </ResponseField>

    <ResponseField name="allowed_oauth_tenants" type="object">
      A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
    </ResponseField>

    {!getBySlug_0 && (
        <ResponseField name="first_party_connected_apps_allowed_type" type="string">
        The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
        <ul>
          <li><code>ALL_ALLOWED</code> – the default setting, any first party Connected App in the Project is permitted for use by Members</li>
          <li><code>RESTRICTED</code> – only first party Connected Apps with IDs in <code>allowed_first_party_connected_apps</code> can be used by Members</li>
          <li><code>NOT_ALLOWED</code> – no first party Connected Apps are permitted</li>
        </ul>
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="allowed_first_party_connected_apps" type="array[strings]">
        An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's <code>first_party_connected_apps_allowed_type</code> is <code>RESTRICTED</code>.
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="third_party_connected_apps_allowed_type" type="string">
        The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
        <ul>
          <li><code>ALL_ALLOWED</code> – the default setting, any third party Connected App in the Project is permitted for use by Members</li>
          <li><code>RESTRICTED</code> – only third party Connected Apps with IDs in <code>allowed_third_party_connected_apps</code> can be used by Members</li>
          <li><code>NOT_ALLOWED</code> – no third party Connected Apps are permitted</li>
        </ul>
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="allowed_third_party_connected_apps" type="array[strings]">
        An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's <code>third_party_connected_apps_allowed_type</code> is <code>RESTRICTED</code>.
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="created_at" type="string">
        The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. <code>2021-12-29T12:33:09Z</code>.
        </ResponseField>
        )}

    {!getBySlug_0 && (
        <ResponseField name="updated_at" type="string">
        The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. <code>2021-12-29T12:33:09Z</code>.
        </ResponseField>
        )}
  </Expandable>
</ResponseField>

<ResponseField name="verdict" type="object">
  If an `authorization_check` is provided in the request and the check succeeds, this field will return information about why the Member was granted permission.

  <Expandable title="properties">
    <ResponseField name="verdict.authorized" type="boolean" required="true">
      Whether the Member was authorized to perform the specified action on the specified Resource. Always true if the request succeeds.
    </ResponseField>

    <ResponseField name="verdict.granting_roles" type="string[]" required="true">
      The complete list of Roles that gave the Member permission to perform the specified action on the specified Resource.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>
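The rule that decides whether `authenticateJwt` can validate a Session JWT locally or must call the Stytch API (expired per `exp`, or older than `max_token_age_seconds`), written out as an added example. This is not the SDK's own code; the JWT it builds is a constructed sample with a placeholder signature, and the five-minute `exp` is taken from the page text.

```python
import base64
import json
import time

# Stytch Session JWTs expire five minutes after issuance (per the page text).
STYTCH_JWT_LIFETIME_SECONDS = 300


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(issued_at: int) -> str:
    """Constructed sample JWT for illustration; the signature is a placeholder, not a real one."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iat": issued_at,
        "exp": issued_at + STYTCH_JWT_LIFETIME_SECONDS,
        "sub": "member-test-placeholder",  # placeholder subject, not a real Member ID
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def read_claims(session_jwt: str) -> dict:
    """Decode the payload without verifying the signature.

    Only the timing decision below is made from these claims; never grant
    access based on unverified claims. The SDK verifies the signature before
    it accepts a locally validated session.
    """
    parts = session_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def needs_remote_authentication(session_jwt: str, max_token_age_seconds=None, now=None) -> bool:
    """True when the documented rule sends the call to the Stytch API, False when it stays local.

    Remote authentication is what observes server-side session revocation, so a
    smaller max_token_age_seconds trades latency for a tighter revocation window.
    """
    now = int(time.time()) if now is None else now
    claims = read_claims(session_jwt)
    if now >= claims["exp"]:  # expired according to exp: always go remote
        return True
    if max_token_age_seconds is not None and now - claims["iat"] > max_token_age_seconds:
        return True  # older than the caller's tolerance: force a Stytch API call
    return False  # signature check and claims validation happen locally
```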

<Panel>
  <RequestExample>
    ```python Python SDK theme={null}
    from stytch import B2BClient

    client = B2BClient(
      project_id="project-test-8aed2e54-0266-4793-9b5e-0cc9c56064da",
      secret="secret-test-IJ7zLTgXp8xoS7yXO2xavNxZTbYfvm-2nZM=",
    )

    resp = client.sessions.authenticate_jwt(
      session_jwt="eyJ...",
    )

    print(resp)
    ```

    ```javascript Node SDK theme={null}
    const stytch = require('stytch');

    const client = new stytch.B2BClient({
      project_id: 'project-test-8aed2e54-0266-4793-9b5e-0cc9c56064da',
      secret: 'secret-test-IJ7zLTgXp8xoS7yXO2xavNxZTbYfvm-2nZM=',
    });

    const params = {
      session_jwt: 'eyJ...',
    };

    client.sessions
      .authenticateJwt(params)
      .then((resp) => {
        console.log(resp);
      })
      .catch((err) => {
        console.log(err);
      });
    ```

    ```go Go SDK theme={null}
    package main

    import (
      "context"
      "log"

      "github.com/stytchauth/stytch-go/v13/stytch/b2b/b2bstytchapi"
      "github.com/stytchauth/stytch-go/v13/stytch/b2b/sessions"
    )

    func main() {
      client, err := b2bstytchapi.NewClient(
        "project-test-8aed2e54-0266-4793-9b5e-0cc9c56064da",
        "secret-test-IJ7zLTgXp8xoS7yXO2xavNxZTbYfvm-2nZM=",
      )
      if err != nil {
        log.Fatalf("error instantiating API client %s", err)
      }

      params := &sessions.AuthenticateJWTParams{
        Body: &sessions.AuthenticateParams{
          SessionJWT: "eyJ...",
        },
      }

      resp, err := client.Sessions.AuthenticateJWT(context.Background(), params)
      if err != nil {
        log.Println(err)
      }

      log.Println(resp)
    }
    ```

    ```ruby Ruby SDK theme={null}
    require 'stytch'

    client = StytchB2B::Client.new(
      project_id: "project-test-8aed2e54-0266-4793-9b5e-0cc9c56064da",
      secret: "secret-test-IJ7zLTgXp8xoS7yXO2xavNxZTbYfvm-2nZM="
    )

    resp = client.sessions.authenticate_jwt(
      session_jwt: "eyJ..."
    )

    puts resp
    ```

    ```bash cURL theme={null}
    # This is an SDK method that doesn't directly hit an API endpoint unless the JWT is expired.
    # It's only available via our backend SDKs.
    ```
  </RequestExample>

  <ResponseExample>
    ```json 200 - Local theme={null}
    {
      "member_session": {
        "member_session_id": "<string>",
        "member_id": "<string>",
        "started_at": "<string>",
        "last_accessed_at": "<string>",
        "expires_at": "<string>",
        "authentication_factors": [
          {
            "type": "magic_link",
            "delivery_method": "email",
            "last_authenticated_at": "<string>",
            "created_at": "<string>",
            "updated_at": "<string>",
            "email_factor": {
              "email_id": "<string>",
              "email_address": "<string>"
            }
          }
        ],
        "organization_id": "<string>",
        "roles": [
          "<string>"
        ],
        "organization_slug": "<string>",
        "custom_claims": "<string>"
      },
      "session_jwt": "<string>",
      "verdict": {
        "authorized": true,
        "granting_roles": [
          "<string>"
        ]
      }
    }
    ```

    ```json 200 - Remote theme={null}
    {
      "request_id": "<string>",
      "member_session": {
        "member_session_id": "<string>",
        "member_id": "<string>",
        "started_at": "<string>",
        "last_accessed_at": "<string>",
        "expires_at": "<string>",
        "authentication_factors": [
          {
            "type": "magic_link",
            "delivery_method": "email",
            "last_authenticated_at": "<string>",
            "created_at": "<string>",
            "updated_at": "<string>",
            "email_factor": {
              "email_id": "<string>",
              "email_address": "<string>"
            }
          }
        ],
        "organization_id": "<string>",
        "roles": [
          "<string>"
        ],
        "organization_slug": "<string>",
        "custom_claims": "<string>"
      },
      "session_token": "<string>",
      "session_jwt": "<string>",
      "member": {
        "organization_id": "<string>",
        "member_id": "<string>",
        "email_address": "<string>",
        "status": "<string>",
        "name": "<string>",
        "sso_registrations": [
          {
            "connection_id": "<string>",
            "external_id": "<string>",
            "registration_id": "<string>",
            "sso_attributes": "<string>"
          }
        ],
        "is_breakglass": true,
        "member_password_id": "<string>",
        "oauth_registrations": [
          {
            "provider_type": "<string>",
            "provider_subject": "<string>",
            "member_oauth_registration_id": "<string>",
            "profile_picture_url": "<string>",
            "locale": "<string>"
          }
        ],
        "email_address_verified": true,
        "mfa_phone_number_verified": true,
        "is_admin": true,
        "totp_registration_id": "<string>",
        "retired_email_addresses": [
          {
            "email_id": "<string>",
            "email_address": "<string>"
          }
        ],
        "is_locked": true,
        "mfa_enrolled": true,
        "mfa_phone_number": "<string>",
        "default_mfa_method": "<string>",
        "roles": [
          {
            "role_id": "<string>",
            "sources": [
              {
                "type": "<string>",
                "details": "<string>"
              }
            ]
          }
        ],
        "trusted_metadata": "<string>",
        "untrusted_metadata": "<string>",
        "created_at": "<string>",
        "updated_at": "<string>",
        "scim_registration": {...}
      },
      "organization": {
        "organization_id": "<string>",
        "organization_name": "<string>",
        "organization_logo_url": "<string>",
        "organization_slug": "<string>",
        "sso_jit_provisioning": "<string>",
        "sso_jit_provisioning_allowed_connections": [
          "<string>"
        ],
        "sso_active_connections": [
          {
            "connection_id": "<string>",
            "display_name": "<string>",
            "identity_provider": "<string>"
          }
        ],
        "email_allowed_domains": [
          "<string>"
        ],
        "email_jit_provisioning": "<string>",
        "email_invites": "<string>",
        "auth_methods": "<string>",
        "allowed_auth_methods": [
          "<string>"
        ],
        "mfa_policy": "<string>",
        "rbac_email_implicit_role_assignments": [
          {
            "domain": "<string>",
            "role_id": "<string>"
          }
        ],
        "mfa_methods": "<string>",
        "allowed_mfa_methods": [
          "<string>"
        ],
        "oauth_tenant_jit_provisioning": "<string>",
        "claimed_email_domains": [
          "<string>"
        ],
        "first_party_connected_apps_allowed_type": "<string>",
        "allowed_first_party_connected_apps": [
          "<string>"
        ],
        "third_party_connected_apps_allowed_type": "<string>",
        "allowed_third_party_connected_apps": [
          "<string>"
        ],
        "trusted_metadata": "<string>",
        "created_at": "<string>",
        "updated_at": "<string>",
        "organization_external_id": "<string>",
        "sso_default_connection_id": "<string>",
        "scim_active_connection": {
          "connection_id": "<string>",
          "display_name": "<string>",
          "bearer_token_last_four": "<string>",
          "bearer_token_expires_at": "<string>"
        },
        "allowed_oauth_tenants": "<string>"
      },
      "status_code": 200,
      "verdict": {
        "authorized": true,
        "granting_roles": [
          "<string>"
        ]
      }
    }
    ```

    ```json 401 theme={null}
    {
      "status_code": 401,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "unauthorized_credentials",
      "error_message": "Unauthorized credentials.",
      "error_url": "https://stytch.com/docs/api/errors/401"
    }
    ```

    ```json 429 theme={null}
    {
      "status_code": 429,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "too_many_requests",
      "error_message": "Too many requests have been made.",
      "error_url": "https://stytch.com/docs/api/errors/429"
    }
    ```

    ```json 500 theme={null}
    {
      "status_code": 500,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "internal_server_error",
      "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
      "error_url": "https://stytch.com/docs/api/errors/500"
    }
    ```
  </ResponseExample>
</Panel>
