The Member created by this endpoint will automatically be granted the stytch_admin Role. See the RBAC guide for more details on this Role.This method will fail if there is no present.If this method succeeds and the Member is not required to complete MFA, the Member will be logged in, granted an active session, and the session cookies will be minted and stored in the browser.If this method succeeds and MFA is required, the intermediate session token will be stored in the browser as a cookie.
Set the session lifetime to be this many minutes from now. This will return both an opaque session_token and session_jwt for this session, which will automatically be stored in the browser cookies. The session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time.This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the Stytch Dashboard.A successful authentication will continue to extend the session this many minutes.
The name of the Organization.If the name is not specified, a default name will be created based on the email used to initiate the discovery flow:
If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email.
Otherwise, the organization name will be generated based on the email domain.
The unique URL slug of the Organization. A minimum of two characters is required. The slug only accepts alphanumeric characters and the following reserved characters: -._~.If the slug is not specified, a default slug will be created using the same logic as organization_name.
The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:
RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth.
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED.
Common domains such as gmail.com are not allowed. See the full list.
The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization’s sso_active_connections.
RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication.
The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:
ALL_ALLOWED – the default setting which allows all authentication methods to be used.
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list’s accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.
The setting that controls the MFA policy for all Members in the Organization. The accepted values are:
REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.
OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true.
The type of authentication factor. The possible values are: email_otp, impersonated, imported, magic_link, oauth, otp, password, recovery_codes, sso, trusted_auth_token, or totp.
The method that was used to deliver the authentication factor. The possible values depend on the type:
email_otp: Only email.
impersonated: Only impersonation.
imported: Only imported_auth0.
magic_link: Only email.
oauth: oauth_google, oauth_microsoft, oauth_hubspot, oauth_slack, or oauth_github.
You may see an ‘exchange’ delivery method when a non-email-verifying OAuth factor originally authenticated in one organization is exchanged for a factor in another organization. This can happen during authentication flows such as session exchange. The non-email-verifying OAuth providers are Hubspot, Slack, and Github. Google is also considered non-email-verifying when the HD claim is empty. The possible exchange values are oauth_exchange_google, oauth_exchange_hubspot, oauth_exchange_slack, or oauth_exchange_github. The final possible value is oauth_access_token_exchange, if this factor came from an access token exchange flow.
A list of the roles associated with the Session.
Members may inherit certain roles depending on the factors in their Session.
For example, some roles may only be active if the member logged in from a specific SAML IDP.
Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization’s settings.A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.
If available, the profile_picture_url is a URL of the User’s profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.
Sets whether the Member is enrolled in MFA.If true, the Member must complete an MFA step whenever they wish to log in to their Organization.If false, the Member only needs to complete an MFA step if the Organization’s MFA policy is set to REQUIRED_FOR_ALL.
A list of retired email addresses for this Member. A previously active email address can be marked as retired in one of two ways:
It’s replaced with a new primary email address during an explicit Member update.
A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member’s primary email address and the old primary email address is retired. A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.
An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.
Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.Reserved role_ids that are predefined by Stytch include:
A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member’s email domain.
The type of role assignment. The possible values are:
direct_assignment – an explicitly assigned Role. Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
email_assignment – an implicit Role granted by the Member’s email domain, regardless of their login method. Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint.
sso_connection – an implicit Role granted by the Member’s SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection. SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint.
sso_connection_group – an implicit Role granted by the Member’s SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
scim_connection_group – an implicit Role granted by the Member’s SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.
Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
The unique URL slug of the Organization.The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length.Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.
An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTEDCommon domains such as gmail.com are not allowed. See the full list of disallowed common email domains.
The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:
RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth
The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:
ALL_ALLOWED – the default setting which allows all authentication methods to be used
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true
An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list’s accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.
A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are “slack”, “hubspot”, and “github”.
The intermediate_session_token that should be passed into a secondary authentication endpoint, such as OTP authenticate, in order to receive a member session. The intermediate_session_token can also be used with discovery endpoints to join a different organization or create a new organization.If the member is fully authenticated, this field will be an empty string.
If the project is configured to use HttpOnly cookies, this field will always be an empty string.
The allowed authentication methods. The possible values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.
