Update Organization - Stytch Docs

The organization.update method wraps the update organization API endpoint. This will update the logged-in .

RBAC Enforced MethodThis method requires a valid Session for a member with permission to perform the Action on the Resource.Before using this method, enable Member actions & organization modifications in the Frontend SDK page. To learn more, see our RBAC guide.

Parameters

organization_name

string

The name of the Organization. Must be between 1 and 128 characters in length. If this field is provided, the logged-in Member must have permission to perform the update.info.name action on the stytch.organization Resource.

organization_slug

string

The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience. If this field is provided, the logged-in Member must have permission to perform the update.info.slug action on the stytch.organization Resource.

organization_logo_url

string

The image URL of the Organization logo.If this field is provided, the logged-in Member must have permission to perform the update.info.logo-url action on the stytch.organization Resource.

email_jit_provisioning

string

The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:

RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth

If this field is provided, the logged-in Member must have permission to perform the update.settings.email-jit-provisioning action on the stytch.organization Resource.

email_invites

string

The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:

ALL_ALLOWED – any new Member can be invited to join via email
RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email
NOT_ALLOWED – disable email invites

If this field is provided, the logged-in Member must have permission to perform the update.settings.email-invites action on the stytch.organization Resource.

email_allowed_domains

array[strings]

An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED. Common domains such as gmail.com are not allowed. See the list of common email domains for the full list.If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-domains action on the stytch.organization Resource.

sso_default_connection_id

string

The default connection used for SSO when there are multiple active connections.If this field is provided, the logged-in Member must have permission to perform the update.settings.default-sso-connection action on the stytch.organization Resource.

sso_jit_provisioning

string

The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:

ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization’s sso_active_connections
RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication
NOT_ALLOWED – disable JIT provisioning via SSO

If this field is provided, the logged-in Member must have permission to perform the update.settings.sso-jit-provisioning action on the stytch.organization Resource.

sso_jit_provisioning_allowed_connections

array[strings]

An array of connection_ids that reference SAML Connection objects. Only these connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.If this field is provided, the logged-in Member must have permission to perform the update.settings.sso-jit-provisioning action on the stytch.organization Resource.

auth_methods

string

The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:

ALL_ALLOWED – the default setting which allows all authentication methods to be used
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true

If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-auth-methods action on the stytch.organization Resource.

allowed_auth_methods

array[strings]

An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list’s accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-auth-methods action on the stytch.organization Resource.

mfa_methods

string

The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:

ALL_ALLOWED – the default setting which allows all authentication methods to be used
RESTRICTED – only methods that comply with allowed_mfa_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true

If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-mfa-methods action on the stytch.organization Resource.

allowed_mfa_methods

array[strings]

An array of allowed MFA authentication methods. This list is enforced when mfa_methods is set to RESTRICTED. The list’s accepted values are: sms_otp and totp.If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-mfa-methods action on the stytch.organization Resource.

mfa_policy

string

The setting that controls the MFA policy for all Members in the Organization. The accepted values are:

REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid
OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true

If this field is provided, the logged-in Member must have permission to perform the update.settings.mfa-policy action on the stytch.organization Resource.

rbac_email_implicit_role_assignments

array[object]

Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the RBAC guide for more information about role assignment. If this field is provided, the logged-in Member must have permission to perform the update.settings.implicit-roles action on the stytch.organization Resource.

Show rbac_email_implicit_role_assignments properties

domain

string

Email domain that grants the specified Role.

role_id

string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

oauth_tenant_jit_provisioning

string

The authentication setting that controls how a new Member can JIT provision into an Organization by tenant. The accepted values are:

RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant
NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant

If this field is provided, the logged-in Member must have permission to perform the update.settings.oauth-tenant-jit-provisioning action on the stytch.organization Resource.

allowed_oauth_tenants

object

A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are “slack”, “hubspot”, and “github”.If this field is provided, the logged-in Member must have permission to perform the update.settings.allowed-oauth-tenants action on the stytch.organization Resource.

Response

organization

object

The updated Organization.

Show properties

organization_id

string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

organization_name

string

The name of the Organization. Must be between 1 and 128 characters in length.

organization_logo_url

string

The image URL of the Organization logo.

organization_slug

string

sso_active_connections

array[objects]

An array of active SAML Connection references or OIDC Connection references.

Show sso_active_connections properties

connection_id

string

Globally unique UUID that identifies a specific SSO connection_id for a Member.

display_name

string

A human-readable display name for the connection.

email_allowed_domains

array[strings]

email_jit_provisioning

string

The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:

RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth

auth_methods

string

The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:

ALL_ALLOWED – the default setting which allows all authentication methods to be used
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true

allowed_auth_methods

array[strings]

An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list’s accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.

sso_default_connection_id

string

The default connection used for SSO when there are multiple active connections.

oauth_tenant_jit_provisioning

string

The authentication setting that controls how a new Member can JIT provision into an Organization by tenant. The accepted values are:

RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant
NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant

allowed_oauth_tenants

object

A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are “slack”, “hubspot”, and “github”.

request_id

string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code

number

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

​Parameters

​Response

Parameters

Response