Stytch – The most powerful identity platform built for developers

Get Organization RBAC Policy

GET

https://test.stytch.com/v1/b2b/rbac/organizations/{organization_id}

Get the active RBAC Policy for a specific Organization within your Stytch Project. An Organization RBAC Policy contains the roles that have been defined specifically for that organization, allowing for organization-specific permissioning models.

This endpoint returns the organization-scoped roles that supplement the project-level RBAC policy. Organization policies allow you to define custom roles that are specific to individual organizations within your project.

When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 minutes ago.

Organization-specific roles can be created and managed through this API endpoint, providing fine-grained control over permissions at the organization level.

Check out the RBAC overview to learn more about Stytch's RBAC permissioning model and organization-scoped policies.

Path parameters

organization_id* string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

Response fields

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

org_policy object

The organization-specific RBAC Policy that contains roles defined for this organization. Organization policies supplement the project-level RBAC policy with additional roles that are specific to the organization.

roles array[object]

An array of Role objects.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

description string

The description of the RBAC Role.

permissions array[objects]

A list of permissions that link a Resource to a list of actions.

resource_id string

A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable.

A resource_id is not allowed to start with stytch, which is a special prefix used for Stytch default Resources with reserved resource_ids. These include:

stytch.organization
stytch.member
stytch.sso
stytch.self

Check out the guide on Stytch default Resources for a more detailed explanation.

actions array[strings]

A list of permitted actions the Role is authorized to take with the provided Resource. You can use * as a wildcard to grant a Role permission to use all possible actions related to the Resource.

const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  organization_id: 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
};

client.rbac.orgPolicy(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

RESPONSE 200

{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "policy": {
    "roles": [
      {
        "description": "Custom role for managing organization-specific documents",
        "permissions": [
          {
            "actions": [
              "create",
              "read",
              "write",
              "approve"
            ],
            "resource_id": "documents"
          },
          {
            "actions": [
              "read"
            ],
            "resource_id": "images"
          }
        ],
        "role_id": "org_document_manager"
      },
      {
        "description": "Organization-specific viewer role with limited access",
        "permissions": [
          {
            "actions": [
              "read"
            ],
            "resource_id": "documents"
          }
        ],
        "role_id": "org_viewer"
      }
    ]
  }
}

RESPONSE 401

{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Delete

Organization

Discovery

Organization

Discovery

Discovery

Organization

Token

SAML

OIDC

External

Shared

Connection management

Token management

SCIM groups

Create or Reset Options

One-time passcodes

Time-based one-time passcodes

Recovery codes

TOKEN

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Get Organization RBAC Policy

Path parameters

Response fields