The setting that controls the MFA policy for all Members in the Organization. The accepted values are: REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid. OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true.
Organization object
Fields
mfa_policy string
organization_id string
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
organization_slug string
The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.
organization_external_id string
A unique identifier for the organization.
organization_logo_url string
The image URL of the Organization logo.
organization_name string
The name of the Organization. Must be between 1 and 128 characters in length.
trusted_metadata object
An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
email_invites string
The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: ALL_ALLOWED – any new Member can be invited to join via email. RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email. NOT_ALLOWED – disable email invites.
email_jit_provisioning string
The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth. NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
email_allowed_domains array[strings]
An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED. Common domains such as gmail.com are not allowed. See the common email domains resource for the full list.
oauth_tenant_jit_provisioning string
The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant. NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant.
allowed_oauth_tenants object
A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
rbac_email_implicit_role_assignments array[object]
Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the RBAC guide for more information about role assignment.
domain string
Email domain that grants the specified Role.
role_id string
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved role_ids that are predefined by Stytch include:
- stytch_member
- stytch_admin
Check out the guide on Stytch default Roles for a more detailed explanation.
sso_default_connection_id string
The default connection used for SSO when there are multiple active connections.
sso_jit_provisioning string
The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are: ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connections. RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication. NOT_ALLOWED – disable JIT provisioning via SSO.
sso_active_connections array[objects]
An array of active SAML Connection references or OIDC Connection references.
connection_id string
Globally unique UUID that identifies a specific SSO connection_id for a Member.
display_name string
A human-readable display name for the connection.
scim_active_connection object
An active SCIM Connection references.
connection_id string
The ID of the SCIM connection.
display_name string
A human-readable display name for the connection.
sso_jit_provisioning_allowed_connections array[strings]
An array of connection_ids that reference SAML Connection objects. Only these connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.
auth_methods string
The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: ALL_ALLOWED – the default setting which allows all authentication methods to be used. RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
allowed_auth_methods array[strings]
An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list's accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.
mfa_methods string
The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: ALL_ALLOWED – the default setting which allows all authentication methods to be used. RESTRICTED – only methods that comply with allowed_mfa_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
allowed_mfa_methods array[strings]
An array of allowed MFA authentication methods. This list is enforced when mfa_methods is set to RESTRICTED. The list's accepted values are: sms_otp and totp.
claimed_email_domains array[strings]
A list of email domains that are claimed by the Organization.
first_party_connected_apps_allowed_type string
The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: ALL_ALLOWED – the default setting, any first party Connected App in the Project is permitted for use by Members. RESTRICTED – only first party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members. NOT_ALLOWED – no first party Connected Apps are permitted.
allowed_first_party_connected_apps array[strings]
An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's first_party_connected_apps_allowed_type is RESTRICTED.
third_party_connected_apps_allowed_type string
The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: ALL_ALLOWED – the default setting, any third party Connected App in the Project is permitted for use by Members. RESTRICTED – only third party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members. NOT_ALLOWED – no third party Connected Apps are permitted.
allowed_third_party_connected_apps array[strings]
An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's third_party_connected_apps_allowed_type is RESTRICTED.
created_at string
The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
updated_at string
The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
OBJECT 200
{
"organization": {
"organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
"organization_name": "Example Org Inc.",
"organization_slug": "example-org",
"organization_external_id": "example-org-external-id",
"organization_logo_url": "",
"email_allowed_domains": ["stytch.com"],
"email_invites": "ALL_ALLOWED",
"email_jit_provisioning": "RESTRICTED",
"mfa_policy": "OPTIONAL",
"rbac_email_implicit_role_assignments": [
{
"domain": "stytch.com",
"role_id": "stytch_admin",
}
],
"oauth_tenant_jit_provisioning": "RESTRICTED",
"allowed_oauth_tenants": {
"slack": ["T1234"],
"hubspot": ["Hub12345", "Hub23456"]
}
"sso_default_connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"sso_jit_provisioning": "ALL_ALLOWED",
"sso_jit_provisioning_allowed_connections": ["saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9"],
"sso_active_connections": [
{
"connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"display_name": "SSO test connection with IdP"
}
],
"scim_active_connection": {
"connection_id": "scim-connection-test-cdd5415a-c470-42be-8369-5c90cf7762dc",
"display_name": "SCIM test connection with IdP"
},
"auth_methods": "ALL_ALLOWED",
"allowed_auth_methods": [],
"trusted_metadata": {
"address": {
"street": "1 Telegraph Hill Blvd",
"city": "San Francisco",
"state": "CA",
"zip_code": "94133"
},
"billing_tier": "free"
},
"created_at": "2023-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z"
}
}