Multi-tenancy in Stytch's data model
Stytch Organizations and Members are first-class entities in the data model architecture. Use Stytch's B2B authentication solution to handle your multi-tenant requirements like per-organization settings, memberships, and self-serve or enterprise onboarding.
The Organization is the top-level “tenant” in Stytch’s B2B offering. In more basic terms, an Organization refers to a group of end users who belong together in your application. Most commonly these are businesses and their employees – but they also include community groups, project collaborators, or other groups of people who want to use your product within a shared entity.
Organizations have configurable settings for access control and regulating the authentication and provisioning of Members. Each Organization can have its own unique combination of settings to solve for different authentication requirements. These Organization controls and settings include:
- Approved auth methods: Specify which auth methods can be used for authentication.
- Email domains: Restrict which email addresses Members can sign up with.
- JIT Provisioning: Control which auth methods can provision Members upon authentication.
- Invites: Allow or disable invites to join an Organization.
- SSO connections: Manage SSO connections that integrate with IdPs.
- Custom metadata: Store application or business-specific attributes on the Organization object.
Stytch Organizations are uniquely identified by:
organization_id: The Stytch-generated unique ID for the Organization.
organization_slug: A unique short (typically) human-readable alphanumeric string that you provide. This is often a portion of a URL (e.g. https://ui.honeycomb.io/stytch or https://stytch.slack.com).
Stytch supports two different methods for creating Organizations:
Managed Onboarding: Using direct API calls to create an Organization in order to support manual onboarding processes – often used to restrict access behind a sales team (e.g. Lattice).
Self-Onboarding: A new end user authenticates, verifies their email, and then is able to create a new Organization – used for self-service onboarding flows (e.g. Slack). This can be done by creating an Organization and initial Member as the final step of the Discovery Flow.
Members are the end users who belong to Organizations.
Stytch uses the email address as the unique primary identifier for Members. A single end user can have multiple distinct Members in different Organizations linked by the same email address.
Stytch supports three different methods for creating Members:
Invite: Members can be invited to join a specific Organization by receiving a Magic Link-powered email invitation.
Just-in-Time (JIT) Provisioning: An Organization can specify trusted sources (such as an Identity Provider or a verified email domain) that enable end users to join the Organization without an explicit invite. Through these sources, Members will be automatically created upon successful authentication.
Manual Provisioning: Using direct API calls in order to support user base migrations and manual onboarding processes.
Members can be distinguished as is_breakglass. This flag identifies a Member as someone who has elevated permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures.
Stytch also supports custom metadata, which lets developers store application or business-specific attributes on the Member object.