
Just-in-Time (JIT) Provisioning

Just-in-Time (JIT) Provisioning is when a user is able to automatically create an account for an Organization on first authentication, rather than needing to be explicitly added or invited to the Organization.

Organizations can allow JIT Provisioning based on specific email domains, SSO Connections, or OAuth tenants (Github Organizations, Slack Workspaces or Hubspot Teams).

You can configure an Organization's JIT Provisioning settings a few different ways:

  • By editing the Organization Details in the Organization settings tab in the Stytch Dashboard.
  • By calling the Update an Organization endpoint or corresponding SDK method.
  • By surfacing an Organization settings UI directly to your customers via the AdminPortalOrgSettings frontend UI component.

JIT Provisioning by email domain

You can enable JIT Provisioning by email domain if you'd like to allow any user with a certain email domain (for example, @companyname.com) to log into a given Organization.

[Image: Dashboard page for configuring JIT Provisioning by email domain]

To enable JIT Provisioning by email domain programmatically:

  • Set the Organization's email_jit_provisioning value to RESTRICTED.
  • Add the allowed email domains to the Organization's email_allowed_domains array. Note that common domains such as gmail.com cannot be added to the email_allowed_domains array. See the common email domains resource for the full list.

During the Discovery flow, a user with a given email domain can only access an Organization via JIT Provisioning if the Organization already has at least one Member whose verified email address is on that same domain. This restriction is in place to avoid phishing attacks.

OAuth step-up flow

If a user authenticates via OAuth, they will only be able to access an Organization via JIT Provisioning by email domain if the OAuth provider indicates active ownership of the email address. Otherwise, the user will be prompted to complete a step-up form of primary authentication before they can access the Organization. See here for additional information.
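As an added example (not Stytch's code), the following Python models the decision this section describes: whether a login attempt qualifies for JIT Provisioning by email domain, including the verified-Member precondition and the OAuth step-up rule. The data classes, the Decision outcomes, the method names, and the NOT_ALLOWED default are assumptions made for the illustration; the sample Organization and login attempts are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PROVISION = "provision"        # create the Member on this first authentication
    STEP_UP = "step_up_required"   # OAuth provider did not vouch for the email; ask for primary auth
    DENY = "deny"                  # JIT does not apply; the user would need an invite


@dataclass
class Member:
    email: str
    email_verified: bool


@dataclass
class Organization:
    # "NOT_ALLOWED" is an assumed "off" value; the page documents "RESTRICTED".
    email_jit_provisioning: str = "NOT_ALLOWED"
    email_allowed_domains: list[str] = field(default_factory=list)
    members: list[Member] = field(default_factory=list)


@dataclass
class LoginAttempt:
    email: str
    method: str                       # e.g. "magic_link", "oauth" (assumed labels)
    oauth_email_verified: bool = False  # provider asserted active ownership of the email


def domain_of(email: str) -> str:
    """Lower-cased part after the last '@'."""
    return email.rsplit("@", 1)[-1].lower()


def evaluate_email_domain_jit(org: Organization, attempt: LoginAttempt) -> Decision:
    """Apply the rules from this section, in order, to one login attempt."""
    if org.email_jit_provisioning != "RESTRICTED":
        return Decision.DENY

    domain = domain_of(attempt.email)
    if domain not in {d.lower() for d in org.email_allowed_domains}:
        return Decision.DENY

    # Anti-phishing precondition: some existing Member must already hold a
    # verified address on this domain before JIT can admit newcomers on it.
    anchored = any(
        m.email_verified and domain_of(m.email) == domain for m in org.members
    )
    if not anchored:
        return Decision.DENY

    # OAuth logins only count when the provider vouches for the email address.
    if attempt.method == "oauth" and not attempt.oauth_email_verified:
        return Decision.STEP_UP

    return Decision.PROVISION


# Constructed sample Organization for a stand-alone run.
SAMPLE_ORG = Organization(
    email_jit_provisioning="RESTRICTED",
    email_allowed_domains=["Example.com"],
    members=[Member("alice@example.com", email_verified=True)],
)

if __name__ == "__main__":
    for attempt in (
        LoginAttempt("bob@example.com", "magic_link"),
        LoginAttempt("bob@example.com", "oauth"),
        LoginAttempt("carol@other.example", "magic_link"),
    ):
        print(attempt.email, attempt.method, "->", evaluate_email_domain_jit(SAMPLE_ORG, attempt).value)
```

The precondition check is deliberately placed before the step-up check: a step-up only makes sense once the Organization is eligible to admit the domain at all, so an unanchored domain is refused without prompting the user for anything.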

JIT Provisioning by SSO Connection

You can enable JIT Provisioning by SSO Connection if you'd like to allow users to log into an Organization via their company's Identity Provider, assuming a Stytch SSO Connection has been set up for that Organization/Identity Provider pair.

For example, assume one of your customers sets up a Microsoft Entra SSO Connection. If you enable JIT Provisioning for that SSO Connection, your customer's team members will be able to log into the customer's Stytch Organization without being explicitly added or invited, as long as the team members are assigned to your application within Microsoft Entra.

[Image: Dashboard page for configuring JIT Provisioning by SSO Connection]

To enable JIT Provisioning by SSO Connection programmatically:

  • Set the Organization's sso_jit_provisioning value to ALL_ALLOWED if you'd like to enable JIT Provisioning for all of the Organization's active SSO Connections, or to RESTRICTED if you'd like to specify which of the Organization's SSO Connections should be enabled for JIT Provisioning.
  • If you set the Organization's sso_jit_provisioning value to RESTRICTED, specify which SSO Connections should be enabled for JIT Provisioning in the Organization's sso_jit_provisioning_allowed_connections array.

JIT Provisioning by OAuth tenant

You can enable JIT Provisioning by OAuth tenant if you'd like to allow users to log into an Organization based on their OAuth tenant membership; in other words, based on whether they belong to a specific Github Organization, Slack Workspace, or Hubspot Team.

Note that if you're using Google or Microsoft OAuth, in most cases you can use JIT Provisioning by email domain instead. See here for additional information.

[Image: Dashboard page for configuring JIT Provisioning by OAuth Connection]

To enable JIT Provisioning by OAuth tenant programmatically:

  • Set the Organization's oauth_tenant_jit_provisioning value to RESTRICTED.
  • Add the allowed OAuth tenants to the Organization's allowed_oauth_tenants object, where the available keys are slack, hubspot, and github, and the values are arrays of tenant identifiers (for example, Slack Team IDs).

Here's an example allowed_oauth_tenants object:

"allowed_oauth_tenants": {
  "hubspot": ["HUBSPOT-ABC", "HUBSPOT-DEF"],
  "slack": ["SLACK-123", "SLACK-456"],
  "github": [12345, 67890]
}

Your Slack tenant ID (referred to as a Workspace ID by Slack) can be determined by following this guide.

Your HubSpot tenant ID (referred to as a Hub ID by HubSpot) can be determined by either:

  • Logging into your HubSpot developer account and parsing it from the URL path. It will have the form https://app.hubspot.com/developer/${TENANT_ID}.
  • When logged into your HubSpot developer account, clicking on the dropdown menu under your account name in the upper right-hand corner. It will be the sequence of numbers under your account name.

GitHub tenant IDs are taken from the internal ID of a GitHub organization. There are a number of ways to retrieve this value, depending on your permissions in relation to the GitHub organization and the organization's privacy settings:

  • You can query GitHub's organization endpoint. The tenant ID will be the id value in the JSON response.
  • If you are a member of the GitHub organization in question, it may be easier to use the GitHub CLI to request a list of the organizations you are a member of with the List organizations for the authenticated user endpoint.
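As an added example (not Stytch's SDK or API code), this Python helper assembles the JIT-related fields of an Update an Organization request body from the three programmatic procedures on this page and rejects combinations those procedures rule out: common email domains in email_allowed_domains, sso_jit_provisioning set to RESTRICTED without any sso_jit_provisioning_allowed_connections, and allowed_oauth_tenants entries with unknown keys or wrongly typed IDs. The NOT_ALLOWED value and the short COMMON_EMAIL_DOMAINS set are assumptions standing in for the real enum and the common email domains resource; SSO connection IDs and tenant IDs in the demo are placeholders. Fields left as None are omitted from the body so a partial update does not disturb settings you did not intend to change.

```python
from __future__ import annotations

from typing import Optional

# Constructed stand-in for the "common email domains" resource the page references.
COMMON_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
OAUTH_TENANT_KEYS = ("slack", "hubspot", "github")
# "NOT_ALLOWED" is assumed; the page documents "ALL_ALLOWED" and "RESTRICTED".
SSO_JIT_VALUES = ("ALL_ALLOWED", "RESTRICTED", "NOT_ALLOWED")


class JitConfigError(ValueError):
    """A requested JIT setting contradicts the rules documented for it."""


def build_jit_update(
    email_allowed_domains: Optional[list[str]] = None,
    sso_jit_provisioning: Optional[str] = None,
    sso_allowed_connections: Optional[list[str]] = None,
    allowed_oauth_tenants: Optional[dict[str, list]] = None,
) -> dict:
    """Return only the JIT fields that were explicitly requested, validated."""
    body: dict = {}

    # JIT by email domain: RESTRICTED plus a cleaned allow-list of bare domains.
    if email_allowed_domains is not None:
        domains = sorted({d.strip().lower() for d in email_allowed_domains})
        for d in domains:
            if d in COMMON_EMAIL_DOMAINS:
                raise JitConfigError(f"{d} is a common email domain and cannot be allow-listed")
            if "@" in d or " " in d or "." not in d:
                raise JitConfigError(f"{d!r} is not a bare domain name")
        body["email_jit_provisioning"] = "RESTRICTED"
        body["email_allowed_domains"] = domains

    # JIT by SSO Connection: RESTRICTED is only meaningful with an explicit connection list.
    if sso_jit_provisioning is not None:
        if sso_jit_provisioning not in SSO_JIT_VALUES:
            raise JitConfigError(f"unknown sso_jit_provisioning value {sso_jit_provisioning!r}")
        body["sso_jit_provisioning"] = sso_jit_provisioning
        if sso_jit_provisioning == "RESTRICTED":
            if not sso_allowed_connections:
                raise JitConfigError("RESTRICTED requires at least one allowed SSO Connection")
            body["sso_jit_provisioning_allowed_connections"] = list(sso_allowed_connections)

    # JIT by OAuth tenant: known provider keys, non-empty lists, GitHub IDs numeric.
    if allowed_oauth_tenants is not None:
        for key, ids in allowed_oauth_tenants.items():
            if key not in OAUTH_TENANT_KEYS:
                raise JitConfigError(f"unsupported OAuth tenant key {key!r}")
            if not isinstance(ids, list) or not ids:
                raise JitConfigError(f"{key} must map to a non-empty list of tenant IDs")
            expected = int if key == "github" else str
            if not all(isinstance(i, expected) and i for i in ids):
                raise JitConfigError(f"{key} tenant IDs must be non-empty {expected.__name__} values")
        body["oauth_tenant_jit_provisioning"] = "RESTRICTED"
        body["allowed_oauth_tenants"] = {k: list(v) for k, v in allowed_oauth_tenants.items()}

    return body


def jit_update_error(**kwargs) -> Optional[str]:
    """Validate without building; returns the error message or None when acceptable."""
    try:
        build_jit_update(**kwargs)
    except JitConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    import json
    print(json.dumps(build_jit_update(
        email_allowed_domains=["Acme.example"],
        sso_jit_provisioning="RESTRICTED",
        sso_allowed_connections=["SSO_CONNECTION_ID_PLACEHOLDER"],   # placeholder, not a real ID
        allowed_oauth_tenants={"github": [12345, 67890], "slack": ["SLACK-123"]},
    ), indent=2))
```

The body this returns is what you would pass as the JSON payload to the Update an Organization endpoint (or as keyword arguments to the matching SDK method); the checks mirror the constraints stated in the three procedures above rather than any server-side validation.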
