Just-in-Time (JIT) Provisioning
Just-in-Time (JIT) Provisioning is when a user is able to automatically create an account for an Organization on first authentication, rather than needing to be explicitly added or invited to the Organization.
Organizations can allow JIT Provisioning based on specific email domains, SSO Connections, or OAuth tenants (Github Organizations, Slack Workspaces or Hubspot Teams).
You can configure an Organization's JIT Provisioning settings a few different ways:
- By editing the Organization Details in the Organization settings tab in the Stytch Dashboard.
- By calling the Update an Organization endpoint or corresponding SDK method.
- Surfacing an Organization settings UI directly to your customers via our AdminPortalOrgSettings frontend UI component.
JIT Provisioning by email domain
You can enable JIT Provisioning by email domain if you'd like to allow any user with a certain email domain (for example, @companyname.com) to log into a given Organization.
To enable JIT Provisioning by email domain programmatically:
- Set the Organization's email_jit_provisioning value to RESTRICTED.
- Add the allowed email domains to the Organization's email_allowed_domains array. Note that common domains such as gmail.com can not be added to the email_allowed_domains array. See the common email domains resource for the full list.
During the Discovery flow, in order for a user with a given email domain to access an Organization via JIT Provisioning, there must already be at least one Member in the Organization with a verified email address with the same email domain. This restriction is in place to avoid phishing attacks.
OAuth step-up flow
If a user authenticates via OAuth, they will only be able to access an Organization via JIT Provisioning by email domain if the OAuth provider indicates active ownership of the email address. Otherwise, the user will be prompted to complete a step-up form of primary authentication before they can access the Organization. See here for additional information.
JIT Provisioning by SSO Connection
You can enable JIT Provisioning by SSO Connection if you'd like to allow users to log into an Organization via their company's Identity Provider, assuming a Stytch SSO Connection has been set up for that Organization/ Identity Provider pair.
For example, assume one of your customers sets up a Microsoft Entra SSO Connection. If you enable JIT Provisioning for that SSO Connection, your customer's team members will be able to log into the customer's Stytch Organization without being explicitly added or invited, as long as the team members are assigned to your application within Microsoft Entra.
To enable JIT Provisioning by SSO Connection programmatically:
- Set the Organization's sso_jit_provisioning value to ALL_ALLOWED if you'd like to enable JIT Provisioning for all of the Organization's active SSO Connections, or to RESTRICTED if you'd like to specify which of the Organization's SSO Connections should be enabled for JIT Provisioning.
- If you set the Organization's sso_jit_provisioning value to RESTRICTED, specify which SSO Connections should be enabled for JIT Provisioning in the Organization's sso_jit_provisioning_allowed_connections array.
JIT Provisioning by OAuth tenant
You can enable JIT Provisioning by OAuth tenant if you'd like to allow users to log into an Organization based on their OAuth tenant membership – in other words, if they belong to a specific Github Organization, Slack Workspace, or Hubspot Team.
Note that if you're using Google or Microsoft OAuth, in most cases you can use JIT Provisioning by email domain instead. See here for additional information.
To enable JIT Provisioning by OAuth tenant programmatically:
- Set the Organization's oauth_tenant_jit_provisioning value to RESTRICTED.
- Add the allowed OAuth tenants to the Organization's allowed_oauth_tenants object, where the available keys are slack, hubspot, and github, and the values are arrays of tenant identifiers (for example, Slack Team IDs).
Here's an example allowed_oauth_tenants object:
"allowed_oauth_tenants": {
"hubspot": ["HUBSPOT-ABC", "HUBSPOT-DEF"],
"slack": ["SLACK-123", "SLACK-456"],
"github": [12345, 67890]
}Your Slack tenant ID (referred to as a Workspace ID by Slack) can be determined by following this guide.
Your HubSpot tenant ID (referred to as a Hub ID by HubSpot) can be determined by either:
- Logging into your HubSpot developer account and parsing it from the URL path. It will have the form https://app.hubspot.com/developer/${TENANT_ID}.
When logged into your HubSpot developer account, clicking on the dropdown menu under your account name in the upper right-hand corner. It will be the sequence of numbers under your account name.
GitHub tenant IDs are taken from the internal ID of a GitHub organization. There are a number of ways to retrieve this value, depending on your permissions in relation to the GitHub organization and the organization's privacy settings:
- You can query GitHub's organization endpoint. The tenant ID will be the id value in the JSON response.
- If you are a member of the GitHub organization in question, it may be easier to use the GitHub CLI to request a list of the organizations you are a member of with the List organizations for the authenticated user endpoint.