/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authorization & Provisioning

/

RBAC

/

Integration Guides

/

Backend integration

Backend Integration of RBAC

Regardless of whether or not you are using Stytch's frontend SDKs, you should always perform server-side authentication and authorization checks before proceeding with a request.

Custom Resource Authorization Checks

Stytch's SDKs allow you to perform session authentication and authorization of your custom permissions in a single method call. Whether that method call is actually a local evaluation or makes an outbound call to Stytch depends on whether you are using Session Tokens or JWTs.

Using Session JWTs

If you are using Session JWTs, the Member's Roles are contained in the JWT and authorization checks will be done locally during the lifetime of the JWT, without incurring any additional latency of an outbound call. If the JWT is not expired, the flow will look as follows:

RBAC sequence when using backend SDKs and unexpired JWT

When the authenticateJwt() method detects the JWT is expired, it will make an outbound call to Stytch to refresh the JWT. This ensures that any changes to the Member's Role will take effect within five-minutes, in addition to ensuring that the underlying session has not been revoked.

RBAC sequence when using backend SDKs and JWTs

Stytch's backend SDKs will cache your Project’s RBAC policy and refresh it every five minutes, ensuring that any RBAC policy changes are incorporated into local evaluations within 5 minutes.

In code you'd want to perform the following check prior to honoring the user's request to create a new document:

authz_check = {
  organization_id: 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
  resource_id: 'document',
  action: 'create',
}

resp = stytch_client.sessions.authenticateJwt(
  session_jwt="eyJ...",
  authorization_check=authz_check
)
if resp != 200:
    # Redirect user to login page
    return 'not authenticated', 401

if not resp.authorized:
    return 'unauthorized', 403

The authorized boolean will indicate whether or not the user is allowed to take the requested action, and the verdict array will contain the role(s) that granted them the ability to take that action on that resource.

Using Session Tokens

If you are using Session Tokens, session authentication always triggers an outbound call to Stytch and authorization will also be done on Stytch's servers. Any changes to the RBAC policy or the Member's roles will be instantly honored.

RBAC sequence when using backend SDKs and Session Tokens

You can add authorization checks to your session authentication through the following:

authz_check = {
  organization_id: 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
  resource_id: 'document',
  action: 'create',
}

resp = stytch_client.sessions.authenticate(
  session_token='mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q',
  authorization_check=authz_check
)
if resp != 200:
    # Redirect user to login page
    return 'not authenticated', 401

if not resp.authorized:
    return 'unauthorized', 403

The authorized boolean will indicate whether or not the user is allowed to take the requested action, and the verdict array will contain the role(s) that granted them the ability to take that action on that resource.

Stytch Resource Authorization Checks

You can use the same pattern described in the Custom AuthZ Checks guide for authorizing requests related to Stytch Resources (e.g. stytch.self or stytch.organization), or you can directly pass the Member's Session Token or Session JWT into the Stytch API call to have Stytch perform authentication and authorization prior to honoring the request.

The sequence for how this flow works is as follows:

RBAC sequence for AuthZ on Stytch API calls

This allows the authentication and authorization checks to occur as close as possible to the action being taken, streamlining your handling.

Each backend SDK method that has RBAC authorization controls will have a method_options.authorization object where you can pass the session_jwt and session_token to have Stytch enforce RBAC on the request.

For example, if you receive an API request to remove a Member from an Organization you can pass the current Session JWT into the organizations.members.delete() call and Stytch will authenticate the session and perform an authorization check prior to honoring the call.

resp = stytch_client.organizations.members.delete(
  organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    member_id="member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    method_options=DeleteRequestOptions(
        authorization=Authorization(
            session_jwt="eyJ...",
        ),
    ),
)

Custom Resource Authorization Checks

Using Session JWTs

Using Session Tokens

Stytch Resource Authorization Checks