/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections
        Standalone SSO

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authorization & Provisioning

/

RBAC

/

Integration Guides

/

Start here

Getting Started with Stytch RBAC

Before getting started with integrating RBAC with Stytch, go to the Stytch Dashboard Roles & Permissions section to enable some custom RBAC settings for your project.

Create custom resources and actions

Navigate to "Resources" and "Create New Resource", where you will add a resource_id and actions. Resources represent entities within your application that a user might act upon, and Actions for a Resource are the valid operations for that Resource. Together these form a permission that a user would be authorized or not authorized to take.

RBAC Resources in Stytch Dashboard

For example, if your application has documents, you might create a ResourceID of document with create update delete and download as the Actions.

RBAC Resources in Stytch Dashboard

2
Assign permissions to roles

After creating your custom Resource, you can navigate to the "Roles" tab. You will see two default Roles:

  • stytch_member: this Role is automatically assigned to all Members, and enables basic permissions that you'd want any Member of your application to have -- such as updating their own name.
  • stytch_admin: this Role is automatically assigned to the creating Member of the Organization but can also be assigned to other Members. By default this Role has permissions for any admin action within the Organization, such as inviting Members or updating Organization settings

You can edit the permissions associated with these Roles, and can also create your own custom Roles.

When you add permissions to a Role, you will select the Resource and then can explicitly assign a subset of permissions to that Role. For example, you might give the stytch_member Role permission to take the create and update Actions on document Resources but not allow download or delete Actions.

RBAC Grant Subset of Permissions

You can also grant the Role the "wildcard" Action, which allows Members with that Role to take any defined Action on the Resource. This is helpful for situations where the Role should always have complete control over the Resource, even as new permissions are added.

RBAC Wildcard Actions Grant

3
Implement backend RBAC checks

Even if you are leveraging Stytch's frontend SDKs, it is critical that you add server-side authentication and authorization checks before honoring requests from your client.

Read the backend integration guide to learn how to properly authorize requests on your backend.

4
Add frontend RBAC handling

If you are using Stytch's frontend SDKs, follow the headless frontend integration guide to leverage Stytch's RBAC product client-side.

Create custom resources and actions

2.

Assign permissions to roles

3.

Implement backend RBAC checks

4.

Add frontend RBAC handling