/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authorization & Provisioning

/

RBAC

/

Resources

/

Stytch Resources & Roles

Stytch Resources and Roles

Out of the box, Stytch offers default Resources and Roles to gate permissions for certain Stytch API endpoints and their functionality. These defaults are included in your Project's RBAC Policy to provide access controls for Stytch objects such as Organizations, Members, and Single Sign-On (SSO) Connections.

Default Resources

Stytch has four default Resources, all of which are prefixed with stytch. Custom Resources may not use the stytch prefix in their resource_ids.

Within your Dashboard, you'll find the following four default Resources:

  • stytch.self: access controls for the logged-in user's Member.
  • stytch.organization: access controls for the Organization.
  • stytch.member: access controls for all Members in the Organization.
  • stytch.sso: access controls for SSO Connections.
  • stytch.scim: access controls for SCIM Connections.

Each default Resource is scoped to the logged-in Member's Organization and has a predefined list of actions tailored to control specific functionality.

You can view the full list of Actions associated with each Stytch Resource in the Stytch Dashboard Roles & Permissions section.

Default Roles

To manage the default Resources, Stytch provides two default Roles for your convenience.

stytch_member: a Role that's automatically assigned to all Members (including the original Member who created the Organization). By default, it contains all stytch.self permissions, enabling permissions like updating your own Member object's name or untrusted_metadata. By default, this Role does not allow certain sensitive actions like editing your own Roles. You cannot delete this Role from any Member, but you can edit its permissions.

stytch_admin: a Role that's automatically assigned to the Member that creates a new Organization through the Discovery flow. By default, the stytch_admin Role includes all permissions for the stytch.organization, stytch.member, and stytch.sso resources.

Editing the descriptions or deleting these default Stytch Roles is not permitted. However, you can edit their permissions to suit the needs of your Project. For example, if you want to leverage Stytch's default Roles for billing tier gating, you could remove the stytch.sso permissions from the stytch_admin Role that is automatically assigned to new signups and instead create your own enterprise_admin Role with those permissions.

What's next

Learn about Role assignment and how Members are explicitly or implicitly granted permissions.

Default Resources

Default Roles

What's next