Stytch Resources and Roles

Out of the box, Stytch offers default Resources and Roles to gate permissions for certain Stytch API endpoints and their functionality. These defaults are included in your Project's RBAC Policy to provide access controls for Stytch objects such as Organizations, Members, and SSO Connections.

Default Resources

Stytch has four default Resources, all of which are prefixed with stytch. Custom Resources may not use the stytch prefix in their resource_ids.

Within your Dashboard, you'll find the following four default Resources:

  • stytch.self: access controls for the logged-in user's Member.
  • stytch.organization: access controls for the Organization.
  • stytch.member: access controls for all Members in the Organization.
  • stytch.sso: access controls for SSO Connections.

Each default Resource is scoped to the logged-in user's Organization and has a predefined list of actions tailored to control specific functionality. Here's a comprehensive list of actions that are supported:

For the stytch.organization Resource:

  • update.info.name
  • update.info.slug
  • update.info.untrusted_metadata
  • update.info.email_jit_provisioning
  • update.info.logo_url
  • update.info.email_invites
  • update.info.allowed_domains
  • update.info.default_sso_connection
  • update.info.sso_jit_provisioning
  • update.info.mfa_policy
  • update.info.implicit_roles
  • delete

For the stytch.member Resource:

  • create
  • update.info.name
  • update.info.untrusted_metadata
  • update.info.mfa-phone
  • update.info.delete.mfa-phone
  • update.settings.is-breakglass
  • update.settings.mfa_enrolled
  • update.settings.roles
  • search
  • delete

For the stytch.sso Resource:

  • create
  • update
  • delete

For the stytch.self Resource:

  • update.info.name
  • update.info.untrusted_metadata
  • update.info.mfa-phone
  • update.info.delete.mfa-phone
  • update.info.delete.password
  • update.settings.mfa_enrolled
  • delete

Default Roles

To manage the default Resources, Stytch provides two default Roles for your convenience.

Stytch-Member: a Role that's automatically assigned to all new Members on sign-up (including the original Member who created the Organization). By default, it contains most stytch.self permissions, such as updating your own Member object's name or untrusted_metadata. This Role does not allow certain sensitive actions like deleting your own password or deleting the Member object.

Stytch-Admin: a Role that's automatically assigned to the Member that creates a new Organization through the Discovery flow. By default, the Stytch-Admin Role includes all permissions for the stytch.organization, stytch.member, and stytch.sso resources.

Editing the descriptions or deleting these default Stytch Roles is not permitted. However, you can edit their permissions to suit the needs of your Project. For example, if you want to leverage Stytch's default Roles for billing tier gating, you could remove the stytch.sso permissions from the Stytch-Admin Role that is automatically assigned to new signups and instead create your own enterprise-admin Role with those permissions.
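The following is an added example, not Stytch's SDK or API: a small Python model of the RBAC Policy described on this page. It encodes the four default Resources with their action lists and the two default Roles, then applies the billing-tier customization above (revoke stytch.sso from Stytch-Admin, grant it to a new enterprise-admin Role) and evaluates authorization decisions locally. The class and method names, the union-of-roles authorization rule, and the assumption that exactly update.info.delete.password and delete are the stytch.self actions withheld from Stytch-Member are this example's own; the resource_ids, action names and Role names come from the page.

```python
"""Toy model of a Stytch-style RBAC policy (added example, not Stytch's code)."""
from __future__ import annotations
from dataclasses import dataclass, field

STYTCH_PREFIX = "stytch."  # reserved for default Resources

# Default Resources and the actions each supports, as listed on the page.
DEFAULT_RESOURCES: dict[str, frozenset[str]] = {
    "stytch.organization": frozenset({
        "update.info.name", "update.info.slug", "update.info.untrusted_metadata",
        "update.info.email_jit_provisioning", "update.info.logo_url",
        "update.info.email_invites", "update.info.allowed_domains",
        "update.info.default_sso_connection", "update.info.sso_jit_provisioning",
        "update.info.mfa_policy", "update.info.implicit_roles", "delete",
    }),
    "stytch.member": frozenset({
        "create", "update.info.name", "update.info.untrusted_metadata",
        "update.info.mfa-phone", "update.info.delete.mfa-phone",
        "update.settings.is-breakglass", "update.settings.mfa_enrolled",
        "update.settings.roles", "search", "delete",
    }),
    "stytch.sso": frozenset({"create", "update", "delete"}),
    "stytch.self": frozenset({
        "update.info.name", "update.info.untrusted_metadata",
        "update.info.mfa-phone", "update.info.delete.mfa-phone",
        "update.info.delete.password", "update.settings.mfa_enrolled", "delete",
    }),
}
DEFAULT_ROLES = ("Stytch-Member", "Stytch-Admin")


@dataclass
class Role:
    role_id: str
    # resource_id -> set of actions this Role may perform on that Resource
    permissions: dict[str, set[str]] = field(default_factory=dict)


class Policy:
    """Hypothetical in-memory Policy; resources and roles are keyed by id."""

    def __init__(self) -> None:
        self.resources: dict[str, set[str]] = {r: set(a) for r, a in DEFAULT_RESOURCES.items()}
        self.roles: dict[str, Role] = {}

    def add_resource(self, resource_id: str, actions: set[str]) -> None:
        """Register a custom Resource; the stytch. prefix is reserved for defaults."""
        if resource_id.startswith(STYTCH_PREFIX):
            raise ValueError(f"custom resource_id may not use the {STYTCH_PREFIX} prefix: {resource_id}")
        self.resources[resource_id] = set(actions)

    def add_role(self, role_id: str) -> Role:
        self.roles[role_id] = Role(role_id)
        return self.roles[role_id]

    def delete_role(self, role_id: str) -> None:
        """Default Stytch Roles cannot be deleted, only re-permissioned."""
        if role_id in DEFAULT_ROLES:
            raise PermissionError(f"{role_id} is a default Role and cannot be deleted")
        del self.roles[role_id]

    def grant(self, role_id: str, resource_id: str, actions: set[str]) -> None:
        """Add actions to a Role, rejecting any the Resource does not define."""
        unknown = set(actions) - self.resources[resource_id]
        if unknown:
            raise ValueError(f"{resource_id} does not support actions {sorted(unknown)}")
        self.roles[role_id].permissions.setdefault(resource_id, set()).update(actions)

    def revoke(self, role_id: str, resource_id: str) -> None:
        """Remove every permission a Role holds on one Resource."""
        self.roles[role_id].permissions.pop(resource_id, None)

    def is_authorized(self, member_roles: list[str], resource_id: str, action: str) -> bool:
        """Assumed rule: a Member is allowed if any assigned Role grants the action."""
        return any(action in self.roles[r].permissions.get(resource_id, set())
                   for r in member_roles if r in self.roles)


def default_policy() -> Policy:
    """Defaults as described above; the two withheld stytch.self actions are an assumption."""
    p = Policy()
    p.add_role("Stytch-Member")
    p.grant("Stytch-Member", "stytch.self",
            p.resources["stytch.self"] - {"update.info.delete.password", "delete"})
    p.add_role("Stytch-Admin")
    for res in ("stytch.organization", "stytch.member", "stytch.sso"):
        p.grant("Stytch-Admin", res, p.resources[res])
    return p


def billing_tier_policy() -> Policy:
    """The customization from the text: move SSO management to an enterprise-admin Role."""
    p = default_policy()
    p.revoke("Stytch-Admin", "stytch.sso")
    p.add_role("enterprise-admin")
    p.grant("enterprise-admin", "stytch.sso", p.resources["stytch.sso"])
    return p
```

With the billing-tier policy, a Member holding only Stytch-Admin keeps every stytch.organization and stytch.member action but can no longer create, update or delete SSO Connections; assigning enterprise-admin alongside it restores that capability. The grant method's action check is worth keeping in any real policy tooling, since a typo such as `update.info.mfa_phone` in place of `update.info.mfa-phone` would otherwise silently grant nothing.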

What's next

Learn about Role assignment and how Members are explicitly or implicitly granted permissions.
