What is Stytch B2B Authentication

Purpose-built identity infrastructure, for the unique authentication and authorization requirements of B2B SaaS applications.

Stytch's B2B Authentication product is a comprehensive identity platform purpose-built for the unique authentication and authorization needs of B2B SaaS applications, from driving adoption for PLG motions to satisfying advanced enterprise-level requirements.

Stytch provides a robust suite of powerful API primitives, enabling developers to customize authentication flows for each customer, organization, or tenant within their application.

Identity management for every stage of growth

Stytch allows you to easily support everything from low-friction, self-serve sign-ups and organization discovery, to the rigorous access and authentication required by the largest enterprise.

Stytch comes out-of-the-box with the full range of authentication and authorization features you need at every stage of your growth, for customers at every stage of theirs. For example:

  1. Multiple discoverable organizations for driving self-serve adoption through seamless login and signup.
  2. Multi-Factor Authentication (MFA) policies specific to each organization or member.
  3. Single Sign On (SSO) integration with an organization's workforce identity provider via SAML or OIDC protocol.

An organization-first data model

Stytch's organization-first data model allows developers to manage diverse authentication flows and complex permission settings across various customer organizations simultaneously.

Your customers expect complete control over who can access their tenant and how, and Stytch's data model reflects this reality.

Stytch Organizations are equipped with a comprehensive set of native admin controls that allow your customers to control their employees' accounts and configure their own unique combination of identity requirements — all without any side effects on other Organizations.

These per-organization controls and settings include:

  • Approved auth methods: Specify which auth methods can be used for authentication.
  • Email domains: Restrict which email addresses Members can sign up with.
  • JIT Provisioning: Control which auth methods can provision Members upon authentication.
  • Invites: Allow or disable invites to join an Organization.
  • SSO connections: Manage SSO connections that integrate with IdPs.
  • MFA policies: Enforce secondary factor policies.
  • RBAC assignment: Assign roles and permissions.
  • Custom metadata: Store application or business-specific attributes on the Organization object.
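As an added illustration of how these per-Organization controls combine into one access decision for a login attempt (an added example, not Stytch's code or API; the Organization model, the evaluation order, and the outcome strings are assumptions):

```python
# Illustrative model of per-Organization login controls: allowed auth methods,
# an email-domain allowlist, JIT provisioning per auth method, and an invite
# switch, evaluated for one login attempt. Added example, not Stytch's code.
from dataclasses import dataclass, field


@dataclass
class Organization:
    allowed_auth_methods: set[str]        # e.g. {"sso", "magic_link"}
    allowed_email_domains: set[str]       # empty set = no domain restriction
    jit_provisioning_methods: set[str]    # auth methods allowed to create Members
    invites_allowed: bool
    members: set[str] = field(default_factory=set)          # Member emails
    pending_invites: set[str] = field(default_factory=set)  # invited, not yet joined


def evaluate_login(org: Organization, email: str, auth_method: str) -> str:
    """Decide the outcome of an authenticated login attempt into `org`.

    Checks run in a fixed order so the tenant's restrictions always win over
    any provisioning path: auth method, then email domain, then
    existing membership, then invite, then JIT provisioning.
    """
    email = email.strip().lower()
    if auth_method not in org.allowed_auth_methods:
        return "denied: auth method not allowed by organization"
    domain = email.rsplit("@", 1)[-1]
    if org.allowed_email_domains and domain not in org.allowed_email_domains:
        return "denied: email domain not allowed by organization"
    if email in org.members:
        return "authenticated: existing member"
    if email in org.pending_invites:
        if not org.invites_allowed:
            return "denied: invites disabled for organization"
        org.pending_invites.discard(email)
        org.members.add(email)
        return "authenticated: invite accepted, member created"
    if auth_method in org.jit_provisioning_methods:
        org.members.add(email)
        return "authenticated: member created by JIT provisioning"
    return "denied: no membership, invite, or JIT path"


def sample_org() -> Organization:
    """Constructed sample tenant: SSO and magic links only, one verified domain,
    JIT only via SSO, invites enabled, one member and one pending invite."""
    return Organization(
        allowed_auth_methods={"sso", "magic_link"},
        allowed_email_domains={"example.com"},
        jit_provisioning_methods={"sso"},
        invites_allowed=True,
        members={"alice@example.com"},
        pending_invites={"bob@example.com"},
    )
```

Every outcome is decided from the Organization's own settings, so changing one tenant's allowlist or JIT sources cannot affect another tenant's decisions.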

Multiple integration methods

Stytch offers APIs and SDKs for backend, frontend headless, and frontend pre-built UI integrations.

Stytch's full-stack developer toolkit provides you with multiple strategies and options when integrating with the Stytch API — for client-side and server-side development.

Stytch offers three high-level integration paths, but you're never locked into a single approach and can move from one to another as your needs and preferences evolve.

  1. A backend server-side integration that calls the Stytch API directly or uses our backend SDKs.
  2. A frontend client-side integration that uses our frontend SDKs headlessly.
  3. A frontend client-side integration that uses our frontend SDKs with our pre-built UI components.

B2B feature list

Stytch offers developers a comprehensive set of features and capabilities in order to build secure and scalable B2B SaaS Authentication.

This non-exhaustive list of features includes:

  • Multi-tenancy: Stytch's B2B SaaS Authentication platform is built upon two key data entities: Organizations and their Members. With Stytch, you can implement B2B SaaS Authentication without needing to build all the back-end logic to solve the many challenges that multi-tenancy poses like per organization settings, authentication settings, invites, provisioning, multiple memberships, account deduplication, and more. Refer to the multi-tenancy guide to learn more.

  • Organizations: Stytch treats Organizations as first-class entities. Every Organization has configurable settings for administering important access controls like allowed auth methods, allowed email domains, provisioning, invites, IdP connections, and more. Organizations can have thousands or just one single Member, making it flexibly suited for enterprises, teams, and collaborative data models. Refer to the Organization settings guide to learn more.

  • Members: Stytch stores and manages authenticated end users as Members who are primarily identified by their email addresses. A single end user can have multiple distinct Members in different Organizations linked by the same email address. Refer to the multi-tenancy guide to learn more.

  • Single Sign On: Stytch supports both SAML and OIDC protocols for SSO login. Integrate with IdPs for centralized authentication with existing identity systems and frameworks. Organizations can support multiple SSO connections with different IdPs and specify which connections can be used as defaults or for JIT provisioning. Refer to the Single Sign On guide to learn more.

  • Sessions: Stytch issues, stores, and validates Sessions on behalf of your application. After an end user successfully authenticates, Stytch's API will return both a session_token and a session_jwt for you to store and manage. Use Stytch's Sessions to validate requests, authorize actions, and store metadata. Refer to the Single Sign On guide to learn more.

  • Auth methods: Stytch offers a comprehensive suite of authentication methods. Choose the right login experience for your application user base. We offer Email Magic links, Passwords, Single Sign On, OAuth, and One-Time Passcodes (OTP). More auth methods are coming soon, like Time-Based One-Time Passcodes (TOTP). Refer to the login flows guide to learn more.

  • Break glass: Members can also be designated as break glass, which grants them elevated privileges in the Organization for use cases such as emergency access. Refer to the Member API object to learn more.

  • RBAC: Stytch's RBAC framework is an authorization model that governs resource access within your application. The RBAC model streamlines the management and enforcement of permissions with a flexible interface designed for a multi-tenant auth system. Refer to the Member API object to learn more.

  • SCIM: Stytch's SCIM solution offers a way to integrate with workforce identity providers for automated user provisioning. Developed to streamline identity management processes, SCIM provides a common framework for handling user data synchronizations within complex, multi-domain environments. Refer to the SCIM guide to learn more.

  • Webhooks: Subscribe to webhook events for updates that occur out-of-band from your system, such as provisioning and deprovisioning through SCIM or updates from the Stytch Dashboard. Refer to the Webhooks guide to learn more.

  • Multi-Factor Authentication: Stytch supports MFA. Organizations and Members can opt in to MFA and add an extra layer of security by requiring multiple verification factors during the authentication process. Refer to the MFA guide to learn more.

  • Device Fingerprint-Protected Auth: Protection from account takeover (ATO) and related attacks using Device Fingerprinting on every authentication request. Refer to the DFP Protected Auth guide to learn more.

  • Protected Email Magic Links: Ensure the delivery of email magic links even when enterprise security services are in place to check links. Refer to the Protected Email Magic Links guide to learn more.

  • Just-in-time (JIT) provisioning: Organizations can specify trusted sources (such as an Identity Provider or a verified email domain) that enable end users to join the Organization without an explicit invite. Through these sources, Members will be automatically created when an end user successfully authenticates. Refer to the multi-tenancy guide to learn more.

  • Discovery: Stytch's Discovery flow enables end users to discover all of their Organizations upon authentication. Instead of logging in to each Organization separately, the end user can use the Discovery flow to log in once, see all of their memberships, and select an Organization to authenticate into. Discovery also allows end users to switch between Organizations within an active Session. Refer to the login flows guide to learn more.

  • Enterprise onboarding: Stytch supports manual onboarding processes, often used to restrict access behind a sales team (e.g. Lattice), by exposing direct API calls to create Organizations. Refer to the Create Organization API endpoint to learn more.

  • Self-onboarding: Stytch also supports end users being able to create Organizations, often used for self-service onboarding flows (e.g. Slack). This can be done by creating an Organization and initial Member as the final step of the Discovery flow. Refer to the login flows guide to learn more.