Stytch B2B Basics
Purpose-built identity infrastructure, for the unique authentication and authorization requirements of B2B SaaS applications.Data Model Overview
Stytch’s B2B auth product is built around two core entities: Organizations and Members.
Data model relationship between Organizations and Members.Organizations
Represents an instance or tenant in your application, typically mapping to each of your top-level customers.
In most standard B2B use cases this is a shared workspace managed and paid for by a company and accessed by their employees, but if you also have individual users as customers you can still create an Organization to represent their instance – enabling seamless upgrades if they want to invite collaborators in the future.
Members
Represents an individual end user’s account within a given Organization, identified by their email address.
While emails are unique within the Organization, an end user can belong to multiple Organizations under the same email, each being represented as a distinct Member record.
This model allows each Organization to have complete control over all the users who access their instance, from mandating particular primary or secondary auth methods, to admin updates to their profile information and identifying email.
End users who are part of multiple Organizations can easily switch between them without logging out and logging back in, and Stytch will enforce that all authentication requirements of each Organization are satisfied.
Core Flows
Discovery Authentication
Discovery refers to the flow where an end user authenticates before specifying the Organization they wish to access, and is then presented with all of the Organizations that they are:
Currently an active Member of
Have a pending invite to join
Are eligible to join based on their email domain
The end user then selects the Organization they wish to log into, or can alternatively opt to create a new Organization.
When selecting an existing Organization, Stytch will enforce that the Organization’s authentication requirements have been met – and if not, prompt the end user to perform MFA or use a different primary auth method – before logging the user in and returning a Member Session.
This flow allows you to have a centralized login page for all Organizations, and ensures that end users are able to find any existing instances they have access to, instead of accidentally creating a new one. This often helps improve conversion by centralizing a company’s usage of your tool in a single instance, allowing for better collaboration and clearer value prop.
Organization-Specific Login
Organization-Specific Login refers to the flow where end users go to a specialized login page for their tenant, often a subdomain or route that contains the Organization Slug (e.g. acme-corp.yourapp.com or yourapp.com/team/acme-corp).
The end user will be presented with the specific authentication methods the Organization allows, and can log into the Organization directly if they are:
Currently an active Member of
Have a pending invite to join
Are eligible to join based on their email domain or the SSO Connection that they authenticated through
We recommend using this flow alongside discovery to support enterprise customers with SSO configured.
However, if your app does not already have tenanted subdomains or routes, Stytch also supports IdP-initiated SSO – which allows end users to simply initiate login to your app directly from their company’s workforce Identity Provider (IdP), skipping the discovery flow.
Organization Switching
Organization Switching, or Session Exchange, refers to the flow of allowing end users to switch between various Organizations they belong to, without needing to log out and log back in.
While Stytch Sessions are explicitly scoped to a specific Member within an Organization, eliminating any ambiguity around the context that the end user is operating within and their permissions within that context, we offer out-of-the-box support for:
Surfacing any other Organizations the end user belongs
Prompting for additional step-up authentication if needed to switch to the selected Organization
“Exchanging” their current Member Session for a new Member Session on the selected Organization
This model allows seamless switching between multiple Organizations, while still maintaining the data isolation and authentication requirements that your enterprise customers demand.
Why Stytch
Our B2B product is purpose built around the unique dynamics of having companies as customers – where each one of those companies wants full control of who can access their instance of your app, how those users must authenticate, and what they can do once they’re logged in. By centering our data model and product around this organization-driven ownership and control, we allow you to easily satisfy the full range of authentication and authorization features required to serve customers of every size – from the enterprise requirements of Fortune 100 companies, to powering PLG and prosumer motions.
Stytch's organization-first data model allows you to manage diverse authentication flows and complex permission settings across various customer organizations simultaneously..Learn more about our org-first data model by reading our multi-tenancy guide.
Feature Overview
Stytch offers developers a comprehensive set of features and capabilities in order to build secure and scalable B2B SaaS Authentication.
This is a non-exhaustive list of features that includes but is not limited to:
Multi-tenancy: Stytch's B2B SaaS Authentication platform is built upon two key data entities: Organizations and their Members. With Stytch, you can implement B2B SaaS Authentication without needing to build all the back-end logic to solve the many challenges that multi-tenancy poses like per organization settings, authentication settings, invites, provisioning, multiple memberships, account deduplication, and more. Refer to the multi-tenancy guide to learn more.
Organizations: Stytch treats Organizations as first-class entities. Every Organization has configurable settings for administering important access controls like allowed auth methods, allowed email domains, provisioning, invites, IdP connections, and more. Organizations can have thousands or just one single Member, making it flexibly suited for enterprises, teams, and collaborative data models. Refer to the Organization settings guide to learn more.
Members: Stytch stores and manages authenticated end users as Members who are primarily identified by their email addresses. A single end user can have multiple distinct Members in different Organizations linked by the same email address. Refer to the multi-tenancy guide to learn more.
Single Sign On: Stytch supports both SAML and OIDC protocols for SSO login. Integrate with IdPs for centralized authentication with existing identity systems and frameworks. Organizations can support multiple SSO connections with different IdPs and specify which connections can be used as defaults or for JIT provisioning. Refer to the Single Sign On guide to learn more.
Sessions: Stytch issues, stores, and validates Sessions on behalf of your application. After an end user successfully authenticates, Stytch's API will return both a session_token and a session_jwt for you to store and manage. Use Stytch's Sessions to validate requests, authorize actions, and store metadata.Refer to the Sessions guide to learn more.
Auth methods: Stytch offers a comprehensive suite of authentication methods. Choose the right login experience for your application user base. We offer Email Magic links, Passwords, Single Sign On, and OAuth for primary authentication, and offer One-Time Passcodes (OTP), and Time-Based One-Time Passcodes (TOTP) for MFA.
Break glass: Members can also be designated as breakglass which grants them elevated privileges in the Organization for use cases such as emergency access. Refer to the Member API object to learn more.
RBAC: Stytch's RBAC framework is an authorization model that governs resource access within your application. The RBAC model streamlines the management and enforcement of permissions with a flexible interface designed for a multi-tenant auth system. Refer to the Member API object to learn more.
SCIM: Stytch's SCIM solution offers a way to integrate with workforce identity providers for automated user provisioning. Developed to streamline identity management processes, SCIM provides a common framework for handling user data synchronizations within complex, multi-domain environments. Refer to the SCIM guide to learn more.
Webhooks: Subscribe to webhook events for updates that occur out-of-band from you system, such as provisioning and deprovisioning through SCIM or updates from the Stytch Dashboard. Refer to the Webhooks guide to learn more. Refer to the Webhooks guide to learn more.
Multi-Factor Authentication: Stytch supports MFA. Organizations and Members can opt-in to MFA and add an extra layer of security by requiring multiple forms of verification factors during the authentication process.Refer to the MFA guide to learn more.
Device Fingerprint-Protected Auth: Protection from account takeover (ATO) and related attacks using Device Fingerprinting on every authentication request. Refer to the DFP Protected Auth guide to learn more.
Protected Email Magic Links: Ensure the delivery of email magic links even when enterprise security services are in place to check links. Refer to the Protected Email Magic Links guide to learn more.
Just-in-time (JIT) provisioning: Organizations can specify trusted sources (such as an Identity Provider or a verified email domain) that enable end users to join the Organization without an explicit invite. Through these sources, Members will be automatically created when an end user successfully authenticates. Refer to the multi-tenancy guide to learn more.
Discovery: Stytch's Discovery flow enables end users to discover all of their Organizations upon authentication. Instead of logging in to each Organization separately, the end user can use the Discovery flow to log in once, see all of their memberships, and select an Organization to authenticate into. Discovery also allows end users to switch between Organizations within an active Session. Refer to the core flows overview above to learn more.
Enterprise onboarding: Stytch supports manual onboarding processes, often used to restrict access behind a sales team (e.g. Lattice), by exposing direct API calls to create Organizations. Refer to the Create Organization API endpoint to learn more.
Self-onboarding: Stytch also supports end users being able to create Organizations, often used for self-service onboarding flows (e.g. Slack). This can be done by creating an Organization and initial Member as the final step of the Discovery flow. Refer to the core flows overview above to learn more.