You can update these settings on the Stytch Dashboard, or by using the Update Organization endpoint.
curl --request PUT \
  --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '{
    "auth_methods": "RESTRICTED",
    "allowed_auth_methods": ["google_oauth"],
    "mfa_policy": "REQUIRED_FOR_ALL"
  }'

Setting allowed authentication methods

Allowed authentication methods are controlled by the auth_methods setting. The accepted values are:
  • ALL_ALLOWED – the default setting, which allows all authentication methods allowed by your application to be used.
  • RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication.
If auth_methods is RESTRICTED, allowed_auth_methods must be set to an array of allowed authentication methods. The valid values are:
  • sso
  • magic_link
  • email_otp
  • password
  • google_oauth
  • microsoft_oauth
  • slack_oauth
  • github_oauth
  • hubspot_oauth

Setting allowed MFA methods

Allowed MFA methods are controlled by the mfa_methods setting. The accepted values are:
  • ALL_ALLOWED – the default setting, which allows all MFA methods allowed by your application to be used.
  • RESTRICTED – only methods that comply with allowed_mfa_methods can be used for MFA.
If mfa_methods is RESTRICTED, allowed_mfa_methods must be set to an array of allowed MFA methods. The valid values are:
  • sms_otp
  • totp

Requiring MFA

Whether MFA is required is controlled by the mfa_policy setting. The accepted values are:
  • REQUIRED_FOR_ALL – all Members of the Organization will be required to complete an MFA flow in order to log in.
  • OPTIONAL – MFA is optional, but individual Members can still enroll in MFA, which will require them to complete an MFA flow to log in going forward.
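
A pre-flight check for the rules in the three sections above, as an added example (not Stytch's code): it validates a settings payload against the accepted values listed on this page and serializes it as the JSON body for the Update Organization request. The function names are hypothetical, and treating an empty allow-list as unset is an assumption of this example.

```python
import json

# Accepted values, copied from the lists on this page.
AUTH_METHODS = ("sso", "magic_link", "email_otp", "password", "google_oauth",
                "microsoft_oauth", "slack_oauth", "github_oauth", "hubspot_oauth")
MFA_METHODS = ("sms_otp", "totp")
MODES = ("ALL_ALLOWED", "RESTRICTED")
MFA_POLICIES = ("REQUIRED_FOR_ALL", "OPTIONAL")


def _check_pair(settings, mode_key, list_key, valid, errors):
    """Check one mode setting and the allow-list it governs."""
    mode = settings.get(mode_key)
    allowed = settings.get(list_key)
    if mode is not None and mode not in MODES:
        errors.append(f"{mode_key}: {mode!r} is not one of {MODES}")
    # Assumption of this example: an empty array counts as "not set".
    if mode == "RESTRICTED" and not allowed:
        errors.append(f"{list_key}: must be set when {mode_key} is RESTRICTED")
    if allowed is not None:
        if not isinstance(allowed, list):
            errors.append(f"{list_key}: must be an array")
        else:
            unknown = [m for m in allowed if m not in valid]
            if unknown:
                errors.append(f"{list_key}: unknown values {unknown}")


def validate_org_settings(settings):
    """Return a list of problems; an empty list means the settings are consistent."""
    errors = []
    _check_pair(settings, "auth_methods", "allowed_auth_methods", AUTH_METHODS, errors)
    _check_pair(settings, "mfa_methods", "allowed_mfa_methods", MFA_METHODS, errors)
    policy = settings.get("mfa_policy")
    if policy is not None and policy not in MFA_POLICIES:
        errors.append(f"mfa_policy: {policy!r} is not one of {MFA_POLICIES}")
    return errors


def build_update_body(settings):
    """Serialize validated settings as the JSON body for the update request."""
    errors = validate_org_settings(settings)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(settings, indent=2)


if __name__ == "__main__":
    # The request body from the curl example on this page.
    print(build_update_body({"auth_methods": "RESTRICTED",
                             "allowed_auth_methods": ["google_oauth"],
                             "mfa_policy": "REQUIRED_FOR_ALL"}))
```

Building the body with a JSON serializer rather than by hand also rules out malformed JSON, such as a trailing comma, in the request.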

Breakglass Members

Breakglass Members serve as protection against invalid provisioning settings. A breakglass Member has permissions to authenticate into an Organization by bypassing the Organization’s settings. Typically, this is used for emergency purposes to gain access outside of normal authentication procedures.