JIT provisioning can allow the automatic creation of new Members based on specific email domains, SSO Connections, or OAuth tenants (GitHub Organizations, Slack Workspaces, or HubSpot Teams). When JIT provisioning is enabled, an Organization doesn’t need to explicitly invite or add Members to the Organization; they’ll be added as soon as they authenticate.

By email domain

Enable JIT provisioning by email domain to allow any user with a certain email domain (for example, @companyname.com) to log into a given Organization.

During the Discovery flow, for a user with a given email domain to access an Organization via JIT Provisioning, there must already be at least one Member in the Organization with a verified email address in that same domain. This restriction is in place to avoid phishing attacks.

Using the Update Organization endpoint, set:
curl --request PUT \
  --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '{
    "email_jit_provisioning": "RESTRICTED",
    "email_allowed_domains": ["companyname.com"]
  }'
Stytch disallows setting certain common email domains on the email_allowed_domains array:
  • gmail
  • aol
  • yahoo
  • icloud
  • hotmail
  • msn
  • comcast
  • live
  • outlook
  • att
  • earthlink
  • me
  • mac
  • sbcglobal
  • verizon
  • ig
  • mail
  • hey
  • laposte
  • wanadoo
  • googlemail
  • orange
  • rediffmail
  • uol
  • bol
  • free
  • gmx
  • yandex
  • ymail
  • libero

OAuth step-up flow

If a user authenticates via OAuth, they will only be able to access an Organization via JIT Provisioning by email domain if the OAuth provider indicates active ownership of the email address. Otherwise, the user will be prompted to complete a step-up form of primary authentication before they can access the Organization.

By SSO Connection

Enable JIT Provisioning by SSO Connection to allow users to log into an Organization via their company’s Identity Provider, assuming an SSO Connection has been set up for that Organization and Identity Provider. For example, assume one of your customers sets up a Microsoft Entra SSO Connection. If JIT Provisioning is enabled for that SSO Connection, your customer’s team members will be able to log into the customer’s Stytch Organization without being explicitly added or invited, as long as the team members are assigned to your application within Microsoft Entra. To enable JIT Provisioning by SSO Connection:
  • Set sso_jit_provisioning to either:
    • ALL_ALLOWED if you’d like to enable JIT Provisioning for all of the Organization’s active SSO Connections
    • RESTRICTED if you’d like to specify which of the Organization’s SSO Connections should be enabled for JIT Provisioning
  • If RESTRICTED, specify which SSO Connections should be enabled for JIT Provisioning with sso_jit_provisioning_allowed_connections.
curl --request PUT \
  --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '{
    "sso_jit_provisioning": "RESTRICTED",
    "sso_jit_provisioning_allowed_connections": ["sso-connection-123"]
  }'

By OAuth tenant

Enable JIT Provisioning by OAuth tenant to allow users to log into an Organization based on their OAuth tenant membership (for example, if they belong to a specific Github Organization, Slack Workspace, or Hubspot Team).
If you’re using Google or Microsoft OAuth, in most cases you can use JIT Provisioning by email domain instead.
Using the Update Organization endpoint:
curl --request PUT \
  --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '{
    "oauth_tenant_jit_provisioning": "RESTRICTED",
    "allowed_oauth_tenants": {
      "hubspot": ["HUBSPOT-ABC", "HUBSPOT-DEF"],
      "slack": ["SLACK-123", "SLACK-456"],
      "github": [12345, 67890]
    }
  }'
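The three Update Organization payloads above share a small set of rules worth checking before the request is sent: a RESTRICTED mode needs a non-empty allow list, the common consumer email domains are rejected, and the Discovery-flow rule requires an existing Member with a verified email in the candidate's domain. The following is an added example, not Stytch's own code or SDK; it assumes Member records carry email_address and email_address_verified fields, and that the page's bare domain labels are matched against the first label of the submitted domain.

```python
# Labels the page lists as disallowed in email_allowed_domains, exactly as given
# (bare names without a TLD).
BLOCKED_LABELS = {
    "gmail", "aol", "yahoo", "icloud", "hotmail", "msn", "comcast", "live",
    "outlook", "att", "earthlink", "me", "mac", "sbcglobal", "verizon", "ig",
    "mail", "hey", "laposte", "wanadoo", "googlemail", "orange", "rediffmail",
    "uol", "bol", "free", "gmx", "yandex", "ymail", "libero",
}

def is_blocked_domain(domain: str) -> bool:
    # Assumption: the page's labels are matched against the first label of the domain.
    return domain.lower().split(".")[0] in BLOCKED_LABELS

def validate_jit_settings(settings: dict) -> list:
    # Local sanity checks run before PUT /v1/b2b/organizations/{organization_id};
    # these are this example's rules, not Stytch's server-side validation.
    problems = []
    if settings.get("email_jit_provisioning") == "RESTRICTED":
        domains = settings.get("email_allowed_domains") or []
        if not domains:
            problems.append("email RESTRICTED but email_allowed_domains is empty")
        problems += [f"{d}: common consumer domain, rejected by Stytch"
                     for d in domains if is_blocked_domain(d)]
    if (settings.get("sso_jit_provisioning") == "RESTRICTED"
            and not settings.get("sso_jit_provisioning_allowed_connections")):
        problems.append("SSO RESTRICTED but no allowed connections listed")
    if (settings.get("oauth_tenant_jit_provisioning") == "RESTRICTED"
            and not any((settings.get("allowed_oauth_tenants") or {}).values())):
        problems.append("OAuth tenant RESTRICTED but no tenants listed")
    return problems

def domain_jit_permitted(candidate_email: str, settings: dict, members: list) -> bool:
    # Discovery-flow rule from the page: the domain must be allowed AND at least
    # one existing Member must already hold a verified email in that domain.
    # Member dicts use email_address / email_address_verified (assumed shape).
    if settings.get("email_jit_provisioning") != "RESTRICTED":
        return False
    domain = candidate_email.rsplit("@", 1)[-1].lower()
    if domain not in {d.lower() for d in settings.get("email_allowed_domains", [])}:
        return False
    return any(m.get("email_address_verified")
               and m["email_address"].rsplit("@", 1)[-1].lower() == domain
               for m in members)
```

Run validate_jit_settings on the body before each PUT, and domain_jit_permitted against the Organization's current Member list to predict whether a Discovery-flow login will be provisioned or bounced.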

Determining tenant IDs

Your Slack tenant ID (referred to as a Workspace ID by Slack) can be determined by following this guide.
Your HubSpot tenant ID (referred to as a Hub ID by HubSpot) can be determined by either:
  • Logging into your HubSpot developer account and parsing it from the URL path. It will have the form https://app.hubspot.com/developer/${TENANT_ID}.
  • When logged into your HubSpot developer account, clicking on the dropdown menu under your account name in the upper right-hand corner. It will be the sequence of numbers under your account name.
GitHub tenant IDs are taken from the internal ID of a GitHub organization. There are a number of ways to retrieve this value, depending on your permissions in relation to the GitHub organization and the organization’s privacy settings: