
# JIT provision members

> Add Members to an Organization via just-in-time (JIT) provisioning.

export const jit_provisioning = "Just-in-time provisioning: allow new Members to be added to an Organization as soon as they authenticate, based on email domain or SSO connection.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

<Tooltip tip={organization}>Organizations</Tooltip> can allow <Tooltip tip={jit_provisioning}>JIT provisioning</Tooltip> of new <Tooltip tip={member}>Members</Tooltip> based on specific **email domains**, **SSO Connections**, or **OAuth tenants** (GitHub Organizations, Slack Workspaces or HubSpot Teams). When JIT provisioning is enabled, an Organization doesn't need to explicitly invite or add Members to the Organization; they'll be added as soon as they authenticate.

## By email domain

Enable **JIT provisioning by email domain** to allow any user with a certain email domain (for example, `@companyname.com`) to log into a given Organization. Using the [Update Organization](/api-reference/b2b/api/organizations/update-organization) endpoint, set:

* [`email_jit_provisioning`](/api-reference/b2b/api/organizations/update-organization#body-email-jit-provisioning) to `RESTRICTED`
* [`email_allowed_domains`](/api-reference/b2b/api/organizations/update-organization#body-email-allowed-domains) to an array of allowed email domains

During the Discovery flow, in order for a user with a given email domain to access an Organization via JIT Provisioning, **there must already be at least one Member in the Organization with a verified email address with the same email domain**. This restriction is in place to avoid phishing attacks.

<CodeGroup>
  ```bash cURL icon="https://d3gk2c5xim1je2.cloudfront.net/devicon/bash.svg" theme={null}
  curl --request PUT \
    --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
    --header 'Authorization: Basic <encoded-value>' \
    --header 'Content-Type: application/json' \
    --data '{
      "email_jit_provisioning": "RESTRICTED",
      "email_allowed_domains": ["companyname.com"]
    }'
  ```

  ```python Python icon="python" theme={null}
  client.organizations.update(
    organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    email_jit_provisioning="RESTRICTED",
    email_allowed_domains=["companyname.com"],
  )
  ```

  ```javascript Javascript icon="js" theme={null}
  client.organizations.update({
    organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    email_jit_provisioning: "RESTRICTED",
    email_allowed_domains: ["companyname.com"],
  })
  ```
</CodeGroup>

<Accordion title="Disallowed common email domains">
  Stytch disallows setting certain common email domains on the `email_allowed_domains` array:

  * `gmail`
  * `aol`
  * `yahoo`
  * `icloud`
  * `hotmail`
  * `msn`
  * `comcast`
  * `live`
  * `outlook`
  * `att`
  * `earthlink`
  * `me`
  * `mac`
  * `sbcglobal`
  * `verizon`
  * `ig`
  * `mail`
  * `hey`
  * `laposte`
  * `wanadoo`
  * `googlemail`
  * `orange`
  * `rediffmail`
  * `uol`
  * `bol`
  * `free`
  * `gmx`
  * `yandex`
  * `ymail`
  * `libero`
</Accordion>
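The two rules above (no public mail providers in `email_allowed_domains`, and Discovery-flow JIT only when a verified Member with the same domain already exists) are easy to pre-check locally before calling Update Organization. The following is an added example, not Stytch's SDK or server code; the Member fields `email_address` / `email_address_verified` and the match on the second-level domain label are assumptions.

```python
"""Pre-flight checks for JIT provisioning by email domain (added example)."""
from typing import Iterable

# Subset of the common mail-provider labels Stytch rejects (see the list above).
DISALLOWED_COMMON_DOMAINS = {
    "gmail", "googlemail", "yahoo", "ymail", "hotmail", "outlook", "live", "msn",
    "icloud", "me", "mac", "aol", "mail", "gmx", "yandex", "hey", "free",
}


def normalize_domain(domain: str) -> str:
    """Lower-case and strip whitespace and a leading '@' ('@Acme.com' -> 'acme.com')."""
    d = domain.strip().lower()
    return d[1:] if d.startswith("@") else d


def build_email_jit_update(domains: Iterable[str]) -> dict:
    """Return the Update Organization body for RESTRICTED email JIT, or raise."""
    allowed: list[str] = []
    for raw in domains:
        d = normalize_domain(raw)
        if "." not in d:
            raise ValueError(f"not a domain: {raw!r}")
        # Assumption: compare the label just left of the TLD ('gmail.com' -> 'gmail').
        if d.split(".")[-2] in DISALLOWED_COMMON_DOMAINS:
            raise ValueError(f"public mail provider not allowed: {d}")
        if d not in allowed:  # de-duplicate after normalization
            allowed.append(d)
    if not allowed:
        raise ValueError("RESTRICTED requires at least one allowed domain")
    return {"email_jit_provisioning": "RESTRICTED", "email_allowed_domains": allowed}


def can_jit_provision(members: list[dict], body: dict, login_email: str) -> bool:
    """Discovery-flow rule: the login domain must be allowed AND some existing
    Member must already hold a *verified* address at that same domain."""
    if body.get("email_jit_provisioning") != "RESTRICTED":
        return False
    domain = normalize_domain(login_email.rsplit("@", 1)[-1])
    if domain not in body.get("email_allowed_domains", []):
        return False
    return any(
        m.get("email_address_verified") is True
        and normalize_domain(m["email_address"].rsplit("@", 1)[-1]) == domain
        for m in members
    )
```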

### OAuth step-up flow

If a user authenticates via OAuth, they will only be able to access an Organization via JIT Provisioning by email domain if the OAuth provider indicates active ownership of the email address. Otherwise, the user will be prompted to complete a step-up form of primary authentication before they can access the Organization. [See here](/multi-tenant-auth/authentication/oauth/overview#understanding-step-up-requirements-in-oauth-discovery) for additional information.

## By SSO Connection

Enable **JIT Provisioning by SSO Connection** to allow users to log into an Organization via their company's Identity Provider, assuming an [SSO Connection](/multi-tenant-auth/authentication/sso/overview) has been set up for that Organization and Identity Provider.

For example, assume one of your customers sets up a Microsoft Entra SSO Connection. If JIT Provisioning is enabled for that SSO Connection, your customer's team members will be able to log into the customer's Stytch Organization without being explicitly added or invited, as long as the team members are assigned to your application within Microsoft Entra.

To enable JIT Provisioning by SSO Connection:

* Set [`sso_jit_provisioning`](/api-reference/b2b/api/organizations/update-organization#body-sso-jit-provisioning) to either:
  * `ALL_ALLOWED` if you'd like to enable JIT Provisioning for all of the Organization's active SSO Connections
  * `RESTRICTED` if you'd like to specify which of the Organization's SSO Connections should be enabled for JIT Provisioning
* If `RESTRICTED`, specify which SSO Connections should be enabled for JIT Provisioning with [`sso_jit_provisioning_allowed_connections`](/api-reference/b2b/api/organizations/update-organization#body-sso-jit-provisioning-allowed-connections).

<CodeGroup>
  ```bash cURL icon="https://d3gk2c5xim1je2.cloudfront.net/devicon/bash.svg" theme={null}
  curl --request PUT \
    --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
    --header 'Authorization: Basic <encoded-value>' \
    --header 'Content-Type: application/json' \
    --data '{
      "sso_jit_provisioning": "RESTRICTED",
      "sso_jit_provisioning_allowed_connections": ["sso-connection-123"]
    }'
  ```

  ```python Python icon="python" theme={null}
  client.organizations.update(
    organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    sso_jit_provisioning="RESTRICTED",
    sso_jit_provisioning_allowed_connections=["sso-connection-123"],
  )
  ```

  ```javascript Javascript icon="js" theme={null}
  client.organizations.update({
    organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    sso_jit_provisioning: "RESTRICTED",
    sso_jit_provisioning_allowed_connections: ["sso-connection-123"],
  })
  ```
</CodeGroup>

## By OAuth tenant

Enable **JIT Provisioning by OAuth tenant** to allow users to log into an Organization based on their OAuth tenant membership (for example, if they belong to a specific GitHub Organization, Slack Workspace, or HubSpot Team).

<Note>
  If you're using Google or Microsoft OAuth, in most cases you can use [JIT Provisioning by email domain](#by-email-domain) instead.
</Note>

Using the [Update Organization](/api-reference/b2b/api/organizations/update-organization) endpoint:

* Set [`oauth_tenant_jit_provisioning`](/api-reference/b2b/api/organizations/update-organization#body-oauth-tenant-jit-provisioning) to `RESTRICTED`.
* Add the allowed OAuth tenants to the [`allowed_oauth_tenants`](/api-reference/b2b/api/organizations/update-organization#body-allowed-oauth-tenants) object, where the available keys are `slack`, `hubspot`, and `github`, and the values are arrays of tenant identifiers (for example, Slack Team IDs).

<CodeGroup>
  ```bash cURL icon="https://d3gk2c5xim1je2.cloudfront.net/devicon/bash.svg" theme={null}
  curl --request PUT \
    --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
    --header 'Authorization: Basic <encoded-value>' \
    --header 'Content-Type: application/json' \
    --data '{
      "oauth_tenant_jit_provisioning": "RESTRICTED",
      "allowed_oauth_tenants": {
        "hubspot": ["HUBSPOT-ABC", "HUBSPOT-DEF"],
        "slack": ["SLACK-123", "SLACK-456"],
        "github": [12345, 67890]
      }
    }'
  ```

  ```python Python icon="python" theme={null}
  client.organizations.update(
    organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    oauth_tenant_jit_provisioning="RESTRICTED",
    allowed_oauth_tenants={
      "hubspot": ["HUBSPOT-ABC", "HUBSPOT-DEF"],
      "slack": ["SLACK-123", "SLACK-456"],
      "github": [12345, 67890],
    },
  )
  ```

  ```javascript Javascript icon="js" theme={null}
  client.organizations.update({
    organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    oauth_tenant_jit_provisioning: "RESTRICTED",
    allowed_oauth_tenants: {
      hubspot: ["HUBSPOT-ABC", "HUBSPOT-DEF"],
      slack: ["SLACK-123", "SLACK-456"],
      github: [12345, 67890],
    },
  })
  ```
</CodeGroup>

### Determining tenant IDs

<AccordionGroup>
  <Accordion title="Slack" icon="slack">
    Your **Slack tenant ID** (referred to as a Workspace ID by Slack) can be determined by [following this guide](https://slack.com/help/articles/221769328-Locate-your-Slack-URL-or-ID#free,-pro,-and-business+-plans-2).
  </Accordion>

  <Accordion title="HubSpot" icon="hubspot">
    Your **HubSpot tenant ID** (referred to as a Hub ID by HubSpot) can be determined by either:

    * Logging into your HubSpot developer account and parsing it from the URL path. It will have the form `https://app.hubspot.com/developer/${TENANT_ID}`.
    * When logged into your HubSpot developer account, clicking on the dropdown menu under your account name in the upper right-hand corner. It will be the sequence of numbers under your account name.
  </Accordion>

  <Accordion title="GitHub" icon="github">
    **GitHub tenant IDs** are taken from the internal ID of a GitHub organization. There are a number of ways to retrieve this value, depending on your permissions in relation to the GitHub organization and the organization's privacy settings:

    * You can query [GitHub's organization endpoint](https://docs.github.com/en/rest/orgs/orgs?apiVersion=2022-11-28#get-an-organization). The tenant ID will be the `id` value in the JSON response.
    * If you are a member of the GitHub organization in question, it may be easier to use the GitHub CLI to request a list of the organizations you are a member of with the [List organizations for the authenticated user endpoint](https://docs.github.com/en/rest/orgs/orgs?apiVersion=2022-11-28#list-organizations-for-the-authenticated-user).
  </Accordion>
</AccordionGroup>
