Stytch · Schema
api_organization_v1_UpdateRequest
Request type
AuthenticationIdentityPasswordlessSecurityB2BConnected AppsMCPAI AgentsDeveloper Tools
Properties
| Name | Type | Description |
|---|---|---|
| organization_name | string | The name of the Organization. Must be between 1 and 128 characters in length. If this field is provided and a session header is passed into the request, the Member Session must have permission to perf |
| organization_slug | string | The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever |
| organization_logo_url | string | The image URL of the Organization logo. If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action |
| trusted_metadata | object | An arbitrary JSON object for storing application-specific data or identity-provider-specific data. If a session header is passed into the request, this field may **not** be passed into the request. Yo |
| organization_external_id | string | An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 character |
| sso_default_connection_id | string | The default connection used for SSO when there are multiple active connections. If this field is provided and a session header is passed into the request, the Member Session must have permission to pe |
| sso_jit_provisioning | string | The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are: `ALL_ALLOWED` – the default setting, new Members will be automatically pr |
| sso_jit_provisioning_allowed_connections | array | An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object). Only these connections will be allowed to JIT provision Members via SSO w |
| email_allowed_domains | array | An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`. Common domains s |
| email_jit_provisioning | string | The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: `RESTRICTED` – only new Members with verified ema |
| email_invites | string | The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: `ALL_ALLOWED` – any new Member can be invited to join via email. `RESTRIC |
| auth_methods | string | The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: `ALL_ALLOWED` – the default setting which allows all authentication methods t |
| allowed_auth_methods | array | An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`. The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oaut |
| mfa_policy | string | The setting that controls the MFA policy for all Members in the Organization. The accepted values are: `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every t |
| rbac_email_implicit_role_assignments | array | Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of th |
| mfa_methods | string | The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: `ALL_ALLOWED` – the default setting which allows all authentication methods to be used. |
| allowed_mfa_methods | array | An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`. The list's accepted values are: `sms_otp` and `totp`. If this field is provided and a s |
| oauth_tenant_jit_provisioning | string | The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: `RESTRICTED` – only new Members with tenants in `allowed_oauth_tena |
| allowed_oauth_tenants | object | A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github". If this field is pr |
| claimed_email_domains | array | A list of email domains that are claimed by the Organization. |
| first_party_connected_apps_allowed_type | object | The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: `ALL_ALLOWED` – the default setting, any first party Connected App in the Pr |
| allowed_first_party_connected_apps | array | An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`. |
| third_party_connected_apps_allowed_type | object | The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: `ALL_ALLOWED` – the default setting, any third party Connected App in the Pr |
| allowed_third_party_connected_apps | array | An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/api_organization_v1_UpdateRequest",
"title": "api_organization_v1_UpdateRequest",
"type": "object",
"properties": {
"organization_name": {
"type": "string",
"description": "The name of the Organization. Must be between 1 and 128 characters in length.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.name` action on the `stytch.organization` Resource."
},
"organization_slug": {
"type": "string",
"description": "The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.slug` action on the `stytch.organization` Resource."
},
"organization_logo_url": {
"type": "string",
"description": "The image URL of the Organization logo.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.info.logo-url` action on the `stytch.organization` Resource."
},
"trusted_metadata": {
"type": "object",
"additionalProperties": true,
"description": "An arbitrary JSON object for storing application-specific data or identity-provider-specific data.\n If a session header is passed into the request, this field may **not** be passed into the request. You cannot\n update trusted metadata when acting as a Member."
},
"organization_external_id": {
"type": "string",
"description": "An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace."
},
"sso_default_connection_id": {
"type": "string",
"description": "The default connection used for SSO when there are multiple active connections.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-sso-connection` action on the `stytch.organization` Resource."
},
"sso_jit_provisioning": {
"type": "string",
"description": "The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:\n \n `ALL_ALLOWED` \u2013 the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.\n \n `RESTRICTED` \u2013 only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.\n \n `NOT_ALLOWED` \u2013 disable JIT provisioning via SSO.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource."
},
"sso_jit_provisioning_allowed_connections": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of `connection_id`s that reference [SAML Connection objects](https://stytch.com/docs/b2b/api/saml-connection-object).\n Only these connections will be allowed to JIT provision Members via SSO when `sso_jit_provisioning` is set to `RESTRICTED`.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.sso-jit-provisioning` action on the `stytch.organization` Resource."
},
"email_allowed_domains": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.\n \n \n Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-domains` action on the `stytch.organization` Resource."
},
"email_jit_provisioning": {
"type": "string",
"description": "The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:\n \n `RESTRICTED` \u2013 only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.\n \n `NOT_ALLOWED` \u2013 the default setting, disables JIT provisioning via Email Magic Link and OAuth.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-jit-provisioning` action on the `stytch.organization` Resource."
},
"email_invites": {
"type": "string",
"description": "The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:\n \n `ALL_ALLOWED` \u2013 any new Member can be invited to join via email.\n \n `RESTRICTED` \u2013 only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.\n \n `NOT_ALLOWED` \u2013 disable email invites.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.email-invites` action on the `stytch.organization` Resource."
},
"auth_methods": {
"type": "string",
"description": "The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:\n \n `ALL_ALLOWED` \u2013 the default setting which allows all authentication methods to be used.\n \n `RESTRICTED` \u2013 only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource."
},
"allowed_auth_methods": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of allowed authentication methods. This list is enforced when `auth_methods` is set to `RESTRICTED`.\n The list's accepted values are: `sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-auth-methods` action on the `stytch.organization` Resource."
},
"mfa_policy": {
"type": "string",
"description": "The setting that controls the MFA policy for all Members in the Organization. The accepted values are:\n \n `REQUIRED_FOR_ALL` \u2013 All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.\n \n `OPTIONAL` \u2013 The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.mfa-policy` action on the `stytch.organization` Resource."
},
"rbac_email_implicit_role_assignments": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_organization_v1_EmailImplicitRoleAssignment"
},
"description": "Implicit role assignments based off of email domains.\n For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the\n associated Role, regardless of their login method. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)\n for more information about role assignment.\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource."
},
"mfa_methods": {
"type": "string",
"description": "The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:\n \n `ALL_ALLOWED` \u2013 the default setting which allows all authentication methods to be used.\n \n `RESTRICTED` \u2013 only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource."
},
"allowed_mfa_methods": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.\n The list's accepted values are: `sms_otp` and `totp`.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource."
},
"oauth_tenant_jit_provisioning": {
"type": "string",
"description": "The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:\n \n `RESTRICTED` \u2013 only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.\n \n `NOT_ALLOWED` \u2013 the default setting, disables JIT provisioning by OAuth Tenant.\n \n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource."
},
"allowed_oauth_tenants": {
"type": "object",
"additionalProperties": true,
"description": "A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are \"slack\", \"hubspot\", and \"github\".\n\nIf this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource."
},
"claimed_email_domains": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of email domains that are claimed by the Organization."
},
"first_party_connected_apps_allowed_type": {
"$ref": "#/components/schemas/api_organization_v1_UpdateRequestFirstPartyConnectedAppsAllowedType",
"description": "The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:\n \n `ALL_ALLOWED` \u2013 the default setting, any first party Connected App in the Project is permitted for use by Members.\n \n `RESTRICTED` \u2013 only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.\n \n `NOT_ALLOWED` \u2013 no first party Connected Apps are permitted.\n "
},
"allowed_first_party_connected_apps": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`."
},
"third_party_connected_apps_allowed_type": {
"$ref": "#/components/schemas/api_organization_v1_UpdateRequestThirdPartyConnectedAppsAllowedType",
"description": "The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:\n \n `ALL_ALLOWED` \u2013 the default setting, any third party Connected App in the Project is permitted for use by Members.\n \n `RESTRICTED` \u2013 only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.\n \n `NOT_ALLOWED` \u2013 no third party Connected Apps are permitted.\n "
},
"allowed_third_party_connected_apps": {
"type": "array",
"items": {
"type": "string"
},
"description": "An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`."
}
},
"description": "Request type"
}