Organizations

Organizations let you partition a tenant for B2B SaaS. Each of your customers gets an organization with its own members, roles, branding, and auth settings.

Create an Organization

POST /manage/v1/acme/organizations
{
  "name": "Cardiology Department",
  "slug": "cardiology",
  "metadata": { "department_code": "CARD-01" }
}

Per-Org Branding

Each org can override the tenant’s branding:

PATCH /manage/v1/acme/organizations/{orgId}
{
  "logo_url": "https://...",
  "primary_color": "#0066cc",
  "welcome_text": "Cardiology Portal",
  "custom_domain": "auth.cardiology.hospital.com"
}

If a field is not set, it inherits from the tenant. Users see org-specific branding on the login page.

Per-Org Auth Settings

Override password rules, MFA policy, session TTL and lockout settings on a per-org basis:

PATCH /manage/v1/acme/organizations/{orgId}
{
  "password_min_length": 12,
  "require_mfa": true,
  "session_ttl_hours": 8,
  "max_login_attempts": 3,
  "lockout_duration_minutes": 30,
  "default_connection_id": "saml-conn-uuid"
}
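The following is an added example, not the product's own code, of how a relying service can resolve an org's effective settings and enforce them. It assumes that unset auth fields inherit from the tenant the same way branding fields do, that an absent or null value means "not set", and it uses constructed tenant defaults and org overrides (the cardiology values mirror the request above). The settings merge also covers a branding field to show the same rule applies there.

```python
import time

# Constructed sample: tenant-level defaults. The field names mirror the
# per-org settings documented above; the values are made up for the example.
TENANT_DEFAULTS = {
    "password_min_length": 8,
    "require_mfa": False,
    "session_ttl_hours": 24,
    "max_login_attempts": 5,
    "lockout_duration_minutes": 15,
    "welcome_text": "Hospital Portal",
}

# Constructed sample: per-org overrides as a management API client might
# cache them, keyed by slug. Absent or null fields inherit from the tenant
# (assumption: null is treated as "not set").
ORG_OVERRIDES = {
    "cardiology": {
        "password_min_length": 12,
        "require_mfa": True,
        "session_ttl_hours": 8,
        "max_login_attempts": 3,
        "lockout_duration_minutes": 30,
        "welcome_text": "Cardiology Portal",
    },
    "radiology": {"require_mfa": True, "session_ttl_hours": None},
}


def effective_settings(org_slug, tenant=TENANT_DEFAULTS, overrides=ORG_OVERRIDES):
    """Resolve an org's effective settings: org value if set, else tenant default."""
    merged = dict(tenant)
    for key, value in overrides.get(org_slug, {}).items():
        if value is not None:  # null means "not set" -> inherit from tenant
            merged[key] = value
    return merged


def password_meets_policy(org_slug, password):
    """Apply the org's effective minimum password length."""
    return len(password) >= effective_settings(org_slug)["password_min_length"]


class LoginAttemptTracker:
    """Counts failed logins per (org, user) and enforces the org's lockout policy.

    `now` is an injectable clock returning seconds, so the lockout window can
    be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}      # (org_slug, user_id) -> consecutive failure count
        self._locked_until = {}  # (org_slug, user_id) -> unlock time in seconds

    def is_locked(self, org_slug, user_id):
        until = self._locked_until.get((org_slug, user_id))
        return until is not None and self._now() < until

    def record_failure(self, org_slug, user_id):
        """Register a failed login; return True if this failure triggered a lockout."""
        settings = effective_settings(org_slug)
        key = (org_slug, user_id)
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= settings["max_login_attempts"]:
            self._locked_until[key] = (
                self._now() + settings["lockout_duration_minutes"] * 60
            )
            self._failures[key] = 0  # counter restarts once the lockout expires
            return True
        return False

    def record_success(self, org_slug, user_id):
        """A successful login clears the failure counter."""
        self._failures.pop((org_slug, user_id), None)
```

Because settings are resolved per org on every check, the radiology org (which sets no lockout fields) falls back to the tenant's five attempts, while cardiology locks after three.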

Members

# Add member
POST /manage/v1/acme/organizations/{orgId}/members
{ "user_id": "user-uuid", "role": "admin" }

# List members
GET /manage/v1/acme/organizations/{orgId}/members

# Update role
PATCH /manage/v1/acme/organizations/{orgId}/members/{userId}
{ "role": "member" }

# Remove
DELETE /manage/v1/acme/organizations/{orgId}/members/{userId}

Roles: owner, admin, member.

Invitations

POST /manage/v1/acme/organizations/{orgId}/invitations
{ "email": "bob@hospital.com", "role": "member" }

Sends an email with an invitation link that is valid for 7 days. When the invitation is accepted, the user is added to the org.
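An added example (not the service's own implementation) of the invitation lifecycle described above: a random single-use token with a 7-day lifetime, of which only a hash is stored, redeemed by a user who is then added to the org with the invited role. Binding acceptance to the invited email address, the stored-hash design and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time

INVITE_TTL_SECONDS = 7 * 24 * 3600  # the 7-day link lifetime from the docs
VALID_ROLES = ("owner", "admin", "member")


class InvitationStore:
    """Issues and redeems org invitations.

    Only a SHA-256 hash of the token is kept, so a leaked store does not
    yield usable links. `now` is an injectable clock returning seconds.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._invites = {}  # token hash -> invitation record
        self.members = {}   # (org_id, user_id) -> role, stands in for the members API

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, org_id, email, role):
        """Create an invitation; returns the raw token that goes into the emailed link."""
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)
        self._invites[self._hash(token)] = {
            "org_id": org_id,
            "email": email.lower(),
            "role": role,
            "expires_at": self._now() + INVITE_TTL_SECONDS,
            "accepted": False,
        }
        return token

    def accept(self, token, user_id, user_email):
        """Redeem a token; on success the user becomes a member with the invited role."""
        rec = self._invites.get(self._hash(token))
        if rec is None:
            return False, "invalid invitation"
        if rec["accepted"]:
            return False, "invitation already used"
        if self._now() >= rec["expires_at"]:
            return False, "invitation expired"
        if user_email.lower() != rec["email"]:
            # Assumption: the accepting account must match the invited address.
            return False, "invitation was issued to a different email"
        rec["accepted"] = True
        self.members[(rec["org_id"], user_id)] = rec["role"]
        return True, "ok"
```

Expired and already-used invitations are rejected before any membership change, and the role recorded at acceptance time is the one set in the original request, so a later change of the inviter's intent requires a new invitation.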

Org Context in Tokens

When a user authenticates in an org context, the JWT includes:

{
  "org_id": "org-uuid",
  "org_slug": "cardiology",
  "org_role": "admin"
}
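An added example, not code from the product, of how a resource server can consume the org claims above: it verifies the token, then checks that the token's org_id matches the org in the request path and that org_role is sufficient for the operation. The sample token is signed with HS256 and a constructed shared secret purely so the block is self-contained; substitute your JWT library's verification for whatever algorithm and keys your deployment uses. The role ordering owner > admin > member and the exp handling are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed role hierarchy; the docs list the roles but not their ordering.
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def encode_hs256(claims, secret):
    """Mint a compact HS256 JWT (used here only to construct sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_hs256(token, secret, now=None):
    """Verify an HS256 JWT and return its claims; raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm; never let the token choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_org_request(claims, path_org_id, required_role):
    """Decide whether verified claims may act on an org-scoped resource.

    Returns (allowed, reason). A token issued outside an org context carries
    no org_id and is refused for org-scoped endpoints.
    """
    token_org = claims.get("org_id")
    if token_org is None:
        return False, "token has no org context"
    if token_org != path_org_id:
        return False, "token org does not match requested org"
    role = claims.get("org_role")
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required_role]:
        return False, f"role {role!r} is below required {required_role!r}"
    return True, "ok"
```

The org_id comparison is the important check: an admin token for one org must never reach another org's members or settings, even though the user may hold memberships in both, because the token was issued for a single org context.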

Per-Org Connections

Restrict which SSO connections are available per org:

POST /manage/v1/acme/organizations/{orgId}/connections
{ "connection_id": "saml-conn-uuid" }