AuthFI · Documentation

AuthFI Organizations

Multi-tenant within a tenant. Per-org members, roles, branding, auth settings, and SSO connections. Built for B2B SaaS where each customer has sub-organizations.

B2B / B2B2C · Per-org branding · Per-org auth settings · Owner / Admin / Member

Organizations let you partition a tenant for B2B SaaS. Each of your customers gets an organization with its own members, roles, branding, and auth settings.

Create an organization

POST /manage/v1/acme/organizations
{
  "name": "Cardiology Department",
  "slug": "cardiology",
  "metadata": { "department_code": "CARD-01" }
}

Per-org capabilities

Branding

Logo, primary color, welcome text, custom domain. Inherited from tenant when not set.

Auth settings

Password rules, MFA policy, session TTL, lockout — overridable per org.

SSO connections

Restrict which connections an org can use. Per-org default connection.

Member roles

Owner, Admin, Member. Tracked separately from tenant-level roles.

Per-org branding

PATCH /manage/v1/acme/organizations/{orgId}
{
  "logo_url": "https://...",
  "primary_color": "#0066cc",
  "welcome_text": "Cardiology Portal",
  "custom_domain": "auth.cardiology.hospital.com"
}

If a field is not set, it inherits from the tenant. Users see org-specific branding on the login page.

Per-org auth settings

Override password rules, MFA policy, session TTL per org:

PATCH /manage/v1/acme/organizations/{orgId}
{
  "password_min_length": 12,
  "require_mfa": true,
  "session_ttl_hours": 8,
  "max_login_attempts": 3,
  "lockout_duration_minutes": 30,
  "default_connection_id": "saml-conn-uuid"
}
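The override fields above are applied on top of the tenant's settings, so an org can end up with a weaker policy than the tenant intended. The following is an added example, not AuthFI's own code: it resolves an org's effective settings against a tenant baseline and lists any fields the override weakens. The field names are those from the PATCH body above; the tenant baseline values and the per-field notion of "weaker" are assumptions made here for illustration.

```python
# Added example (not AuthFI's code): resolve effective per-org auth settings
# and flag overrides that are weaker than the tenant baseline.
from typing import Any

# Constructed tenant-level defaults (assumed values, not from the page).
TENANT_DEFAULTS: dict[str, Any] = {
    "password_min_length": 10,
    "require_mfa": True,
    "session_ttl_hours": 12,
    "max_login_attempts": 5,
    "lockout_duration_minutes": 15,
}

# Per field: is the org value weaker than the tenant value?
# Assumption: these are the directions an auditor would care about.
WEAKER_IF = {
    "password_min_length": lambda org, tenant: org < tenant,
    "require_mfa": lambda org, tenant: tenant and not org,
    "session_ttl_hours": lambda org, tenant: org > tenant,
    "max_login_attempts": lambda org, tenant: org > tenant,
    "lockout_duration_minutes": lambda org, tenant: org < tenant,
}


def effective_settings(org_overrides: dict[str, Any],
                       tenant_defaults: dict[str, Any] = TENANT_DEFAULTS) -> dict[str, Any]:
    """Org value wins when set; an unset field inherits the tenant value."""
    merged = dict(tenant_defaults)
    for key, value in org_overrides.items():
        if value is not None:  # an explicit null is treated as "not set"
            merged[key] = value
    return merged


def weakened_fields(org_overrides: dict[str, Any],
                    tenant_defaults: dict[str, Any] = TENANT_DEFAULTS) -> list[str]:
    """Names of fields whose effective value is weaker than the tenant baseline."""
    effective = effective_settings(org_overrides, tenant_defaults)
    return [
        key for key, weaker in WEAKER_IF.items()
        if key in tenant_defaults and weaker(effective[key], tenant_defaults[key])
    ]


if __name__ == "__main__":
    # The PATCH body from the page, as a constructed input.
    cardiology = {
        "password_min_length": 12,
        "require_mfa": True,
        "session_ttl_hours": 8,
        "max_login_attempts": 3,
        "lockout_duration_minutes": 30,
        "default_connection_id": "saml-conn-uuid",
    }
    print(effective_settings(cardiology))
    print("weakened:", weakened_fields(cardiology))
```

Running `weakened_fields` over every org's settings during a periodic review (or in a CI check on infrastructure-as-code that drives these PATCH calls) catches an org that has quietly turned MFA off or raised its session TTL well beyond the tenant default.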

Members

# Add member
POST /manage/v1/acme/organizations/{orgId}/members
{ "user_id": "user-uuid", "role": "admin" }

# List members
GET /manage/v1/acme/organizations/{orgId}/members

# Update role
PATCH /manage/v1/acme/organizations/{orgId}/members/{userId}
{ "role": "member" }

# Remove
DELETE /manage/v1/acme/organizations/{orgId}/members/{userId}

Roles: owner, admin, member.

Invitations

POST /manage/v1/acme/organizations/{orgId}/invitations
{ "email": "bob@hospital.com", "role": "member" }

Sends an email with a 7-day invitation link. When accepted, the user is added to the org.

Org context in tokens

When a user authenticates in an org context, the JWT includes:

{
  "org_id": "org-uuid",
  "org_slug": "cardiology",
  "org_role": "admin"
}
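A resource server receiving such a token has two separate checks to make: that `org_id` matches the org owning the requested resource (tenant isolation), and that `org_role` is sufficient for the operation. The following is an added example, not AuthFI's own code, showing both checks against the org claims listed above; it also serves the Member roles section. It assumes an HS256 token with a shared secret (this page does not state AuthFI's signing algorithm or key distribution, so a real deployment would verify with the provider's published keys instead) and a role ordering of owner above admin above member, which the page lists but does not define as a hierarchy.

```python
# Added example (not AuthFI's code): verify an access token and enforce
# org scoping plus org_role before serving an org-owned resource.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in real code
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}  # assumed hierarchy


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict[str, Any], secret: bytes = SECRET) -> str:
    """Build a constructed HS256 token; stands in for what AuthFI would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict[str, Any]:
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:  # a token without exp is treated as expired
        raise ValueError("expired")
    return claims


def authorize_org_request(token: str, resource_org_id: str, required_role: str,
                          secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    """True only if the token is valid, scoped to this org, and org_role suffices.

    The org_id comparison is the isolation check: an admin of one org must not
    reach another org's resources just because the role name matches.
    """
    try:
        claims = verify_token(token, secret, now)
    except ValueError:
        return False
    if claims.get("org_id") != resource_org_id:
        return False
    return ROLE_RANK.get(claims.get("org_role"), -1) >= ROLE_RANK[required_role]


if __name__ == "__main__":
    # Constructed token carrying the org claims shown on the page.
    tok = mint_token({"sub": "user-uuid", "org_id": "org-uuid", "org_slug": "cardiology",
                      "org_role": "admin", "exp": time.time() + 3600})
    print(authorize_org_request(tok, "org-uuid", "admin"))        # True
    print(authorize_org_request(tok, "other-org-uuid", "member"))  # False
```

Keep the `org_id` check even on endpoints that only need the `member` role; the common failure is an API that trusts `org_role` and takes the org identifier from the request path instead of the token.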

Per-org connections

Restrict which SSO connections are available per org:

POST /manage/v1/acme/organizations/{orgId}/connections
{ "connection_id": "saml-conn-uuid" }