Skip to Content
GuidesOrganizationsB2B Multi-Tenant

B2B Multi-Tenant Organizations

The Organizations system enables B2B multi-tenancy in Auris. Each organization represents a customer entity — a company, a team, or any logical grouping — that owns a set of member users, has its own role assignments, and can configure its own enterprise SSO provider. Organizations are independent of each other: a user’s role in Organization A has no bearing on their access in Organization B.

This model is designed for SaaS products that sell to businesses: your single Auris tenant hosts multiple customer organizations, each with isolated membership and access control.


Core Concepts

Organization: A named entity with a unique slug. Organizations have metadata, display names, and settings. They are always owned by exactly one user (the OWNER).

Organization Member: A user who belongs to an organization with one of four roles: OWNER, ADMIN, MEMBER, or VIEWER.

Invitation: A time-limited, token-based invite that allows a user (or an email address not yet registered) to join an organization at a specified role.

Organization-scoped SSO: Each organization can configure its own SAML 2.0 or OIDC identity provider. When a user logs in with an email matching a verified domain, Auris redirects them to their organization’s IdP automatically. See Enterprise SSO.


Creating Organizations

Organizations can be created by any user with the appropriate permission, or programmatically via the Management SDK.

POST/api/organizationsRequires: manage:organizations

Creates a new organization. The creating user is automatically assigned the OWNER role.

Request body:

{ "name": "Acme Corporation", "displayName": "Acme Corp", "slug": "acme-corp", "metadata": { "plan": "enterprise", "contractId": "CNT-2025-0042" } }

Field reference:

FieldTypeRequiredNotes
namestringYesInternal name, unique per tenant
displayNamestringNoUser-facing name shown in UI
slugstringNoURL-safe identifier, auto-generated from name if omitted
metadataobjectNoArbitrary JSON for application-specific data
GET/api/organizationsRequires: view:organizations

Returns a paginated list of all organizations in the tenant. Supports search and page/limit query parameters.

GET/api/organizations/[id]Requires: view:organizations

Returns the organization record including member count and basic settings.

PATCH/api/organizations/[id]Requires: manage:organizations

Updates organization fields. All fields are optional — only provided fields are updated.

DELETE/api/organizations/[id]Requires: manage:organizations

Deletes the organization. Members lose their organization-level role assignments. The underlying user accounts are not affected.


Member Roles

Organizations use a four-level hierarchical role system. Higher roles inherit all capabilities of lower roles.

RoleCapabilities
OWNERFull control. Can manage all settings, members, SSO, and billing. There is always exactly one OWNER. The OWNER cannot be removed by another OWNER — ownership must be transferred first.
ADMINCan manage members (add, remove, change roles up to ADMIN). Can configure SSO and organization settings. Cannot delete the organization.
MEMBERStandard access. Role grants are application-defined — Auris does not impose resource restrictions at this level beyond what your application enforces.
VIEWERRead-only access. Can view organization membership and settings but cannot make changes.

Auris enforces the role hierarchy at the API level. An ADMIN cannot assign the OWNER role to another user — ownership transfer requires a separate API call by the current OWNER.


Managing Members

GET/api/organizations/[id]/membersRequires: view:organizations

Returns the paginated list of organization members, including their user details and role within the organization.

Response:

{ "data": [ { "userId": "usr_01HX...", "email": "[email protected]", "firstName": "Alice", "lastName": "Rossi", "role": "ADMIN", "joinedAt": "2025-01-15T10:00:00Z" } ], "pagination": { "page": 1, "limit": 20, "total": 12, "totalPages": 1 } }
POST/api/organizations/[id]/membersRequires: manage:organizations

Directly adds a user (by userId) to the organization at a specified role. The user must already exist in Auris.

{ "userId": "usr_01HX...", "role": "MEMBER" }
PATCH/api/organizations/[id]/members/[userId]Requires: manage:organizations

Updates the member’s role within the organization.

DELETE/api/organizations/[id]/members/[userId]Requires: manage:organizations

Removes the user from the organization. The user’s Auris account is not deleted or disabled.


Invitations

Invitations allow you to add users to an organization by email, even if they do not yet have an Auris account. The invite flow:

  1. An ADMIN or OWNER sends an invitation to an email address.
  2. Auris generates a unique, time-limited token and sends an email with an accept link.
  3. The invitee clicks the link. If they already have an Auris account, they are added to the organization immediately. If not, they are prompted to create an account, after which the invitation is accepted.
  4. Invitations expire after 7 days if not accepted.
POST/api/organizations/[id]/invitationsRequires: manage:organizations

Creates and sends an invitation to an email address.

{ "email": "[email protected]", "role": "MEMBER", "message": "You have been invited to join Acme Corp on our platform." }
GET/api/organizations/[id]/invitationsRequires: manage:organizations

Lists all pending, accepted, and expired invitations for the organization.

DELETE/api/organizations/[id]/invitations/[invitationId]Requires: manage:organizations

Cancels a pending invitation. Expired invitations cannot be accepted but do not need to be manually cancelled.

Invitation statuses:

StatusMeaning
PENDINGSent and awaiting acceptance
ACCEPTEDUser accepted and is now a member
EXPIRED7-day window passed without acceptance
CANCELLEDManually cancelled by an ADMIN or OWNER

SDK Usage

import { useOrganization } from '@auris/react' function OrgDashboard() { // Returns the organization context from the authenticated user's session. // The organization is derived from the access token's claims. const { organization, members, isLoading } = useOrganization() if (isLoading) return <div>Loading...</div> if (!organization) return <div>No organization</div> return ( <div> <h1>{organization.displayName}</h1> <p>Members: {members.length}</p> <ul> {members.map((member) => ( <li key={member.userId}> {member.email} — {member.role} </li> ))} </ul> </div> ) }

Organization Metadata

Like users, organizations support arbitrary JSON metadata. Use this to store application-specific data alongside the organization record without schema migrations.

{ "metadata": { "plan": "enterprise", "contractId": "CNT-2025-0042", "maxSeats": 250, "billingEmail": "[email protected]", "features": ["advanced-analytics", "custom-domains", "audit-export"] } }

Metadata is returned in every organization API response and is accessible in the Management SDK.


Use Cases

SaaS multi-tenancy: Each of your customers is an organization. Your application reads the user’s organization from their JWT or session and scopes all data queries to that organization. New customers are onboarded by creating an organization and inviting their admin.

Enterprise customer onboarding: Create the organization, add the customer’s IT administrator as OWNER, and let them manage their own users and configure their corporate SSO. Your team retains tenant-level visibility via the Admin Console.

White-label solutions: Each end-customer organization can configure their own SSO, domain verification, and display name. The Hosted Login page adapts to per-organization branding when a user’s email matches a verified domain.

Internal product teams: Separate product lines or business units into distinct organizations for isolated role management, without maintaining separate Auris tenant instances.


Required Permissions

OperationPermission
List / get organizationsview:organizations
Create / update / delete organizationsmanage:organizations
Manage membersmanage:organizations
Send / cancel invitationsmanage:organizations