examples/Organizations.md
Lines changed: 19 additions & 20 deletions
@@ -1,17 +1,18 @@
1
1
# Organizations
2
2
3
-
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers building SaaS and B2B applications. This guide covers the two main deployment patterns and the invitation flow.
3
+
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers building SaaS and B2B applications. This guide covers org login, invitation flows, error handling, and reading org data from the session.
-[5. Reading organization data from the session](#5-reading-organization-data-from-the-session)
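Review bot: the new intro sentence promises that the guide covers "reading org data from the session", but the only table-of-contents change in this region is the removal of the `[5. Reading organization data from the session]` entry, with no replacement entry visible. Either re-add that entry under its new number and anchor (the headings below are renumbered 3→2, 4→3, 5→4, so the old `#5-...` anchor would be stale anyway), or drop the promise from the intro so the TOC and the opening paragraph agree.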
11
10
12
-
## 1. Dedicated-org instance
11
+
## 1. Configuring the organization
13
12
14
-
When a single instance of your application serves one organization, set `organization` at client initialization. Every login from that instance will include the `organization` parameter in the `/authorize` request and validate the `org_id` claim in the returned token automatically.
13
+
The `organization` parameter can be set at client initialization (dedicated-org) or per login (multi-org).
14
+
15
+
**Dedicated-org:** when a single instance of your application serves one organization, set `organization` at client initialization. Every login from that instance will enforce the org automatically.
15
16
16
17
```python
17
18
from auth0_server_python.auth_server.server_client import ServerClient
> You do not need to pass `organization` to `complete_interactive_login`. The SDK stores it in the encrypted transaction at login time and reads it back at callback — the validation is automatic.
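Review bot: the rewritten dedicated-org paragraph drops the one sentence that said what "enforce the org automatically" actually means. The removed text stated the mechanism concretely: "Every login from that instance will include the `organization` parameter in the `/authorize` request and validate the `org_id` claim in the returned token automatically." That is the security-relevant detail a reader needs (the org is both requested and then checked on the returned token), so keep it in the new `**Dedicated-org:**` bullet rather than replacing it with "enforce".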
55
-
56
-
## 2. Multi-org — per-login override
57
-
58
-
When one application instance serves multiple organizations (for example, a B2B SaaS where different users belong to different orgs), pass `organization` at login time using `StartInteractiveLoginOptions`. This overrides any client-level default for that specific login.
54
+
**Multi-org:** when one application instance serves multiple organizations, pass `organization` at login time using `StartInteractiveLoginOptions`. This overrides any client-level default for that specific login.
59
55
60
56
```python
61
57
from auth0_server_python.auth_types import StartInteractiveLoginOptions
> You do not need to pass `organization` to `complete_interactive_login`. The SDK stores it in the encrypted transaction at login time and reads it back at callback — the validation is automatic.
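Review bot: with the two patterns merged under one `## 1. Configuring the organization` heading, the callout "You do not need to pass `organization` to `complete_interactive_login`. The SDK stores it in the encrypted transaction at login time and reads it back at callback" now appears verbatim after both code blocks within the same section. One copy after the second block (or once before both) is enough; the repeat reads like a copy-paste leftover. The multi-org rewrite also lost the "(for example, a B2B SaaS where different users belong to different orgs)" illustration, which was the only concrete case given; consider keeping it.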
70
+
72
71
> [!IMPORTANT]
73
-
> Validate that `org_id` comes from a trusted source (your own data, a verified session, or a registered tenant list) — never pass it unvalidated from a query parameter directly from an untrusted user.
72
+
> In the multi-org pattern, validate that `org_id` comes from a trusted source (your own data, a verified session, or a registered tenant list) — never pass it unvalidated from a query parameter directly from an untrusted user.
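Review bot: the reworded IMPORTANT note is scoped to "the multi-org pattern" and to `org_id`, but the next section states that `organization` accepts either an org ID (`org_`-prefixed) or an org name, and both are forwarded to `/authorize`. The untrusted-input warning applies equally to a name, so phrase it as "validate that the `organization` value (ID or name) comes from a trusted source" rather than naming only `org_id`, otherwise a reader may conclude that passing a user-supplied org name is fine.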
74
73
75
-
## 3. Log in using an organization name
74
+
## 2. Log in using an organization name
76
75
77
76
`organization` accepts either an org ID (starts with `org_`) or an org name (any other value). The SDK uses the prefix to determine which token claim to validate at callback:
> Auth0 enforces that organization names cannot start with `org_`, so the prefix dispatch is unambiguous. When using org name, the SDK applies NFC Unicode normalization before comparison to prevent false rejections from visually identical characters with different byte representations.
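Review bot: renumbering this heading from `## 3.` to `## 2.` (and likewise 4→3 and 5→4 below) changes the generated anchors (`#3-log-in-using-an-organization-name` becomes `#2-...`), but this diff shows no corresponding updates to the table of contents beyond the single removed entry in the first hunk. Check every `#n-...` link in the TOC and any cross-references elsewhere in `examples/` against the new numbers so they do not become dead anchors.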
96
95
97
-
## 4. Accept user invitations
96
+
## 3. Accept user invitations
98
97
99
98
When a user follows an invitation link, extract the `invitation` and `organization` parameters from the URL and pass them at login time. Auth0 validates the invitation ticket server-side — your application does not need to verify it.
> `organization` and `invitation` are forwarded to `/authorize`. Auth0 consumes the invitation ticket server-side — it is not stored in the encrypted transaction. If the ticket is expired or already used, `complete_interactive_login` raises `OrganizationInvitationError`.
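Review bot: this section tells the reader to "extract the `invitation` and `organization` parameters from the URL and pass them at login time", which is exactly the untrusted source the IMPORTANT note above says never to use unvalidated. The two sections are reconcilable because, as the callout says, Auth0 consumes the invitation ticket server-side and raises `OrganizationInvitationError` on failure, but the text should say so explicitly (for example, that a ticket is bound to its organization and a mismatched or tampered `organization` value fails the login) so the invitation flow does not read as a contradiction of the warning.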
125
124
126
-
## 5. Handling organization errors
125
+
## 4. Handling organization errors
127
126
128
127
The SDK raises typed exceptions for org-specific failure modes. Catch them in your callback handler to return meaningful responses to your users.