diff --git a/clerk-typedoc/shared/check-authorization-params-from-session-claims.mdx b/clerk-typedoc/shared/check-authorization-params-from-session-claims.mdx index 24a67f0074..67490f70f6 100644 --- a/clerk-typedoc/shared/check-authorization-params-from-session-claims.mdx +++ b/clerk-typedoc/shared/check-authorization-params-from-session-claims.mdx @@ -3,7 +3,7 @@ | Property | Type | Description | | --------------------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | `feature?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [feature](/docs/guides/billing/overview) to check for. | -| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/roles-and-permissions) to check for. | +| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | | `plan?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [plan](/docs/guides/billing/overview) to check for. | | `reverification?` | [`ReverificationConfig`](reverification-config.mdx) | The reverification configuration to check for. This feature is currently in public beta. **It is not recommended for production use.** | -| `role?` | `string` | The [role](/docs/guides/organizations/roles-and-permissions) to check for. | +| `role?` | `string` | The [role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | diff --git a/clerk-typedoc/shared/organization-custom-role-key.mdx b/clerk-typedoc/shared/organization-custom-role-key.mdx index 5a0af4dce8..942f239fca 100644 --- a/clerk-typedoc/shared/organization-custom-role-key.mdx +++ b/clerk-typedoc/shared/organization-custom-role-key.mdx @@ -1,3 +1,3 @@ `OrganizationCustomRoleKey` is a type that represents the user's role in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides the [default roles](/docs/guides/organizations/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/roles-and-permissions#custom-roles) as well. +Clerk provides the [default roles](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/control-access/roles-and-permissions#custom-roles) as well. diff --git a/clerk-typedoc/shared/organization-resource.mdx b/clerk-typedoc/shared/organization-resource.mdx index b5128e2f6a..edbf573c5f 100644 --- a/clerk-typedoc/shared/organization-resource.mdx +++ b/clerk-typedoc/shared/organization-resource.mdx @@ -1,6 +1,6 @@ The `Organization` object holds information about an organization, as well as methods for managing it. -To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application). +To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview). ## Properties diff --git a/clerk-typedoc/shared/use-organization-params.mdx b/clerk-typedoc/shared/use-organization-params.mdx index a08d9628b9..25b5c53b0e 100644 --- a/clerk-typedoc/shared/use-organization-params.mdx +++ b/clerk-typedoc/shared/use-organization-params.mdx @@ -1,6 +1,6 @@ | Property | Type | Description | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties: | +| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties: | | `invitations?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: ("expired" \| "pending" \| "accepted" \| "revoked")[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties: | | `membershipRequests?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: "expired" \| "pending" \| "accepted" \| "revoked"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties: | | `memberships?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ query?: string; role?: string[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties: | diff --git a/docs/_partials/has-warning.mdx b/docs/_partials/has-warning.mdx index 3e719d42ce..b55b330eee 100644 --- a/docs/_partials/has-warning.mdx +++ b/docs/_partials/has-warning.mdx @@ -1,2 +1,2 @@ > [!WARNING] -> Using `has()` **on the server-side** to check Permissions works only with **Custom Permissions**, as [System Permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check System Permissions, verify the user's Role instead. +> Using `has()` **on the server-side** to check Permissions works only with **Custom Permissions**, as [System Permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check System Permissions, verify the user's Role instead. diff --git a/docs/_partials/organization-sync-options.mdx b/docs/_partials/organization-sync-options.mdx index 24fd15d8a7..8f3e5cfa1b 100644 --- a/docs/_partials/organization-sync-options.mdx +++ b/docs/_partials/organization-sync-options.mdx @@ -25,7 +25,7 @@ object has the type `OrganizationSyncOptions`, which has the following propertie - `personalAccountPatterns` - [Pattern](#pattern)\[] - URL patterns for resources that exist within the context of a user's [Personal Account](/docs/guides/organizations/overview#allow-personal-accounts). + URL patterns for resources that exist within the context of a user's [Personal Account](/docs/guides/organizations/configure#allow-personal-accounts). If the route also matches the `organizationPattern` prop, the `organizationPattern` prop takes precedence. diff --git a/docs/_tooltips/choose-organization.mdx b/docs/_tooltips/choose-organization.mdx new file mode 100644 index 0000000000..65b7151b8b --- /dev/null +++ b/docs/_tooltips/choose-organization.mdx @@ -0,0 +1 @@ +This happens because the choose-organization session task must be completed before the user's authentication process can be considered complete. Session tasks are pending requirements that users must complete after authentication. Learn more about [session tasks](/docs/guides/configure/session-tasks). diff --git a/docs/getting-started/quickstart.expo.mdx b/docs/getting-started/quickstart.expo.mdx index ca7517323e..6a78fbb326 100644 --- a/docs/getting-started/quickstart.expo.mdx +++ b/docs/getting-started/quickstart.expo.mdx @@ -6,23 +6,23 @@ sdk: expo diff --git a/docs/getting-started/quickstart.ios.mdx b/docs/getting-started/quickstart.ios.mdx index 7cf67afc76..5ad9f9dcdb 100644 --- a/docs/getting-started/quickstart.ios.mdx +++ b/docs/getting-started/quickstart.ios.mdx @@ -6,12 +6,12 @@ sdk: ios diff --git a/docs/guides/billing/for-b2b.mdx b/docs/guides/billing/for-b2b.mdx index a3dfe06134..a1b7ee69d3 100644 --- a/docs/guides/billing/for-b2b.mdx +++ b/docs/guides/billing/for-b2b.mdx @@ -12,7 +12,7 @@ Clerk Billing for B2B SaaS allows you to create Plans and manage Subscriptions * ## Create a Plan -Subscription Plans are what your customers subscribe to. There is no limit to the number of Plans you can create. If your Clerk instance has existing [Custom Permissions](/docs/guides/organizations/roles-and-permissions), the corresponding Features from those Permissions will automatically be added to the free Plan for Orgs. This ensures that Organization members get the same set of Custom Permissions when Billing is enabled, because all Organizations start on the free Plan. +Subscription Plans are what your customers subscribe to. There is no limit to the number of Plans you can create. If your Clerk instance has existing [Custom Permissions](/docs/guides/organizations/control-access/roles-and-permissions), the corresponding Features from those Permissions will automatically be added to the Free Plan for Organizations. This ensures that Organization members get the same set of Custom Permissions when Billing is enabled, because all Organizations start on the Free Plan. To create a Plan, navigate to the [**Plans**](https://dashboard.clerk.com/~/billing/plans) page in the Clerk Dashboard. Here, you can create, edit, and delete Plans. To setup B2B Billing, select the **Plans for Organizations** tab and select **Add Plan**. When creating a Plan, you can also create [Features](/docs/guides/secure/features) for the Plan; see the next section for more information. diff --git a/docs/guides/configure/auth-strategies/social-connections/dropbox.mdx b/docs/guides/configure/auth-strategies/social-connections/dropbox.mdx index 1b52aec691..686c91e132 100644 --- a/docs/guides/configure/auth-strategies/social-connections/dropbox.mdx +++ b/docs/guides/configure/auth-strategies/social-connections/dropbox.mdx @@ -5,17 +5,17 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w Enabling OAuth with Dropbox allows your users to sign up and sign in to your Clerk application with their Dropbox account. diff --git a/docs/guides/configure/auth-strategies/social-connections/facebook.mdx b/docs/guides/configure/auth-strategies/social-connections/facebook.mdx index 6969fb62ba..adba78569d 100644 --- a/docs/guides/configure/auth-strategies/social-connections/facebook.mdx +++ b/docs/guides/configure/auth-strategies/social-connections/facebook.mdx @@ -5,17 +5,17 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w Enabling OAuth with Facebook allows your users to sign up and sign in to your Clerk app with their Facebook account. diff --git a/docs/guides/configure/auth-strategies/social-connections/twitch.mdx b/docs/guides/configure/auth-strategies/social-connections/twitch.mdx index 11cc33b702..9671264132 100644 --- a/docs/guides/configure/auth-strategies/social-connections/twitch.mdx +++ b/docs/guides/configure/auth-strategies/social-connections/twitch.mdx @@ -5,17 +5,17 @@ description: Learn how to allow users to sign up and sign in to your Clerk app w Enabling OAuth with [Twitch](https://dev.twitch.tv/docs/api/reference#oauth-client-credentials-flow) allows your users to sign up and sign in to your Clerk application with their Twitch account. diff --git a/docs/guides/configure/session-tasks.mdx b/docs/guides/configure/session-tasks.mdx index eb540eda59..5e4ca70ec7 100644 --- a/docs/guides/configure/session-tasks.mdx +++ b/docs/guides/configure/session-tasks.mdx @@ -33,7 +33,7 @@ The following table lists the available tasks and their corresponding components | Name | Component | | - | - | -| [Personal accounts disabled (default)](/docs/guides/organizations/overview#allow-personal-accounts) | [``](/docs/reference/components/authentication/task-choose-organization) | +| [Personal accounts disabled (default)](/docs/guides/organizations/configure#enable-organizations) | [``](/docs/reference/components/authentication/task-choose-organization) | > [!IMPORTANT] > Personal accounts being disabled by default was released on 08-22-2025. Applications created before this date will not be able to see the **Allow Personal Accounts** setting, because Personal Accounts were enabled by default. @@ -272,7 +272,7 @@ The `useAuth()` hook and helpers that access the [`Auth` object](/docs/reference #### Example: Personal accounts disabled -When Organizations are enabled, [Personal Accounts are disabled by default](/docs/guides/organizations/overview#allow-personal-accounts) and your users will be required to select or create an Organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out. +When Organizations are enabled, [Personal Accounts are disabled by default](/docs/guides/organizations/configure#allow-personal-accounts) and your users will be required to select or create an Organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out. For `useAuth()`, `isSignedIn` will be `false` and `userId` and `orgId` will be `null` if the user has a `pending` session. diff --git a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx index 41a4681760..c13df22db6 100644 --- a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx +++ b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx @@ -13,7 +13,7 @@ This guide will walk you through how to build a custom flow that handles user im - The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. + The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. In the dashboard, the user will see a list of the application's users. When the user chooses to impersonate a user, they will be signed in as that user and redirected to the homepage. diff --git a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx index e7571284ff..34e820ccf3 100644 --- a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx @@ -5,11 +5,11 @@ description: Learn how to use the Clerk API to build a custom flows for acceptin -When a user visits an [Organization invitation](/docs/guides/organizations/invitations) link, Clerk first checks whether a custom redirect URL was provided. +When a user visits an [Organization invitation](/docs/guides/organizations/add-members/invitations) link, Clerk first checks whether a custom redirect URL was provided. **If no redirect URL is specified**, the user will be redirected to the appropriate Account Portal page (either [sign-up](/docs/guides/customizing-clerk/account-portal#sign-up) or [sign-in](/docs/guides/customizing-clerk/account-portal#sign-in)), or to the custom sign-up/sign-in pages that you've configured for your application. -**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. +**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/add-members/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. This guide demonstrates how to use Clerk's API to build a custom flow for accepting Organization invitations from a link. diff --git a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx index 21fbe78110..487849a050 100644 --- a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing [Organization membership requests](/docs/guides/organizations/verified-domains#membership-requests). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing [Organization membership requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). diff --git a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx index a25d9c11c8..b22ef42059 100644 --- a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx @@ -5,14 +5,14 @@ description: Learn how to use the Clerk API to build a custom flow for creating -Organization members with appropriate [Permissions](/docs/guides/organizations/roles-and-permissions) can invite new users to their Organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. +Organization members with appropriate [Permissions](/docs/guides/organizations/control-access/roles-and-permissions) can invite new users to their Organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. Users with the appropriate Permissions can also revoke Organization invitations for users that have not yet joined, which will prevent the user from becoming an Organization member. This guide will demonstrate how to use the Clerk API to build a custom flow for inviting users to an Organization and managing an Organization's pending invitations. > [!NOTE] -> This guide is for creating and managing Organization invitations client-side. You can also create an Organization invitation using the Backend API. See the [Organization invitations reference](/docs/guides/organizations/invitations) for more information. +> This guide is for creating and managing Organization invitations client-side. You can also create an Organization invitation using the Backend API. See the [Organization invitations reference](/docs/guides/organizations/add-members/invitations) for more information. > > Also, see the [custom flow for accepting Organization invitations](/docs/guides/development/custom-flows/organizations/accept-organization-invitations). diff --git a/docs/guides/development/custom-flows/organizations/manage-roles.mdx b/docs/guides/development/custom-flows/organizations/manage-roles.mdx index 1e9880ccd6..6221407dc7 100644 --- a/docs/guides/development/custom-flows/organizations/manage-roles.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-roles.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API build a custom flow for managing mem -Organization members with appropriate [Permissions](/docs/guides/organizations/roles-and-permissions#permissions) can manage a member's [Roles](/docs/guides/organizations/roles-and-permissions#roles) and remove members within an Organization. +Organization members with appropriate [Permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) can manage a member's [Roles](/docs/guides/organizations/control-access/roles-and-permissions#roles) and remove members within an Organization. This guide will demonstrate how to use the Clerk API to build a custom flow for managing member Roles in an Organization. diff --git a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx index af88b52faa..756d8096d9 100644 --- a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [Organization invitations](/docs/guides/organizations/overview#organization-invitations). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [Organization invitations](/docs/guides/organizations/add-members/invitations). diff --git a/docs/guides/development/custom-flows/organizations/update-organizations.mdx b/docs/guides/development/custom-flows/organizations/update-organizations.mdx index e9438a956f..3c3ee5bb0f 100644 --- a/docs/guides/development/custom-flows/organizations/update-organizations.mdx +++ b/docs/guides/development/custom-flows/organizations/update-organizations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for updating -Organization members with appropriate [Permissions](/docs/guides/organizations/roles-and-permissions) can update an Organization. +Organization members with appropriate [Permissions](/docs/guides/organizations/control-access/roles-and-permissions) can update an Organization. This guide will demonstrate how to use Clerk's API to build a custom flow for updating an Organization. diff --git a/docs/guides/development/integrations/platforms/shopify.mdx b/docs/guides/development/integrations/platforms/shopify.mdx index 307d42ee54..8c2f5b0f65 100644 --- a/docs/guides/development/integrations/platforms/shopify.mdx +++ b/docs/guides/development/integrations/platforms/shopify.mdx @@ -5,17 +5,17 @@ description: Learn how to integrate Clerk into your Shopify store. This tutorial outlines how to integrate Clerk's authentication with your Shopify Plus store, allowing you to use Clerk as your identity provider for customer logins. In Shopify, using [your own Identity Provider for customer login](https://changelog.shopify.com/posts/use-your-own-identity-provider-for-customer-login) is only available to stores on the **Shopify Plus plan**. diff --git a/docs/guides/development/mcp/build-mcp-server.mdx b/docs/guides/development/mcp/build-mcp-server.mdx index 5184563745..e095a30dbd 100644 --- a/docs/guides/development/mcp/build-mcp-server.mdx +++ b/docs/guides/development/mcp/build-mcp-server.mdx @@ -7,23 +7,23 @@ sdk: nextjs, expressjs This guide demonstrates how to build an MCP server using Clerk's OAuth server in your Next.js app. This example is written for Next.js App Router, but **can be adapted for Next.js Pages Router**. It assumes that you have already integrated Clerk into your app by following the [quickstart](/docs/nextjs/getting-started/quickstart). @@ -32,23 +32,23 @@ sdk: nextjs, expressjs This guide demonstrates how to build an MCP server using Clerk's OAuth server in your Express app. It assumes that you have already integrated Clerk into your app by following the [quickstart](/docs/nextjs/getting-started/quickstart). diff --git a/docs/guides/development/override-clerk-types-interfaces.mdx b/docs/guides/development/override-clerk-types-interfaces.mdx index 0cedbf42f7..0eb48553c1 100644 --- a/docs/guides/development/override-clerk-types-interfaces.mdx +++ b/docs/guides/development/override-clerk-types-interfaces.mdx @@ -42,7 +42,7 @@ declare global { When defining custom types for Roles and Permissions: -- Custom Permissions are merged with [System Permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) +- Custom Permissions are merged with [System Permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) - Custom Roles completely replace default Roles (`org:admin` and `org:member`) ```tsx {{ filename: 'types/globals.d.ts' }} diff --git a/docs/guides/development/sdk-development/backend-only.mdx b/docs/guides/development/sdk-development/backend-only.mdx index 619689da03..d11819eb24 100644 --- a/docs/guides/development/sdk-development/backend-only.mdx +++ b/docs/guides/development/sdk-development/backend-only.mdx @@ -12,7 +12,7 @@ The source of truth for all BAPI endpoints is the [BAPI reference docs](/docs/re - User only needs to provide their [Secret Key](/docs/guides/development/sdk-development/terminology) - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of BAPI client (so that users can use all methods) -- User should be able to limit access to routes by checking for [Roles and Permissions](/docs/guides/organizations/roles-and-permissions) +- User should be able to limit access to routes by checking for [Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) > [!IMPORTANT] > BAPI has [rate limits](/docs/guides/how-clerk-works/system-limits) to help protect users against brute-force attacks or stop abuse of Clerk's platform. Be sure to include a backoff mechanism into your fetching logic and respect the `Retry-After` header to gracefully handle any active rate limits. diff --git a/docs/guides/development/sdk-development/fullstack.mdx b/docs/guides/development/sdk-development/fullstack.mdx index 658f4ea202..f5eebe159e 100644 --- a/docs/guides/development/sdk-development/fullstack.mdx +++ b/docs/guides/development/sdk-development/fullstack.mdx @@ -14,7 +14,7 @@ A fullstack SDK combines the [frontend-only SDK](/docs/guides/development/sdk-de - User should be able to use [ClerkJS options](/docs/reference/javascript/clerk#clerk-options){{ target: '_blank' }} - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of [BAPI](/docs/guides/development/sdk-development/terminology) client (so that users can use all methods) -- User should be able to limit access to routes by checking for [Roles and Permissions](/docs/guides/organizations/roles-and-permissions) +- User should be able to limit access to routes by checking for [Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) ## Optional features diff --git a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx index effce20ccd..9db620be1e 100644 --- a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx +++ b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx @@ -686,7 +686,7 @@ As part of this major version, a number of previously deprecated props, argument - The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/roles-and-permissions)). An example of where this type might be found: + The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions)). An example of where this type might be found: ```js import { useAuth } from '@clerk/clerk-react' diff --git a/docs/guides/development/webhooks/syncing.mdx b/docs/guides/development/webhooks/syncing.mdx index e914eaaed7..4a097d21ee 100644 --- a/docs/guides/development/webhooks/syncing.mdx +++ b/docs/guides/development/webhooks/syncing.mdx @@ -5,16 +5,16 @@ description: Learn how to sync Clerk data to your app with webhooks. In some cases, you may want to sync Clerk's user table to a user table in your own database. Read the next few sections carefully to determine if this is the right approach for your app. diff --git a/docs/guides/organizations/invitations.mdx b/docs/guides/organizations/add-members/invitations.mdx similarity index 66% rename from docs/guides/organizations/invitations.mdx rename to docs/guides/organizations/add-members/invitations.mdx index 3136e774df..a6c4b5257f 100644 --- a/docs/guides/organizations/invitations.mdx +++ b/docs/guides/organizations/add-members/invitations.mdx @@ -1,41 +1,51 @@ --- -title: Invite users to your organization -description: Step-by-step guide on how to send, manage, and track user invitations within your multitenant SaaS, all using Clerk Organizations. +title: Invite users to your Organization +description: Send, manage, and track user invitations within your multi-tenant SaaS using Clerk Organizations. metadata: - title: Send and manage B2C/B2B organization invitations via Clerk + title: Send and manage Organization invitations via Clerk --- -Organization invitations allow you to add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, they will be redirected to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, they will be redirected to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). +Organization invitations let you add new members to your Organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the Organization invitation link, Clerk redirects them to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, Clerk redirects them to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). -By default, only admins can invite users to an organization. +By default, only [admins](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) can invite users to an Organization. This feature requires that [**Email** is enabled](/docs/guides/configure/auth-strategies/sign-up-sign-in-options#email), as Clerk uses the user's email address to send the invitation. You can still disable **Email** as a sign-in option if you do not want users to be able to sign-in with their email address. To configure your application's **Email** settings, navigate to the [**User & authentication**](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) page in the Clerk Dashboard. +## When to use invitations + +Invitations work well when you need precise control over who joins your Organization and which Role they receive. This approach fits scenarios where: + +- Teams are small and members are known in advance. +- Onboarding requires manual approval or review. +- Specific Roles need to be assigned during the invitation. + +If you want to streamline enrollment for users with company email addresses, consider [Verified Domains](/docs/guides/organizations/add-members/verified-domains), which can automatically invite users based on their email domain. If customers require centralized authentication through their Identity Provider, use [Enterprise SSO](/docs/guides/organizations/add-members/sso). + ## Create an invitation -Clerk's [prebuilt components](/docs/reference/components/overview) and [Account Portal pages](/docs/guides/customizing-clerk/account-portal) manage all organization invitation flows, including creating, managing, and accepting invitations. +Clerk's [prebuilt components](/docs/reference/components/overview) and [Account Portal pages](/docs/guides/customizing-clerk/account-portal) manage all Organization invitation flows, including creating, managing, and accepting invitations. However, if you want to build custom flows, see the following sections. ### Client-side -To create an organization invitation on the client-side, see the [dedicated guide](/docs/guides/development/custom-flows/organizations/manage-organization-invitations). Note that this uses the [`organizations.inviteMember()`](/docs/reference/javascript/organization#invite-member) method, which does not allow you to specify a redirect URL; it will always redirect to the Account Portal sign-in page. If you want to specify a redirect URL, you must create the invitation on the server-side. +To create an Organization invitation on the client-side, see the [dedicated guide](/docs/guides/development/custom-flows/organizations/manage-organization-invitations). Note that this uses the [`organizations.inviteMember()`](/docs/reference/javascript/organization#invite-member) method, which does not let you specify a redirect URL; it will always redirect to the Account Portal sign-in page. If you want to specify a redirect URL, you must create the invitation on the server-side. ### Server-side -To create organization invitations on the server-side, use the [Backend API](/docs/reference/backend-api/tag/organization-invitations/post/organizations/\{organization_id}/invitations){{ target: '_blank' }} either by using a cURL command or the [JS Backend SDK](/docs/js-backend/getting-started/quickstart). The JS Backend SDK is a wrapper around the Backend API that makes it easier to interact with the API. +To create Organization invitations on the server-side, use the [Backend API](/docs/reference/backend-api/tag/organization-invitations/post/organizations/\{organization_id}/invitations){{ target: '_blank' }} either by using a cURL command or the [JS Backend SDK](/docs/js-backend/getting-started/quickstart). The JS Backend SDK is a wrapper around the Backend API that makes it easier to interact with the API. Use the following tabs to see examples for each method. - The following example demonstrates how to create an organization invitation using cURL. + The following example demonstrates how to create an Organization invitation using cURL. - Your Secret Key is already injected into the code snippet. - - Replace the `org_123` with the ID of the organization you want to invite the user to. + - Replace the `org_123` with the ID of the Organization you want to invite the user to. - Replace the `user_123` with the ID of the user who is inviting the other user. - Replace the email address with the email address you want to invite. - Replace the `role` with the role you want to assign to the invited user. @@ -43,10 +53,10 @@ Use the following tabs to see examples for each method. - Replace `YOUR_SECRET_KEY` with your Clerk Secret Key. You can find your Secret Key on the [**API Keys**](https://dashboard.clerk.com/~/api-keys) page in the Clerk Dashboard. - - Replace the `org_123` with the ID of the organization you want to invite the user to. + - Replace the `org_123` with the ID of the Organization you want to invite the user to. - Replace the `user_123` with the ID of the user who is inviting the other user. - Replace the email address with the email address you want to invite. - - Replace the `role` with the role you want to assign to the invited user. + - Replace the `role` with the Role you want to assign to the invited user. ```bash {{ filename: 'terminal' }} @@ -83,11 +93,11 @@ Once the user visits the invitation link, they will be redirected to the page yo > [!TIP] > -> - To test redirect URLs in your development environment, pass your port. For example, `http://localhost:3000/accept-invitation`. +> To test redirect URLs in your development environment, pass your port. For example, `http://localhost:3000/accept-invitation`. ### Invitation metadata -You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization Membership](/docs/reference/javascript/types/organization-membership) docs. +You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, Clerk stores the **invitation** metadata (`OrganizationInvitation.publicMetadata`) in the Organization **membership's** metadata (`OrganizationMembership.publicMetadata`). For more details on Organization membership metadata, see the [OrganizationMembership](/docs/reference/javascript/types/organization-membership) reference. To add metadata to an invitation, add the `public_metadata` parameter when creating the invitation. @@ -141,6 +151,15 @@ Use the following tabs to see examples for each method. - To use the JS Backend SDK to revoke an organization invitation, see the [`revokeOrganizationInvitation()`](/docs/reference/backend/organization/revoke-organization-invitation) reference documentation. + To use the JS Backend SDK to revoke an Organization invitation, see the [`revokeOrganizationInvitation()`](/docs/reference/backend/organization/revoke-organization-invitation) reference documentation. + +## Next steps + +Now that you know how to invite users to your Organization, you can: + +- [Configure Verified Domains](/docs/guides/organizations/add-members/verified-domains) to automatically invite users based on their email domain +- [Set up Enterprise SSO Connections](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider +- [Set up Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what invited users can access +- [Add metadata to invitations](/docs/guides/organizations/metadata) for tracking or custom workflows diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx new file mode 100644 index 0000000000..46ec2e0c97 --- /dev/null +++ b/docs/guides/organizations/add-members/sso.mdx @@ -0,0 +1,80 @@ +--- +title: Organization-level Enterprise SSO +description: Integrate as many Enterprise SSO methods within Clerk Organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. +metadata: + title: Set up Organization-level SAML and OIDC for B2B/B2C apps +--- + +Clerk provides Enterprise Single Sign-On (SSO) through a feature called [**Enterprise Connections**](/docs/guides/configure/auth-strategies/enterprise-connections/overview). You can enable Enterprise Connections for specific Organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. + +When users sign up or sign in using an Organization's Enterprise Connection, Clerk automatically adds them as members of that Organization and assigns them the [default Role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). This process is known as [Just-in-Time (JIT) provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning). + +## When to use Enterprise SSO + +Enterprise SSO works well when customers require centralized authentication through their Identity Provider (IdP). This approach fits scenarios where: + +- Enterprise customers have security requirements that mandate IdP-based authentication. +- IT teams need to manage user provisioning from a central location. +- Organizations want to maintain existing identity management workflows. + +If you need manual control over who joins and their [Roles](/docs/guides/organizations/control-access/roles-and-permissions), use [invitations](/docs/guides/organizations/add-members/invitations). If you want automatic enrollment without IdP requirements, use [Verified Domains](/docs/guides/organizations/add-members/verified-domains). + +## Common onboarding flows + +The timing of when you set up Enterprise SSO depends on how customers adopt your product. The two common approaches are to create the Organization and configure SSO before users sign in (top-down) or to let users start individually and add SSO later (bottom-up). + +### Organization created first (top-down approach) + +This flow is common for enterprise sales where the relationship is established before users access the application. + +1. [Create an Organization](/docs/guides/organizations/create-and-manage#create-an-organization) for your customer through the Clerk Dashboard. +1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. +1. Configure the Enterprise SSO Connection for the Organization. +1. Invite users to the Organization, who can then sign in using Enterprise SSO. + +### User-initiated setup (bottom-up approach) + +This flow is common when individual users try the product before company-wide adoption. + +1. An end user signs up to evaluate your application, starting with an individual account. +1. After adopting the application, the user [creates an Organization](/docs/guides/organizations/create-and-manage#create-an-organization) for their company. +1. Configure Enterprise SSO for the Organization through the Clerk Dashboard. +1. All subsequent users from that Organization can now sign in using Enterprise SSO. + +## Add an Enterprise SSO connection for an Organization + +Clerk supports Enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. + +To add an Enterprise SSO Connection for an Organization, go to the [Enterprise Connections](/docs/guides/configure/auth-strategies/enterprise-connections/overview) docs and follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an Organization, Clerk will add the connection for your entire application. + +> [!WARNING] +> A domain used for Enterprise SSO can't be used as a [Verified Domain](/docs/guides/organizations/add-members/verified-domains) for the same Organization. + +## Enforce Enterprise SSO by domain + +Clerk enforces Enterprise SSO connections on a per-domain basis in Organizations, enabling flexible access management: + +- Configure Enterprise SSO for your primary domain (e.g., `company.com`) to enforce Enterprise SSO authentication for employees. +- Add additional domains without Enterprise SSO for external collaborators (e.g., contractors, consultants). +- Each domain in an Organization can have different authentication requirements. + +## Remove a member from your Organization + +Users who joined through an Enterprise Connection cannot leave the Organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}){{ target: '_blank' }}, or by another member with the [manage members Permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the Organization on next sign-in, unless they are removed from the IdP or the Enterprise Connection is no longer associated with the Organization. + +Removed users will automatically rejoin the Organization on their next sign-in unless you also remove them from the IdP or disconnect the Enterprise Connection. + +## Move an Enterprise Connection to a different Organization + +When you reassign an Enterprise Connection to a new Organization, existing members stay in the original Organization. They will automatically join the new Organization the next time they sign in. + +## Next steps + +Now that you've set up Enterprise SSO, you can: + +- [Learn more about Enterprise Connections](/docs/guides/configure/auth-strategies/enterprise-connections/overview) for advanced configuration options +- [Understand JIT provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning) to customize how users are automatically added to Organizations +- [Configure Verified Domains](/docs/guides/organizations/add-members/verified-domains) for users who don't use SSO +- [Invite specific users](/docs/guides/organizations/add-members/invitations) to your Organization +- [Set up Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what SSO users can access +- [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via SSO diff --git a/docs/guides/organizations/add-members/verified-domains.mdx b/docs/guides/organizations/add-members/verified-domains.mdx new file mode 100644 index 0000000000..67ad357e72 --- /dev/null +++ b/docs/guides/organizations/add-members/verified-domains.mdx @@ -0,0 +1,98 @@ +--- +title: Verified Domains +description: Build Organization-specific or tenant-isolated authentication flows that only authorized users with matching domains can join, using Verified Domains within Clerk Organizations. +metadata: + title: Verified Domains within Clerk Organizations +--- + +Clerk's **Verified Domains** feature is useful for Organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an Organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an Organization with that domain. Clerk assigns users the [**Default** Role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members) set in the Organization settings page. + +A Verified Domain cannot be a disposable domain or common email provider. For example, you cannot create a Verified Domain for `@gmail.com`. + +> [!WARNING] +> A Verified Domain can't be added if it's already in use for the [Organization's Enterprise SSO](/docs/guides/organizations/add-members/sso). + +The easiest way to add and verify domains, and manage all settings related to Verified Domains is to use Clerk's [``](/docs/reference/components/organization/organization-switcher) component. + +## When to use Verified Domains + +Verified Domains work well when you want to streamline enrollment for users with company email addresses. This approach fits scenarios where: + +- Company-wide rollouts need automatic or suggested membership. +- Reducing onboarding friction for employees with approved email domains. +- Enrollment can happen based on email domain without manual approval. + +If you need precise control over specific people and their Roles, use [invitations](/docs/guides/organizations/add-members/invitations). If customers require authentication through their Identity Provider, use [Enterprise SSO](/docs/guides/organizations/add-members/sso). + +## Enable Verified Domains + +Enabling Verified Domains applies to all Organizations and cannot currently be managed on a per-Organization basis. + +In order to enable this feature: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. In the **Verified domains** section, enable **Enable verified domains**. +1. The following setting will appear: + - [**Enrollment mode**](#enrollment-mode) - **Automatic invitation** and **Automatic suggestion**. + +### Enrollment mode + +You can enable the following enrollment modes to be available for your application: + +- [**Automatic invitation**](#automatic-invitations) - Clerk automatically invites users to join the Organization when they sign up and they can join anytime. +- [**Automatic suggestion**](#automatic-suggestions) - Users receive a suggestion to request to join, but must be approved by an admin before they are able to join the Organization. + +Then, in your application, when a user with the `org:sys_domains:manage` Permission has added and verified a domain, they can enable an enrollment mode. Only one enrollment mode can be enabled for a Verified Domain at a time. + +### Automatic invitations + +After sign-up, a user will receive an **invitation** for the Organization if their email's domain matches the Verified Domain. If your app uses the `` component, the user will see a notification on the component. When they open the component, they will see a **Join** button next to the Organization they were invited to. Selecting the button will accept the invitation and the user will instantly be added as a member of the Organization. + +### Automatic suggestions + +After sign-up, a user will receive a **suggestion** for the Organization if their email's domain matches the Verified Domain. If your app uses the `` component, the user will see a **Request to join** button next to the Organization. Selecting the button will send a [Membership Request](#membership-requests) to the Organization. + +### Membership Requests + +Membership Requests are requests from users who saw an Organization Suggestion and requested to join an Organization. Membership Requests are only available for Organizations that have the **Verified Domains** and **Automatic Suggestion** features enabled in both the Dashboard and for the specific domain. + +When a user sends an Organization Membership Request, users with the `org:sys_memberships:manage` Permission (by default, admins) will see a notification on their `` component. They will need to accept the request before the user can join the Organization. + +## Add and verify domains + +Any user with the `org:sys_domains:manage` Permission can add and verify domains under an Organization. By default, admins have this Permission. To add and verify domains in the [``](/docs/reference/components/organization/organization-switcher) component, select the **General** tab. There will be a **Verified domains** section. + +Domains can be verified through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, Clerk will automatically verify the domain. + +An application instance may only have one Verified Domain of the same name, and an Organization may only have one domain of the same name (verified or unverified). + +You can create up to 10 domains per Organization to meet your needs. If you need more than 10 domains, [contact support](/contact/support){{ target: '_blank' }}. + +### Custom flow + +If Clerk's [``](/docs/reference/components/organization/organization-switcher) does not meet your specific needs or if you require more control over the logic, you can use the Clerk API to add and verify a domain and update the domain's enrollment mode. Here's an example of how you can do this: + +```tsx +const { organization, domains } = useOrganization() + +// create domain +const domain = await organization.createDomain('example.com') + +// prepare email verification +domain.prepareAffiliationVerification({ affiliationEmailAddress: 'foo@example.com' }) + +// attempt email verification +domain.attemptAffiliationVerification({ code: '123456' }) + +// update domain enrollment mode +domain.updateEnrollmentMode({ enrollmentMode: 'automatic_invitation' }) +``` + +## Next steps + +Now that you've configured Verified Domains, you can: + +- [Set up Enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider +- [Invite specific users](/docs/guides/organizations/add-members/invitations) who don't match your Verified Domain +- [Set up Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what auto-enrolled users can access +- [Configure default Roles](/docs/guides/organizations/configure#default-roles) for users joining via Verified Domains diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx new file mode 100644 index 0000000000..c63cea0d1b --- /dev/null +++ b/docs/guides/organizations/configure.mdx @@ -0,0 +1,164 @@ +--- +title: Configure Organizations +description: Learn how to configure global Organization settings in the Clerk Dashboard, including pricing, membership limits, and optional features. +metadata: + title: Configure Organization settings in Clerk Dashboard +--- + +Global Organization settings control how Organizations work across your entire application. These settings determine who can create Organizations, how members join them, what Roles they receive, and which Features are available. You'll configure most of these when you first enable Organizations, though you can adjust them later as your needs evolve. + +## Enable Organizations + +Organizations are disabled by default. When you enable Organizations, Clerk offers two workspace models: + +- **Personal accounts disabled (default)**: Every user is required to belong to an Organization. All new and existing users will be prompted to create or join an Organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application. + + > [!IMPORTANT] + > Personal Accounts being disabled by default was released on August 22, 2025. Applications created before this date will not see the **Allow Personal Accounts** setting, because Personal Accounts were enabled by default. + +- **Personal Accounts enabled**: Users can operate in their own individual workspace or join Organizations. They start in their Personal Account and can switch to Organizations using the [``](/docs/reference/components/organization/organization-switcher) component. + +Most B2B and multi-tenant applications leave Personal Accounts disabled. This ensures proper data isolation and team structure from the start. You should only enable Personal Accounts if your app serves both individual users and teams (like a tool that works for solo users but also has team features). + +To enable Organizations: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Select **Enable Organizations**. +1. In the modal, toggle **Allow Personal Accounts** based on your decision above. +1. Select **Enable**. + +Clerk measures Organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. + +## Organization settings + +Once Organizations are enabled, you can configure core features and behaviors, such as membership limits, Verified Domains, Organization slugs, and whether to allow Personal Accounts alongside Organizations. + +### Membership limits + +There is no limit to the number of Organizations a user can be a member of. + +Each Organization allows a maximum of 5 members by default. You can increase this limit as your customer base grows, or set different limits for individual Organizations if you have different pricing tiers. + +To change the membership limit for all Organizations in your application: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. In the **Default membership limit** section, update the membership limit. + - **Free plan**: Allows a maximum of 5 members in an Organization + - **Pro plan**: Allows unlimited members in an Organization + +To change the membership limit for a specific Organization: + +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). +1. Select the Organization you want to update. +1. In the **Membership limit** section, update the limit for that specific Organization. + +### Allow Personal Accounts + +When enabling the Organizations feature, you were prompted to choose whether to allow Personal Accounts. This setting is disabled by default. Refer to the [section on enabling Organizations](#enable-organizations) above for a detailed explanation of how Personal Accounts work. + +You can change this setting after initial setup, which is useful if your product strategy evolves. For example, if you initially served only teams but now want to support individual users as well. + +To change this setting: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Toggle **Allow personal accounts**. + +### Verified Domains + +Verified Domains allow automatic or suggested Organization membership for users with specific email domains (like `@acme.com`). This is useful for company-wide rollouts where you want to streamline enrollment for employees with company email addresses. Members with the [`org:sys_domains:manage` System Permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can manage Verified Domains and enrollment modes. + +Learn more about [Verified Domains](/docs/guides/organizations/add-members/verified-domains). + +### Organization slugs + +> [!IMPORTANT] +> Organization slugs are disabled by default for applications created after October 7, 2025. For applications created before this date, you can opt to disable it. + +Organization slugs are human-readable URL identifiers (like `acme-corp`) that help users reference which Organization they're working in. Enable this feature if you need Organization-specific URLs or if users frequently switch between multiple Organizations. + +You can also [use Organization slugs in your application's URLs](/docs/guides/organizations/org-slugs-in-urls). + +### Allow user-created Organizations + +By default, users can create Organizations in your application. You can restrict this if you prefer to manually provision Organizations. + +You can also override this Permission for specific users in their profile page under **User permissions**. + +Learn more about [creating Organizations](/docs/guides/organizations/create-and-manage). + +#### Organization creation limit + +{/* TODO: Come back to this. Is the max 100, or is it unlimited? By default, in the Clerk Dash, it says unlimited. But I thought Clerk caps each user to create up to 100 orgs per application instance */} + +When user-created Organizations are enabled, each user can create up to 100 Organizations by default. You can configure this to set a lower limit or allow unlimited Organizations. + +To change the default limit: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. In the **Organization limit** section, choose between: + - **Users can create unlimited organizations** + - **Users can create a limited number of organizations** (specify the limit) + +If you need users to create more than 100 Organizations, [contact support](/contact/support){{ target: '_blank' }} to have the limit raised. + +To override this limit for a specific user: + +1. In the Clerk Dashboard, select [**Users**](https://dashboard.clerk.com/~/users). +1. Select the user you want to update. +1. In the **User permissions** section, configure their Organization creation limit. + +### Default roles + +When users create or join Organizations, they need to be assigned a role. These settings determine which roles are automatically assigned in different scenarios, whether someone is creating a new Organization or joining an existing one. + +#### Default role for members + +The default role for members is assigned to users when they join an Organization through invitations or Verified Domain enrollment. By default, this is set to [**Member**](/docs/guides/organizations/control-access/roles-and-permissions#default-roles). + +This role is used: + +- When sending invitations from the [``](/docs/reference/components/organization/organization-profile) component (pre-filled as default) +- When users auto-join via [Verified Domains](/docs/guides/organizations/add-members/verified-domains) +- As the suggested role for new Organization members + +To change the default role: + +1. In the Clerk Dashboard, navigate to the [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles) page. +1. Select the three dots next to the role you want to set as default. +1. Choose **Set as Default role**. + +Learn more about [Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions). + +#### Creator's initial role + +When a user creates a new Organization, Clerk automatically adds them as its first member and assigns them the Organization's designated **Creator** Role. By default, that Role is [**Admin**](/docs/guides/organizations/control-access/roles-and-permissions#default-roles), giving them full control over the Organization they created. + +The Creator role must have at least these [System Permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions): + +- Manage members (`org:sys_memberships:manage`) +- Read members (`org:sys_memberships:read`) +- Delete Organization (`org:sys_profile:delete`) + +Learn more about the [Creator Role and how to reassign it](/docs/guides/organizations/control-access/roles-and-permissions#the-creator-role). + +### Allow new members to delete Organizations + +This setting controls whether Organization members can delete Organizations. + +By default, any member with the [`org:sys_profile:delete` System Permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can delete an Organization. You can disable this if you want to prevent accidental data loss or require your own approval process before Organizations are removed. + +To change this setting: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Toggle **Allow new members to delete organizations**. + +> [!IMPORTANT] +> This setting only applies to newly created Organizations. Existing Organizations retain their current deletion settings. + +## Next steps + +Now that you've configured global settings, you can: + +- [Create your first Organization](/docs/guides/organizations/create-and-manage) and start adding members +- [Add members to your Organization](/docs/guides/organizations/add-members/invitations) with invitations, Verified Domains, or SSO +- [Configure access control](/docs/guides/organizations/control-access/roles-and-permissions) with Custom Roles and Permissions diff --git a/docs/guides/organizations/control-access/check-access.mdx b/docs/guides/organizations/control-access/check-access.mdx new file mode 100644 index 0000000000..a9ccb61b84 --- /dev/null +++ b/docs/guides/organizations/control-access/check-access.mdx @@ -0,0 +1,169 @@ +--- +title: Check Roles and Permissions with Authorization Checks +description: Limit access to content or entire routes based on a user's Organization Role or Permissions. +metadata: + title: Check Roles and Permissions in Organizations +--- + +Authorization checks are checks you perform in your code to determine the access rights and privileges of a user, ensuring they have the necessary Permissions to perform specific actions or access certain content. These checks are essential for protecting sensitive data, gating premium features, and ensuring users stay within their allowed scope of access. + +Within Organizations, authorization checks can be performed by checking a user's Roles or Custom Permissions. Roles like `org:admin` determine a user's level of access within an Organization, while Custom Permissions like `org:invoices:create` provide fine-grained control over specific features and actions. + +## Examples + +For examples on how to perform authorization checks, see the [guide on authorization checks](/docs/guides/secure/authorization-checks). + + + + You can protect content and even entire routes based on Organization membership, Roles, and Permissions by performing [authorization checks](!authorization-check). + + In the following example, the page is restricted to authenticated users, users who have the `org:admin` Role, and users who belong to the `Acme Corp` Organization. + + - The [`Auth`](/docs/reference/backend/types/auth-object) object is used to access the `isSignedIn` property and `has()` method. + - The `isSignedIn` property is used to check if the user is signed in. + - The `has()` method is used to check if the user has the `org:admin` Role. + - The [`useOrganization()`](/docs/reference/hooks/use-organization) hook is used to access the organization data. + - The Organization name is checked to ensure it matches the required Organization name. If a user is not in the required Organization, the page will display a message and the [``](/docs/reference/components/organization/organization-switcher) component will be rendered to allow the user to switch to the required Organization. + + ```tsx {{ filename: 'app/protected/page.tsx' }} + 'use client' + import { OrganizationSwitcher, useAuth, useOrganization } from '@clerk/nextjs' + + export default function Page() { + // The `useAuth()` hook gives you access to properties like `isSignedIn` and `has()` + const { isSignedIn, has } = useAuth() + const { organization } = useOrganization() + + // Check if the user is authenticated + if (!isSignedIn) { + return

You must be signed in to access this page.

+ } + + // Check if there is an Active Organization + if (!organization) { + return ( + <> +

Set an Active Organization to access this page.

+ + + ) + } + + // Check if the user has the `org:admin` Role + if (!has({ role: 'org:admin' })) { + return

You must be an admin to access this page.

+ } + + // Check if Organization name matches (e.g., "Acme Corp") + const requiredOrgName = 'Acme Corp' + if (organization.name !== requiredOrgName) { + return ( + <> +

+ This page is only accessible in the {requiredOrgName} Organization. + Switch to the {requiredOrgName} Organization to access this page. +

+ + + ) + } + + return ( +

+ You are currently signed in as an admin in the{' '} + {organization.name} Organization. +

+ ) + } + ``` + + For more examples on how to perform authorization checks, see the [dedicated guide](/docs/guides/secure/authorization-checks). + + + + You can protect content and even entire routes based on Organization membership, Roles, and Permissions by performing [authorization checks](!authorization-check). + + In the following example, the page is restricted to authenticated users, users who have the `org:admin` Role, and users who belong to the `Acme Corp` Organization. + + - The [`Auth`](/docs/reference/backend/types/auth-object) object is used to access the `isAuthenticated` and `orgId` properties, as well as the `has()` method. + - The `isAuthenticated` property is used to check if the user is authenticated. + - The `orgId` property is used to check if there is an Active Organization. + - The `has()` method is used to check if the user has the `org:admin` Role. + - To fetch the Organization server-side, the [`clerkClient()`](/docs/reference/nextjs/overview#clerk-client) helper is used to access the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. + - The Organization name is checked to ensure it matches the required Organization name. If a user is not in the required Organization, the page will display a message and the [``](/docs/reference/components/organization/organization-switcher) component will be rendered to allow the user to switch to the required Organization. + + This example is written for Next.js App Router, but can be adapted to other frameworks by using the appropriate method for accessing the [`Auth` object](/docs/reference/backend/types/auth-object), and the appropriate initialization for `clerkClient()`. + + ```tsx {{ filename: 'app/protected/page.tsx' }} + import { auth, clerkClient } from '@clerk/nextjs/server' + import { OrganizationSwitcher } from '@clerk/nextjs' + + export default async function Page() { + // The `Auth` object gives you access to properties like `isAuthenticated` and `userId` + // Accessing the `Auth` object differs depending on the SDK you're using + // https://clerk.com/docs/reference/backend/types/auth-object#how-to-access-the-auth-object + const { isAuthenticated, orgId, has } = await auth() + + // Check if the user is authenticated + if (!isAuthenticated) { + return

You must be signed in to access this page.

+ } + + // Check if there is an Active Organization + if (!orgId) { + return ( + <> +

Set an Active Organization to access this page.

+ + + ) + } + + // Check if the user has the `org:admin` Role + if (!has({ role: 'org:admin' })) { + return

You must be an admin to access this page.

+ } + + // To fetch the Active Organization server-side, + // first initialize the JS Backend SDK. + // This varies depending on the SDK you're using + // https://clerk.com/docs/js-backend/getting-started/quickstart + // Then use the `clerkClient()` to access the `getOrganization()` method + const client = await clerkClient() + const organization = await client.organizations.getOrganization({ organizationId: orgId }) + + // Check if Organization name matches (e.g., "Acme Corp") + const requiredOrgName = 'Acme Corp' + if (organization.name !== requiredOrgName) { + return ( + <> +

+ This page is only accessible in the {requiredOrgName} Organization. + Switch to the {requiredOrgName} Organization to access this page. +

+ + + ) + } + + return ( +

+ You are currently signed in as an admin in the{' '} + {organization.name} Organization. +

+ ) + } + ``` + + For more examples on how to perform authorization checks, see the [dedicated guide](/docs/guides/secure/authorization-checks). + + + +## Next steps + +Now that you know how to check Roles and Permissions, you can: + +- [Read the complete authorization checks guide](/docs/guides/secure/authorization-checks) +- [Learn how to check Features and Plans](/docs/guides/billing/for-b2b#control-access-with-features-plans-and-permissions) for Subscription-based applications +- [Set up custom Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) to define your access control model +- [Configure default Roles](/docs/guides/organizations/configure#default-roles) for new Organization members diff --git a/docs/guides/organizations/control-access/roles-and-permissions.mdx b/docs/guides/organizations/control-access/roles-and-permissions.mdx new file mode 100644 index 0000000000..79600dc851 --- /dev/null +++ b/docs/guides/organizations/control-access/roles-and-permissions.mdx @@ -0,0 +1,148 @@ +--- +title: Roles and Permissions +description: Implement Role-Based Access Control (RBAC) in your application. Set custom Roles, assign privileges, and control access to resources using Clerk Organizations. +metadata: + title: B2B/B2C Roles and Permissions with Clerk Organizations +--- + + + +Roles and Permissions let you control who can access specific resources and perform certain actions within each Organization. Clerk provides two default Roles - **admin** and **member** - that cover most common use cases. You can also create custom Roles and fine-grained Permissions that fit your application's specific features and team setup. + +## Roles + +Each Role defines what users can do and access within an Organization. You can extend a Role's capabilities by adding [Permissions](#permissions). + +### Default Roles + +When users create or join Organizations, they need to be assigned a Role. These settings determine which Roles are automatically assigned in different scenarios, whether someone is creating a new Organization or joining an existing one. + +For each instance, there are currently two default Roles: + +- **Admin (`org:admin`)** - Offers full access to Organization resources. Members with the admin Role have all of the [System Permissions](#system-permissions). They can fully manage the Organization and Organization memberships. +- **Member (`org:member`)** - Offers limited access to Organization resources. Access to Organization resources is limited to the "Read members" and "Read billing" Permissions only, by default. They cannot manage the Organization and Organization memberships, but they can view information about other members in it. + +### The **Creator** Role + +When a user creates a new Organization, Clerk automatically adds them as its first member and assigns them the Organization's designated **Creator** Role. By default, that Role is `org:admin`. + +You cannot delete an Organization Role if it's used as the Organization's **Creator** Role. But, you _can_ reassign the **Creator** Role to any other Role with the right Permissions. For example, if you want to delete the `admin` Role, you will have to assign another Role as the **Creator** Role. + +The **Creator** Role must _at least_ have the following [System Permissions](#system-permissions): + +- Manage members (`org:sys_memberships:manage`) +- Read members (`org:sys_memberships:read`) +- Delete Organization (`org:sys_profile:delete`) + +To reassign the **Creator** Role: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. [Create a new Role](#custom-roles) or use an existing Role from the list. +1. Ensure that **Manage members**, **Read members**, and **Delete Organization** System Permissions are selected for the Role. +1. Open the three dots icon for the Role. +1. From the dropdown, select the **Set as Creator role** option. + +### The **Default** Role for members + +New Organization members are initially assigned the **Default** Role. By default, that Role is `org:member`. This Role is used as a pre-filled default in `` invitations and for Organization enrollment with [Verified Domains](/docs/guides/organizations/add-members/verified-domains). + +You cannot delete an Organization Role if it's used as the Organization's **Default** Role. But, you _can_ reassign the **Default** Role to any other Role. + +To reassign the **Default** Role: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. [Create a new Role](#custom-roles) or use an existing Role from the list. +1. Select the three dots next to the Role you want to set as default. +1. From the dropdown, select the **Set as Default role** option. + +### Custom Roles + +You can create up to 10 custom Organization Roles per application instance to meet your application needs. If you need more than 10 Roles, [contact support](/contact/support){{ target: '_blank' }}. + +Custom Roles can be granted Permissions and access. For example, you can create a new Role of **Billing** (`org:billing`) which can be used to group users who belong to a specific department of the Organization and have permission to manage credit card information, invoices, and other resources related to billing. + +To create a new Role: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles) +1. Select **Add role**. +1. Give the Role a name, a key to reference it by, and a description. The final key will follow the format `org:`. +1. Select **Save**. + +### Change a user's Role + +You can change a user's Role in the Clerk Dashboard, or in your application using the [``](/docs/reference/components/organization/organization-switcher) component. + +To change a user's Role in the Clerk Dashboard: + +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) and select an organization. +1. Select the **Members** tab. +1. In the list of members, find the one whose Role you want to change. +1. Select another Role from their Role dropdown. + +### Delete a Role + +You cannot delete a Role that is still assigned to members of an Organization. Change the members to a different Role before completing the following steps. + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. Select the three dots icon next to the Role. +1. Select **Delete role**. + +## Permissions + +Permissions grant users privileged access to resources and operations, like creating and deleting. Clerk supports two types of Permissions: **System Permissions** and **Custom Permissions**. + +### System Permissions + +Clerk provides a set of System Permissions that power [Clerk's Frontend API](/docs/reference/frontend-api){{ target: '_blank' }} and [organization-related Clerk components](/docs/reference/components/overview). These Permissions serve as the baseline required for Clerk to operate effectively. + +Clerk's System Permissions consist of the following: + +- Manage Organization (`org:sys_profile:manage`) +- Delete Organization (`org:sys_profile:delete`) +- Read members (`org:sys_memberships:read`) +- Manage members (`org:sys_memberships:manage`) +- Read domains (`org:sys_domains:read`) +- Manage domains (`org:sys_domains:manage`) +- Read billing (`org:sys_billing:read`) +- Manage billing (`org:sys_billing:manage`) + +You can assign these System Permissions to any Role. + +> [!WARNING] +> System Permissions aren't included in [session claims](/docs/guides/sessions/session-tokens#default-claims). If you need to check Permissions on the server-side, you must [create Custom Permissions](#custom-permissions) for authorization checks in your application code. + +### Custom Permissions + +Custom Permissions let you define fine-tuned access control within your Organization. Each Permission is tied to a Feature, and can be assigned to one or more Roles. To create a Custom Permission, you must first create a Role (e.g. **sales**) and a Feature within that Role (e.g. **invoices**). Once both exist, you can define specific Permissions (e.g. **create**) related to that Feature. To assign a Custom Permission to a user, you must assign the user to the Role that has the Permission. + +To create a new Permission: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. [Create a new Role](#custom-roles) or use an existing Role from the list. +1. Under **Custom permissions**, select **Create permission** under the Feature you want to create the Permission for. If there are no Features, you'll need to create a new one first. Select **Create feature** and fill in the required fields. Once finished, the newly created Feature will appear in the list, and the **Create permission** button will appear. +1. Give the Permission a name, a key to reference it by, and a description. The final key will follow the format `org::`. + > [!NOTE] + > Common Permission values could be: + > + > - `create` — to allow creating resources + > - `read` — to allow reading/viewing resources + > - `update/manage` — to allow updating/editing resources + > - `delete` — to allow deleting resources + > + > For example, you could create a new Permission called **Create invoices** (`org:invoices:create`) which allows only users with this Permission to edit invoices. Then, you could assign this Permission to a Role, or multiple Roles, such as **Billing** (`org:billing`) or **Sales** (`org:sales`). +1. Select **Create permission**. + +You can also create a Custom Permission by navigating to the [**Features**](https://dashboard.clerk.com/~/features) tab in the Clerk Dashboard. + +## Verify a user's Role or Permission + +It's best practice to always verify whether or not a user is **authorized** to access sensitive information, important content, or exclusive features. **Authorization** is the process of determining the access rights and privileges of a user, ensuring they have the necessary Permissions to perform specific actions. To perform authorization checks using a user's Role or Permission, see the [guide on authorizing users](/docs/guides/secure/authorization-checks). + +## Next steps + +Now that you've set up Roles and Permissions, you can: + +- [Perform authorization checks](/docs/guides/secure/authorization-checks) to limit access to content or entire routes based on a user's Role or Permissions +- [Learn how to automatically invite users to an Organization based on their email domain](/docs/guides/organizations/add-members/verified-domains) +- [Learn how to manually invite users to an Organization](/docs/guides/organizations/add-members/invitations) +- [Learn how to automatically add users to an Organization through Enterprise SSO](/docs/guides/organizations/add-members/sso) diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx new file mode 100644 index 0000000000..e8694b77a5 --- /dev/null +++ b/docs/guides/organizations/create-and-manage.mdx @@ -0,0 +1,61 @@ +--- +title: Create and manage Organizations +description: Learn how to create and manage individual Organizations in the Clerk Dashboard and in your application. +metadata: + title: Create and manage Organizations with Clerk +--- + +Organizations can be created and managed either **in the Clerk Dashboard** or **in your application**. This guide covers working with individual Organizations. For global settings that affect all Organizations in your application (like enabling Organizations, setting default Roles, or configuring memberships), refer to the [dedicated guide](/docs/guides/organizations/configure). + +## Create an Organization + +Organizations can be created in the Clerk Dashboard or in your application. The number of Organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). + +### Create an Organization in the Clerk Dashboard + +To create an Organization in the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page and select the **Create Organization** button. + +### Create an Organization in your application + +By default, [users have permission to create Organizations within your application](/docs/guides/organizations/configure#allow-user-created-organizations). When a user creates an Organization, they become the Organization's [admin](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) with full control over settings, members, and Permissions. + +**Default limits**: Each user can create up to 100 Organizations. To change creation permissions or limits, see the [dedicated guide](/docs/guides/organizations/configure#allow-user-created-organizations). + +The easiest way to allow users to create Organizations is to use the [``](/docs/reference/components/organization/create-organization) and/or [``](/docs/reference/components/organization/organization-switcher) components. The `` component is more comprehensive, as it handles all Organization flows including creating, switching, and managing an Organization. + +If the prebuilt components don't meet your needs, you can build [custom flows](/docs/guides/development/custom-flows/overview) using the Clerk API. + +## Manage Organizations + +As an application owner, you can manage all Organizations in your application, both those created by you and those created by your users. You can view, update, and delete any Organization, as well as manage its members and settings. + +### Manage Organizations in the Clerk Dashboard + +To manage an Organization in the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page. Select a specific Organization to view its details, members, invitations, subscriptions, payments, and settings. + +### Manage Organizations in your application + +For managing Organizations in your application, Clerk provides prebuilt components that handle Organization management flows: + +- [``](/docs/reference/components/organization/organization-profile) - A profile page for the user's currently active Organization where they can update settings and manage members. +- [``](/docs/reference/components/organization/organization-switcher) - A dropdown menu that handles all Organization flows, including switching between Organizations and managing the active Organization's profile. +- [``](/docs/reference/components/organization/organization-list) - A list of Organizations that a user is a member of, with options to switch between them. + +If the prebuilt components don't meet your needs, you can build [custom flows](/docs/guides/development/custom-flows/overview) using the Clerk API. + +## Switch between Organizations + +Users who belong to multiple Organizations can switch between them at any time. The currently selected Organization is called the active Organization. + +The [``](/docs/reference/components/organization/organization-switcher) component provides the easiest way for users to switch between Organizations. If you need more control over the switching logic, you can use the `setActive()` method from the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook, or access it directly from the [`Clerk`](/docs/reference/javascript/clerk#set-active) object. + +If [Personal Accounts are enabled](/docs/guides/organizations/configure#allow-personal-accounts), users can switch to their Personal Account using the `` component. + +## Next steps + +Now that you know how to create and manage Organizations, you can: + +- [Add custom data with Organization metadata](/docs/guides/organizations/metadata) +- [Use Organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing +- [Invite members to Organizations](/docs/guides/organizations/add-members/invitations) +- [Set up Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) diff --git a/docs/guides/organizations/get-started-tu/quickstart.mdx b/docs/guides/organizations/get-started-tu/quickstart.mdx new file mode 100644 index 0000000000..3b3c58d1f2 --- /dev/null +++ b/docs/guides/organizations/get-started-tu/quickstart.mdx @@ -0,0 +1,220 @@ +--- +title: Get started with Organizations and Next.js +description: Create and manage Organizations in your Next.js app in this guided tutorial. +sdk: nextjs +--- + +Organizations let you group users with Roles and Permissions, enabling you to build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users can switch between different team contexts. + +> [!NOTE] +> Haven't set up Clerk auth yet? Head over to the [Next.js quickstart](/docs/nextjs/getting-started/quickstart)! + + + ## Add `` to your app + + The `` component is the easiest way to let users create, switch between, and manage Organizations. It's recommended to place it in your app's header or navigation so it's always accessible to your users. For example: + + ```tsx {{ filename: 'app/layout.tsx', mark: [9, 39], fold: [[11, 28]] }} + import type { Metadata } from 'next' + import { + ClerkProvider, + SignInButton, + SignUpButton, + SignedIn, + SignedOut, + UserButton, + OrganizationSwitcher, + } from '@clerk/nextjs' + import { Geist, Geist_Mono } from 'next/font/google' + import './globals.css' + + const geistSans = Geist({ + variable: '--font-geist-sans', + subsets: ['latin'], + }) + + const geistMono = Geist_Mono({ + variable: '--font-geist-mono', + subsets: ['latin'], + }) + + export const metadata: Metadata = { + title: 'Clerk Next.js Quickstart', + description: 'Generated by create next app', + } + + export default function RootLayout({ + children, + }: Readonly<{ + children: React.ReactNode + }>) { + return ( + + + +
+ + + + + + + + + + +
+ {children} + + + + ) + } + ``` + + ## Access Organization data + + Use Clerk's [`useOrganization()`](/docs/reference/hooks/use-organization) hook to access information about the currently active Organization. Use Clerk's [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook to access information about the current user's Organization memberships. + + ```tsx {{ filename: 'app/page.tsx' }} + 'use client' + + import { useOrganization, useOrganizationList } from '@clerk/nextjs' + + export default function Home() { + const { organization } = useOrganization() + const { userMemberships } = useOrganizationList({ + userMemberships: true, + }) + + return ( +
+

+ Welcome to the {organization?.name} organization +

+

+ Your role in this organization:{' '} + + { + userMemberships?.data?.find( + (membership) => membership.organization.id === organization?.id, + )?.role + } + +

+
+ ) + } + ``` + + ## Visit your app + + Run your project with the following command: + + ```npm + npm run dev + ``` + + Visit your app locally at [`localhost:3000`](http://localhost:3000). + + ### Enable Organizations + + When prompted, select **Enable Organizations**. + + ### Create first user and Organization + + You must sign in to use Organizations. When prompted, select **Sign in to continue**. Then, authenticate to create your first user. + + Since you selected disabled Personal Accounts when you enabled Organizations, every user must be in at least one Organization. [Clerk will prompt you](!choose-organization) to create an Organization for your user. + + ## Create and switch Organizations + + At this point, Clerk should have redirected you to a page with the [``](/docs/reference/components/organization/organization-switcher) component. This component allows you to create, switch between, and manage organizations. + + 1. Select the `` component, then **Create an organization**. + 1. Enter `Acme Corp` as the Organization name. + 1. Invite users to your Organization and select their Role. + + ## Protect routes by Organization and Roles + + You can protect content and even entire routes based on Organization membership, Roles, and Permissions by performing [authorization checks](!authorization-check). + + In the following example, the page is protected from unauthenticated users, users that don't have the `org:admin` Role, and users that are not in the `Acme Corp` Organization. + + - The [`Auth`](/docs/reference/backend/types/auth-object) object is used to access the `isSignedIn` and `has()` properties. + - The `isSignedIn` property is used to check if the user is signed in. + - The `has()` helper is used to check if the user has the `org:admin` Role. + - The [`useOrganization()`](/docs/reference/hooks/use-organization) hook is used to access the Organization data. + - The Organization name is checked to ensure it matches the required Organization name. If a user is not in the required Organization, the page will display a message and the [``](/docs/reference/components/organization/organization-switcher) component will be rendered to allow the user to switch to the required Organization. + + ```tsx {{ filename: 'app/protected/page.tsx', collapsible: true }} + 'use client' + import { OrganizationSwitcher, useAuth, useOrganization } from '@clerk/nextjs' + + export default function Page() { + // The `useAuth()` hook gives you access to + // properties like `isSignedIn` and `has()` + const { isSignedIn, has } = useAuth() + const { organization } = useOrganization() + + // Check if the user is authenticated + if (!isSignedIn) { + return

You must be signed in to access this page.

+ } + + // Check if there is an Active Organization + if (!organization) { + return ( + <> +

Set an Active Organization to access this page.

+ + + ) + } + + // Check if the user has the `org:admin` Role + if (!has({ role: 'org:admin' })) { + return

You must be an admin to access this page.

+ } + + // Check if Organization name matches (e.g., "Acme Corp") + const requiredOrgName = 'Acme Corp' + if (organization.name !== requiredOrgName) { + return ( + <> +

+ This page is only accessible in the {requiredOrgName} organization. + Switch to the {requiredOrgName} organization to access this page. +

+ + + ) + } + + return ( +

+ You are currently signed in as an admin in the{' '} + {organization.name} organization. +

+ ) + } + ``` + + Navigate to [`localhost:3000/protected`](localhost:3000/protected). You should see a green message confirming you are an admin in `Acme Corp`. Use the `` to switch Organizations or rename the Organization to show the red message. + + Learn more about protecting routes and checking Organization Roles in the [authorization guide](/docs/guides/organizations/control-access/roles-and-permissions). + + ## It's time to build your B2B SaaS! + + You've added Clerk Organizations to your Next.js app 🎉. If your app needs to scale to enterprise customers, here's what you can do next: + + To make configuration changes to your Clerk development instance, claim the Clerk keys that were generated for you by selecting **Claim your application** in the bottom right of your app. This will associate the application with your Clerk account. + + - **Control access** with [custom Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions): define granular Permissions for different user types within Organizations. + + - **Onboard entire companies** with [Verified Domains](/docs/guides/organizations/add-members/verified-domains): automatically invite users with approved email domains (e.g., `@company.com`) to join Organizations without manual invitations. + + - **Enable Enterprise SSO** with [SAML and OIDC](/docs/guides/organizations/add-members/sso): let customers authenticate through their identity provider (Okta, Entra ID, Google Workspace) with unlimited connections, no per-connection fees. + diff --git a/docs/guides/organizations/get-started.mdx b/docs/guides/organizations/get-started.mdx new file mode 100644 index 0000000000..041e09726e --- /dev/null +++ b/docs/guides/organizations/get-started.mdx @@ -0,0 +1,293 @@ +--- +title: Organizations quickstart +description: Learn how to add Organizations to your application with Clerk's prebuilt components. +--- + +Organizations let you group users with roles and permissions, enabling you to build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users can switch between different team contexts. + + + ## Enable organizations + + Organizations are disabled by default. To enable them: + + 1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. + 1. Select **Enable Organizations**. + 1. In the modal, choose whether to allow personal accounts: + - **Personal accounts disabled (default)**: Every user must belong to an organization. This is recommended for most B2B applications. + - **Personal accounts enabled**: Users can operate in their own individual workspace or join organizations. + 1. Select **Enable**. + + Learn more about configuring organizations in the [dedicated guide](/docs/guides/organizations/configure). + + ## Add the `` component + + The [``](/docs/reference/components/organization/organization-switcher) component is the easiest way to let users create, switch between, and manage organizations. It's recommended to place it in your app's header or navigation so it's always accessible. For example: + + ```tsx {{ filename: 'components/Header.tsx' }} + export default function Header() { + return ( +
+ +
+ ) + } + ``` + + ## Access organization data + + + + Use Clerk's hooks to access the current organization and role within your components: + + - The [`useOrganization()`](/docs/reference/hooks/use-organization) hook is used to access information about the currently active organization. + - The [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook is used to access information about the current user's organization memberships. + + ```tsx + export default function Page() { + const { organization } = useOrganization() + const { userMemberships } = useOrganizationList({ + userMemberships: true, + }) + + return ( +
+

+ Welcome to the {organization?.name} organization +

+

+ Your role in this organization:{' '} + + {/* Find the organization membership that matches the + currently active organization and return the role */} + { + userMemberships?.data?.find( + (membership) => membership.organization.id === organization?.id, + )?.role + } + +

+
+ ) + } + ``` + + + + [Clerk's JS Backend SDK](/docs/js-backend/getting-started/quickstart) provides methods for accessing organization data server-side. For example, to get information about an organization, you can use the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. It requires the organization ID, which can be accessed through the [`Auth`](/docs/reference/backend/types/auth-object) object. + + This example is written for Next.js App Router, but can be adapted to other frameworks by using the appropriate method for accessing the [`Auth` object](/docs/reference/backend/types/auth-object), and the [appropriate initialization for `clerkClient()`](/docs/js-backend/getting-started/quickstart). + + ```tsx + import { auth, clerkClient } from '@clerk/nextjs/server' + import { OrganizationSwitcher } from '@clerk/nextjs' + + export default async function Page() { + // The `Auth` object gives you access to properties like `orgId` + // Accessing the `Auth` object differs depending on the SDK you're using + // https://clerk.com/docs/reference/backend/types/auth-object#how-to-access-the-auth-object + const { orgId } = await auth() + + // Check if there is an active organization + if (!orgId) { + return ( + <> +

Set an active organization to access this page.

+ + + ) + } + + // To fetch the active organization server-side, + // first initialize the JS Backend SDK. + // This varies depending on the SDK you're using + // https://clerk.com/docs/js-backend/getting-started/quickstart + // Then use the `clerkClient()` to access the `getOrganization()` method + const client = await clerkClient() + const organization = await client.organizations.getOrganization({ organizationId: orgId }) + + return

Hello {organization.name}

+ } + ``` + + + + ## Protect content + + + + You can protect content and even entire routes based on organization membership, roles, and permissions by performing [authorization checks](!authorization-check). + + In the following example, the page is restricted to authenticated users, users who have the `org:admin` role, and users who belong to the `Acme Corp` organization. + + - The [`Auth`](/docs/reference/backend/types/auth-object) object is used to access the `isSignedIn` property and `has()` method. + - The `isSignedIn` property is used to check if the user is signed in. + - The `has()` method is used to check if the user has the `org:admin` role. + - The [`useOrganization()`](/docs/reference/hooks/use-organization) hook is used to access the organization data. + - The organization name is checked to ensure it matches the required organization name. If a user is not in the required organization, the page will display a message and the [``](/docs/reference/components/organization/organization-switcher) component will be rendered to allow the user to switch to the required organization. + + ```tsx {{ filename: 'app/protected/page.tsx' }} + 'use client' + import { OrganizationSwitcher, useAuth, useOrganization } from '@clerk/nextjs' + + export default function Page() { + // The `useAuth()` hook gives you access to properties like `isSignedIn` and `has()` + const { isSignedIn, has } = useAuth() + const { organization } = useOrganization() + + // Check if the user is authenticated + if (!isSignedIn) { + return

You must be signed in to access this page.

+ } + + // Check if there is an active organization + if (!organization) { + return ( + <> +

Set an active organization to access this page.

+ + + ) + } + + // Check if the user has the `org:admin` role + if (!has({ role: 'org:admin' })) { + return

You must be an admin to access this page.

+ } + + // Check if organization name matches (e.g., "Acme Corp") + const requiredOrgName = 'Acme Corp' + if (organization.name !== requiredOrgName) { + return ( + <> +

+ This page is only accessible in the {requiredOrgName} organization. + Switch to the {requiredOrgName} organization to access this page. +

+ + + ) + } + + return ( +

+ You are currently signed in as an admin in the{' '} + {organization.name} organization. +

+ ) + } + ``` + + For more examples on how to perform authorization checks, see the [dedicated guide](/docs/guides/secure/authorization-checks). + + + + You can protect content and even entire routes based on organization membership, roles, and permissions by performing [authorization checks](!authorization-check). + + In the following example, the page is restricted to authenticated users, users who have the `org:admin` role, and users who belong to the `Acme Corp` organization. + + - The [`Auth`](/docs/reference/backend/types/auth-object) object is used to access the `isAuthenticated` and `orgId` properties, as well as the `has()` method. + - The `isAuthenticated` property is used to check if the user is authenticated. + - The `orgId` property is used to check if there is an active organization. + - The `has()` method is used to check if the user has the `org:admin` role. + - To fetch the organization server-side, the [`clerkClient()`](/docs/reference/nextjs/overview#clerk-client) helper is used to access the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. + - The organization name is checked to ensure it matches the required organization name. If a user is not in the required organization, the page will display a message and the [``](/docs/reference/components/organization/organization-switcher) component will be rendered to allow the user to switch to the required organization. + + This example is written for Next.js App Router, but can be adapted to other frameworks by using the appropriate method for accessing the [`Auth` object](/docs/reference/backend/types/auth-object), and the appropriate initialization for `clerkClient()`. + + ```tsx {{ filename: 'app/protected/page.tsx' }} + import { auth, clerkClient } from '@clerk/nextjs/server' + import { OrganizationSwitcher } from '@clerk/nextjs' + + export default async function Page() { + // The `Auth` object gives you access to properties like `isAuthenticated` and `userId` + // Accessing the `Auth` object differs depending on the SDK you're using + // https://clerk.com/docs/reference/backend/types/auth-object#how-to-access-the-auth-object + const { isAuthenticated, orgId, has } = await auth() + + // Check if the user is authenticated + if (!isAuthenticated) { + return

You must be signed in to access this page.

+ } + + // Check if there is an active organization + if (!orgId) { + return ( + <> +

Set an active organization to access this page.

+ + + ) + } + + // Check if the user has the `org:admin` role + if (!has({ role: 'org:admin' })) { + return

You must be an admin to access this page.

+ } + + // To fetch the active organization server-side, + // first initialize the JS Backend SDK. + // This varies depending on the SDK you're using + // https://clerk.com/docs/js-backend/getting-started/quickstart + // Then use the `clerkClient()` to access the `getOrganization()` method + const client = await clerkClient() + const organization = await client.organizations.getOrganization({ organizationId: orgId }) + + // Check if organization name matches (e.g., "Acme Corp") + const requiredOrgName = 'Acme Corp' + if (organization.name !== requiredOrgName) { + return ( + <> +

+ This page is only accessible in the {requiredOrgName} organization. + Switch to the {requiredOrgName} organization to access this page. +

+ + + ) + } + + return ( +

+ You are currently signed in as an admin in the{' '} + {organization.name} organization. +

+ ) + } + ``` + + For more examples on how to perform authorization checks, see the [dedicated guide](/docs/guides/secure/authorization-checks). + + + + ## It's time to build your B2B SaaS! + + You've added Clerk organizations to your Next.js app 🎉. Ready to scale to enterprise customers? + + - **Control access** with [custom roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions): define granular permissions for different user types within organizations. + + - **Onboard entire companies** with [verified domains](/docs/guides/organizations/add-members/verified-domains): automatically invite users with approved email domains (e.g., `@company.com`) to join organizations without manual invitations. + + - **Enable enterprise SSO** with [SAML and OIDC](/docs/guides/organizations/add-members/sso): let customers authenticate through their identity provider (Okta, Entra ID, Google Workspace) with unlimited connections, no per-connection fees. + + +## Next steps + + + - [Create and manage organizations](/docs/guides/organizations/create-and-manage) + - Learn how to create organizations, manage members, and switch between organizations. + + --- + + - [Invite members to organizations](/docs/guides/organizations/add-members/invitations) + - Learn how to invite team members to your organizations with role-based access. + + --- + + - [Roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) + - Set up custom roles and permissions to control access within organizations. + + --- + + - [Organization components](/nextjs/reference/components/organization/organization-switcher) + - Learn more about Clerk's prebuilt organization components. + diff --git a/docs/guides/organizations/metadata.mdx b/docs/guides/organizations/metadata.mdx index 49f1cfd541..ff384bb62b 100644 --- a/docs/guides/organizations/metadata.mdx +++ b/docs/guides/organizations/metadata.mdx @@ -5,33 +5,52 @@ metadata: title: Custom metadata for B2B authentication flows --- -Organization metadata allows you to store information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. +Organization metadata lets you store custom information about an Organization that is not part of the standard fields, such as custom attributes that are specific to your application. This is useful for advanced user segmentation, analytics, or storing application-specific data like subscription tier, department, or region. -There are two types of metadata: **public** and **private**. +Metadata is stored on the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/types/organization-membership) objects. -- Both **public** and **private** metadata are set and can be accessed from the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. -- Only **public** metadata can be accessed from the [Frontend API](/docs/reference/frontend-api/){{ target: '_blank' }}. +## Types of metadata -Both the `Organization` and `Organization Membership` objects have the metadata fields: `publicMetadata` and `privateMetadata`. +There are two types of Organization metadata: **public** and **private**. + +| Metadata | Frontend API | Backend API | +| - | - | - | +| Public | Read access | Read & write access | +| Private | No read or write access | Read & write access | + +Both the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/types/organization-membership) objects have the metadata fields: `publicMetadata` and `privateMetadata`. - Use the `publicMetadata` property if you need to set some metadata from your backend and have them displayed as read-only on the frontend. - Use the `privateMetadata` property if the custom attributes contain sensitive information that should not be displayed on the frontend. -## Set organization metadata +## Set Organization metadata + +You can set Organization metadata in the [Clerk Dashboard](https://dashboard.clerk.com/~/organizations) or using Clerk's Backend API. See the [`updateOrganizationMetadata()`](/docs/reference/backend/organization/update-organization-metadata) and [`updateOrganizationMembershipMetadata()`](/docs/reference/backend/organization/update-organization-membership-metadata) methods for more information. + +## Access public metadata + +To access public metadata on the frontend, it's available on the [`Organization`](/docs/reference/javascript/organization) object, which can be accessed using the [`useOrganization()`](/docs/reference/hooks/use-organization) hook. + +To access public metadata on the backend, it's available on the [Backend `Organization`](/docs/reference/backend/types/backend-organization) object which can be accessed using the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. This method will return the `Organization` object which contains the public metadata. However, this method is subject to [rate limits](/docs/guides/how-clerk-works/system-limits#backend-api-requests), so _if you are accessing the metadata frequently_, it's recommended to [attach it to the user's session token](#metadata-in-the-session-token). + +## Metadata in the session token + +Retrieving metadata from the `Organization` or `OrganizationMembership` objects on the server-side requires making an API request to Clerk's Backend API, which is slower and is subject to [rate limits](/docs/guides/how-clerk-works/system-limits#backend-api-requests). You can store it in the user's session token, which doesn't require making an API request as it's available on the user's authentication context. **However, there is a size limitation to keep in mind.** Clerk stores the session token in a cookie, and most browsers cap cookie size at [**4KB**](https://datatracker.ietf.org/doc/html/rfc2109#section-6.3). After accounting for the size of Clerk's default claims, the cookie can support **up to 1.2KB** of custom claims. **Exceeding this limit will cause the cookie to not be set, which will break your app as Clerk depends on cookies to work properly.** -There are two ways to set organization metadata: +If you need to store more than 1.2KB of metadata, you should [store the extra data in your own database](/docs/guides/development/webhooks/syncing#storing-extra-user-data) instead. If this isn't an option, you can [move particularly large claims out of the token](/docs/guides/sessions/session-tokens#example) and fetch them using a separate API call from your backend, but this approach brings back the issue of making an API request to Clerk's Backend API, which is slower and is subject to rate limits. -- In the Clerk Dashboard -- Using the [JS Backend SDK](/docs/js-backend/getting-started/quickstart) +Another limitation of storing metadata in the session token is that when you modify metadata server-side, the changes won't appear in the session token until the next refresh. To avoid race conditions, either [force a JWT refresh](/docs/guides/sessions/force-token-refresh) after metadata changes or handle the delay in your application logic. -### In the Clerk Dashboard +If you've considered the limitations, and you still want to store metadata in the session token: -1. In the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page. -1. Select the organization you want to update. -1. In the **Organization metadata** section, select **Edit** next to the metadata you want to update. +1. In the Clerk Dashboard, navigate to the [**Sessions**](https://dashboard.clerk.com/~/sessions) page. +1. Under **Customize session token**, in the **Claims** editor, you can add any claim to your session token that you need and select **Save**. To avoid exceeding the session token's 1.2KB limit, it's not recommended to add the entire `organization.public_metadata` or `organization_membership.public_metadata` object. Instead, add individual fields as claims, like `organization.public_metadata.birthday`. When doing this, it's recommended to leave particularly large claims out of the token to avoid exceeding the session token's size limit. See the [example](/docs/guides/sessions/session-tokens#example) for more information. -### Using the JS Backend SDK +## Next steps -To ease the flow of setting metadata, Clerk provides the [`updateOrganizationMetadata()`](/docs/reference/backend/organization/update-organization-metadata) and [`updateOrganizationMembershipMetadata()`](/docs/reference/backend/organization/update-organization-membership-metadata) methods from the [JS Backend](/docs/js-backend/getting-started/quickstart), which is a wrapper around the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. +Now that you understand Organization metadata, you can: - +- [Add metadata to invitations](/docs/guides/organizations/add-members/invitations#invitation-metadata) to track invitation sources or assign attributes +- [Create and manage Organizations](/docs/guides/organizations/create-and-manage) to see metadata in action +- [Control access based on Roles and Permissions](/docs/guides/secure/authorization-checks) +- [Use Organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing diff --git a/docs/guides/organizations/org-slugs-in-urls.mdx b/docs/guides/organizations/org-slugs-in-urls.mdx index 57b38810f9..0f7abf2d43 100644 --- a/docs/guides/organizations/org-slugs-in-urls.mdx +++ b/docs/guides/organizations/org-slugs-in-urls.mdx @@ -1,8 +1,8 @@ --- -title: Use organization slugs in URLs -description: Learn how to use organization slugs in your application URLs to build tenant-specific authentication flows. Enable seamless switching between active orgs (one-to-many or many-to-many) with Clerk's secure and scalable multi-tenant authentication suite. +title: Use Organization slugs in URLs +description: Learn how to use Organization slugs in your application URLs to build tenant-specific authentication flows. Enable seamless switching between active Organizations (one-to-many or many-to-many) with Clerk's secure and scalable multi-tenant authentication suite. metadata: - title: Use organization slugs in URLs for tenant-specific auth flows + title: Use Organization slugs in URLs for tenant-specific auth flows --- -Organization slugs are human-readable URL identifiers that help users reference which organization they're working in. A common pattern for organization-scoped areas in an application is to include the organization slug in the URL path. +Organization slugs are human-readable URL identifiers (like `acme-corp` or `marketing-team`) that help users reference which Organization they're working in. A common pattern for Organization-scoped areas in an application is to include the Organization slug in the URL path, making links sharable and providing clear context about which tenant the page belongs to. -For example, a B2B application named "Petstore" has two customer organizations: **Acmecorp** and **Widgetco**. Each organization uses its name as a slug in the URL: +For example, a B2B application named "Petstore" has two customer Organizations: **Acmecorp** and **Widgetco**. Each Organization uses its name as a slug in the URL: - **Acmecorp**: `https://petstore.example.com/orgs/`**`acmecorp`**`/dashboard` - **Widgetco**: `https://petstore.example.com/orgs/`**`widgetco`**`/dashboard` -Alternatively, [organization IDs](/docs/reference/javascript/organization#properties) can be used to identify organizations in URLs: +Alternatively, [Organization IDs](/docs/reference/javascript/organization#properties) can be used to identify Organizations in URLs: - **Acmecorp**: `https://petstore.example.com/orgs/`**`org_1a2b3c4d5e6f7g8e`**`/dashboard` - **Widgetco**: `https://petstore.example.com/orgs/`**`org_1a2b3c4d5e6f7g8f`**`/dashboard` -### When to use organization slugs +### When to use Organization slugs -This feature is intended for apps that **require** organization slugs in URLs. **Adding slugs to URLs isn't recommended unless necessary.** +This feature is intended for apps that **require** Organization slugs in URLs. **We don't recommend adding slugs to URLs unless necessary.** -Use organization slugs if: +Use Organization slugs if: -- Users frequently share links for public-facing content (e.g., documentation, marketing materials, and third-party blogs) -- Users regularly switch between multiple organizations -- Organization-specific URLs provide meaningful context +- Users frequently share links for public-facing content (e.g., documentation, marketing materials, and third-party blogs). +- Users regularly switch between multiple Organizations. +- Organization-specific URLs provide meaningful context. -**Don't** use organization slugs if: +**Don't** use Organization slugs if: -- Most users belong to only one organization -- You want to keep URLs simple and consistent -- You're primarily using the Clerk session for organization context +- Most users belong to only one Organization. +- You want to keep URLs simple and consistent. +- You're primarily using the Clerk session for Organization context. -This guide shows you how to add organization slugs to your app's URLs, configure Clerk components to handle slug-based navigation, and access organization data based on the URL slug at runtime. +This guide shows you how to add Organization slugs to your app's URLs, configure Clerk components to handle slug-based navigation, and access Organization data based on the URL slug at runtime. ## Configure `` and `` - The [``](/docs/reference/components/organization/organization-switcher) and [``](/docs/reference/components/organization/organization-list) components provide a robust set of options to manage organization slugs and IDs in your application's URLs. + The [``](/docs/reference/components/organization/organization-switcher) and [``](/docs/reference/components/organization/organization-list) components provide a robust set of options to manage Organization slugs and IDs in your application's URLs. Set the following properties to configure the components to handle slug-based navigation: - - Set `hideSlug` to `false` to allow users to customize the organization's URL slug when creating an organization. - - Set `afterCreateOrganizationUrl` to `/orgs/:slug` to navigate the user to the organization's slug after creating an organization. - - Set `afterSelectOrganizationUrl` to `/orgs/:slug` to navigate the user to the organization's slug after selecting it. + - Set `hideSlug` to `false` to allow users to customize the Organization's URL slug when creating an Organization. + - Set `afterCreateOrganizationUrl` to `/orgs/:slug` to navigate the user to the Organization's slug after creating an Organization. + - Set `afterSelectOrganizationUrl` to `/orgs/:slug` to navigate the user to the Organization's slug after selecting it. - For example, if the organization has the slug `acmecorp`, when a user creates or selects that organization using either component, they'll be redirected to `/orgs/acmecorp`. + For example, if the Organization has the slug `acmecorp`, when a user creates or selects that Organization using either component, they'll be redirected to `/orgs/acmecorp`. ", ""]}> @@ -113,14 +113,14 @@ This guide shows you how to add organization slugs to your app's URLs, configure > [!TIP] > If your app doesn't use `clerkMiddleware()`, or you prefer to manually set the [Active Organization](!active-organization), use the [`setActive()`](/docs/reference/javascript/clerk) method to control the Active Organization on the client-side. - With [`clerkMiddleware()`](/docs/reference/nextjs/clerk-middleware), you can use the [`organizationSyncOptions`](/docs/reference/nextjs/clerk-middleware#organization-sync-options) property to declare URL patterns that determine whether a specific organization should be activated. + With [`clerkMiddleware()`](/docs/reference/nextjs/clerk-middleware), you can use the [`organizationSyncOptions`](/docs/reference/nextjs/clerk-middleware#organization-sync-options) property to declare URL patterns that determine whether a specific Organization should be activated. - If the middleware detects one of these patterns in the URL and finds that a different organization is active in the session, it'll attempt to set the specified organization as the active one. + If the middleware detects one of these patterns in the URL and finds that a different Organization is active in the session, it'll attempt to set the specified Organization as the active one. - In the following example, two `organizationPatterns` are defined: one for the root (e.g., `/orgs/acmecorp`) and one as the wildcard matcher `(.*)` to match `/orgs/acmecorp/any/other/resource`. This configuration ensures that the path `/orgs/:slug` with any optional trailing path segments will set the organization indicated by the slug as the active one. + In the following example, two `organizationPatterns` are defined: one for the root (e.g., `/orgs/acmecorp`) and one as the wildcard matcher `(.*)` to match `/orgs/acmecorp/any/other/resource`. This configuration ensures that the path `/orgs/:slug` with any optional trailing path segments will set the Organization indicated by the slug as the active one. > [!WARNING] - > If no organization with the specified slug exists, or if the user isn't a member of the organization, then `clerkMiddleware()` **won't** modify the Active Organization. Instead, it will leave the previously Active Organization unchanged on the Clerk session. + > If no Organization with the specified slug exists, or if the user isn't a member of the Organization, then `clerkMiddleware()` **won't** modify the Active Organization. Instead, it will leave the previously Active Organization unchanged on the Clerk session. ```tsx {{ filename: 'proxy.ts', mark: [[7, 13]] }} import { clerkMiddleware } from '@clerk/nextjs/server' @@ -151,17 +151,17 @@ This guide shows you how to add organization slugs to your app's URLs, configure ### Handle failed activation - Now that `clerkMiddleware()` is configured to activate organizations, you can build an organization-specific page while handling cases where the organization can't be activated. + Now that `clerkMiddleware()` is configured to activate Organizations, you can build an Organization-specific page while handling cases where the Organization can't be activated. - Failed activation occurs if no organization with the specified slug exists, or if the given user isn't a member of the organization. When this happens, the middleware won't change the Active Organization, leaving the previously active one unchanged. + Failed activation occurs if no Organization with the specified slug exists, or if the given user isn't a member of the Organization. When this happens, the middleware won't change the Active Organization, leaving the previously active one unchanged. - For troubleshooting, a message will also be logged on the server: + For troubleshooting, Clerk will also log a message on the server: - > Clerk: Organization activation handshake loop detected. This is likely due to an invalid organization ID or slug. Skipping organization activation. + > Clerk: Organization activation handshake loop detected. This is likely due to an invalid Organization ID or slug. Skipping Organization activation. - It's ultimately the responsibility of the page to ensure that it renders the appropriate content for a given URL, and to handle the case where the expected organization **isn't** active. + It's ultimately the responsibility of the page to ensure that it renders the appropriate content for a given URL, and to handle the case where the expected Organization **isn't** active. - In the following example, the organization slug is detected as a Next.js [Dynamic Route](https://nextjs.org/docs/pages/building-your-application/routing/dynamic-routes) param and passed as a parameter to the page. If the slug doesn't match the Active Organization slug, an error message is rendered and the [``](/docs/reference/components/organization/organization-list) component allows the user to select a valid organization. + In the following example, the Organization slug is detected as a Next.js [Dynamic Route](https://nextjs.org/docs/pages/building-your-application/routing/dynamic-routes) param and passed as a parameter to the page. If the slug doesn't match the Active Organization slug, an error message is rendered and the [``](/docs/reference/components/organization/organization-list) component allows the user to select a valid Organization. ```tsx {{ filename: 'app/orgs/[slug]/page.tsx' }} import { auth } from '@clerk/nextjs/server' @@ -171,13 +171,13 @@ This guide shows you how to add organization slugs to your app's URLs, configure const { orgSlug } = await auth() const { slug } = await params - // Check if the organization slug from the URL params doesn't match - // the Active Organization slug from the user's session. - // If they don't match, show an error message and the list of valid organizations. + // Check if the org slug from the URL params doesn't match + // the active org slug from the user's session. + // If they don't match, show an error message and the list of valid Organizations. if (slug != orgSlug) { return ( <> -

Sorry, organization {slug} is not valid.

+

Sorry, Organization {slug} is not valid.

Welcome to organization {orgSlug} + return
Welcome to Organization {orgSlug}
} ``` - ## Render organization-specific content + ## Render Organization-specific content - Use the following tabs to learn how to access organization information on the server-side and client-side. + Use the following tabs to learn how to access Organization information on the server-side and client-side. - To get organization information on the server-side, access the [`Auth`](/docs/reference/backend/types/auth-object) object which includes the active org's `orgId` and `orgSlug` and the current user's `orgRole` and `orgPermissions`. To access _additional_ organization information server-side, like the organization name, you can store the additional information in the user's session token. To [customize the session token](/docs/guides/sessions/customize-session-tokens), do the following: + To get Organization information on the server-side, access the [`Auth`](/docs/reference/backend/types/auth-object) object which includes the active org's `orgId` and `orgSlug` and the current user's `orgRole` and `orgPermissions`. To access _additional_ Organization information server-side, like the Organization name, you can store the additional information in the user's session token. To [customize the session token](/docs/guides/sessions/customize-session-tokens), do the following: 1. In the Clerk Dashboard, navigate to the [**Sessions**](https://dashboard.clerk.com/~/sessions) page. 1. Under **Customize session token**, in the **Claims** editor, add any claim you need to your session token. For this guide, add the following claim: @@ -219,13 +219,13 @@ This guide shows you how to add organization slugs to your app's URLs, configure const { orgSlug, sessionClaims } = await auth() const { slug } = await params - // Check if the organization slug from the URL params doesn't match - // the Active Organization slug from the user's session. - // If they don't match, show an error message and the list of valid organizations. + // Check if the org slug from the URL params doesn't match + // the active org slug from the user's session. + // If they don't match, show an error message and the list of valid Organizations. if (slug != orgSlug) { return ( <> -

Sorry, organization {slug} is not valid.

+

Sorry, Organization {slug} is not valid.

{orgId && `Welcome to organization ${orgId}`} @@ -244,7 +244,7 @@ This guide shows you how to add organization slugs to your app's URLs, configure - To get organization information on the client-side, use the [`useOrganization()`](/docs/reference/hooks/use-organization) hook to access the [`organization`](/docs/reference/javascript/organization) object. + To get Organization information on the client-side, use the [`useOrganization()`](/docs/reference/hooks/use-organization) hook to access the [`organization`](/docs/reference/javascript/organization) object. ```tsx {{ filename: 'app/orgs/[slug]/page.tsx', mark: [[27, 28]] }} 'use client' @@ -252,16 +252,16 @@ This guide shows you how to add organization slugs to your app's URLs, configure import { OrganizationList, useOrganization } from '@clerk/nextjs' export default function Home({ params }: { params: { slug: string } }) { - // Use `useOrganization()` to access the currently Active Organization's `Organization` object + // Use `useOrganization()` to access the currently active org's `Organization` object const { organization } = useOrganization() - // Check if the organization slug from the URL params doesn't match - // the Active Organization slug from the user's session. - // If they don't match, show an error message and the list of valid organizations. + // Check if the org slug from the URL params doesn't match + // the active org slug from the user's session. + // If they don't match, show an error message and the list of valid Organizations. if (!organization || organization.slug != params.slug) { return ( <> -

Sorry, organization {params.slug} is not valid.

+

Sorry, Organization {params.slug} is not valid.

{organization && `Welcome to organization ${organization.name}`} + // Access the org name from the `Organization` object + return
{organization && `Welcome to Organization ${organization.name}`}
} ``` diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index f2bc323b73..6579784539 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx @@ -1,190 +1,50 @@ --- title: Organizations -description: Learn how to use Clerk Organizations to build scalable B2B auth features, user management, role based access control (RBAC), and per-organization invitation flows into your B2B SaaS. +description: Learn what Clerk Organizations are, how they work, and how to build secure multi-tenant B2B applications with team workspaces, Role-Based Access Control, and streamlined enrollment. metadata: - title: Overview - Build a B2B/B2C multi-tenant SaaS with Clerk Organizations + title: Organizations - Build multi-tenant B2B applications --- -Organizations are a flexible and scalable way to manage users and their access to resources within your Clerk application. With organizations, you can assign specific roles and permissions to users, making them useful for managing projects, coordinating teams, or facilitating partnerships. +Organizations let you group users with Roles and Permissions. This lets you build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users switch between different team contexts. -> [!NOTE] -> To explore organizations in Clerk, check out the demo apps: -> [https://github.com/clerk/orgs](https://github.com/clerk/orgs) - -## Enable organizations in your application - -Organizations are disabled by default. - -To enable organizations: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Select **Enable Organizations**. - -Once organizations are enabled, you will be presented with the default settings, roles, and permissions that are applied to all organizations in that application instance. The following sections will explain these settings in more detail. - -## Roles and permissions - -Roles determine a user's level of access and permissions within an organization. Learn more about [how roles and permissions work and how to create your own with Clerk](/docs/guides/organizations/roles-and-permissions). - -## Membership limit - -There is no limit to the number of organizations a user can be a member of. - -However, there is a limit to how many total members can be in a single organization. By default, the membership limit is set to 5 members. To change this limit, scroll to the **Default membership limit** section and update the membership limit. - -If you are on the Free plan, you can update the membership limit to a maximum of 5 members. - -If you have the Pro plan, you can set the membership limit to unlimited. - -You can also change this limit on a per-organization basis: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). -1. Select the organization you want to update. -1. In the **Membership limit** section, update the membership limit. Note that this will not apply to organizations that already exist. - -## Allow new members to delete organizations - -By default, organizations are deletable. Any member with the "Delete organization" permission can delete an organization. To prevent organizations from being deleted, you can disable the ability to delete organizations by following these steps: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Disable **Allow new members to delete organizations**. Note that this will not apply to organizations that already exist. - -## Verified domains - -Verified domains can be used to streamline enrollment into an organization. For example, if the domain `@clerk.com` is added to an organization, any user with a `@clerk.com` email address can be automatically invited or be suggested to join this organization. This feature is useful for organizations that want to restrict membership to users with specific email domains. See the [guide on verified domains](/docs/guides/organizations/verified-domains) for more information. - -## Allow Personal Accounts - -In the Clerk Dashboard, there are two types of workspaces: - -- **Personal account**: A Personal Account/workspace is a user's unique, individual space, independent of any organization. -- **Organization workspace**: An organization workspace is owned and managed by an organization, which can have multiple members, also known as collaborators. The organization workspace that a user is currently viewing is called the [Active Organization](!active-organization). - -Most multi-tenant applications want every user to be part of an organization rather than operating in an isolated Personal Account. Accordingly, **Personal Accounts are disabled by default** once you enable organizations. After signing up, [a user must create or join an organization before they can proceed](/docs/guides/configure/session-tasks). - -To enable Personal Accounts for your application, toggle **Allow Personal Accounts** in the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. - -> [!IMPORTANT] -> Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not be able to see the **Allow Personal Accounts** setting, because Personal Account were enabled by default. - -## Organization slugs - -Organization slugs are human-readable URL identifiers that help users reference which organization they're working in. - -To enable it, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page in the Clerk Dashboard. - -When enabled, organization slugs will be displayed in the [``](/docs/reference/components/organization/create-organization), [``](/docs/reference/components/organization/organization-list), and [``](/docs/reference/components/organization/organization-switcher) components. - -> [!IMPORTANT] -> Organization slugs are disabled by default for applications created after October 7, 2025. For applications created before this date, you can opt to disable it. - -## Active organization +Users can belong to multiple Organizations, and Clerk provides the Organization context (memberships, Roles, and the Active Organization) in each session. You can then use this context to control what data to show and what actions to allow. -When a user is a member of an organization, they can switch between different organizations. The organization workspace that a user is currently viewing is called the **Active Organization**. The Active Organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. - -When Personal Accounts are disabled (the default), users must select or create an organization to continue. This is handled automatically in the [session tasks flow](/docs/guides/configure/session-tasks). - -When Personal Accounts are enabled, users initially sign in to their Personal Account with **no** Active Organization set. The easiest way to allow users to set an organization as active is to use the [``](/docs/reference/components/organization/organization-switcher) component. If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can also use the `setActive()` method, which is returned by the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook. If you aren't using hooks, you can access the `setActive()` method from the [`Clerk`](/docs/reference/javascript/clerk#set-active) object. - -## Monthly Active Organization (MAO) - -The number of organizations you can have in a single Clerk application depends on your [Clerk plan](/pricing){{ target: '_blank' }} and the type of instance (development or production), and is measured by Monthly Active Organizations (MAOs). An MAO is an organization with at least two users that have signed in that month, at least one of which must have interacted with the organization during the current billing cycle. - -With the Free plan: - -- In development instances, you can have _up to_ 50 MAOs in a single Clerk application. Each MAO can have _up to_ 5 members. -- In production instances, you can have up to 100 MAOs in a single Clerk application. Each MAO can have up to 5 members. - -With the Pro plan: - -- In development instances, you can have an unlimited number of MAOs in a single Clerk application _for free_. Each MAO can have an unlimited number of members. -- In production instances, you can have up to 100 MAOs in a single Clerk application _for free_. Each MAO after the first 100 costs $1.00 per month. Each MAO can have an unlimited number of members. - -For more information on pricing, see the [pricing page](/pricing){{ target: '_blank' }}. - -If you need more organizations or custom pricing, contact the [sales team](/contact/sales){{ target: '_blank' }} to upgrade to the Enterprise plan. - -## Manage organizations - -As the application owner, you have control over all of the organizations within your application - both those created by you and those created by your users. You can create, update, and delete organizations, as well as manage their members and settings. - -There are two ways to manage organizations: - -- [In the Clerk Dashboard](#manage-organizations-in-the-clerk-dashboard) -- [In your application](#manage-organizations-in-your-application) - -### Manage organizations in the Clerk Dashboard - -To manage organizations in the Clerk Dashboard: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). Here, you can view and manage all organizations in your application. -1. Select a specific organization to view its details, members, invitations, and settings. Here, you can update the organization's name, slug, logo, and public and private metadata. You can also set the organization's [membership limit](#membership-limit). - -### Manage organizations in your application - -For managing organizations in your application, Clerk provides a set of prebuilt components: - -- [``](/docs/reference/components/organization/create-organization) - A form for a user to create a new organization. -- [``](/docs/reference/components/organization/organization-profile) - A profile page for the user's currently Active Organization. -- [``](/docs/reference/components/organization/organization-list) - A list of organizations that a user is a member of. -- [``](/docs/reference/components/organization/organization-switcher) - A dropdown menu that handles all organization flows. It allows a user to create an organization, switch between organizations, and view their organization's profile, which allows them to manage the organization's settings, invitations, and current members. If [Personal Accounts are enabled](/docs/guides/organizations/overview#allow-personal-accounts), users can also switch to their Personal Account. - -If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can rebuild and customize the existing Clerk flows using the Clerk API. See the [custom flows](/docs/guides/development/custom-flows/overview) for more information. - -## Create an organization - -There are two ways to create an organization: - -- [In the Clerk Dashboard](#create-an-organization-in-the-clerk-dashboard) -- [In your application](#create-an-organization-in-your-application) - -How many organizations you can create depends on how many [MAOs](#monthly-active-organization-mao) you have. - -### Create an organization in the Clerk Dashboard - -To create an organization in the Clerk Dashboard: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). -1. Select the **Create Organization** button. -1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. The slug is a unique identifier for the organization that is used in URLs, such as `example-name`. - -### Create an organization in your application +> [!NOTE] +> To explore Organizations in Clerk, check out the [demo apps](https://github.com/clerk/orgs). -By default, users have the permission to create organizations within your application. To configure this permission for all users: +## How do Organizations work? -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. At the bottom of the page, in the **Limit creation** section, enable/disable **Allow new users to create organizations**. You can also configure the number of organizations that can be created by each user. By default, each user can create an unlimited number of organizations. +Organizations live within your Clerk application. Each application can contain multiple Organizations, and each Organization can have multiple users. You define [Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) once at the application level, and they apply across all Organizations within that application. -If you want to only configure this permission for a specific user, you can override it on a per-user basis on the user's profile page in the Clerk Dashboard: +![Relationship between Clerk Organization, users, Roles and Permissions](/docs/images/orgs/relationship-diagram.jpg) -1. In the top in the Clerk Dashboard, select [**Users**](https://dashboard.clerk.com/~/users). -1. Select the user you want to update. -1. In the **User permissions** section, enable/disable **Allow user to create organizations**. +The Organization that a user is currently viewing is called the **Active Organization**. The Active Organization determines which Organization-specific data the user can access and which Role and related Permissions they have within the Organization. -When a user creates an organization, they become the organization's admin. As the organization's admin, they have full control over the organization, including the ability to update the organization's settings, invite users to join the organization, and manage the organization's members. +Clerk measures Organization usage through **Monthly Active Organizations (MAOs)**. An MAO is an Organization with at least two users that have signed in that month, where at least one has interacted with the Organization during the current billing cycle. Free plans include up to 50 MAOs in development and 100 in production. Pro plans offer unlimited development MAOs and start at 100 free production MAOs, then $1 per additional MAO. Refer to the [pricing page](/pricing){{ target: '_blank' }} for complete details. -A single user within one of your applications can create _up to_ 100 organizations in that application. If you need users to be able to create more organizations than this, [contact support](/contact/support){{ target: '_blank' }} to have the limit raised. +## Core workflow -The easiest way to allow users to create organizations is to use the [``](/docs/reference/components/organization/create-organization) and/or [``](/docs/reference/components/organization/organization-switcher) components. The `` component is more comprehensive, as it handles all organization flows. +The core workflow when working with Organizations can follow something along the lines of: -## Organization invitations +1. **Create**: You can create Organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each Organization has a profile, settings, and [metadata](/docs/guides/organizations/metadata). Users can belong to multiple Organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. Learn more about [creating and managing Organizations](/docs/guides/organizations/create-and-manage). -[Learn how to create and revoke organization invitations](/docs/guides/organizations/invitations). +1. **Add members**: You can add members to Organizations in different ways depending on your needs: -## Manage enterprise connections + - [**Invitations**](/docs/guides/organizations/add-members/invitations) for bottom-up adoption, where individual users invite teammates with precise control over roles. + - [**Verified Domains**](/docs/guides/organizations/add-members/verified-domains) for company-wide rollouts, where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval). + - [**Enterprise Connections**](/docs/guides/organizations/add-members/sso) (SAML or OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP). -Single Sign-On (SSO) can be configured at the organization level, allowing organizations to use their own Identity Provider (IdP) for authentication. These are called **enterprise connections**. When configured: + You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The Active Organization determines which members and Roles apply to the current context. -- Users can sign in through their organization's configured IdP -- Users are **automatically added as members** of the organization upon successful authentication -- Organizations can maintain their existing identity management workflows -- SAML 2.0 and OIDC protocols are supported +1. **Control access**: You can manage access to content or entire pages using Roles and Permissions. Default admin and member Roles cover common cases, while custom Roles and Permissions provide fine-grained access for more complex needs. You can perform [authorization checks](!authorization-check) in both frontend and backend code. -For instructions on how to set up and manage SSO for your organizations, see the [dedicated guide](/docs/guides/organizations/sso). +Beyond these core steps, you can also monitor Organization health and growth with analytics in the Clerk Dashboard. This helps you spot which Organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. ## Next steps -- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/secure/authorization-checks) -- [Learn how to restrict memberships to an organization based on their email domain](/docs/guides/organizations/verified-domains) -- [Learn how to manually invite users to an organization](/docs/guides/organizations/invitations) -- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/sso) +Now that you understand what Organizations are and how they work, here's how to implement them: + +- [Configure Organization settings](/docs/guides/organizations/configure) +- [Create and manage Organizations](/docs/guides/organizations/create-and-manage) +- [Invite members](/docs/guides/organizations/add-members/invitations) +- [Set up Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions) diff --git a/docs/guides/organizations/roles-and-permissions.mdx b/docs/guides/organizations/roles-and-permissions.mdx deleted file mode 100644 index 8b5c9046c8..0000000000 --- a/docs/guides/organizations/roles-and-permissions.mdx +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: Roles and permissions -description: Step-by-step guide on how to implement role based access control (RBAC) in B2C/B2B SaaS apps. You can set as many custom roles, assign privileges and access permissions, all using Clerk Organizations. -metadata: - title: B2B/B2C roles and permissions with Clerk Organizations ---- - - - -Clerk supports modeling your own custom role and permissions to control access to resources within your application when you use [organizations](/docs/guides/organizations/overview). - -## Roles - -Roles determine a user's level of access to the organization. You can extend a role's privileges and access to resources by adding [permissions](#permissions). - -### Default roles - -For each instance, there are currently two default roles: - -- **Admin (`org:admin`)** - Offers full access to organization resources. Members with the admin role have all of the [system permissions](#system-permissions). They can fully manage the organization and organization memberships. -- **Member (`org:member`)** - Offers limited access to organization resources. Access to organization resources is limited to the "Read members" and "Read billing" permissions only, by default. They cannot manage the organization and organization memberships, but they can view information about other members in it. - -### The **Creator** role - -When a user creates a new organization, they're automatically added as its first member and assigned the organization's designated **Creator** role. By default, that role is `org:admin`. - -You cannot delete an organization role if it's used as the organization's **Creator** role. But, you _can_ reassign the **Creator** role to any other role with the right permissions. For example, if you want to delete the `admin` role, you will have to assign another role as the **Creator** role. - -The **Creator** role must _at least_ have the following [system permissions](#system-permissions): - -- Manage members (`org:sys_memberships:manage`) -- Read members (`org:sys_memberships:read`) -- Delete organization (`org:sys_profile:delete`) - -To reassign the **Creator** role: - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). -1. [Create a new role](#custom-roles) or use an existing role from the list. -1. Ensure that **Manage members**, **Read members**, and **Delete organization** system permissions are selected for the role. -1. Open the three dots icon for the role. -1. From the dropdown, select the **Set as Creator role** option. - -### The **Default** role for members - -New organization members are initially assigned the **Default** role. By default, that role is `org:member`. This role is used as a pre-filled default in `` invitations and for organization enrollment with [verified domains](/docs/guides/organizations/verified-domains). - -You cannot delete an organization role if it's used as the organization's **Default** role. But, you _can_ reassign the **Default** role to any other role. - -To reassign the **Default** role: - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). -1. [Create a new role](#custom-roles) or use an existing role from the list. -1. Open the three dots icon for the role. -1. From the dropdown, select the **Set as Default role** option. - -### Custom roles - -You can create up to 10 custom organization roles per application instance to meet your application needs. If you need more than 10 roles, [contact support](/contact/support){{ target: '_blank' }}. - -Custom roles can be granted permissions and access. For example, you can create a new role of **Billing** (`org:billing`) which can be used to group users who belong to a specific department of the organization and have permission to manage credit card information, invoices, and other resources related to billing. - -To create a new role: - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles) -1. Select **Add role**. -1. Give the role a name, a key to reference it by, and a description. The final key will follow the format `org:`. -1. Select **Save**. - -### Change a user's role - -You can change a user's role in the Clerk Dashboard, or in your application, such as in the [``](/docs/reference/components/organization/organization-switcher) component. - -To change a user's role in the Clerk Dashboard: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) and select an organization. -1. Select the **Members** tab. -1. In the list of members, find the one whose role you want to change. -1. Select another role from their role dropdown. - -### Delete a role - -You cannot delete a role that is still assigned to members of an organization. Change the members to a different role before completing the following steps. - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). -1. Select the three dots icon next to the role. -1. Select **Delete role**. - -## Permissions - -Permissions grant users privileged access to resources and operations, like creating and deleting. Clerk supports two types of permissions: **system permissions** and **custom permissions**. - -### System permissions - -Clerk provides a set of system permissions that power [Clerk's Frontend API](/docs/reference/frontend-api){{ target: '_blank' }} and [organization-related Clerk components](/docs/reference/components/overview). These permissions serve as the baseline required for Clerk to operate effectively. - -Clerk's system permissions consist of the following: - -- Manage organization (`org:sys_profile:manage`) -- Delete organization (`org:sys_profile:delete`) -- Read members (`org:sys_memberships:read`) -- Manage members (`org:sys_memberships:manage`) -- Read domains (`org:sys_domains:read`) -- Manage domains (`org:sys_domains:manage`) -- Read billing (`org:sys_billing:read`) -- Manage billing (`org:sys_billing:manage`) - -You can assign these system permissions to any role. - -> [!WARNING] -> System permissions aren't included in [session claims](/docs/guides/sessions/session-tokens#default-claims). To check permissions on the server-side, you must [create custom permissions](#custom-permissions). - -### Custom permissions - -Custom permissions let you define fine-tuned access control within your organization. Each permission is tied to a feature, and can be assigned to one or more roles. To create a custom permission, you must first create a role (e.g. **sales**) and a feature within that role (e.g. **invoices**). Once both exist, you can define specific permissions (e.g. **create**) related to that feature. - -To create a new permission: - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). -1. [Create a new role](#custom-roles) or use an existing role from the list. -1. Under **Custom permissions**, select **Create permission** under the feature you want to create the permission for. If there are no features, you'll need to create a new one first. Select **Create feature** and fill in the required fields. Once finished, the newly created feature will appear in the list, and the **Create permission** button will appear. -1. Give the permission a name, a key to reference it by, and a description. The final key will follow the format `org::`. - > [!NOTE] - > Common permission values could be: - > - > - `create` — to allow creating resources - > - `read` — to allow reading/viewing resources - > - `update/manage` — to allow updating/editing resources - > - `delete` — to allow deleting resources - > - > For example, you could create a new permission called **Create invoices** (`org:invoices:create`) which allows only users with this permission to edit invoices. Then, you could assign this permission to a role, or multiple roles, such as **Billing** (`org:billing`) or **Sales** (`org:sales`). -1. Select **Create permission**. - -You can also create a custom permission by navigating to the [**Features**](https://dashboard.clerk.com/~/features) tab in the Clerk Dashboard. - -## Verify a user's role or permission - -It's best practice to always verify whether or not a user is **authorized** to access sensitive information, important content, or exclusive features. **Authorization** is the process of determining the access rights and privileges of a user, ensuring they have the necessary permissions to perform specific actions. To perform authorization checks using a user's role or permission, see the [guide on authorizing users](/docs/guides/secure/authorization-checks). - -## Next steps - -- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/secure/authorization-checks) -- [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/verified-domains) -- [Learn how to manually invite users to an organization](/docs/guides/organizations/invitations) -- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/sso) diff --git a/docs/guides/organizations/sso.mdx b/docs/guides/organizations/sso.mdx deleted file mode 100644 index 4b68f8718e..0000000000 --- a/docs/guides/organizations/sso.mdx +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Organization-level enterprise SSO -description: Integrate as many enterprise SSO methods within Clerk Organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. -metadata: - title: Set up organization-level SAML and OIDC for B2B/B2C apps ---- - -Clerk supports enabling enterprise SSO connections for specific organizations. When users sign up or sign in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members), which can be either `member` or `admin`. - -## Add an enterprise SSO connection for an organization - -Clerk supports enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. - -To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, the connection will be added for your entire application. - -> [!WARNING] -> A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/verified-domains) for the same organization. - -## Onboarding flows - -The two common onboarding flows for organizations with enterprise SSO are to either create an organization first or to have users initiate the setup themselves. - -#### Organization created first (top-down approach) - -This flow is common for enterprise sales where the relationship is established before users access the application. - -1. [Create an organization](/docs/guides/organizations/overview#create-an-organization) for your customer through the Clerk Dashboard. -1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. -1. Configure the enterprise SSO connection for the organization. -1. Invite users to the organization, who can then sign in using enterprise SSO. - -#### User-initiated setup (bottom-up approach) - -This flow is common when individual users try the product before company-wide adoption. - -1. An end user signs up to evaluate your application, starting with an individual account. -1. After adopting the application, the user [creates an organization](/docs/guides/organizations/overview#create-an-organization) for their company. -1. Configure enterprise SSO for the organization through the Clerk Dashboard. -1. All subsequent users from that organization can now sign in using enterprise SSO. - -## Enforce enterprise SSO by domain - -Enterprise SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: - -- Configure enterprise SSO for your primary domain (e.g., `company.com`) to enforce enterprise SSO authentication for employees. -- Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants). -- Each domain in an organization can have different authentication requirements. - -## Manage memberships - -### Remove a member from your organization - -When a user is tied to an organization through their enterprise connection, they cannot leave the organization themselves, but they can be removed either in the Clerk Dashboard, using [Clerk's Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}){{ target: '_blank' }} endpoint, or by another organization member with the [manage members permission](/docs/guides/organizations/roles-and-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the organization on next sign-in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization. - -## Update an organization from an existing enterprise connection - -When transitioning an enterprise connection to a new organization, existing members will remain part of the original organization. However, they will automatically join the new organization upon their next sign-in. - -To remove members from the original organization, you have two options: utilize [Clerk's Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}){{ target: '_blank' }} or manage memberships directly through the Clerk Dashboard. diff --git a/docs/guides/organizations/verified-domains.mdx b/docs/guides/organizations/verified-domains.mdx deleted file mode 100644 index 49d8b1c6cb..0000000000 --- a/docs/guides/organizations/verified-domains.mdx +++ /dev/null @@ -1,79 +0,0 @@ ---- -title: Verified domains -description: Build organization-specific or tenant-isolated authentication flows that only authorized users with matching domains can join, using Verified Domains within Clerk Organizations. -metadata: - title: Verified domains within Clerk Organizations (Step-by-Step) ---- - -Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. The role assigned to this user will be the role set as the [**Default** role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members) in the organization settings page. - -A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. - -> [!WARNING] -> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/guides/organizations/sso). - -The easiest way to add and verify domains, and manage all settings related to verified domains is to use Clerk's [``](/docs/reference/components/organization/organization-switcher) component. - -## Enable verified domains - -Enabling verified domains applies to all organizations and cannot currently be managed on a per-organization basis. - -In order to enable this feature: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. In the **Verified domains** section, enable **Enable verified domains**. -1. The following setting will appear: - - [**Enrollment mode**](#enrollment-mode) - **Automatic invitation** and **Automatic suggestion**. - -### Enrollment mode - -You can enable the following enrollment modes to be available for your application: - -- [**Automatic invitation**](#automatic-invitations) - Users are automatically invited to join the organization when they sign-up and can join anytime. -- [**Automatic suggestion**](#automatic-suggestions) - Users receive a suggestion to request to join, but must be approved by an admin before they are able to join the organization. - -Then, in your application, when a user with the `org:sys_domains:manage` permission has added and verified a domain, they can enable an enrollment mode. Only one enrollment mode can be enabled for a verified domain at a time. - -### Automatic invitations - -After sign-up, a user will receive an **invitation** for the organization if their email's domain matches the verified domain. If your app uses the `` component, the user will see a notification on the component. When they open the component, they will see a **Join** button next to the organization they were invited to. Selecting the button will accept the invitation and the user will instantly be added as a member of the organization. - -### Automatic suggestions - -After sign-up, a user will receive a **suggestion** for the organization if their email's domain matches the verified domain. If your app uses the `` component, the user will see a **Request to join** button next to the organization. Selecting the button will send a [membership request](#membership-requests) to the organization. - -### Membership requests - -Membership requests are requests from users who saw an organization suggestion and requested to join an organization. Membership requests are only available for organizations that have the **Verified domains** feature enabled and the **Automatic suggestions** feature enabled in both the Dashboard and for the specific domain. - -When a user sends an organization membership request, users with the `org:sys_memberships:manage` permission (by default, admins) will see a notification on their `` component. They will need to accept the request before the user can join the organization. - -## Add and verify domains - -Domains can be added and verified under an organization by any user with the `org:sys_domains:manage` permission. By default, admins have this permission. To add and verify domains in the [``](/docs/reference/components/organization/organization-switcher) component, select the **General** tab. There will be a **Verified domains** section. - -Domains can be verified through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, the domain will be automatically verified. - -An application instance may only have one verified domain of the same name, and an organization may only have one domain of the same name (verified or unverified). - -You can create up to 10 domains per organization to meet your needs. If you need more than 10 domains, [contact support](/contact/support){{ target: '_blank' }}. - -### Custom flow - -If Clerk's [``](/docs/reference/components/organization/organization-switcher) does not meet your specific needs or if you require more control over the logic, you can use the Clerk API to add and verify a domain and update the domain's enrollment mode. Here's an example of how you can do this: - -```tsx -const { organization, domains } = useOrganization() - -// create domain -const domain = await organization.createDomain('example.com') - -// prepare email verification -domain.prepareAffiliationVerification({ affiliationEmailAddress: 'foo@example.com' }) - -// attempt email verification -domain.attemptAffiliationVerification({ code: '123456' }) - -// update domain enrollment mode -domain.updateEnrollmentMode({ enrollmentMode: 'automatic_invitation' }) -``` diff --git a/docs/guides/secure/authorization-checks.mdx b/docs/guides/secure/authorization-checks.mdx index c1a16b01b7..69c212c64c 100644 --- a/docs/guides/secure/authorization-checks.mdx +++ b/docs/guides/secure/authorization-checks.mdx @@ -1,6 +1,6 @@ --- -title: Authorize users -description: Learn how to verify and validate user Roles and Permissions within Clerk to maintain secure access control. We provide a collection of utility functions and components that allow developers to perform authorization checks. +title: Authorization checks +description: Learn how to verify and validate user Roles and Permissions within Clerk to maintain secure access control. metadata: title: Verifying user permissions with Clerk --- @@ -10,7 +10,7 @@ It's best practice to always verify whether or not a user is **authorized** to a Clerk provides two main features that can be used to implement authorization checks: - [Organizations](/docs/guides/organizations/overview) - - Users can be assigned [Roles and Permissions](/docs/guides/organizations/roles-and-permissions#permissions) + - Users can be assigned [Roles and Permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) - Useful for Role-based and Permission-based access control - [Billing](/docs/guides/billing/overview) - Users can subscribe to Plans and Features @@ -21,8 +21,8 @@ You can use either options independently or combine them together depending on y There are a few methods to perform authorization checks: - The [`has()`](/docs/reference/backend/types/auth-object#has) helper **(recommended)**: returns `false` if the user is unauthorized. - - Benefits: it offers flexibility and control over the response; if a user is not authorized, you can choose how your app responds. - - Limitations: when checking for Permissions, it only checks for custom Permissions. To check for system Permissions, you have to verify the user's Role instead, which isn't as flexible. + - Benefits: it cna be used both client-side and server-side. It offers flexibility and control over the response; if a user is not authorized, you can choose how your app responds. + - Limitations: when checking for Permissions, it only checks for Custom Permissions. To check for System Permissions, you have to verify the user's Role instead, which isn't as flexible. - The [``](/docs/reference/components/control/protect) component: prevents content from rendering if the user is unauthorized. - Benefits: it can be used both client-side and server-side (in Server Components). - Limitations: this component only **visually hides** its children when the current user is not authorized. The contents of its children remain accessible via the browser's source code even if the user fails the authorization check. Do not use this component to hide sensitive information that should be completely inaccessible to unauthorized users. For truly sensitive data, it's recommended to use `has()` to perform authorization checks on the server before sending the data to the client. @@ -38,7 +38,7 @@ This guide will show you how to implement authorization checks in order to prote ## Important considerations - When doing authorization checks, it's recommended to use Permission-based over Role-based, and Feature-based over Plan-based authorization, as these approaches are more granular, flexible, and more secure. - - Note: Using `has()` **on the server-side** to check Permissions works only with **Custom Permissions**, as [System Permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check System Permissions, verify the user's Role instead. + - Note: Using `has()` **on the server-side** to check Permissions works only with **Custom Permissions**, as [System Permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check System Permissions, verify the user's Role instead. - Checking for a Role or Permission depends on the user having an [Active Organization](!active-organization). Without an Active Organization, the authorization checks will likely always evaluate to false by default. - If you would like to perform Role-based authorization checks **without** using Clerk's Organizations feature, see [the Role Based Access Control (RBAC) guide](/docs/guides/secure/basic-rbac). - If you have both Organizations and Billing enabled, a Permission check will only work if the Feature part of the Permission key (`org::`) **is a Feature included in the Organization's active Plan**. For example, say you want to check if an Organization member has the Custom Permission `org:teams:manage`, where `teams` is the Feature. Before performing the authorization check, you need to ensure that the user's Organization is subscribed to a Plan that has the `teams` Feature. If not, the authorization check will always return `false`, _even if the user has the Custom Permission_. diff --git a/docs/guides/secure/basic-rbac.mdx b/docs/guides/secure/basic-rbac.mdx index a404f0eead..f2036fb818 100644 --- a/docs/guides/secure/basic-rbac.mdx +++ b/docs/guides/secure/basic-rbac.mdx @@ -4,7 +4,7 @@ description: Learn how to leverage Clerk's publicMetadata to implement your own sdk: nextjs --- -To control which users can access certain parts of your app, you can use the [Roles](/docs/guides/organizations/roles-and-permissions#roles) feature. Although Clerk offers Roles as part of the [Organizations](/docs/guides/organizations/overview) feature set, not every app implements Organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's Organizations or Roles.** +To control which users can access certain parts of your app, you can use the [Roles](/docs/guides/organizations/control-access/roles-and-permissions#roles) feature. Although Clerk offers Roles as part of the [Organizations](/docs/guides/organizations/overview) feature set, not every app implements Organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's Organizations or Roles.** This guide assumes that you're using Next.js App Router, but the concepts can be adapted to Next.js Pages Router and Remix. diff --git a/docs/guides/secure/features.mdx b/docs/guides/secure/features.mdx index 5a86fc19fa..bb16ac76ec 100644 --- a/docs/guides/secure/features.mdx +++ b/docs/guides/secure/features.mdx @@ -7,7 +7,7 @@ Features are specific capabilities or functionalities in your application that y Features can be used in two ways: -- With Clerk's [Organizations](/docs/guides/organizations/overview) feature to create Custom Permissions. Custom Permissions are always tied to a Feature, and are formatted as `org::`. For example, you could create a Feature called **invoices** and then create a new Permission called **create invoices**. The Custom Permission's key would be `org:invoices:create`. Learn more about [Custom Permissions](/docs/guides/organizations/roles-and-permissions). +- With Clerk's [Organizations](/docs/guides/organizations/overview) feature to create Custom Permissions. Custom Permissions are always tied to a Feature, and are formatted as `org::`. For example, you could create a Feature called **invoices** and then create a new Permission called **create invoices**. The Custom Permission's key would be `org:invoices:create`. Learn more about [Custom Permissions](/docs/guides/organizations/control-access/roles-and-permissions). - With Clerk's Billing feature to create Features specific to a Subscription Plan. See the [Billing docs](/docs/guides/billing/overview) for more information. To manage your Features, navigate to the [**Features**](https://dashboard.clerk.com/~/features) page in the Clerk Dashboard. diff --git a/docs/guides/sessions/manual-jwt-verification.mdx b/docs/guides/sessions/manual-jwt-verification.mdx index f59451147f..c4c7edfcdc 100644 --- a/docs/guides/sessions/manual-jwt-verification.mdx +++ b/docs/guides/sessions/manual-jwt-verification.mdx @@ -43,7 +43,7 @@ The following example uses the `authenticateRequest()` method to verify the sess ### Optional: Check for a `sts` claim - If you are using Clerk's [Organizations](/docs/guides/organizations/overview) feature and [have not enabled Personal Accounts](/docs/guides/organizations/overview#allow-personal-accounts), users are _required to be part of an Organization before accessing your application_. If the user has completed registration, but is not yet part of an Organization, a valid session token will be created, but the token will contain a `sts` (status) claim set to `pending`. You may want to reject requests to your backend with pending statuses to ensure that users are not able to work around the Organization requirement. + If you are using Clerk's [Organizations](/docs/guides/organizations/overview) feature and [have not enabled Personal Accounts](/docs/guides/organizations/configure#allow-personal-accounts), users are _required to be part of an Organization before accessing your application_. If the user has completed registration, but is not yet part of an Organization, a valid session token will be created, but the token will contain a `sts` (status) claim set to `pending`. You may want to reject requests to your backend with pending statuses to ensure that users are not able to work around the Organization requirement. ### Finished diff --git a/docs/manifest.json b/docs/manifest.json index 6f4ed2b1f5..4f9e530f39 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -90,6 +90,14 @@ { "title": "Hybrid rendering", "href": "/docs/guides/development/hybrid-rendering" + }, + { + "title": "Get started with organizations", + "href": "/docs/guides/organizations/get-started" + }, + { + "title": "Get started with organizations", + "href": "/docs/guides/organizations/get-started-tu/quickstart" } ] ] @@ -661,27 +669,63 @@ "href": "/docs/guides/organizations/overview" }, { - "title": "Verified domains", - "href": "/docs/guides/organizations/verified-domains" + "title": "Get started with organizations 123", + "href": "/docs/guides/organizations/get-started-tu/quickstart" }, { - "title": "Roles and Permissions", - "href": "/docs/guides/organizations/roles-and-permissions" + "title": "Get started with organizations", + "href": "/docs/guides/organizations/get-started" }, { - "title": "Invitations", - "href": "/docs/guides/organizations/invitations" + "title": "Configure organizations", + "href": "/docs/guides/organizations/configure" }, { - "title": "Metadata", - "href": "/docs/guides/organizations/metadata" + "title": "Create and manage organizations", + "href": "/docs/guides/organizations/create-and-manage" }, { - "title": "Manage enterprise SSO connections", - "href": "/docs/guides/organizations/sso" + "title": "Add members to an organization", + "collapse": true, + "items": [ + [ + { + "title": "Invitations", + "href": "/docs/guides/organizations/add-members/invitations" + }, + { + "title": "Verified domains", + "href": "/docs/guides/organizations/add-members/verified-domains" + }, + { + "title": "Enterprise SSO", + "href": "/docs/guides/organizations/add-members/sso" + } + ] + ] + }, + { + "title": "Control access", + "collapse": true, + "items": [ + [ + { + "title": "Roles and permissions", + "href": "/docs/guides/organizations/control-access/roles-and-permissions" + }, + { + "title": "Check access", + "href": "/docs/guides/organizations/control-access/check-access" + } + ] + ] + }, + { + "title": "Set organization metadata", + "href": "/docs/guides/organizations/metadata" }, { - "title": "Use org slugs in URLs", + "title": "Use organization slugs in URLs", "href": "/docs/guides/organizations/org-slugs-in-urls" } ] diff --git a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx index 53910a1082..200b5bdb2b 100644 --- a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx +++ b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx @@ -53,7 +53,7 @@ function createOrganizationInvitationBulk( - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [Role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the Organization. --- diff --git a/docs/reference/backend/organization/create-organization-invitation.mdx b/docs/reference/backend/organization/create-organization-invitation.mdx index 0bd7a84d40..b316375670 100644 --- a/docs/reference/backend/organization/create-organization-invitation.mdx +++ b/docs/reference/backend/organization/create-organization-invitation.mdx @@ -41,7 +41,7 @@ function createOrganizationInvitation( - `role` - `string` - The [Role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the Organization. --- diff --git a/docs/reference/backend/organization/create-organization-membership.mdx b/docs/reference/backend/organization/create-organization-membership.mdx index fa09c0a151..c6f9a9bb72 100644 --- a/docs/reference/backend/organization/create-organization-membership.mdx +++ b/docs/reference/backend/organization/create-organization-membership.mdx @@ -34,7 +34,7 @@ function createOrganizationMembership( - `role` - `string` - The [Role](/docs/guides/organizations/roles-and-permissions) to assign the added user within the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the added user within the Organization. ## Example diff --git a/docs/reference/backend/organization/update-organization-membership.mdx b/docs/reference/backend/organization/update-organization-membership.mdx index 98b00e7dd9..e6274ef3d4 100644 --- a/docs/reference/backend/organization/update-organization-membership.mdx +++ b/docs/reference/backend/organization/update-organization-membership.mdx @@ -34,7 +34,7 @@ function updateOrganizationMembership( - `role` - `string` - The [Role](/docs/guides/organizations/roles-and-permissions) to assign the user. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the user. ## Example diff --git a/docs/reference/backend/types/auth-object.mdx b/docs/reference/backend/types/auth-object.mdx index fad74b24ee..a27eb5129e 100644 --- a/docs/reference/backend/types/auth-object.mdx +++ b/docs/reference/backend/types/auth-object.mdx @@ -135,14 +135,14 @@ function has(isAuthorizedParams: CheckAuthorizationParamsWithCustomPermissions): - `role` - `string` - The [Role](/docs/guides/organizations/roles-and-permissions) to check for. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. --- - `permission` - `string` - The [Permission](/docs/guides/organizations/roles-and-permissions) to check for. + The [Permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. --- diff --git a/docs/reference/components/control/protect.mdx b/docs/reference/components/control/protect.mdx index 1709e6736d..f56e330bb8 100644 --- a/docs/reference/components/control/protect.mdx +++ b/docs/reference/components/control/protect.mdx @@ -1130,14 +1130,14 @@ The following example uses ``'s `condition` prop to conditionally rende - `permission?` - `string` - Optional string corresponding to a [Permission](/docs/guides/organizations/roles-and-permissions) in the format `org::` + Optional string corresponding to a [Permission](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org::` --- - `role?` - `string` - Optional string corresponding to a [Role](/docs/guides/organizations/roles-and-permissions) in the format `org:` + Optional string corresponding to a [Role](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org:` --- diff --git a/docs/reference/components/organization/organization-list.mdx b/docs/reference/components/organization/organization-list.mdx index cf171d7db8..0418707f54 100644 --- a/docs/reference/components/organization/organization-list.mdx +++ b/docs/reference/components/organization/organization-list.mdx @@ -6,7 +6,7 @@ sdk: astro, chrome-extension, expo, nextjs, nuxt, react, react-router, remix, ta ![The \ component displays Organization-related memberships and automatic invitations and suggestions for the user.](/docs/images/ui-components/organization-list.png){{ style: { maxWidth: '460px' } }} -The `` component displays Organization-related memberships and automatic [invitations](/docs/guides/organizations/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/verified-domains#automatic-suggestions) for the user. +The `` component displays Organization-related memberships and automatic [invitations](/docs/guides/organizations/add-members/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/add-members/verified-domains#automatic-suggestions) for the user. ` component accepts the following properties, all of wh - `afterSelectPersonalUrl` - ((org: [Organization][org-ref]) => string) | string - The full URL or path to navigate to after selecting the [Personal Account](/docs/guides/organizations/overview#allow-personal-accounts). Defaults to `undefined`. + The full URL or path to navigate to after selecting the [Personal Account](/docs/guides/organizations/configure#allow-personal-accounts). Defaults to `undefined`. --- @@ -308,7 +308,7 @@ The `` component accepts the following properties, all of wh - `hidePersonal` - `boolean` - A boolean that controls whether `` will include the user's [Personal Account](/docs/guides/organizations/overview#allow-personal-accounts) in the Organization list. Setting this to `true` will hide the Personal Account option, and users will only be able to switch between Organizations. Defaults to `false`. + A boolean that controls whether `` will include the user's [Personal Account](/docs/guides/organizations/configure#allow-personal-accounts) in the Organization list. Setting this to `true` will hide the Personal Account option, and users will only be able to switch between Organizations. Defaults to `false`. --- diff --git a/docs/reference/components/organization/organization-profile.mdx b/docs/reference/components/organization/organization-profile.mdx index ebf5497458..06388ab4c9 100644 --- a/docs/reference/components/organization/organization-profile.mdx +++ b/docs/reference/components/organization/organization-profile.mdx @@ -10,7 +10,7 @@ The `` component allows users to manage their Organizatio This component's **General** tab displays the Organization's information and the **Leave organization** button. Admins will be able to see the **Update profile** button, **Verified domains** section, and **Delete organization** button. -The **Members** tab shows the Organization's members along with their join dates and Roles. Admins will have the ability to invite a member, change a member's Role, or remove them from the Organization. Admins will have tabs within the **Members** tab to view the Organization's [invitations](/docs/guides/organizations/overview#organization-invitations) and [requests](/docs/guides/organizations/verified-domains#membership-requests). +The **Members** tab shows the Organization's members along with their join dates and Roles. Admins will have the ability to invite a member, change a member's Role, or remove them from the Organization. Admins will have tabs within the **Members** tab to view the Organization's [invitations](/docs/guides/organizations/add-members/invitations) and [requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). The **Billing** tab displays the Plans and Features that are available to the Organization, as well as the user's billing information, such as their invoices and payment methods. diff --git a/docs/reference/components/organization/organization-switcher.mdx b/docs/reference/components/organization/organization-switcher.mdx index 7e38066a68..c3a6b69f4a 100644 --- a/docs/reference/components/organization/organization-switcher.mdx +++ b/docs/reference/components/organization/organization-switcher.mdx @@ -6,7 +6,7 @@ sdk: astro, chrome-extension, expo, nextjs, nuxt, react, react-router, remix, ta ![The \ component allows a user to switch between their account types - their Personal Account and their joined Organizations.](/docs/images/ui-components/organization-switcher.png){{ style: { maxWidth: '436px' } }} -The `` component allows a user to switch between their joined Organizations. If [Personal Accounts are enabled](/docs/guides/organizations/overview#allow-personal-accounts), users can also switch to their Personal Account. This component is useful for applications that have a multi-tenant architecture, where users can be part of multiple Organizations. It handles all Organization-related flows, including full Organization management for admins. Learn more about [Organizations](/docs/guides/organizations/overview). +The `` component allows a user to switch between their joined Organizations. If [Personal Accounts are enabled](/docs/guides/organizations/configure#allow-personal-accounts), users can also switch to their Personal Account. This component is useful for applications that have a multi-tenant architecture, where users can be part of multiple Organizations. It handles all Organization-related flows, including full Organization management for admins. Learn more about [Organizations](/docs/guides/organizations/overview). ` component accepts the following properties, all o - `hidePersonal` - `boolean` - A boolean that controls whether `` will include the user's [Personal Account](/docs/guides/organizations/overview#allow-personal-accounts) in the Organization list. Setting this to `true` will hide the Personal Account option, and users will only be able to switch between Organizations. Defaults to `false`. + A boolean that controls whether `` will include the user's [Personal Account](/docs/guides/organizations/configure#allow-personal-accounts) in the Organization list. Setting this to `true` will hide the Personal Account option, and users will only be able to switch between Organizations. Defaults to `false`. --- diff --git a/docs/reference/expo/use-sign-in-with-apple.mdx b/docs/reference/expo/use-sign-in-with-apple.mdx index dad1152847..2a138e952b 100644 --- a/docs/reference/expo/use-sign-in-with-apple.mdx +++ b/docs/reference/expo/use-sign-in-with-apple.mdx @@ -7,9 +7,9 @@ sdk: expo diff --git a/docs/reference/javascript/organization.mdx b/docs/reference/javascript/organization.mdx index 78c589def6..4eb1634862 100644 --- a/docs/reference/javascript/organization.mdx +++ b/docs/reference/javascript/organization.mdx @@ -6,7 +6,7 @@ sdk: js-frontend The `Organization` object holds information about an Organization, as well as methods for managing it. -To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application). +To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations). ## Properties @@ -227,7 +227,7 @@ function getDomains(params?: GetDomainsParams): Promise #### Example @@ -317,7 +317,7 @@ For an example on how to use `getMemberships()`, see the [custom flow on managin Retrieve the list of membership requests for the currently [Active Organization](!active-organization). Returns a [`ClerkPaginatedResponse`][pag-ref] of [`OrganizationMembershipRequest`][org-mem-ref]-request) objects. > [!WARNING] -> You must have [**Organizations**](/docs/guides/organizations/overview#enable-organizations-in-your-application), and [**Verified domains** and **Automatic suggestion**][verified-domains-ref] enabled in your app's settings in the Clerk Dashboard. +> You must have [**Organizations**](/docs/guides/organizations/configure#enable-organizations), and [**Verified domains** and **Automatic suggestion**][verified-domains-ref] enabled in your app's settings in the Clerk Dashboard. ```ts function getMembershipRequests( @@ -578,8 +578,8 @@ await organization.updateMember({ userId: 'user_123', role: 'org:admin' }) [org-mem-ref]: /docs/reference/javascript/types/organization-membership -[roles-perms-ref]: /docs/guides/organizations/roles-and-permissions +[roles-perms-ref]: /docs/guides/organizations/control-access/roles-and-permissions [pag-ref]: /docs/reference/javascript/types/clerk-paginated-response -[verified-domains-ref]: /docs/guides/organizations/verified-domains +[verified-domains-ref]: /docs/guides/organizations/add-members/verified-domains diff --git a/docs/reference/javascript/session.mdx b/docs/reference/javascript/session.mdx index dcf525ff37..b33bf487ed 100644 --- a/docs/reference/javascript/session.mdx +++ b/docs/reference/javascript/session.mdx @@ -224,11 +224,11 @@ type WithReverification = T & { type CheckAuthorizationParams = WithReverification< | { /** - * The [Role](https://clerk.com/docs/guides/organizations/roles-and-permissions) to check for. + * The [Role](https://clerk.com/docs/guides/organizations/control-access/roles-and-permissions) to check for. */ role: OrganizationCustomRoleKey /** - * The [Permission](https://clerk.com/docs/guides/organizations/roles-and-permissions) to check for. + * The [Permission](https://clerk.com/docs/guides/organizations/control-access/roles-and-permissions) to check for. */ permission?: never /** @@ -266,14 +266,14 @@ type CheckAuthorizationParams = WithReverification< - `role` - `string` - Accepts [Role](/docs/guides/organizations/roles-and-permissions#roles) key. + Accepts [Role](/docs/guides/organizations/control-access/roles-and-permissions#roles) key. --- - `permission` - `string` - Accepts [Permission](/docs/guides/organizations/roles-and-permissions#permissions) key. + Accepts [Permission](/docs/guides/organizations/control-access/roles-and-permissions#permissions) key. --- diff --git a/docs/reference/javascript/types/organization-custom-permission-key.mdx b/docs/reference/javascript/types/organization-custom-permission-key.mdx index f78dd81366..cb3bd4146c 100644 --- a/docs/reference/javascript/types/organization-custom-permission-key.mdx +++ b/docs/reference/javascript/types/organization-custom-permission-key.mdx @@ -6,4 +6,4 @@ sdk: js-frontend `OrganizationCustomPermissionKey` is a type that represents a user's Permission in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides [default System Permissions](/docs/guides/organizations/roles-and-permissions#system-permissions). However, you can create [Custom Permissions](/docs/guides/organizations/roles-and-permissions#custom-permissions) as well. +Clerk provides [default System Permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions). However, you can create [Custom Permissions](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions) as well. diff --git a/docs/reference/javascript/types/organization-domain.mdx b/docs/reference/javascript/types/organization-domain.mdx index 850a991be1..98bbcb4fd1 100644 --- a/docs/reference/javascript/types/organization-domain.mdx +++ b/docs/reference/javascript/types/organization-domain.mdx @@ -33,7 +33,7 @@ The `OrganizationDomain` object is the model around an Organization domain. - `enrollmentMode` - `'manual_invitation' | 'automatic_invitation' | 'automatic_suggestion'` - An [enrollment mode](/docs/guides/organizations/verified-domains#enrollment-mode) will change how new users join an Organization. + An [enrollment mode](/docs/guides/organizations/add-members/verified-domains#enrollment-mode) will change how new users join an Organization. --- diff --git a/docs/reference/javascript/types/organization-invitation.mdx b/docs/reference/javascript/types/organization-invitation.mdx index 5bfc4c4359..5a1666592a 100644 --- a/docs/reference/javascript/types/organization-invitation.mdx +++ b/docs/reference/javascript/types/organization-invitation.mdx @@ -40,7 +40,7 @@ The `OrganizationInvitation` object is the model around an Organization invitati - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [Role](/docs/guides/organizations/roles-and-permissions) of the current user in the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the Organization. --- @@ -81,7 +81,7 @@ The following example demonstrates how to revoke an Organization invitation. It It assumes: - you have followed the [quickstart](/docs/js-frontend/getting-started/quickstart) in order to add Clerk to your JavaScript application -- you have [enabled the Organizations feature in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application) +- you have [enabled the Organizations feature in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations) ```js {{ filename: 'main.js', mark: [22, 23] }} import { Clerk } from '@clerk/clerk-js' diff --git a/docs/reference/javascript/types/organization-membership.mdx b/docs/reference/javascript/types/organization-membership.mdx index 4e178a478a..b593bbf195 100644 --- a/docs/reference/javascript/types/organization-membership.mdx +++ b/docs/reference/javascript/types/organization-membership.mdx @@ -26,7 +26,7 @@ The `OrganizationMembership` object is the model around an Organization membersh - `role` - `string` - The [Role](/docs/guides/organizations/roles-and-permissions) of the current user in the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the Organization. --- @@ -81,5 +81,5 @@ function update(updateParams: UpdateOrganizationMembershipParams): Promise diff --git a/docs/reference/javascript/types/user-organization-invitation.mdx b/docs/reference/javascript/types/user-organization-invitation.mdx index 4b788b36e9..0aeaa307de 100644 --- a/docs/reference/javascript/types/user-organization-invitation.mdx +++ b/docs/reference/javascript/types/user-organization-invitation.mdx @@ -46,7 +46,7 @@ The `UserOrganizationInvitation` object is the model around a user's invitation - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [Role](/docs/guides/organizations/roles-and-permissions) of the current user in the Organization. + The [Role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the Organization. --- diff --git a/package-lock.json b/package-lock.json index 63272b275e..1415813afc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -48,7 +48,6 @@ "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz", "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==", "dev": true, - "peer": true, "dependencies": { "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.24" @@ -679,7 +678,6 @@ "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz", "integrity": "sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==", "dev": true, - "peer": true, "dependencies": { "@jridgewell/set-array": "^1.2.1", "@jridgewell/sourcemap-codec": "^1.4.10", @@ -694,7 +692,6 @@ "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==", "dev": true, - "peer": true, "engines": { "node": ">=6.0.0" } @@ -704,7 +701,6 @@ "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz", "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==", "dev": true, - "peer": true, "engines": { "node": ">=6.0.0" } @@ -720,7 +716,6 @@ "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz", "integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==", "dev": true, - "peer": true, "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" @@ -1560,6 +1555,7 @@ "integrity": "sha512-Z+r8y3XL9ZpI2EY52YYygAFmo2/oWfNSj4BCpAXE2McAexDk8VcnBMGC9Djn9gTKt4d2T/hhXqmPzo4hfIXtTg==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "undici-types": "~6.20.0" } @@ -1704,6 +1700,7 @@ "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.11.2.tgz", "integrity": "sha512-nc0Axzp/0FILLEVsm4fNwLCwMttvhEI263QtVPQcbpfZZ3ts0hLsZGOpE6czNlid7CJ9MlyH8reXkpsf3YUY4w==", "dev": true, + "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -1750,7 +1747,6 @@ "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.0.tgz", "integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==", "dev": true, - "peer": true, "dependencies": { "dequal": "^2.0.3" } @@ -1770,7 +1766,6 @@ "resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz", "integrity": "sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==", "dev": true, - "peer": true, "engines": { "node": ">= 0.4" } @@ -1969,7 +1964,6 @@ "resolved": "https://registry.npmjs.org/code-red/-/code-red-1.0.4.tgz", "integrity": "sha512-7qJWqItLA8/VPVlKJlFXU+NBlo/qyfs39aJcuMT/2ere32ZqvF5OSxgdM5xOfJJ7O429gg2HM47y8v9P+9wrNw==", "dev": true, - "peer": true, "dependencies": { "@jridgewell/sourcemap-codec": "^1.4.15", "@types/estree": "^1.0.1", @@ -2095,7 +2089,6 @@ "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-2.3.1.tgz", "integrity": "sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw==", "dev": true, - "peer": true, "dependencies": { "mdn-data": "2.0.30", "source-map-js": "^1.0.1" @@ -2528,7 +2521,6 @@ "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.2.tgz", "integrity": "sha512-v3rht/LgVcsdZa3O2Nqs+NMowLOxeOm7Ay9+/ARQ2F+qEoANRcqrjAZKGN0v8ymUetZGgkp26LTnGT7H0Qo9Pg==", "dev": true, - "peer": true, "dependencies": { "@types/estree": "*" } @@ -2590,8 +2582,7 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/locate-character/-/locate-character-3.0.0.tgz", "integrity": "sha512-SW13ws7BjaeJ6p7Q6CO2nchbYEc3X3J6WrmTTDto7yMPqVSZTUyY5Tjbid+Ab8gLnATtygYtiDIJGQRRn2ZOiA==", - "dev": true, - "peer": true + "dev": true }, "node_modules/lodash": { "version": "4.17.21", @@ -3075,8 +3066,7 @@ "version": "2.0.30", "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.0.30.tgz", "integrity": "sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==", - "dev": true, - "peer": true + "dev": true }, "node_modules/micromark": { "version": "4.0.0", @@ -4017,7 +4007,6 @@ "resolved": "https://registry.npmjs.org/periscopic/-/periscopic-3.1.0.tgz", "integrity": "sha512-vKiQ8RRtkl9P+r/+oefh25C3fhybptkHKCZSPlcXiJux2tJF55GnEj3BVn4A5gKfq9NWWXXrxkHBwVPUfH0opw==", "dev": true, - "peer": true, "dependencies": { "@types/estree": "^1.0.0", "estree-walker": "^3.0.0", @@ -4077,6 +4066,7 @@ "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz", "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==", "dev": true, + "peer": true, "bin": { "prettier": "bin/prettier.cjs" }, @@ -4645,6 +4635,7 @@ "integrity": "sha512-pOUl6Vo2LUq/bSa8S5q7b91cgNSjctn9ugq/+Mvow99qW6x/UZYwzxy/3NmqoT66eHYfCVvFvACC58UBPFf28g==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "esbuild": "~0.23.0", "get-tsconfig": "^4.7.5" @@ -5004,6 +4995,7 @@ "integrity": "sha512-7dPxoo+WsT/64rDcwoOjk76XHj+TqNTIvHKcuMQ1k4/SeHDaQt5GFAeLYzrimZrMpn/O6DtdI03WUjdxuPM0oQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "esbuild": "^0.25.0", "postcss": "^8.5.3", @@ -5696,6 +5688,7 @@ "integrity": "sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA==", "dev": true, "license": "ISC", + "peer": true, "bin": { "yaml": "bin.mjs" }, @@ -5736,6 +5729,7 @@ "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ==", "dev": true, "license": "MIT", + "peer": true, "funding": { "url": "https://github.com/sponsors/colinhacks" } diff --git a/public/images/orgs/relationship-diagram.jpg b/public/images/orgs/relationship-diagram.jpg new file mode 100644 index 0000000000..765be8017f Binary files /dev/null and b/public/images/orgs/relationship-diagram.jpg differ diff --git a/redirects/static/docs.json b/redirects/static/docs.json index ff3d90efae..6072e9b677 100644 --- a/redirects/static/docs.json +++ b/redirects/static/docs.json @@ -2361,17 +2361,17 @@ }, { "source": "/docs/organizations/creator-role", - "destination": "/docs/guides/organizations/roles-and-permissions#the-creator-role", + "destination": "/docs/guides/organizations/control-access/roles-and-permissions#the-creator-role", "permanent": true }, { "source": "/docs/organizations/default-role", - "destination": "/docs/guides/organizations/roles-and-permissions#the-default-role-for-members", + "destination": "/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members", "permanent": true }, { "source": "/docs/organizations/create-roles-permissions", - "destination": "/docs/guides/organizations/roles-and-permissions#custom-roles", + "destination": "/docs/guides/organizations/control-access/roles-and-permissions#custom-roles", "permanent": true }, { @@ -2741,12 +2741,12 @@ }, { "source": "/docs/organizations/invitations", - "destination": "/docs/guides/organizations/invitations", + "destination": "/docs/guides/organizations/add-members/invitations", "permanent": true }, { "source": "/docs/organizations/manage-sso", - "destination": "/docs/guides/organizations/sso", + "destination": "/docs/guides/organizations/add-members/sso", "permanent": true }, { @@ -2761,12 +2761,17 @@ }, { "source": "/docs/organizations/roles-permissions", - "destination": "/docs/guides/organizations/roles-and-permissions", + "destination": "/docs/guides/organizations/control-access/roles-and-permissions", "permanent": true }, { "source": "/docs/organizations/verified-domains", - "destination": "/docs/guides/organizations/verified-domains", + "destination": "/docs/guides/organizations/add-members/verified-domains", + "permanent": true + }, + { + "source": "/docs/guides/organizations/sso", + "destination": "/docs/guides/organizations/add-members/sso", "permanent": true }, {