
Manage organization

This section covers how developers manage their organizations via Logto Console or Logto Management API, not how organization admins self-serve managing their members within your app. To learn more about how to develop your organization experience, please check this guide.

Manage via Logto Console

Create an organization

Navigate to Console > Organizations and click the "Create organization" button.

Basic settings

You can configure the basic attributes of the organization like name, description, logo, custom data, etc.

Require MFA for organization members

You can require all members of an organization to enable MFA. This is a security measure to ensure that all members have an extra layer of protection when accessing the organization's resources.

To enable this feature, go to the organization details page and turn on the "Multi-factor authentication (MFA)" toggle switch.

Note: You'll need to enable at least one MFA method in order to make this feature work properly.

Once enabled, members without MFA configured will not be able to exchange organization tokens until they set up MFA. See Authorization for more details on when organization tokens are exchanged.

Please note that:

  • This feature only checks if the user has MFA configured. It does not force users to use MFA when exchanging access tokens.
  • This feature does not limit what MFA methods users can use.

Just-in-Time provisioning

Just-in-Time provisioning automatically adds users to an organization when they first sign in to the app. In Logto, this is supported for Enterprise SSO and email domain-based provisioning. When users meet specific criteria, like signing in through a specific enterprise IdP or using an email with a certain domain, they are automatically added to the organization.

You can also set default organization roles for members when they first join the organization.

For more details on Just-in-Time provisioning and how to set it up, refer to this section.

Manage organization members

Users can hold one or more roles. When adding members to an organization, you have the option to assign roles to multiple users at once. If you leave this assignment blank, the added users will not receive any roles.

In the Console > User management > User details page, you can see which organizations the user belongs to and what organization roles they have.

Manage organization M2M applications

Machine-to-machine applications can also be added to organizations. You can assign roles to machine-to-machine applications like you assign roles to users.

In the Console > Applications > Application details page, you can see which organizations the application associates with and what organization roles it has.

Manage via Logto Management API

Everything you can do in the Logto Console can also be done through the Management API. This includes, but is not limited to:

  1. Create, delete, or edit an organization.
  2. Manage organization template: create, delete, or edit organization permissions and roles.
  3. Add members to, or remove members from an organization.
  4. Assign or remove the user's organization roles.
  5. Add machine-to-machine applications to, or remove machine-to-machine applications from an organization.
  6. Assign or remove machine-to-machine application's organization roles.

You can also check out this section on using the Management API to enable more organization-level experiences and management.

For a complete list of capabilities, please refer to our API references.

Organization data structure

For each organization, Logto stores the following data:

Organization ID

The organization id is a unique identifier for each organization. It’s useful for implementing organization-level sign-in experiences and retrieving organization tokens.

Name

The name supports organization-level sign-in and can be integrated into organization-level product interfaces as needed.

Description

The description field allows you to add text to help identify and label the organization.

Organization logos

To dynamically show your client’s organization logo in the sign-in experience, you can upload the organization logos to the organization settings page.

See organization-specific logos for more details.

Custom data

Custom data is a JSON object used to store extra information about the organization. This can be used to store any additional information that is relevant to your application, such as organization-specific settings or metadata.

Is MFA required

isMfaRequired indicates whether Multi-Factor Authentication (MFA) is mandatory for the organization. If set to true, all members must complete MFA during sign-in to access the organization. This security policy setting is configured at the organization level.

See Manage organization for more details.

Created at

createdAt is the timestamp with the timezone when the organization was created.

Tenant ID

tenantId identifies the tenant that the organization belongs to.
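As an added example (not Logto's own code and not from this page), the following Python audit ties the organization fields listed above to the MFA requirement described under "Require MFA for organization members": for every organization with isMfaRequired set, it lists the members who have no MFA factor configured and so would be refused organization tokens until they enrol. The three Management API paths and the response shapes are assumptions to confirm against the API reference, and the sample responses are constructed so the audit runs offline.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Management API GET paths assumed for this example; confirm them against Logto's API reference.
ORGS_PATH = "/api/organizations"
ORG_USERS_PATH = "/api/organizations/{org_id}/users"
USER_MFA_PATH = "/api/users/{user_id}/mfa-verifications"
Fetch = Callable[[str], object]  # GET a path, return the decoded JSON body


def parse_organization(raw: dict) -> dict:
    # Validate the documented fields: customData must be a JSON object; createdAt is
    # normalised to an aware UTC datetime (epoch milliseconds or ISO 8601 with zone).
    custom = raw.get("customData") or {}
    if not isinstance(custom, dict):
        raise ValueError(f"organization {raw.get('id')}: customData must be a JSON object")
    created = raw["createdAt"]
    created = (datetime.fromtimestamp(created / 1000, tz=timezone.utc) if isinstance(created, (int, float))
               else datetime.fromisoformat(str(created).replace("Z", "+00:00")))
    return {"id": raw["id"], "name": raw["name"], "customData": custom,
            "isMfaRequired": bool(raw.get("isMfaRequired", False)),
            "createdAt": created, "tenantId": raw["tenantId"]}


def members_blocked_by_mfa(fetch: Fetch) -> Dict[str, List[str]]:
    # For each organization with isMfaRequired, list members with no MFA factor configured.
    # Only the presence of a factor is checked, not which method or whether it is used at exchange time.
    blocked: Dict[str, List[str]] = {}
    for raw in fetch(ORGS_PATH):
        org = parse_organization(raw)
        if not org["isMfaRequired"]:
            continue
        for member in fetch(ORG_USERS_PATH.format(org_id=org["id"])):
            if not fetch(USER_MFA_PATH.format(user_id=member["id"])):
                blocked.setdefault(org["id"], []).append(member["id"])
    return blocked


# Constructed sample responses so the audit runs offline; replace with an authenticated HTTP GET.
SAMPLE_RESPONSES = {
    ORGS_PATH: [
        {"id": "org_a", "name": "Acme", "isMfaRequired": True, "createdAt": 1700000000000,
         "tenantId": "tenant_x", "customData": {"plan": "enterprise"}},
        {"id": "org_b", "name": "Beta", "isMfaRequired": False,
         "createdAt": "2024-01-02T03:04:05Z", "tenantId": "tenant_x"},
    ],
    ORG_USERS_PATH.format(org_id="org_a"): [{"id": "user_1"}, {"id": "user_2"}],
    USER_MFA_PATH.format(user_id="user_1"): [{"type": "Totp"}],
    USER_MFA_PATH.format(user_id="user_2"): [],
}


def audit_sample() -> Dict[str, List[str]]:
    return members_blocked_by_mfa(SAMPLE_RESPONSES.__getitem__)
```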