> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.
> Learn to define organization behavior within applications for Auth0's Organizations feature.
# Define Organization Behavior
export const AuthCodeGroup = ({children, dropdown}) => {
const [processedChildren, setProcessedChildren] = useState(children);
useEffect(() => {
let unsubscribe = null;
function init() {
unsubscribe = window.autorun(() => {
const processChildren = node => {
if (typeof node === "string") {
let processedNode = node;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value);
}
return processedNode;
} else if (Array.isArray(node)) {
return node.map(processChildren);
} else if (node && node.props && node.props.children) {
return {
...node,
props: {
...node.props,
children: processChildren(node.props.children)
}
};
}
return node;
};
setProcessedChildren(processChildren(children));
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
return {processedChildren};
};
export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
const [displayText, setDisplayText] = useState(children);
const [copyText, setCopyText] = useState(children);
const wrapperRef = React.useRef(null);
useEffect(() => {
let unsubscribe = null;
function init() {
if (!window.autorun || !window.rootStore) {
return;
}
unsubscribe = window.autorun(() => {
let processedChildrenForDisplay = children;
let processedChildrenForCopy = children;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
let displayValue = value;
if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
displayValue = value.substring(0, 3) + "*****MASKED*****";
}
processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
}
setDisplayText(processedChildrenForDisplay);
setCopyText(processedChildrenForCopy);
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
useEffect(() => {
if (!wrapperRef.current) return;
const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
let isOverriding = false;
const handleClick = e => {
const button = e.target.closest('[data-testid="copy-code-button"]');
if (!button || !wrapperRef.current.contains(button)) return;
isOverriding = true;
navigator.clipboard.writeText = text => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
return originalWriteText(copyText);
}
return originalWriteText(text);
};
setTimeout(() => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
}
}, 100);
};
const wrapper = wrapperRef.current;
wrapper.addEventListener('click', handleClick, true);
return () => {
wrapper.removeEventListener('click', handleClick, true);
if (navigator.clipboard.writeText !== originalWriteText) {
navigator.clipboard.writeText = originalWriteText;
}
};
}, [copyText]);
return
{displayText}
;
};
When representing your application in Auth0, you can specify what types of users the application should support. Some applications support individuals logging in with personal accounts, while others are intended for use by members of [organizations](/docs/manage-users/organizations/organizations-overview). Some should support both. This is known as organization behavior and can be set for each application that you connect to Auth0.
For example, your application could have:
* A generic marketing landing page that has a **Log in** button that takes your users to the Auth0 login flow without an Organization.
* A separate URL for each of your B2B customers (e.g., Acme users go to `acme.yourcompany.com`) that redirects users to Auth0 with an Organization, so that your users see Acme’s SSO Login button.
You can define Organization behavior to allow either of these scenarios. Additionally, you can configure Organization behavior such that if your application requires that an Organization be provided but your user accidentally is sent to Auth0 without an organization, they would see a prompt that would allow them to enter the name of their organization.
You can define organization behavior using either the Auth0 Dashboard or the Management API.
## Auth0 Dashboard
To define organization behavior via the Auth0 Dashboard:
1. Navigate to [Auth0 Dashboard > Applications](https://manage.auth0.com/#/applications), and select the application for which you want to configure organizations.
2. Switch to the Login Experience view and configure the appropriate settings:
| Field | Description | API Mapping |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Type of Users** | Determines which category of users can log in to your application.
Options include: - **Individuals**: Users can sign up with a personal account and log directly in to your application. Individual users cannot log in using an Organization.
- **Business Users**: Users must be a member of an Organization in order to log in. When selected, you must either provide an Organization when you redirect users to the `/authorize` endpoint or set your Login Flow to Prompt for Organization.
- **Both**: Users can log in as an Organization member or sign up with a personal account.
| **Type of Users** maps to `organization_usage`
Options: - **Individuals** maps to `deny`
- **Business Users** maps to `require`
- **Both** maps to `allow`
|
| **Login Flow** | Determines the initial login prompt presented to users when they access your application. You can only configure this field if Type of Users is set to Businsess Users or Both.
Options include: - **Prompt for Credentials**: Users are first asked to provide their login credentials. After logging in, users can select their Organization.
- **Prompt for Organization**: Users are first asked to select their Organization. Then, they can provide their credentials to log in.
- **No Prompt**: Auth0 does not dictate which login prompt is given to users. Instead, your application is responsible for sending the required parameters to Auth0 to display the appropriate prompt.
| **Login Flow** maps to `organization_require_behavior`
Options: - **Prompt for Credentials** maps to `post_login_prompt`
- **Prompt for Organization** maps to `pre_login_prompt`
- **No Prompt** maps to `no_prompt`
|
| **Organization Discovery** | Defines the method used to identify the user’s organization before authentication. Only available with Prompt for Organization Login Flow.
Options include: - **Prompt for Organization Email**: Users are first asked to provide their email address associated with their Organization.
- **Prompt for Organization Name**: Users are first asked to provide the name of their Organization.
- **Prompt for Organization Email and Name**: Users are first asked to provide the name of their Organization or email associated with their Organization.
| - **Prompt for Emails**: maps to `email`.
- **Prompt for Organization**: maps to `organization_name`.
- **Prompt for Organization Email and Name**: maps to `email` and `organization_name`.
|
3. Select **Save changes**.
## Management API
Make a `PATCH` call to the [Update a Client endpoint](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id). Be sure to replace `client_id`, `mgmt_api_access_token`, `organization_usage`, and `organization_require_behavior` placeholder values with your client ID, Management API Access Token, organization use option, and organization behavior option, respectively.
```bash cURL theme={null}
curl --request PATCH \
--url 'https://{yourDomain}/api/v2/clients/CLIENT_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }'
```
```csharp C# theme={null}
var client = new RestClient("https://{yourDomain}/api/v2/clients/CLIENT_ID");
var request = new RestRequest(Method.PATCH);
request.AddHeader("content-type", "application/json");
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
request.AddHeader("cache-control", "no-cache");
request.AddParameter("application/json", "{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```
```go Go theme={null}
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/clients/CLIENT_ID"
payload := strings.NewReader("{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }")
req, _ := http.NewRequest("PATCH", url, payload)
req.Header.Add("content-type", "application/json")
req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
req.Header.Add("cache-control", "no-cache")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
```
```java Java theme={null}
HttpResponse response = Unirest.patch("https://{yourDomain}/api/v2/clients/CLIENT_ID")
.header("content-type", "application/json")
.header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
.header("cache-control", "no-cache")
.body("{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }")
.asString();
```
```javascript Node.JS theme={null}
var axios = require("axios").default;
var options = {
method: 'PATCH',
url: 'https://{yourDomain}/api/v2/clients/CLIENT_ID',
headers: {
'content-type': 'application/json',
authorization: 'Bearer MGMT_API_ACCESS_TOKEN',
'cache-control': 'no-cache'
},
data: {
organization_usage: 'ORG_USAGE',
organization_require_behavior: 'ORG_REQUIRE_BEHAVIOR'
}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});
```
```php PHP theme={null}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/clients/CLIENT_ID",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "PATCH",
CURLOPT_POSTFIELDS => "{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }",
CURLOPT_HTTPHEADER => [
"authorization: Bearer MGMT_API_ACCESS_TOKEN",
"cache-control: no-cache",
"content-type: application/json"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
```
```python Python theme={null}
import http.client
conn = http.client.HTTPSConnection("")
payload = "{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }"
headers = {
'content-type': "application/json",
'authorization': "Bearer MGMT_API_ACCESS_TOKEN",
'cache-control': "no-cache"
}
conn.request("PATCH", "/{yourDomain}/api/v2/clients/CLIENT_ID", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```ruby Ruby theme={null}
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/clients/CLIENT_ID")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Patch.new(url)
request["content-type"] = 'application/json'
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
request["cache-control"] = 'no-cache'
request.body = "{ "organization_usage": "ORG_USAGE", "organization_require_behavior": "ORG_REQUIRE_BEHAVIOR" }"
response = http.request(request)
puts response.read_body
```
| Value | Description |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `CLIENT_ID` | ID of the application for which you want to add organization behavior. |
| `MGMT_API_ACCESS_TOKEN` | [Access Tokens for the Management API](/docs/secure/tokens/access-tokens/management-api-access-tokens) with the scope `update:clients`. |
| `ORGANIZATION_USAGE` | Dictates whether your application can support users logging into an organization. Options include: - `deny`: (Default) Users cannot log in using an organization.
- `allow`: Users can log in with or without an Organization. When selected, you must provide an organization when you redirect users to the `/authorize` endpoint.
- `require`: Users must log in using an organization. When selected, you must either provide an organization when you redirect users to the `/authorize` endpoint or set `organization_require_behavior` to `pre_login_prompt` to allow users to choose an organization before they log in.
|
| `ORGANIZATION_REQUIRE_BEHAVIOR` | Determines the Login Flow presented to users accessing your application. Only applicable when `organization_usage` is set to `require` or `allow`.
Options include: - `no_prompt`: (Default) Display no prompt. Requests without a valid organization parameter are rejected.
- `pre_login_prompt`: Prompt users to select an Organization before they can log in. You can only use this option if `organization_usage` is set to `require`.
- `post_login_prompt`: Prompt users to log in with their credentials. After they log in, prompt users to select their Organization.
|
| `ORGANIZATION_DISCOVERY_METHODS` | Determines the method to identify a user’s organization before authentication. Only applicable when `organization_require_behavior` is `pre_login_prompt` and `organization_usage` is set to require or allow. - `email`: (Default) Users are prompted to enter their email address associated with their Organization.
- `organization_name`: Users are prompted to enter the name associated with their Organization.
- `Organization name` and `email`: Users are prompted for the email address or name associated with their Organization.
|
### Response status codes
Possible response status codes are as follows:
| Status code | Error code | Message | Cause |
| ----------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `200` | | Client successfully updated. | |
| `400` | `invalid_uri` | Invalid request URI. The message will vary depending on the cause. | The path is not valid. |
| `400` | `invalid_body` | Invalid request body. The message will vary depending on the cause. | The request payload is not valid. |
| `401` | | Invalid token. | |
| `401` | | Client is not global. | |
| `401` | | Invalid signature received for JSON Web Token validation. | |
| `403` | `insufficient_scope` | Insufficient scope; expected any of: `update:clients`. | Tried to read/write a field that is not allowed with provided bearer token scopes. |
| `403` | `insufficient_scope` | Some fields cannot be updated with the permissions granted by the bearer token scopes. The message will vary depending on the fields and the scopes. | Tried to read/write a field that is not allowed with provided bearer token scopes. |
| `403` | `operation_not_supported` | The account is not allowed to perform this operation. | The account is not allowed to perform this operation. |
| `404` | `inexistent_client` | Client not found. | Inexistent resource. Specified application does not exist. |
| `429` | | Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers. | |