Add Roles to Organization Members

Each organization member can be assigned one or more roles, which are applied when users log in through the organization. To learn more about roles and their behavior, read Role-based Access Control.

You can add roles to members in organizations using either the Auth0 Dashboard or the Management API.

To enable a role for an organization member, you must have already created the role in your tenant.

Auth0 Dashboard

To add roles to an organization member via the Auth0 Dashboard:

  1. Navigate to Auth0 Dashboard > Organizations, and select the organization for which you want to configure membership.

  2. Select the Members view, and select the name of the member to which you would like to add a role.

  3. Select Assign role.

  4. Enter the role name(s) you would like to assign to the member, and select Add role(s) to organization.

Management API

To add roles to an organization member via the Management API: Make a POST call to the Create Organization Member Roles endpoint. Be sure to replace ORG_ID, MGMT_API_ACCESS_TOKEN, USER_ID, and ROLE_ID placeholder values with your organization ID, Management API Access Token, user ID, and role ID, respectively.


curl --request POST \
  --url https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{ "roles": [ "ROLE_ID", "ROLE_ID", "ROLE_ID" ] }'
var client = new RestClient("https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
request.AddHeader("cache-control", "no-cache");
request.AddParameter("application/json", "{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles"

	payload := strings.NewReader("{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/json")
	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
	req.Header.Add("cache-control", "no-cache")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles")
  .header("content-type", "application/json")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
  .header("cache-control", "no-cache")
  .body("{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }")
  .asString();
var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles',
  headers: {
    'content-type': 'application/json',
    authorization: 'Bearer MGMT_API_ACCESS_TOKEN',
    'cache-control': 'no-cache'
  },
  data: {roles: ['ROLE_ID', 'ROLE_ID', 'ROLE_ID']}
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json",
                           @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN",
                           @"cache-control": @"no-cache" };
NSDictionary *parameters = @{ @"roles": @[ @"ROLE_ID", @"ROLE_ID", @"ROLE_ID" ] };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }",
  CURLOPT_HTTPHEADER => [
    "authorization: Bearer MGMT_API_ACCESS_TOKEN",
    "cache-control: no-cache",
    "content-type: application/json"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
import http.client

conn = http.client.HTTPSConnection("your_auth0_domain")

payload = "{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }"

headers = {
    'content-type': "application/json",
    'authorization': "Bearer MGMT_API_ACCESS_TOKEN",
    'cache-control': "no-cache"
    }

conn.request("POST", "/api/v2/organizations/ORG_ID/members/USER_ID/roles", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
request["cache-control"] = 'no-cache'
request.body = "{ \"roles\": [ \"ROLE_ID\", \"ROLE_ID\", \"ROLE_ID\" ] }"

response = http.request(request)
puts response.read_body
import Foundation

let headers = [
  "content-type": "application/json",
  "authorization": "Bearer MGMT_API_ACCESS_TOKEN",
  "cache-control": "no-cache"
]
let parameters = ["roles": ["ROLE_ID", "ROLE_ID", "ROLE_ID"]] as [String : Any]

let postData = JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://your_auth0_domain/api/v2/organizations/ORG_ID/members/USER_ID/roles")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()

Find Your Auth0 Domain

If your Auth0 domain is your tenant name, your regional subdomain (unless your tenant is in the US region and was created before June 2020), plus .auth0.com. For example, if your tenant name were travel0, your Auth0 domain name would be travel0.us.auth0.com. (If your tenant were in the US and created before June 2020, then your domain name would be https://travel0.auth0.com.)

If you are using custom domains, this should be your custom domain name.

Value Description
ORG_ID ID of the organization for which you want to add roles to a member.
MGMT_API_ACCESS_TOKEN Access Token for the Management API with the scope create:organization_member_roles.
USER_ID ID of the user to which you want to add the specified role(s).
ROLE_ID ID of the role you want to add to the specified user for the specified organization. Maximum of 100 roles per user.

Response status codes

Possible response status codes are as follows:

Status code Error code Message Cause
204 Roles successfully associated with user.
400 invalid_body Invalid request body. The message will vary depending on the cause. The request payload is not valid.
400 invalid_query_string Invalid request query string. The message will vary depending on the cause. The query string is not valid.
401 Invalid token.
401 Invalid signature received for JSON Web Token validation.
401 Client is not global.
403 insufficient_scope Insufficient scope; expected any of: create:organization_member_roles. Tried to read/write a field that is not allowed with provided bearer token scopes.
429 Too many requests. Check the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers.