Skip to main content
My Organization API and Embeddable UI Components is currently available in Early Access for all customers. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages.Customers are responsible for ensuring that its use of the My Organization API and Embeddable UI Components comply with its security policies and applicable laws, including any permissions granted to its end users.
The Auth0 My Organization API provides a secure, Organization-scoped interface that allows your business customers to manage their own Organizations within your Auth0 tenant. This API serves as the technical backbone for embedded delegated administration and API-first integrations.

Core Capabilities

Currently, the API supports management of the following:
The My Organization API allows deep technical control over your integration. For the fastest deployment, we strongly recommend you start with the Embeddable UI components, SDKs, and sample applications. The Embeddable UI components and sample applications significantly reduce the time and effort to deliver a self-service experience to your customers and end users.

Set up My Organization API

Activate the My Organization API in Auth0 Dashboard

  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Locate the My Organization API banner.
  3. Select Activate.
    Auth0 Dashboard>Authentication>APIs
  4. The API appears in your Applications > API list as My Organization API.
Once you activate the My Organization API:
  • Auth0 disables the API for all client applications by default.
  • You must grant access to applications and roles using client grants or RBAC policies.
  • Your business customers can retrieve Organization details or configure IdPs on behalf of their own Organizations.

Default settings

Auth0 domain vs custom domain The My Organization API supports using your canonical Auth0 domain or your custom domain, but you must use the same one throughout the entire process, which includes the following:
  • Request an access token
  • Set the audience or aud value
  • Call the My Organization API endpoint
To learn more about using custom domains in Auth0, read Custom Domains. Access policies By default, the My Organization API activates with the following application API access policies:
  • require_client_grant for user flows
  • deny-all for machine-to-machine flows
For an application to access the My Organization API on the user’s behalf, create a client grant for that application to define the maximum scopes the application can request. Alternatively, you can allow any application in your tenant to request any scope by changing the user access flows to allow_all.
Auth0 does not recommend using allow_all for user access flows because the My Organization API exposes sensitive information and operations. You should follow the principle of least privilege to ensure applications get access to what they truly need, minimizing potential security risks.
The final permissions granted to the application will be determined by the intersection of the scopes allowed by the application API access policy, the Role-Based Access Control (RBAC) permissions assigned to the end user, and any user consent given (if applicable). To learn more about how to manage application API access policies and their associated client grants, read Application Access to APIs: Client Grants. Token lifetimes The My Organization API issues access tokens with a fixed lifetime of 600 seconds (10 minutes). This short duration is a deliberate security measure designed to protect your tenant and its resources.
The My Organization API will always remain opt-in for security reasons. Disabling the API removes access for all connected applications until re-enabled.

Configure client application attributes

Create an application in Auth0 to use with the My Organization API. Once created, navigate to Auth0 Dashboard > Applications > APIs and authorize the My Organization API, including the scopes you want the application to perform. Your application must provide the my_organization_configuration object or the My Organization API gives an error and rejects the request. You can use the following properties with the my_organization_configuration object:

Configure client application attributes

To configure the My Organization API’s required attributes:
  1. Navigate to Dashboard > Applications > APIs and select My Organization API.
  2. Select the Application Access tab.
  3. Choose the application you want to configure and select Edit.
  4. Configure the following Settings:
    A. Optional. Configure the Connection Profile.
    1. Select an existing Connection Profile or create a new one. For a new Connection Profile:
      a. Add a name.
      b. Review mappings to ensure the connection attributes reflect the desired settings for new connections.
    B. Optional. Configure the User Attribute Profile.
    1. Add a name.
    2. Review mappings to ensure the profile attributes map to your preferred Auth0 attributes.
    C. Configure the Supported Identity Providers.
    1. Enable one or more identity providers. Customer administrators can select their preferred option from the list of enabled providers.
    D. Configure the Connection Deletion Behavior to Allow or Allow if Empty.
    1. Allow: Given the user has the correct scope, a user can delete the connection which results in all Users originating from the connection being deleted.
    2. Allow if Empty: Given the user has the correct scope, a user can only delete the connection if there are no Users in the connection. If users are present, the My Organization API will return an error and won’t proceed with the deletion.
    E. Configure the User Access Authorization to Unauthorized, Authorized, or All.
    1. Unauthorized. No permission allowed.
    2. Authorized. Select desired permissions.
    3. All. Includes all existing and future permissions.
    F. Configure the Client Credential Access Authorization to Unauthorized, Authorized, or All.
    1. Unauthorized. No permission allowed.
    2. Authorized. Select desired permissions.
    3. All. Includes all existing and future permissions.
  5. Select Save.

Generate an Access Token

The My Organization API can only be called with a user-bound access token obtained through one of the supported OAuth 2.0 flows.
If you’re going to allow the My Organization API to perform sensitive operations, we strongly recommend that you use step-up authentication to enforce additional security policies through multi-factor authentication (MFA).

Example with Authorization Code Flow

Use Authorization Code Flow for confidential Web Applications with a .
Sample Response

Example with Authorization Code Flow with PKCE

Use Authorization Code Flow with Proof Key for Code Exchange (PKCE) or public applications without a Client Secret, Single-Page Applications, Mobile or Native Applications, and CLI Tools.

Audience

The audience and base URL of the My Organization API is https://{yourDomain}/my-org/. Tokens must include the audience https://YOUR_DOMAIN/my-org/. Tokens from other APIs (like /me or /api/v2/) won’t work.

Scopes

Endpoint reference

The My Organization API supports endpoints for configuration, Organization details, identity providers, domains, provisioning configurations, and SCIM Tokens. For a complete reference guide on the endpoints, including the schemas, error codes, etc., refer to our API Explorer.

SDK reference

The API is available in an SDK format for Typescript, Java, .NET, Go, and Python. For details on each SDK implementation and for examples on how to leverage the SDK, refer to our SDK documentation.

User profiles

The My Organization API utilizes Connection Profiles and User Attribute Profiles to define the structure, restrictions, and rules for configurations created by third-party customers.

Connection Profile (CP)

The Connection Profile enables Auth0 developers to specify how the private settings of an Auth0 connection should be configured when created by third parties. For more information on how the Connection Profile works, its attribute mappings and overrides, examples, and how to configure one, read Connection Profiles.

User Attribute Profile (UAP)

The User Attribute Profile (UAP) provides a consistent way to define, manage, and map user attributes across protocols such as SCIM, SAML, and OIDC. For more information on how the UAP works, its attribute mappings and overrides, examples, and how to configure one, read User Attribute Profiles.

Rate limits

Rate limits are enforced based on your service tier:

Per-Organization rate limits

In addition to the service tier rate limits, the My Organization API also enforces per-Organization rate limits. These limits are designed to ensure fair resource allocation and prevent any single Organization from impacting the overall performance of your tenant. By enforcing these boundaries, we mitigate the ‘noisy neighbor’ effect, ensuring that a sudden surge in activity from one Organization does not consume shared resources or impact another within the same environment. Each Organization is allocated a specific number of requests per second (RPS) for both read and write operations.

Cross-Origin requests

If you intend to call the My Organization API directly from a browser-based application (like a Single Page Application) running on a different domain than your Auth0 tenant, you will encounter browser security policies known as Cross-Origin Resource Sharing (CORS). By default, browsers block these cross-origin requests. To allow your application to successfully make requests to the API, you must add your application’s domain (its “origin”) to your client’s configuration:
  1. Navigate to Auth0 Dashboard > Applications. Select the application to view.
  2. Under Cross-Origin Authentication, toggle on Allow Cross-Origin Authentication.
  3. Locate Allowed Origins (CORS), and enter your application’s origin URL.
  4. Select Save.
If you do not need to use CORS for your application, ensure that Allow Cross-Origin Authentication is toggled off. Adding your application’s URL to this list tells Auth0 to trust requests from that origin, allowing your client-side application to access the API.

Log events

To facilitate granular auditing and monitoring, the My Organization API generates a specific set of log events unique to the API. While your tenant will continue to emit standard system logs, the table below represents the comprehensive list of event types triggered specifically by My Organization API activity. These event codes allow you to track activities across all resources managed by the API, specifically: configuration, Organization details, IdPs, and domains. If you want to learn more about log event schemas, you can reference our GitHub repository.

Organization connection ownership

The API introduces an ownership model to distinguish between connections managed by the Tenant Admin and those self-managed by the Organization. This is controlled by the organization_access_level property. Key Property: organization_access_level Management API Endpoints for Connections: When you call the /connections endpoints, use the same scopes as you would for the /enabled_connections endpoints:
  • create:organization_connections
  • read:organization_connections
  • delete:organization_connections
  • update:organization_connections
Review the additional schema attributes: Notes:
  • These endpoints accept an optional query parameter of is_enabled=true/false and if present only show the connections that have the specified is_enabled value.
  • organization_access_level can only be changed via the Management API.
  • If the name attribute is not set, it must be populated via the Management API before changing organization_access_level from none to any other value.

Auth0 Universal Components

We strongly encourage starting with our embeddable UI components, Auth0 Universal Components, in favor of using an API-first integration. These resources should significantly reduce your development time and quickly deliver a self-service experience to your customers.