Skip to main content

Create organization

Imagine you are building a multi-tenant app (e.g., multi-tenant SaaS app) that servers numerous customers, and each customer owns a dedicated tenant. When a new customer arrives, they create a new account, as well as a new tenant for their own business.

Just like how you registered your Logto Cloud account and have your own Logto tenant. You can implement the very same architecture in your app as well, using Logto's "organization" feature.

Create your organizations

There are two ways to create organizations for your app.

Create via Logto Console

Manually create your organizations through Logto Console UI. Go to Console > Organizations to create organization, assign members and roles, and customize organization sign-in experience UI.

Create an "organization template" if you want to batch create similar organizations that share the same role and permission settings.

Create via Logto Management API

Clicking buttons on the Console UI works great, but we really want to have the end-users self-serve and create organizations, manage the organizations themselves In YOUR App. Thus, you’ll have to implement these features in your app, with the help of Logto Management API.

note

If you are not familiar with Logto Management API, please make sure you read these docs first.

Management APIInteract with Management API

Assuming you have already connected your API backend server to Logto Management API endpoint through the Machine-to-Machine (M2M) mechanism, and acquired the M2M access token.

Create an organization with Management API (API references):

curl \
 -X POST https://[tenant_id].logto.app/api/organizations \
 -H "Authorization: Bearer $M2M_ACCESS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"tenantId":"string","name":"string","description":"string","customData":{},"isMfaRequired":false,"branding":{"logoUrl":"string","darkLogoUrl":"string","favicon":"string","darkFavicon":"string"},"createdAt":1234567890}'

Response example (201)

{
  "tenantId": "string",
  "id": "string",
  "name": "string",
  "description": "string",
  "customData": {},
  "isMfaRequired": false,
  "branding": {
    "logoUrl": "string",
    "darkLogoUrl": "string",
    "favicon": "string",
    "darkFavicon": "string"
  },
  "createdAt": 1234567890
}

Next, you can implement your own API for your app. So when your users perform the "create organization" action in your app, you can validate the request by checking their permissions, and then call Logto Management API to do the rest of the job.

Validating organization token in user request

In your app, when users perform actions in the context of an organization, they need to use the organization token instead of the regular access token. The organization token is a special kind of JWT token that contains organization permissions. And just like any JWT access tokens, you can decode the token claims and verify the "scope" claim for permission check.

Check these documentations for more details:

Verify organization tokens

 Protect your API