Restrict API to a Specific Organization

gabriela.pantea · July 16, 2024, 6:16pm

Overview

Some customers may want to restrict an API in Auth0 to a specific Organization. One possible use case is an internal API that should only be accessible to an organization that contains the customers’ backend developers.

Applies To

API Calls
Multiple Organizations
Specific Organization

Solution

The following ‘post-login’ action will restrict an API to be accessible only for the users within the specified organization:

exports.onExecutePostLogin = async (event, api) => {

  const organization_id = event?.organization?.id;
  const audience        = event?.resource_server?.identifier;
  const restricted_org  = ''; // FILL IN ORGANIZATION TO RESTRICT API TO
  const restricted_api  = ''; // FILL IN API TO RESTRICT

  if (audience === restricted_api) { 
    console.log(event.organization);
    if ( !(organization_id === restricted_org) ) {
      return api.access.deny("This API can only be accessed by users in organization id: " + organization_id);
    }
  }
}

Related References

Actions Triggers: post-login - Event Object

Topic		Replies	Views
Allowing Specific Client and Audience to Access API Knowledge Articles api , client , audience	1	153	June 4, 2024
Per-Organization APIs Help identifier-first , login-experience	5	915	August 4, 2023
Define which organizations can access app Help organizations	5	1966	April 28, 2022
Prevent Users from Joining Multiple Organizations Help user-management , user-search	2	1047	April 28, 2023
Organization Permissions on access token JWT.io jwt , auth0 , login , organizations	4	2714	August 24, 2021

Restrict API to a Specific Organization

Overview

Applies To

Solution

Related References

Related topics