Entity Auth

Organizations

Create orgs, add members, and switch context

Organizations provide multi‑tenant scoping. The SDKs expose thin wrappers over the API routes.

Org context

Most API calls operate within the active organization (session tid). Ensure the user has switched to the intended org before making org‑scoped calls.

Create (generic entities)

import { SDK } from '@entityauth/auth-client';

const me = await SDK.me();
await SDK.createEntity({
  workspaceTenantId: me.workspaceTenantId!,
  kind: 'org',
  properties: { name: 'Acme', slug: 'acme', ownerId: me.id },
});
let config = EntityAuthConfig(
    environment: .production,
    workspaceTenantId: "your-tenant-id",
    clientIdentifier: "ios-app"
)
let auth = EntityAuthFacade(config: config)
// Uses generic /api/entities under the hood
try await auth.createOrganization(name: "Acme", slug: "acme", ownerId: userId)

Add member (generic relations)

import { SDK } from '@entityauth/auth-client';

const me = await SDK.me();
await SDK.linkRelation({
  workspaceTenantId: me.workspaceTenantId!,
  srcId: userId, // user
  relation: 'member_of',
  dstId: orgId, // organization
  attrs: { role: 'member' },
});
try await auth.addMember(orgId: orgId, userId: userId, role: "member")

Active org context

Active organization is carried in the access token as oid (org id). Use the switch endpoint to change it and reissue a token.

Switch Organization

POST /api/auth/switch-organization
Content-Type: application/json
Authorization: Bearer <access-token>

{ "organizationId": "entities:org" }

Response:

{ "accessToken": "...", "organizationId": "entities:org" }

Notes:

  • wid (workspace tenant id) stays constant for the app.
  • oid (active org id) changes in the new access token.
  • Refresh token is not rotated here; clients keep their existing refresh token.

Swift

try await facade.switchOrg(orgId: "entities:org")

Web (JS)

await ea.fetch('/api/auth/switch-organization', {
  method: 'POST',
  body: JSON.stringify({ organizationId: 'entities:org' }),
});

OIDC & Tokens

  • Issuer exposes /.well-known/openid-configuration and /.well-known/jwks.json.
  • Access token claims: sub, wid (app tenant id), oid (active org id).

List organizations

Use relations to find organizations for a user, then fetch each org entity:

import { SDK } from '@entityauth/auth-client';

const me = await SDK.me();
const links = await SDK.queryRelations({ srcId: me.user.id, relation: 'member_of' });
const orgs = await Promise.all(
  links.map(async (l) => SDK.getEntity({ id: l.dstId }))
);

Active organization

// ActiveOrganization extends OrganizationSummary with optional description
type ActiveOrganization = OrganizationSummary & {
  description: string | null;
};

const active: ActiveOrganization | null = await ea.getActiveOrganization();
if (active) {
  console.log(active.orgId, active.description);
}

Passkeys

Previous Page

Users

Profile endpoints and username helpers

On this page

Create (generic entities)Add member (generic relations)Active org contextSwitch OrganizationSwiftWeb (JS)OIDC & TokensList organizationsActive organization