Authio docs

Single Sign-On

Per-org authentication methods

Each organization can allow or deny specific sign-in methods, and enterprises can be locked to Require SSO — independent of the project-wide defaults.

Part of Authio Lobby

Your project enables a set of sign-in methods globally, but enterprise customers routinely want tighter rules for their org — “passkeys and SSO only, no social,” or “SSO is mandatory.” Authio expresses this per organization on the org_policies row, and the org Features → Authentication methods card in your dashboard edits it.

Deny-list: disabled_methods

org_policies.disabled_methods is a list of method tokens that are turned off for the org. Anything not in the list stays available (as long as the project has it configured). The tokens are:

  • magic_link — email magic link / email code.
  • passkey — WebAuthn passkeys.
  • password_otp — password + OTP.
  • oauth — all social / OAuth providers at once.
  • oauth:<vendor> — a single social vendor, e.g. oauth:google, oauth:github, oauth:microsoft.

Use magic_link for the email method; there is no separate email token. password_otp is valid via the API but isn’t surfaced as a toggle in the dashboard card today.

Require SSO

org_policies.require_sso is a separate boolean. When it’s on, only SSO sign-in (the org’s SAML/OIDC connection) is allowed; every other method is refused even if it isn’t listed in disabled_methods. Pair it with an active SSO connection: with require_sso on and a connection present, the SP-initiated login URL sends users straight to the IdP. Turn it on only after the connection is active and has been tested, because require_sso refuses every non-SSO method and an org with require_sso on and no working connection has no way to sign in.

SSO availability is governed by require_sso plus the presence of an active connection — not by disabled_methods. Don’t try to “enable SSO” through the deny-list.

Enforcement

The policy is enforced at sign-in: a disabled method is rejected with policy_violation_method_disabled, and an attempt to use a non-SSO method under require_sso returns policy_violation_sso_required.
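The rules above (the deny-list tokens, require_sso taking precedence, SSO gated on an active connection rather than on the deny-list, and the two enforcement error codes) fit in a small evaluator. The following Python is an added example, not Authio’s own code: it models the org_policies fields and decides a sign-in attempt the way the page describes. The method name sso, the project_methods parameter, and the two error codes used for cases the page describes but does not name (method_not_configured, sso_connection_inactive) are assumptions, as is the sample policy at the bottom.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Method tokens documented for org_policies.disabled_methods.
METHOD_TOKENS = {"magic_link", "passkey", "password_otp", "oauth"}
# oauth:<vendor> disables a single social vendor, e.g. oauth:google.
VENDOR_TOKEN = re.compile(r"^oauth:[a-z0-9_-]+$")

# Error codes documented for enforcement.
ERR_METHOD_DISABLED = "policy_violation_method_disabled"
ERR_SSO_REQUIRED = "policy_violation_sso_required"
# Assumed codes (not from the docs) for cases the page describes without naming an error.
ERR_NOT_CONFIGURED = "method_not_configured"       # method not enabled project-wide
ERR_NO_SSO_CONNECTION = "sso_connection_inactive"  # SSO attempted with no active connection


@dataclass
class OrgPolicy:
    """Mirror of the two org_policies fields this page covers."""
    require_sso: bool = False
    disabled_methods: list = field(default_factory=list)


def invalid_tokens(policy: OrgPolicy) -> list:
    """Return deny-list entries that are not valid tokens.

    Catches the mistakes the page warns about: there is no 'email' token
    (use magic_link), and SSO is not controlled through the deny-list.
    """
    return [t for t in policy.disabled_methods
            if t not in METHOD_TOKENS and not VENDOR_TOKEN.match(t)]


def check_sign_in(policy: OrgPolicy, method: str, project_methods: set,
                  vendor: Optional[str] = None,
                  sso_connection_active: bool = False) -> Optional[str]:
    """Evaluate one sign-in attempt against the org policy.

    method:          'magic_link' | 'passkey' | 'password_otp' | 'oauth' | 'sso'
                     ('sso' is an assumed name for the org's SAML/OIDC connection)
    vendor:          social vendor when method == 'oauth', e.g. 'google'
    project_methods: methods the project has configured globally (assumed parameter)
    Returns None when the attempt is allowed, otherwise an error code.
    """
    # 1. require_sso wins over everything else: non-SSO methods are refused
    #    even when they do not appear in disabled_methods.
    if policy.require_sso and method != "sso":
        return ERR_SSO_REQUIRED

    # 2. SSO availability is require_sso plus an active connection; the
    #    deny-list is never consulted for it.
    if method == "sso":
        return None if sso_connection_active else ERR_NO_SSO_CONNECTION

    # 3. The org can only narrow what the project enables, never widen it.
    if method not in project_methods:
        return ERR_NOT_CONFIGURED

    # 4. Deny-list: a bare token disables the whole method; 'oauth' disables
    #    every social vendor, 'oauth:<vendor>' disables just that vendor.
    disabled = set(policy.disabled_methods)
    if method in disabled:
        return ERR_METHOD_DISABLED
    if method == "oauth" and vendor is not None and f"oauth:{vendor}" in disabled:
        return ERR_METHOD_DISABLED
    return None


# Constructed sample: project enables everything, org says "no GitHub, no password".
PROJECT_METHODS = {"magic_link", "passkey", "password_otp", "oauth"}
SAMPLE_POLICY = OrgPolicy(disabled_methods=["oauth:github", "password_otp"])
SSO_ONLY_POLICY = OrgPolicy(require_sso=True)


def run_demo() -> dict:
    """Evaluate a handful of attempts; returns a mapping for inspection."""
    return {
        "google_under_sample": check_sign_in(SAMPLE_POLICY, "oauth", PROJECT_METHODS, vendor="google"),
        "github_under_sample": check_sign_in(SAMPLE_POLICY, "oauth", PROJECT_METHODS, vendor="github"),
        "password_under_sample": check_sign_in(SAMPLE_POLICY, "password_otp", PROJECT_METHODS),
        "passkey_under_sso_only": check_sign_in(SSO_ONLY_POLICY, "passkey", PROJECT_METHODS),
        "sso_with_connection": check_sign_in(SSO_ONLY_POLICY, "sso", PROJECT_METHODS,
                                             sso_connection_active=True),
        "sso_without_connection": check_sign_in(SSO_ONLY_POLICY, "sso", PROJECT_METHODS),
        "bad_tokens": invalid_tokens(OrgPolicy(disabled_methods=["email", "sso", "oauth:google"])),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The ordering matters: require_sso is checked before the deny-list so that a stale disabled_methods entry can never re-open a non-SSO method, and SSO is decided on the connection alone so that an oauth or other token in the deny-list never affects it.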

API

The dashboard card writes through the org policy endpoint; you can also call it directly:

GET    /v1/session/orgs/{orgId}/policy
PUT    /v1/session/orgs/{orgId}/policy
DELETE /v1/session/orgs/{orgId}/policy

# PUT body (relevant fields)
{
  "require_sso": false,
  "disabled_methods": ["oauth", "password_otp"]
}

Editing the policy is an owner/admin action and is gated to paid plans.
