> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn to use Actions and SDKs with Auth0 organizations.

# Custom Development with Organizations

You can extend Auth0 capabilities using [organization](/docs/manage-users/organizations/organizations-overview) metadata and Actions, or use our APIs and SDKs to build organization administration dashboards for your users.

<Card title="Availability varies by Auth0 plan">
  Your Auth0 plan or custom agreement affects whether this feature is available. To learn more, read [Pricing](https://auth0.com/pricing).
</Card>

## Extensibility

Organizations support our extensibility points, so you can define properties within organization metadata and expose that data to [Actions](/docs/customize/actions). This allows you to customize capabilities for individual customers or applications; for example, you can execute custom logic in Actions for certain customers based on their subscription plan by storing that information in organization metadata.

### Actions event object

The Action event object stores contextual information about the current authentication transaction, such as the user's IP address, application, or location.

If you change token content using the `event` object within an Action, your changes will be available in tokens after all Actions have finished running.

## SDKs

To allow members to self-manage their organizations, you can assign roles to members, and use our API and SDKs to build dashboards in your products. Administrators can configure <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one applicaton, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=Single+Sign-On">Single Sign-On</Tooltip> (SSO), invite users to organizations, assign members to organizations, assign roles to members, and so on.

Example tasks you may want to perform with organizations using the SDKs are outlined below.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The examples below reference the `org_id` claim available by default in ID and access tokens. However, you can configure your tenant to also support the use of organization names in the Authentication API. This results in tokens containing both the `org_id` and `org_name` claims. If present, validate the `org_name` claim in addition to `org_id` to ensure the received values correspond to a trusted entity.

  In general, using organization IDs is the preferred method for validating tokens. However, organization names can be used if they are more appropriate for your use case. To understand the potential implications of using organization names to validate tokens, review [Use Organization Names in Authentication API](/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api).
</Callout>

### I want users to log in to a specified organization

When defining a new client, pass the organization ID into an organization parameter. Then on callback, ensure that the organization returned in the <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> is the same one that was sent in the `/authorize` request by validating the `org_id` claim in the same way that other claims like `exp` and `nonce` are validated.

To learn more, read:

* [Add Login Using the Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/add-login-auth-code-flow)
* [Call Your API Using the Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/call-your-api-using-the-authorization-code-flow)
* [Add Login Using the Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/add-login-using-the-authorization-code-flow-with-pkce)
* [Call Your API Using the Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce)
* [Add Login Using the Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/add-login-using-the-implicit-flow-with-form-post)
* [Call Your API Using the Hybrid Flow](/docs/get-started/authentication-and-authorization-flow/hybrid-flow/call-api-hybrid-flow)
* [Customize session inactivity timeout based on Organization](/docs/manage-users/sessions/manage-sessions-actions)

### From my application, I want to get the organization to which the authenticated user logged in

If the user was authenticated using an organization, the organization ID will appear in the `org_id` claim in the ID token. Using the Auth0 SPA SDK, this can be retrieved as follows:

`const { org_id } = await client.getIdTokenClaims();`

### From my API, I want to get the organization with which the access token was issued

If the user was authenticated using an organization and an <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip> was specified, the <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> will be a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> and will contain the `org_id` claim with the ID of the organization to which the user logged in.

This can be validated along with the other claims on the backend, as in the following example for Ruby:

```ruby lines theme={null}
class JsonWebToken
  def self.verify(token)
    decoded = JWT.decode(token, nil,
               true, # Verify the signature of this token
               algorithms: 'RS256',
               iss: 'https://YOUR_DOMAIN/',
               verify_iss: true,
               aud: Rails.application.secrets.auth0_api_audience,
               verify_aud: true) do |header|
      jwks_hash[header['kid']]
    end

    // Retrieve the organization ID value from the decoded token
    org = decoded[0]['org_id']
  end
end
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  **Find Your Auth0 Domain**

  If your Auth0 domain is your tenant name, your regional subdomain (unless your tenant is in the US region and was created before June 2020), plus `.auth0.com`. For example, if your tenant name were `travel0`, your Auth0 domain name would be `travel0.us.auth0.com`. (If your tenant were in the US and created before June 2020, then your domain name would be `https://travel0.auth0.com`.)

  If you are using custom domains, this should be your custom domain name.
</Callout>

## Learn more

* [Understand How Auth0 Organizations Work](/docs/manage-users/organizations/organizations-overview)
* [Create Your First Organization](/docs/manage-users/organizations/create-first-organization)
* [Work with Tokens and Organizations](/docs/manage-users/organizations/using-tokens)
* [Configure Organizations](/docs/manage-users/organizations/configure-organizations)
* [Auth0 Actions](/docs/customize/actions)