Update organization config

Modify the configuration for your organization.

The token duration determines the number of seconds a token issued by SlashID will be valid for. If not set, or set to 0, the default duration of 24 hours will be used for all tokens.

The groups claim name determines the name of the claim in the token payload where a user's groups are found. If not set, or set to the empty string, the default claim name groups will be used for all tokens.

Header Parameters
  • SlashID-OrgID string required

    The organization ID

    Example: af5fbd30-7ce7-4548-8b30-4cd59cb2aba1
  • SlashID-Required-Consistency string

    Possible values: [local_region, all_regions]

    Default value: local_region

    The consistency level required for this request. If the consistency level is not achieved within the timeout, the request fails with a 408 Request Timeout error. A 408 Request Timeout error indicates that the request was not handled within the timeout, but it may still be handled after the timeout expires. Allowed values:

      • local_region: Wait while the request executes in the local region.
      • all_regions: Wait while the request executes across all regions.

    You can learn more about our replication model on our Cross-region Replication Model page.

  • SlashID-Required-Consistency-Timeout integer

    Possible values: >= 1 and <= 120

    Default value: 30

    The maximum number of seconds to wait for the requested consistency level to be achieved. If the consistency level is not achieved within this time, the request fails with a 408 Request Timeout error. A 408 Request Timeout error indicates that the request was not handled within the timeout, but it may still be handled after the timeout expires. You can learn more about our replication model on our Cross-region Replication Model page.

Request Body
  • token_duration integer

    The number of seconds before a token expires

  • groups_claim_name string

    The name of the JWT claim holding the list of groups for the authenticated user identified in the token

  • requires_manual_approval boolean

    If true, new users are deactivated until the organization admin sets the person's active field.

  • deny_self_registration boolean

    If true, new users can only be created by the organization admin

  • allowed_factor_methods string[]

    Possible values: [webauthn, email_link, sms_link, otp_via_sms, otp_via_email, totp, oidc, saml, api, direct_id, password, impersonate, anonymous]

    Only allow authentication using the specified factor methods.

    Empty means all supported factors are enabled.

    This configuration doesn't affect API and DirectID authentications.

  • authn_link_allowed_redirect_uris string[]

    The URIs to which users can be redirected after authenticating with an email/SMS link.

  • new_person_handle_patterns string[]

    Only allow registration of new persons with a handle matching one of the patterns

  • sudo_mode_duration integer

    The number of seconds, after users authenticate, during which they can perform sensitive actions. Negative values will revert this property to its default (15 minutes).

  • authn_redirect_page_ui_config object

    UI configuration for the hosted page users are redirected to after clicking a magic link or password reset link.

  • canonical_identity_ai_matching_enabled boolean

    Enable or disable AI-based canonical identity matching. When disabled, falls back to deterministic field-level matching.

  • svid_jwks_urls object

    Map of SPIFFE trust domain (e.g. "spiffe://example.org") to JWKS URL. Setting this enables JWT-SVID actor_tokens from those trust domains in the token-exchange grant. Each URL must be https:// in production, use a DNS hostname (no IP literals, no zone identifiers), and have no userinfo, opaque payload, or fragment. At most 100 entries per organization. A null value for a trust domain DISABLES signature verification for JWT-SVIDs from that trust domain — every other check still applies (exp, iss/aud match, allowlist). The server logs a warning on every use. Intended for testing where a real HTTPS JWKS endpoint isn't available.

  • property name* string
  • allowed_spiffe_ids string[]

    Possible values: <= 100

    SPIFFE IDs allowed as actor in the token-exchange grant. Each entry may be a trust domain or a full SPIFFE ID. Matching is exact-string; the path component is case-sensitive. At most 100 entries per organization.
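
A pre-flight lint for the svid_jwks_urls map, applying the URL rules listed in that field's description and flagging null entries, which turn off signature verification. This is an added example, not SlashID code; the function names, messages and sample map are assumptions, and the server's own validation remains authoritative.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 100  # per-organization limit stated in the field description

def lint_jwks_url(url):
    """Return the rule violations for one JWKS URL (empty list means it passes)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed bracketed host
        return [f"unparseable URL: {exc}"]
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.netloc:
        # Assumption: "opaque payload" means scheme:payload with no //authority
        problems.append("opaque or host-less URL")
    if "@" in parts.netloc:
        problems.append("userinfo present")
    if "#" in url:
        problems.append("fragment present")
    if "%" in host:
        problems.append("zone identifier in host")
    try:
        ipaddress.ip_address(host.split("%")[0])
        problems.append("IP literal used as host")
    except ValueError:
        pass  # not an IP literal, so treated as a DNS name
    return problems

def lint_svid_jwks_urls(svid_jwks_urls):
    """Return (trust_domain, message) findings for an svid_jwks_urls map."""
    findings = []
    if len(svid_jwks_urls) > MAX_ENTRIES:
        findings.append(("*", f"more than {MAX_ENTRIES} entries"))
    for domain, url in svid_jwks_urls.items():
        if url is None:  # JSON null: signature verification is disabled
            findings.append((domain, "null URL disables signature verification"))
        else:
            findings.extend((domain, p) for p in lint_jwks_url(url))
    return findings

# Constructed sample map, not taken from a real organization
SAMPLE = {
    "spiffe://example.org": "https://jwks.example.org/keys",
    "spiffe://test.example": None,
    "spiffe://legacy.example": "http://admin@10.0.0.5/keys#k1",
}
```

Running lint_svid_jwks_urls(SAMPLE) before sending the request body surfaces the null entry and the four rule violations in the legacy URL; a non-empty result is a reasonable gate in a configuration review or CI step.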

Responses

No content