Skip to content

Reorganize and restructure Organization docs #2758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Reorganize and restructure Organization docs #2758

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
0280654
Reorganize and restructure Organization docs
Oct 31, 2025
9f7ac66
fix linting errors, hopefully fix build errors
Oct 31, 2025
8ca739d
Merge branch 'main' into im2nguyen/refactor-org-docs
im2nguyen Oct 31, 2025
884b852
anotha attempt to fix build errors
Oct 31, 2025
f2ca024
last missing file error in build
Oct 31, 2025
be700f3
update copy for active voice
Oct 31, 2025
f58ef2a
add relevant links to sso and auth-checks
Oct 31, 2025
019a616
fix linting error, add placeholder diagram for org relationship
Oct 31, 2025
27bb678
docs review
alexisintech Oct 31, 2025
d734d2d
update overview
alexisintech Nov 5, 2025
6913823
another overview update; update metadata
alexisintech Nov 5, 2025
772f1d3
update authorization checks metadata
alexisintech Nov 5, 2025
faec6dd
link fixes
alexisintech Nov 5, 2025
4de425d
Merge branch 'main' into im2nguyen/refactor-org-docs
im2nguyen Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion clerk-typedoc/types/organization-resource.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
The `Organization` object holds information about an organization, as well as methods for managing it.

To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application).
To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations).

## Properties

Expand Down
2 changes: 1 addition & 1 deletion docs/_partials/organization-sync-options.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ object has the type `OrganizationSyncOptions`, which has the following propertie
- `personalAccountPatterns`
- <code>[Pattern](#pattern)\[]</code>

URL patterns for resources that exist within the context of a user's [personal account](/docs/guides/organizations/overview#allow-personal-accounts).
URL patterns for resources that exist within the context of a user's [personal account](/docs/guides/organizations/configure#enable-organizations).

If the route also matches the `organizationPattern` prop, the `organizationPattern` prop takes precedence.

Expand Down
4 changes: 2 additions & 2 deletions docs/guides/configure/session-tasks.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ The following table lists the available tasks and their corresponding components

| Name | Component |
| - | - |
| [Personal accounts disabled (default)](/docs/guides/organizations/overview#allow-personal-accounts) | [`<TaskChooseOrganization />`](/docs/reference/components/authentication/task-choose-organization) |
| [Personal accounts disabled (default)](/docs/guides/organizations/configure#enable-organizations) | [`<TaskChooseOrganization />`](/docs/reference/components/authentication/task-choose-organization) |

> [!IMPORTANT]
> Personal accounts being disabled by default was released on 08-22-2025. Applications created before this date will not be able to see the **Allow personal accounts** setting, because personal accounts were enabled by default.
Expand Down Expand Up @@ -286,7 +286,7 @@ The `useAuth()` hook and helpers that access the [`auth` object](/docs/reference

##### Example: Personal accounts disabled

When organizations are enabled, [personal accounts are disabled by default](/docs/guides/organizations/overview#allow-personal-accounts) and your users will be required to select or create an organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out.
When organizations are enabled, [personal accounts are disabled by default](/docs/guides/organizations/configure#enable-organizations) and your users will be required to select or create an organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out.

For `useAuth()`, `isSignedIn` will be `false` and `userId` and `orgId` will be `null` if the user has a `pending` session.

Expand Down
2 changes: 1 addition & 1 deletion docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing

<Include src="_partials/custom-flows-callout" />

This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/overview#organization-invitations).
This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/invitations).

<Tabs items={["Next.js", "JavaScript"]}>
<Tab>
Expand Down
90 changes: 90 additions & 0 deletions docs/guides/organizations/check-access.mdx
View file
Open in desktop
Copy link
Member

@alexisintech alexisintech Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced on this guide! We already have /authorization-checks
could you give me some of your thought process behind introducing this guide?

Copy link
Author

@im2nguyen im2nguyen Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the goal of having these "verb/" landing pages is for people who are completely unfamiliar with orgs to reorientate themselves

for example, adding members to your orgs. we support different ways to do that: invitations, verified domains (automatic suggestion/invitations), ent connections

based on the url itself, folks can grok/understand what the feature is doing

similar thing for "check-access", it's not supposed to be a top level. what the user cares about is "/control-access", to do that, they need to set up roles and permissions then checking access. the /authorization-check page is great but it covers authz checks in general (not org focused)

the check-access page should link out to /authorization-check and vice versa

Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
---
title: Check roles and permissions with authorization checks
description: Limit access to content or entire routes based on a user's organization role or permissions.
metadata:
title: Check roles and permissions in Organizations
---

Authorization checks verify that users can only access resources and perform actions they have permission for within an organization. These checks are essential for protecting sensitive data, gating premium features, and ensuring users stay within their allowed scope of access.

Clerk provides two primary ways to perform these checks: the `has()` method for server-side logic and the `<Protect>` component for conditional rendering in React. Both methods let you check against roles, permissions, features, and plans.

## What you can check

Authorization checks can verify roles and custom permissions. Roles like `org:admin` determine a user's level of access within an organization, while custom permissions like `org:invoices:create` provide fine-grained control over specific features and actions.

> [!IMPORTANT]
> Clerk links custom permissions to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/roles-and-permissions#custom-permissions).

## Frontend checks with `<Protect>`

The `<Protect>` component is the easiest way to conditionally show or hide content in React applications based on what a user can access. This works well for UI elements like buttons, sections, or entire page layouts that should only appear to users with specific access. You can show or hide content based on roles and permissions, render different layouts for different access levels, or display fallback messages when access is denied.

Use the `<Protect>` component to conditionally render content based on role or permission:

```tsx
import { Protect } from '@clerk/nextjs'

export default function Dashboard() {
return (
<div>
<h1>Dashboard</h1>

{/* Only show to org admins */}
<Protect role="org:admin">
<AdminSettings />
</Protect>

{/* Only show to users with specific permission */}
<Protect permission="org:invoices:create">
<CreateInvoiceButton />
</Protect>

{/* Display fallback when access is denied */}
<Protect permission="org:reports:read" fallback={<p>You don't have access to reports.</p>}>
<ReportsSection />
</Protect>
</div>
)
}
```

## Server-side checks with `has()`

While `<Protect>` works well for the frontend, server-side checks are essential for securing API routes, backend logic, and data access. The `has()` method provides a way to verify access before performing sensitive operations or returning protected data. You'll use this when protecting API endpoints, controlling database operations, validating permissions before executing business logic, or returning different data based on user access.

Use the `has()` method from the `auth()` object to check permissions on the server:

```tsx
import { auth } from '@clerk/nextjs/server'

export default async function handler(req, res) {
const { has, userId } = await auth()

if (!userId) {
return res.status(401).json({ error: 'Unauthorized' })
}

// Check if user has admin role
if (!has({ role: 'org:admin' })) {
return res.status(403).json({ error: 'Forbidden' })
}

// Check if user has specific permission
if (!has({ permission: 'org:invoices:create' })) {
return res.status(403).json({ error: 'Forbidden' })
}

// Proceed with authorized action
// ...
}
```

## Next steps

Now that you know how to check roles and permissions, you can:

- [Read the complete authorization checks guide](/docs/guides/secure/authorization-checks) for advanced patterns including middleware protection and custom authorization logic
- [Learn how to check features and plans](/docs/guides/billing/for-b2b#control-access-with-features-plans-and-permissions) for subscription-based applications
- [Set up custom roles and permissions](/docs/guides/organizations/roles-and-permissions) to define your access control model
- [Configure default roles](/docs/guides/organizations/configure#default-roles) for new organization members
168 changes: 168 additions & 0 deletions docs/guides/organizations/configure.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
---
title: Configure organizations
description: Learn how to configure global organization settings in the Clerk Dashboard, including pricing, membership limits, and optional features.
metadata:
title: Configure organization settings in Clerk Dashboard
---

Global organization settings control how organizations work across your entire application. These settings determine who can create organizations, how members join them, what roles they receive, and which features are available. You'll configure most of these when you first enable organizations, though you can adjust them later as your needs evolve.

## Enable organizations

Organizations are disabled by default. When you enable organizations, Clerk offers two workspace models:

- **Personal accounts disabled (default)**: Every user is required to belong to an organization. All new and existing users will be prompted to create or join an organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application.

> [!IMPORTANT]
> Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not see the **Allow personal accounts** setting, because personal accounts were enabled by default.

- **Personal accounts enabled**: Users can operate in their own individual workspace or join organizations. They start in their personal account and can switch to organizations using the [`<OrganizationSwitcher />`](/docs/reference/components/organization/organization-switcher) component.

Most B2B and multi-tenant applications leave personal accounts disabled. This ensures proper data isolation and team structure from the start. You should only enable personal accounts if your app serves both individual users and teams (like a tool that works for solo users but also has team features).

To enable organizations:

1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page.
1. Select **Enable Organizations**.
1. In the modal, toggle **Allow personal accounts** based on your decision above.
1. Select **Enable**.

Clerk measures Organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits.

## Organization settings

Once organizations are enabled, you can configure core features and behaviors, such as membership limits, verified domains, organization slugs, and whether to allow personal accounts alongside organizations.

### Membership limits

There is no limit to the number of organizations a user can be a member of.

Each organization allows a maximum of 5 members by default. You can increase this limit as your customer base grows, or set different limits for individual organizations if you have different pricing tiers.

To change the membership limit for all organizations in your application:

1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page.
1. In the **Default membership limit** section, update the membership limit.
- **Free plan**: Allows a maximum of 5 members in an organization
- **Pro plan**: Allows unlimited members in an organization

To change the membership limit for a specific organization:

1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations).
1. Select the organization you want to update.
1. In the **Membership limit** section, update the limit for that specific organization.

### Allow personal accounts

When enabling the organizations feature, you were prompted to choose whether to allow personal accounts. This setting is disabled by default. Refer to the [section on enabling organizations](#enable-organizations) above for a detailed explanation of how personal accounts work.

You can change this setting after initial setup, which is useful if your product strategy evolves. For example, if you initially served only teams but now want to support individual users as well.

To change this setting:

1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page.
1. Toggle **Allow personal accounts**.

### Verified domains

Verified domains allow automatic or suggested organization membership for users with specific email domains (like `@acme.com`). This is useful for company-wide rollouts where you want to streamline enrollment for employees with company email addresses. Members with the [`org:sys_domains:manage` system permission](/docs/guides/organizations/roles-and-permissions#system-permissions) can manage verified domains and enrollment modes.

Learn more about [verified domains](/docs/guides/organizations/verified-domains).

### Organization slugs

> [!IMPORTANT]
> Organization slugs are disabled by default for applications created after October 7, 2025. For applications created before this date, you can opt to disable it.

Organization slugs are human-readable URL identifiers (like `acme-corp`) that help users reference which organization they're working in. Enable this feature if you need organization-specific URLs or if users frequently switch between multiple organizations.

You can also [use organization slugs in your application's URLs](/docs/guides/organizations/org-slugs-in-urls).

### Allow user-created organizations

By default, users can create organizations in your application. You can restrict this if you prefer to manually provision organizations.

You can also override this permission for specific users in their profile page under **User permissions**.

Learn more about [creating organizations](/docs/guides/organizations/create-and-manage).

#### Organization creation limit

{/* TODO: Come back to this. Is the max 100, or is it unlimited? By default, in the Clerk Dash, it says unlimited. But I thought Clerk caps each user to create up to 100 orgs per application instance */}

When user-created organizations are enabled, each user can create up to 100 organizations by default. You can configure this to set a lower limit or allow unlimited organizations.

To change the default limit:

1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page.
1. In the **Organization limit** section, choose between:
- **Users can create unlimited organizations**
- **Users can create a limited number of organizations** (specify the limit)

If you need users to create more than 100 organizations, [contact support](/contact/support){{ target: '_blank' }} to have the limit raised.

To override this limit for a specific user:

1. In the Clerk Dashboard, select [**Users**](https://dashboard.clerk.com/~/users).
1. Select the user you want to update.
1. In the **User permissions** section, configure their organization creation limit.

### Default roles

When users create or join organizations, they need to be assigned a role. These settings determine which roles are automatically assigned in different scenarios, whether someone is creating a new organization or joining an existing one.

#### Default role for members

The default role for members is assigned to users when they join an organization through invitations or verified domain enrollment. By default, this is set to [**Member**](/docs/guides/organizations/roles-and-permissions#default-roles).

This role is used:

- When sending invitations from the [`<OrganizationProfile />`](/docs/reference/components/organization/organization-profile) component (pre-filled as default)
- When users auto-join via [verified domains](/docs/guides/organizations/verified-domains)
- As the suggested role for new organization members

To change the default role:

1. In the Clerk Dashboard, navigate to the [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles) page.
1. Select the three dots next to the role you want to set as default.
1. Choose **Set as Default role**.

Learn more about [roles and permissions](/docs/guides/organizations/roles-and-permissions).

#### Creator's initial role

When a user creates a new organization, Clerk automatically adds them as its first member and assigns them the organization's designated **Creator** role. By default, that role is [**Admin**](/docs/guides/organizations/roles-and-permissions#default-roles), giving them full control over the organization they created.

The Creator role must have at least these [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions):

- Manage members (`org:sys_memberships:manage`)
- Read members (`org:sys_memberships:read`)
- Delete organization (`org:sys_profile:delete`)

Learn more about the [Creator role and how to reassign it](/docs/guides/organizations/roles-and-permissions#the-creator-role).

### Allow new members to delete organizations

This setting controls whether organization members can delete organizations.

### Allow new members to delete organizations

By default, any member with the [`org:sys_profile:delete` system permission](/docs/guides/organizations/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed.

To change this setting:

1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page.
1. Toggle **Allow new members to delete organizations**.

> [!IMPORTANT]
> This setting only applies to newly created organizations. Existing organizations retain their current deletion settings.

Learn more about [roles and permissions](/docs/guides/organizations/roles-and-permissions).

## Next steps

Now that you've configured global settings, you can:

- [Create your first organization](/docs/guides/organizations/create-and-manage) and start adding members
- [Add members to your organization](/docs/guides/organizations/invitations) with invitations, verified domains, or SSO
- [Configure access control](/docs/guides/organizations/roles-and-permissions) with custom roles and permissions
Loading