Stytch Resources and Roles

Out of the box, Stytch offers default Resources and Roles to gate permissions for certain Stytch API endpoints and their functionality. These defaults are included in your Project's RBAC Policy to provide access controls for Stytch objects such as Organizations, Members, and SSO Connections.

Default Resources

Stytch has four default Resources, all of which are prefixed with stytch. Custom Resources may not use the stytch prefix in their resource_ids.

Within your Dashboard, you'll find the following four default Resources:

  • stytch.self: access controls for the logged-in user's Member.
  • stytch.organization: access controls for the Organization.
  • stytch.member: access controls for all Members in the Organization.
  • stytch.sso: access controls for SSO Connections.
  • stytch.scim: access controls for SCIM Connections.

Each default Resource is scoped to the logged-in Member's Organization and has a predefined list of actions tailored to control specific functionality.

You can view the full list of Actions associated with each Stytch Resource in the Stytch Dashboard Roles & Permissions section.

Default Roles

To manage the default Resources, Stytch provides two default Roles for your convenience.

stytch_member: a Role that's automatically assigned to all Members (including the original Member who created the Organization). By default, it contains all stytch.self permissions, enabling permissions like updating your own Member object's name or untrusted_metadata. By default, this Role does not allow certain sensitive actions like editing your own Roles. You cannot delete this Role from any Member, but you can edit its permissions.

stytch_admin: a Role that's automatically assigned to the Member that creates a new Organization through the Discovery flow. By default, the stytch_admin Role includes all permissions for the stytch.organization, stytch.member, and stytch.sso resources.

Editing the descriptions or deleting these default Stytch Roles is not permitted. However, you can edit their permissions to suit the needs of your Project. For example, if you want to leverage Stytch's default Roles for billing tier gating, you could remove the stytch.sso permissions from the stytch_admin Role that is automatically assigned to new signups and instead create your own enterprise_admin Role with those permissions.

What's next

Learn about Role assignment and how Members are explicitly or implicitly granted permissions.