ReferenceorganizationsorganizationsMulti-tenant boundary. Teams, invites, MFA status, role management. Create a new organizationCreate a new organization and make the caller its owner.Get the caller's organizationReturn the organization the authenticated user belongs to.Update the caller's organizationUpdate the authenticated user's organization.Delete the caller's organizationSoft-delete the authenticated user's organization.Get the org's LLM model policyReturn the org's per-org LLM admission policy (self-host dataSet the org's LLM model policyReplace the org's per-org LLM admission policy.Get organization spend postureReturn current budget-window spend without feature-flag gating.Leave the caller's organizationLeave the authenticated user's organization.Transfer organization ownershipTransfer the organization's owner role to another member.List organization membersList members of the caller's organization with optional search and role filter.Get the organization's 2FA enrolment statusRead-only 'who in this org has 2FA on?' dashboard.List the organization's security audit logRead-only, newest-first view of the org's append-only audit log.Set the organization's 2FA enforcement policyEnable or disable org-wide 2FA enforcement.Remind all members without 2FA to enrolSend an in-app 2FA-enrolment reminder to every member without 2FA.Get the org's allowed sign-in methodsRead the org's allowed sign-in methods. Admin/owner only.Set the org's allowed sign-in methodsRestrict sign-in methods for the org.Get the org's SSO federation configRead the org SSO config. Admin/owner only. Never flag-gated.Set the org's SSO federation configConfigure SSO federation. Admin/owner only.Get the org's SCIM provisioning configRead the org SCIM config. Admin/owner only. Token hash never echoed.Set the org's SCIM provisioning configConfigure SCIM provisioning. Owner-only.List the org's custom rolesList the org's custom roles. Admin/owner only. Never flag-gated.Create a custom roleCreate a least-privilege custom role. Admin/owner only.Delete a custom roleDelete a custom role. Admin/owner only. Never flag-gated.Get the org's IP-allowlist + session-security policyRead the org security policy. Admin/owner only. Never flag-gated.Set the org's IP-allowlist + session-security policyConfigure IP allowlist + session security. Admin/owner only.Get a member of the organizationFetch one member of the caller's organization by public ID.Change a member's rolePromote or demote an existing organization member.Remove a member from the organizationRemove a member from the caller's organization.Create an invite linkCreate a link-based invite for the caller's organization.List organization invitesList invite links for the caller's organization.Revoke an invite linkRevoke an invite link, preventing further use.Create an email-bound invite and send itCreate an invite restricted to a specific email address and send it.Create a teamCreate a new team in the caller's organization.List organization teamsList teams in the caller's organization.Get a team with membersFetch a team with populated member and manager details.Update a teamUpdate a team.Delete a teamDelete a team. Owner/Admin only.Add a member to a teamAdd a member (optionally a manager) to a team.Remove a member from a teamRemove a member from a team.Toggle a user's team-manager flagGrant or revoke team-manager status for an existing team member.Org-wide dashboard overview metricsAggregate org-scoped, RBAC-filtered dashboard metrics.
List organization membersList members of the caller's organization with optional search and role filter.
List the organization's security audit logRead-only, newest-first view of the org's append-only audit log.
Remind all members without 2FA to enrolSend an in-app 2FA-enrolment reminder to every member without 2FA.
Get the org's SCIM provisioning configRead the org SCIM config. Admin/owner only. Token hash never echoed.
Get the org's IP-allowlist + session-security policyRead the org security policy. Admin/owner only. Never flag-gated.
Set the org's IP-allowlist + session-security policyConfigure IP allowlist + session security. Admin/owner only.
Create an email-bound invite and send itCreate an invite restricted to a specific email address and send it.