The Admin Portal gives an administrator at one of your customer organizations a short-lived link to a scoped setup task. Use it for customer-managed SSO, directory sync, or domain verification without giving that administrator access to your Authdog console.

This is different from the [Account Portal](/docs/account-portal). The **Admin Portal** is for customer organization administrators configuring their organization. The **Account Portal** is for end users signing in and managing their own profile, credentials, and sessions.

## Choose a setup intent

Generate a link for one organization and one task:

- `sso` — open enterprise SSO setup. This is the default when `intent` is omitted.
- `dsync` — open directory-sync setup.
- `domain_verification` — open domain-verification setup.

Keep each invitation focused. Generate another link when the administrator needs to perform a different task.

## Generate a link from your backend

Call the authenticated REST API from trusted server code:

```http
POST /v1/tenants/{tenantId}/environments/{environmentId}/portal/generate-link
Authorization: Bearer <server-held-token>
Content-Type: application/json

{
  "organizationId": "org_123",
  "intent": "sso"
}
```

A successful response includes `link`, `intent`, and `expiresAt`. The organization ID is required. Tenant and environment come from the path, so verify all three identifiers belong to the customer context before making the request.

Do not call this endpoint from browser code. Authentication to the endpoint and organization selection are privileged operations.

## Send and use the link

1. Authenticate the customer administrator in your application.
2. Check that they may administer the selected organization.
3. Generate the link immediately before use.
4. Redirect them to `link`, or deliver it through a secure channel.
5. After setup, verify the resulting SSO, directory-sync, or domain state before treating onboarding as complete.

Links are signed by the selected environment and expire after **15 minutes**. They open an Authdog-hosted `/portal` flow and do not require an Authdog dashboard login.

## Security guidance

- Treat the URL as a temporary bearer credential. Anyone who obtains it may enter its scoped setup flow until expiry.
- Never log the full URL or return its token separately to analytics, error reporting, or support tools.
- Authorize organization membership and admin rights in your backend before generating a link.
- Generate links on demand; do not precompute or store batches.
- Use the correct environment. Links are environment-scoped and signed with that environment's active key.
- Do not use an Admin Portal link as proof that setup succeeded. Read or test resulting configuration separately.

Link generation fails when the environment has no active signing key. Unsupported intents and missing `organizationId` are rejected.

## Operational notes

- Expired link: generate a new one; links are intentionally short-lived.
- Wrong task: generate a new link with the intended `intent`.
- Wrong customer or environment: discard the link and regenerate it with corrected identifiers.
- Production rollout: exercise each intent in a non-production environment first, then use production tenant, environment, and organization IDs.

## Related

- [Account Portal](/docs/account-portal) — end-user authentication and account management
- [SSO](/docs/sso) — configure and operate enterprise connections
- [Organizations](/docs/concepts/organizations) — organization and membership model
- [Provisioning](/docs/concepts/provisioning) — directory sync and lifecycle
- [Custom domains](/docs/custom-domains) — identity-flow domain setup
- [Security](/docs/security) — key and token security model
