Authdog

Admin portal

Last updated Jul 19, 2026
View as Markdown

The Admin Portal gives an administrator at one of your customer organizations a short-lived link to a scoped setup task. Use it for customer-managed SSO, directory sync, or domain verification without giving that administrator access to your Authdog console.

This is different from the Account Portal. The Admin Portal is for customer organization administrators configuring their organization. The Account Portal is for end users signing in and managing their own profile, credentials, and sessions.

Choose a setup intent

Generate a link for one organization and one task:

  • sso — open enterprise SSO setup. This is the default when intent is omitted.
  • dsync — open directory-sync setup.
  • domain_verification — open domain-verification setup.

Keep each invitation focused. Generate another link when the administrator needs to perform a different task.

Call the authenticated REST API from trusted server code:

POST /v1/tenants/{tenantId}/environments/{environmentId}/portal/generate-link
Authorization: Bearer <server-held-token>
Content-Type: application/json

{
  "organizationId": "org_123",
  "intent": "sso"
}

A successful response includes link, intent, and expiresAt. The organization ID is required. Tenant and environment come from the path, so verify all three identifiers belong to the customer context before making the request.

Do not call this endpoint from browser code. Authentication to the endpoint and organization selection are privileged operations.

  1. Authenticate the customer administrator in your application.
  2. Check that they may administer the selected organization.
  3. Generate the link immediately before use.
  4. Redirect them to link, or deliver it through a secure channel.
  5. After setup, verify the resulting SSO, directory-sync, or domain state before treating onboarding as complete.

Links are signed by the selected environment and expire after 15 minutes. They open an Authdog-hosted /portal flow and do not require an Authdog dashboard login.

Security guidance

  • Treat the URL as a temporary bearer credential. Anyone who obtains it may enter its scoped setup flow until expiry.
  • Never log the full URL or return its token separately to analytics, error reporting, or support tools.
  • Authorize organization membership and admin rights in your backend before generating a link.
  • Generate links on demand; do not precompute or store batches.
  • Use the correct environment. Links are environment-scoped and signed with that environment's active key.
  • Do not use an Admin Portal link as proof that setup succeeded. Read or test resulting configuration separately.

Link generation fails when the environment has no active signing key. Unsupported intents and missing organizationId are rejected.

Operational notes

  • Expired link: generate a new one; links are intentionally short-lived.
  • Wrong task: generate a new link with the intended intent.
  • Wrong customer or environment: discard the link and regenerate it with corrected identifiers.
  • Production rollout: exercise each intent in a non-production environment first, then use production tenant, environment, and organization IDs.

Learn more