The Admin Portal gives an administrator at one of your customer organizations a short-lived link to a scoped setup task. Use it for customer-managed SSO, directory sync, or domain verification without giving that administrator access to your Authdog console.
This is different from the Account Portal. The Admin Portal is for customer organization administrators configuring their organization. The Account Portal is for end users signing in and managing their own profile, credentials, and sessions.
Choose a setup intent
Generate a link for one organization and one task:
sso— open enterprise SSO setup. This is the default whenintentis omitted.dsync— open directory-sync setup.domain_verification— open domain-verification setup.
Keep each invitation focused. Generate another link when the administrator needs to perform a different task.
Generate a link from your backend
Call the authenticated REST API from trusted server code:
POST /v1/tenants/{tenantId}/environments/{environmentId}/portal/generate-link
Authorization: Bearer <server-held-token>
Content-Type: application/json
{
"organizationId": "org_123",
"intent": "sso"
}A successful response includes link, intent, and expiresAt. The organization ID is required. Tenant and environment come from the path, so verify all three identifiers belong to the customer context before making the request.
Do not call this endpoint from browser code. Authentication to the endpoint and organization selection are privileged operations.
Send and use the link
- Authenticate the customer administrator in your application.
- Check that they may administer the selected organization.
- Generate the link immediately before use.
- Redirect them to
link, or deliver it through a secure channel. - After setup, verify the resulting SSO, directory-sync, or domain state before treating onboarding as complete.
Links are signed by the selected environment and expire after 15 minutes. They open an Authdog-hosted /portal flow and do not require an Authdog dashboard login.
Security guidance
- Treat the URL as a temporary bearer credential. Anyone who obtains it may enter its scoped setup flow until expiry.
- Never log the full URL or return its token separately to analytics, error reporting, or support tools.
- Authorize organization membership and admin rights in your backend before generating a link.
- Generate links on demand; do not precompute or store batches.
- Use the correct environment. Links are environment-scoped and signed with that environment's active key.
- Do not use an Admin Portal link as proof that setup succeeded. Read or test resulting configuration separately.
Link generation fails when the environment has no active signing key. Unsupported intents and missing organizationId are rejected.
Operational notes
- Expired link: generate a new one; links are intentionally short-lived.
- Wrong task: generate a new link with the intended
intent. - Wrong customer or environment: discard the link and regenerate it with corrected identifiers.
- Production rollout: exercise each intent in a non-production environment first, then use production tenant, environment, and organization IDs.
Related
- Account Portal — end-user authentication and account management
- SSO — configure and operate enterprise connections
- Organizations — organization and membership model
- Provisioning — directory sync and lifecycle
- Custom domains — identity-flow domain setup
- Security — key and token security model