B2B Org/Workspace Lifecycle

Use this guide when your app needs organization and workspace scope throughout auth, API access, and admin operations.

Tenant lifecycle diagram

Authenticate user
      |
      v
Resolve membership set
      |
      +-- none ------------------> onboarding flow
      |
      +-- has organizations -----> choose/create org
                                      |
                                      v
                                 choose/create workspace
                                      |
                                      v
                              backend scope enforcement
                                      |
                                      v
                              org/workspace-scoped operations

Lifecycle sequence

1. User authenticates and lands in your app.
2. User selects or creates an organization.
3. User selects or creates a workspace in that organization.
4. Backend APIs enforce org/workspace scope for all protected operations.

Frontend implementation

Use SDK tenancy surfaces to manage active organization/workspace and account controls:

• React Router Organizations/Workspaces hooks
• TanStack Router Organizations/Workspaces hooks
• Next.js Organizations/Workspaces hooks

Backend implementation

Use backend SDK methods and scope-aware checks:

• Rust Organizations and Workspaces
• Backend JS SDK

Scope enforcement rules

• Treat org/workspace IDs as authoritative backend inputs, not frontend hints.
• Validate current membership/permissions for each protected request.
• Prefer explicit workspace-scoped resources where available.

Failure modes to handle

• User has no org membership yet.
• User has org membership but no workspace membership.
• Selected workspace is no longer accessible.
• Role/permission changed after token/session issuance.

Contract validation checkpoints

• Frontend API org/workspace surfaces
• Backend API org/workspace surfaces