Introduction to OrgNet

OrgNet is a cloud-hosted identity and access platform that handles authentication, cross-domain single sign-on, role-based access control, and zero-trust security for AI agents — all through a single, consistent API.

Whether you're protecting a new web app, adding SSO across multiple domains, or securing OpenClaw agent actions, OrgNet provides the same foundation: OAuth 2.1 with PKCE, RS256-signed JWTs, and Redis-backed token revocation in under 1ms.

Quick Start

The fastest path to a protected page is three steps:

  1. Register your app in the OrgNet dashboard — you'll get a client_id
  2. Add the OrgNet SDK to your page
  3. Call orgnet.protectPage()

See the 60-second quickstart for full code examples including PHP server-side validation and AI agent authentication.

Identity Model — Person → Identity

OrgNet separates who you are from who you're acting as. This distinction matters when one person belongs to multiple organisations.

Example: alice@email.com works for Acme Corp (emp_id: E001) and Beta Ltd (emp_id: E099). She logs in with one email and password; because she holds both memberships, the org picker appears. Her JWT then carries the active org's emp_id, org_id and resolved permissions, so every app knows exactly who she is acting as.

JWT Claims Reference

Every OrgNet Access Token is an RS256-signed JWT. The payload carries the registered JWT claims (RFC 7519) plus OrgNet-specific claims in the orgnet: namespace.

Claim                   Type            Description
sub                     string          OrgNet Person ID (ULID). Stable across all org contexts.
orgnet:email            string          Login email address. Immutable identifier.
orgnet:emp_id           string          Employee ID from your system for the active identity.
orgnet:org_id           string          Active organisation ID. Always present, never null.
orgnet:org_name         string          Display name of the active organisation.
orgnet:roles            string[]        Role names active for this identity and app.
orgnet:perms            string[]        Resolved permission strings (e.g. "doc:read"). Apps can enforce these locally without a round-trip, but only after the token's signature, iss, aud, exp and jti have been checked.
orgnet:mfa              boolean         Whether MFA was satisfied in this session.
orgnet:identity_count   number          Total number of org memberships the person has. Used to show or hide the org-switcher UI.
jti                     string          Unique token ID (ULID). Used for the revocation lookup in Redis.
exp                     unix timestamp  Expiry. Access Tokens: 15 minutes. Master Session Token: 8 hours.
iss                     string          https://auth.orgnet.app
aud                     string          The target application's registered URL. Reject tokens whose aud is not your app.

Cross-Domain SSO

OrgNet uses a Master Session Token (MST), stored as an HttpOnly Secure cookie on auth.orgnet.app, to authenticate the user across all of your registered domains without a second login. Because the cookie belongs to auth.orgnet.app and is presented from a cross-site iframe, browsers that block third-party cookies will not send it; test the silent flow under those settings.

  1. User logs in on any domain → OrgNet issues an MST (8hr TTL) in an HttpOnly cookie
  2. User navigates to a different registered domain
  3. The OrgNet JS SDK fires a silent POST /token/derive request via a hidden iframe
  4. OrgNet validates the MST and issues a fresh, short-lived Access Token scoped to the new app
  5. The SDK resolves with the token — the user is authenticated with no prompt

Logout propagation: Calling orgnet.logout() on any domain revokes the MST. The SDK's background heartbeat detects the revocation and logs the user out of all open apps within 60 seconds.

RBAC — Roles & Permissions

OrgNet uses a three-layer access control model:

System Roles (built-in)

Role       Inherits from   Typical permissions
OrgAdmin   All roles       Manage users, roles, apps, and audit log for the org
AppAdmin   Editor          Manage users and settings within a specific app
Editor     Viewer          Create and modify content within the app
Viewer     (none)          Read-only access within the app

Resolved permissions are embedded in the JWT's orgnet:perms claim, so your app can check permissions without a network call. In the browser that check should only drive the UI, since the user controls the page; enforce the same check server-side, on a token whose signature, aud, exp and jti you have validated:

// JavaScript
if (user.perms.includes('doc:write')) showEditButton();

// PHP
if ($user->hasPermission('doc:write')) { /* show edit button */ }

OpenClaw — AI Agent Integration

OrgNet treats AI agents as Service Accounts — not users. Agents authenticate via the OAuth 2.1 Client Credentials grant, receive short-lived scope-locked tokens, and are subject to per-agent rate limiting and audit logging.

Zero-trust rule: Agents are never trusted by default, regardless of source IP or prior session. Every token is validated on every API call. Every action is logged.

Service Account Setup

  1. In the OrgNet dashboard: Org Settings → Service Accounts → Create
  2. Choose a name, set the allowed scopes (principle of least privilege)
  3. Copy the client_id and client_secret — the secret is shown once and stored hashed
  4. Store both in your agent's secrets vault, never in a .env file or other config that gets committed to git

API Endpoints Overview

Authentication

POST /auth/login

Direct email + password authentication. Returns MST cookie and access token. Rate limited to 5 attempts per 15 minutes per IP.

POST /auth/logout

Revokes the MST and current access token. Clears the HttpOnly cookie. Propagates logout to all active sessions within 60 seconds.

POST /auth/signup

Creates a new person record. Sends email verification. Accepts: email, password, display_name.

POST /auth/forgot-password

Sends a password reset email with a signed magic link. Always returns 200 — does not reveal whether the email exists.

POST /auth/reset-password

Applies a new password using a valid reset token. Revokes all existing tokens for the person. Token is single-use, 1-hour expiry.

POST /auth/switch-identity

Switches the active org context. Accepts an identity_id that belongs to the authenticated person. Issues new tokens scoped to the new identity.

OAuth 2.1

GET /oauth/authorize

Initiates the Authorization Code + PKCE flow. Required params: client_id, redirect_uri, code_challenge, code_challenge_method=S256.

POST /oauth/token

Exchanges an authorization code for tokens, or authenticates a service account via Client Credentials. Supports authorization_code and client_credentials grant types.

POST /oauth/revoke

Revokes an access or refresh token immediately. Always returns 200 (RFC 7009 compliant — does not reveal whether token existed).

POST /oauth/introspect

Returns the active status and claims of a token. Restricted to registered clients. Returns {"active": false} for expired or revoked tokens.

POST /token/derive

Issues a new app-scoped access token from a valid MST. Used by the SDK for silent cross-domain SSO. Validates the requesting domain against the org's registered domains.

User & Identity

GET /auth/me

Returns the authenticated user's person record, active identity, and resolved permissions. Requires a valid Bearer token.

GET /auth/sessions

Lists all active sessions for the authenticated person across all apps and domains. Each entry shows the app, device and last-active time, and any session can be revoked individually (the Sessions UI surfaces this as a revoke button).

JWKS & Key Rotation

GET /.well-known/jwks.json

Returns the current and previous RS256 public keys in RFC 7517 format. Cache this response; it changes only on key rotation (every 90 days). Key the cache by kid, refetch once when a token arrives with a kid you have not seen, and reject the token if the kid is still unknown after that. Your SDK or PHP package fetches this automatically.

GET /.well-known/openid-configuration

OIDC discovery document. Standard-compliant — any OIDC client library can auto-configure from this endpoint.

Token Revocation

Token revocation in OrgNet is Redis-backed and takes effect in under 1 millisecond. Every token validation checks Redis for the token's jti (JWT ID) before accepting the token.

The following events trigger automatic revocation of all tokens for a person:

Individual tokens can be revoked via POST /oauth/revoke or from the Sessions UI.

SDKs & Libraries

SDK              Language           Install
orgnet.js        Browser / Node.js  cdn.orgnet.app/v1/orgnet.min.js
orgnet/php-sdk   PHP / Laravel      composer require orgnet/php-sdk
@orgnet/react    React              npm install @orgnet/react

All SDKs share the same API surface and are fully compatible with the JWT structure described above.