Memberships | SqlOS Docs

Memberships link users to organizations. Each membership carries a role that your app can use for authorization logic.

For human onboarding, prefer Email Invitations over directly creating a user and assigning a password. Invitations are email-bound, expiring, one-time links that create or activate membership only after the invited identity is verified.

Create a membership#

SDK:

CSHARP

var membership = await adminService.CreateMembershipAsync(new CreateMembershipRequest
{
    OrganizationId = org.Id,
    UserId = user.Id,
    Role = "admin"
});

Admin API:

BASH

curl -X POST http://localhost:5062/sqlos/admin/auth/api/memberships \
  -H "Content-Type: application/json" \
  -d '{"organizationId": "org_...", "userId": "usr_...", "role": "admin"}'

Field	Required	Description
`organizationId`	Yes	Target organization
`userId`	Yes	User to add
`role`	Yes	Role within the org (e.g., `member`, `admin`)

Check membership#

CSHARP

bool isMember = await adminService.UserHasMembershipAsync(userId, organizationId, ct);

List user organizations#

CSHARP

var orgs = await adminService.GetUserOrganizationsAsync(userId, ct);

Syncing to FGA#

When using FGA, membership roles can be mapped to FGA grants. See Syncing Auth to FGA for the pattern.

Invite a member#

CSHARP

var invite = await authService.CreateEmailInvitationAsync(
    new SqlOSCreateEmailInvitationRequest(
        OrganizationId: org.Id,
        Email: "teammate@example.com",
        Role: "member"),
    httpContext,
    ct);

When the teammate accepts the invite, SqlOS creates or reactivates the membership. Existing active memberships are accepted idempotently and are not downgraded.