Beta
The Neon Auth with Better Auth is in Beta. Share your feedback on Discord or via the Neon Console.
Neon Auth is built on Better Auth and comes with a pre-configured Organization plugin, so your app can support multi-tenancy without additional setup.
Preview Feature
The Organization plugin is currently in Beta. Support for JWT token claims is under development.
Why use this plugin?
Use the Organization plugin when you need multi-tenancy in your app. It supports:
- Multi-tenant apps where each tenant is an organization
- Workspaces or groups that share a Neon branch (same database)
- Inviting users and assigning roles: owner, admin, or member
- Role-based access: owners and admins can manage the org; the member role has read-only access
Better Auth also has a Teams feature (sub-groups within an org); that feature is not currently enabled in Neon Auth.
Prerequisites
- A Neon project with Auth enabled
- A signed-in user (organizations are associated with users)
Example application
neon-auth-orgs-example is a multi-tenant sample that uses the Organization plugin with Drizzle and @neondatabase/auth (see that folder’s README for bun setup from the monorepo root). For other runnable Neon Auth apps, see Example applications.
Configure the organization plugin
The Organization plugin is enabled by default for each branch; you can disable it or change settings in the Console or via the API. If the plugin is disabled, your application users and admins cannot create or manage organizations, and any organization-related API calls will return an error.
Open your project in the Neon Console, then go to Auth > Plugins (beta) and use the Organizations section (per branch). This tab is available when your project uses Neon Auth with Better Auth; other Auth settings, including your Auth URL, stay on the Configuration tab. From there you can customize:
- Enable Organizations (toggle): Turn the Organization plugin on or off for the branch. When off, all organization API calls are disabled and return an error.
- Limit: Maximum total organization memberships (created + joined) per user. Once reached, the user cannot create new organizations. Default: 10.
- Membership Limit: Maximum number of members per organization (default: 100).
- Creator role: Role assigned to the user who creates an organization: Owner or Admin. Choose Admin if you want the org creator to have fewer privileges than Owner (for example, they cannot delete the org or change the owner).
- Send Invitation Email (toggle): When on, invited users receive an email with an accept link. This requires Verify email at signup to be enabled in the Authentication configuration. Accepting the invitation requires the
AuthViewcomponent or a custom route that handles/auth/accept-invitation?invitationId=<INV_ID>in your application. When off, no email is sent and you handle invitations in your app (for example, via the invitation ID or the user invitation list).
Organizations
Use the following methods to manage the organization lifecycle.
Create an organization
Creates a new organization. The user creating it automatically becomes the Owner.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| name | string | ✓ | The display name of the organization |
| slug | string | ✓ | A URL-friendly identifier |
| logo | string | undefined | Optional URL to a logo image for the organization | |
| metadata | Record<string, any> | undefined | Optional JSON metadata for the organization | |
| userId | string | undefined | The user ID of the organization creator | |
| keepCurrentActiveOrganization | boolean | undefined | If true, does not switch the active session to the new organization |
const { data, error } = await authClient.organization.create({
name: 'My Organization',
slug: 'my-org',
logo: 'https://example.com/logo.png',
metadata: { plan: 'pro' },
keepCurrentActiveOrganization: false,
});Check organization slug
Checks if an organization slug is available.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| slug | string | ✓ | The slug to check |
const { data, error } = await authClient.organization.checkSlug({
slug: 'my-org',
});List organizations
Lists all organizations the current user is a member of.
View parameters
This method does not take any parameters.
const { data, error } = await authClient.organization.list();In a React component, you can use the useListOrganizations hook to fetch and display organizations:
import { authClient } from './auth';
export default function OrganizationList() {
const { data: organizations } = authClient.useListOrganizations();
return (
<div>
{organizations?.map((org) => (
<p>{org.name}</p>
))}
</div>
);
}Set active organization
Switches the user's active context to a specific organization.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| organizationId | string | null | The ID to set as active. Pass null to unset. | |
| organizationSlug | string | undefined | Alternatively, pass the slug to set as active. |
const { data, error } = await authClient.organization.setActive({
organizationId: 'org_12345678',
});Get active organization
Retrieves full details of the currently active organization.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| organizationId | string | undefined | Optional ID to get details for (defaults to active org) | |
| organizationSlug | string | undefined | Optional slug to get details for | |
| membersLimit | number | undefined | Limit members returned in the response (default: 100) |
const { data, error } = await authClient.organization.getFullOrganization({
query: {
organizationId: 'org-id',
organizationSlug: 'org-slug',
membersLimit: 10,
},
});In a React component, you can use the useActiveOrganization hook to fetch and display the active organization:
import { authClient } from './auth';
export default function ActiveOrganization() {
const { data: organization } = authClient.useActiveOrganization();
return (
<div>
<h1>{organization?.name}</h1>
<p>Members: {organization?.members.length}</p>
</div>
);
}Update organization
Updates organization details. Requires Owner or Admin permissions.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| data | object | ✓ | Object containing fields to update (name, slug, logo, metadata) |
| organizationId | string | The ID of the organization to update |
await authClient.organization.update({
data: {
name: 'New Name',
metadata: { plan: 'enterprise' },
},
organizationId: 'org-id',
});Delete organization
Deletes the organization and all associated data. Requires Owner permission.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| organizationId | string | ✓ | The ID of the organization to delete |
const { data, error } = await authClient.organization.delete({
organizationId: 'org-id',
});Invitations
Manage invitations to join an organization.
Invitation Emails
Invitation emails are supported when Send Invitation Email is enabled in the organization config. This also requires Verify email at signup in the Authentication configuration. Accepting an email invitation requires the AuthView component or a custom route handling /auth/accept-invitation?invitationId=<INV_ID> in your app.
When the email toggle is off, handle invitations in your app using the invitation ID or the user invitation list.
Invite member
Sends an invitation to a user.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| string | ✓ | Email address to invite | |
| role | string | ✓ | Role to assign (owner, admin, member) |
| organizationId | string | undefined | ID of the organization (defaults to active org) | |
| resend | boolean | undefined | If true, resends email if invitation already exists |
const { data, error } = await authClient.organization.inviteMember({
email: 'new-user@example.com',
role: 'member',
resend: true,
});Accept invitation
Accepts an invitation using the invitation ID.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| invitationId | string | ✓ | The ID from the invitation link |
const { data, error } = await authClient.organization.acceptInvitation({
invitationId: 'invitation-id',
});Reject invitation
Declines an invitation that the user has received and chooses not to accept.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| invitationId | string | ✓ | The ID of the invitation to reject |
const { data, error } = await authClient.organization.rejectInvitation({
invitationId: 'invitation-id',
});Cancel invitation
Cancel a pending invitation that has been sent to a user.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| invitationId | string | ✓ | The ID of the invitation to cancel |
const { data, error } = await authClient.organization.cancelInvitation({
invitationId: 'invitation-id',
});Get invitation
Retrieves details of a specific invitation.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| query.id | string | ✓ | The ID of the invitation to retrieve |
const { data, error } = await authClient.organization.getInvitation({
query: {
id: 'invitation-id',
},
});List invitations
Lists all pending invitations for an organization.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| query.organizationId | string | undefined | Defaults to the active organization |
const { data, error } = await authClient.organization.listInvitations({
query: {
organizationId: 'org-id',
},
});List user invitations
Lists all invitations received by the current user.
View parameters
This method does not take any parameters.
const { data, error } = await authClient.organization.listUserInvitations();Members
Manage users within the organization.
List members
Lists members with support for pagination, sorting, and filtering.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| query.organizationId | string | undefined | Defaults to the active organization | |
| query.limit | number | undefined | Items per page (default: 100) | |
| query.offset | number | undefined | Items to skip | |
| query.sortBy | string | undefined | Field to sort by (for example, createdAt) | |
| query.sortDirection | "asc" | "desc" | undefined | Sort direction | |
| query.filterField | string | undefined | Field to filter by | |
| query.filterOperator | "eq" | "ne" | "gt" | "contains" etc. | Operator for filtering | |
| query.filterValue | string | undefined | Value to filter for |
const { data, error } = await authClient.organization.listMembers({
query: {
limit: 20,
offset: 0,
sortBy: 'createdAt',
sortDirection: 'desc',
filterField: 'role',
filterOperator: 'eq',
filterValue: 'admin',
},
});Update member role
Updates a member's role.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| memberId | string | ✓ | The ID of the member to update |
| role | string| string[] | ✓ | New role(s) to assign (owner, admin, member) |
| organizationId | string | undefined | Defaults to active organization |
const { data, error } = await authClient.organization.updateMemberRole({
memberId: 'member-id',
role: 'admin',
});Remove member
Removes a member from the organization.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| memberIdOrEmail | string | ✓ | Member ID or Email address |
| organizationId | string | undefined | Defaults to active organization |
const { data, error } = await authClient.organization.removeMember({
memberIdOrEmail: 'member-id-or-email',
});Get active member
Gets the current user's membership details for the active organization.
View parameters
This method does not take any parameters.
const { data, error } = await authClient.organization.getActiveMember();Get Active Member Role
Gets the current user's role(s) in the active organization.
View parameters
This method does not take any parameters.
const { data, error } = await authClient.organization.getActiveMemberRole();Leave organization
Removes the current user from an organization.
View parameters
| Parameter | Type | Required | Notes |
|---|---|---|---|
| organizationId | string | ✓ | The ID of the organization to leave |
const { data, error } = await authClient.organization.leave({
organizationId: 'org-id',
});Access Control
The Organization plugin includes a Role-Based Access Control (RBAC) system.
| Role | Permissions |
|---|---|
| Owner | Full control. Can delete the organization and manage all roles. The user who creates the organization is automatically assigned this role. |
| Admin | Can invite members, update roles, and manage organization settings. Cannot delete the organization. |
| Member | Read-only access to organization data. Cannot manage other members. |
You can check permissions on the client side using checkRolePermission:
const canDelete = authClient.organization.checkRolePermission({
permission: {
organization: ['delete'],
},
role: 'admin', // returns false, admins cannot delete orgs
});
// console.log(canDelete); // falseLimitations
Because Neon Auth is a managed service, some Better Auth features are not currently supported:
- Teams: The Teams sub-feature is not currently enabled.
- Hooks: Server-side hooks (for example,
beforeCreateOrganization) are not supported. - Custom Permissions: You cannot currently define custom roles or modify default permissions.
- Dynamic Access Control: Dynamic creation of roles via API is not enabled.
Check the Neon Auth roadmap for updates on these features.
Need help?
Join our Discord Server to ask questions or see what others are doing with Neon. For paid plan support options, see Support.