This page is the detail for Setup overview — Step 1: Configure B2B.
Configure the B2B application settings to activate the invite flow, expose the Organization admin portal to org admins, and define how refresh tokens are invalidated based on member events.
If you don't have an application yet, open Applications in the Admin Portal and create an app before proceeding.
To create the client:
- In the Admin Portal, open Applications > [your app] > Clients.
- Add a new client and set PKCE to disabled. Only clients with PKCE disabled can be used for inviting members.
- Note the client name — you will select it in Configure the invite flow below.
In Admin Portal > Applications > [your app], locate the B2B application section.
Configure the addresses for redirecting users after completing the invite flow.
Application URI for inviting members
The URL in your app where users are redirected when they accept a membership invite — for example, https://your-app.example.com/login. The URL must be reachable by the invited user.
Client for inviting members
Select the OAuth client you created in Step 1 of this guide.
If you configure a B2B invite journey in SSO and Federation > Configuration > B2B invite journey, the journey is only invoked when the member belongs to an organization that is associated with the IDO SSO service app. Make sure the target organization is linked to that application before sending invitations.
Configure the URL to reach the Org admin portal:
Org admin portal domain
A subdomain prefix for the Org admin portal. The full URL will be:
<your-subdomain>.org.<environment-suffix>
For example, yourcompany.org.sbx.transmitsecurity.io. Each application must use a unique subdomain.
Set how long invite links remain valid after they are sent. Adjust to match your onboarding policy.
- Member invite link expiration in minutes
Accepted range: 5–10080 minutes (up to 7 days). Default: 2880 minutes (48 hours).
These toggles control whether a member's refresh tokens are invalidated when specific events occur. Enabling them forces re-authentication the next time the client tries to renew an access token.
Member suspension
Trigger: A member is suspended from an organization.
Recommendation: Enable — suspended members should not retain active sessions.
Member password reset
Trigger: A member resets their password.
Recommendation: Enable — ensures sessions end after a credential change.
Member role update
Trigger: A member's roles change.
Recommendation: Enable — ensures tokens reflect the updated role set immediately.
Enabling a toggle does not immediately end an active session. It invalidates the refresh token, so the session ends the next time the client attempts to obtain a new access token — at which point the user must re-authenticate.
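The timing described above (the access token keeps working until it expires, and only the next refresh attempt fails and forces a new login) is easy to get wrong on the client side. The following is an added example, not code from the Transmit Security documentation or SDK: a constructed in-memory token service stands in for the authorization server, and the client-side session shows where re-authentication has to be triggered. The `400 invalid_grant` response for a revoked refresh token is the standard OAuth 2.0 error shape and is an assumption here; the page does not specify the exact error the real token endpoint returns.

```python
from dataclasses import dataclass, field

# Which member events revoke refresh tokens. Mirrors the three toggles on the
# page; the values here are the recommended "Enable" settings.
DEFAULT_INVALIDATE_ON = {
    "member_suspension": True,
    "member_password_reset": True,
    "member_role_update": True,
}


@dataclass
class FakeTokenService:
    """Constructed stand-in for the authorization server's token endpoint.

    Tracks the refresh tokens still valid for one member and revokes them when a
    member event whose toggle is enabled occurs. The 400/invalid_grant reply on
    a revoked refresh token is an assumption (standard OAuth 2.0 error shape).
    """
    invalidate_on: dict = field(default_factory=lambda: dict(DEFAULT_INVALIDATE_ON))
    access_token_ttl: int = 300                      # seconds; constructed value
    _valid_refresh_tokens: set = field(default_factory=set)
    _issued: int = 0

    def issue_tokens(self) -> dict:
        """Issue a fresh access/refresh token pair (login or successful refresh)."""
        self._issued += 1
        refresh_token = f"rt-{self._issued}"
        self._valid_refresh_tokens.add(refresh_token)
        return {
            "access_token": f"at-{self._issued}",
            "refresh_token": refresh_token,
            "expires_in": self.access_token_ttl,
        }

    def member_event(self, event: str) -> bool:
        """Apply a member event; revoke refresh tokens only if its toggle is on."""
        if self.invalidate_on.get(event, False):
            self._valid_refresh_tokens.clear()
            return True
        return False

    def refresh(self, refresh_token: str):
        """Token endpoint: exchange a refresh token, rotating it on success."""
        if refresh_token not in self._valid_refresh_tokens:
            return 400, {"error": "invalid_grant"}
        self._valid_refresh_tokens.discard(refresh_token)
        return 200, self.issue_tokens()


class ClientSession:
    """Client-side session: serves the cached access token until it expires,
    then tries to renew it; a refused refresh ends the session."""

    def __init__(self, service: FakeTokenService, now: float):
        self.service = service
        self.reauth_required = False
        self._store(service.issue_tokens(), now)

    def _store(self, tokens: dict, now: float) -> None:
        self.tokens = tokens
        self.expires_at = now + tokens["expires_in"]

    def access_token(self, now: float):
        """Return a usable access token, or None when the user must log in again."""
        if self.reauth_required:
            return None
        if now < self.expires_at:
            return self.tokens["access_token"]       # still valid: no refresh attempted
        status, body = self.service.refresh(self.tokens["refresh_token"])
        if status == 200:
            self._store(body, now)
            return self.tokens["access_token"]
        # The refresh token was invalidated by a member event: end the session
        # here and send the user back through login.
        self.reauth_required = True
        self.tokens = {}
        return None


def simulate(event: str, toggle_enabled: bool) -> dict:
    """Walk through one member event and report what the client observes."""
    service = FakeTokenService(invalidate_on={event: toggle_enabled})
    t0 = 1_000.0                                      # constructed clock value
    session = ClientSession(service, t0)
    service.member_event(event)
    before_expiry = session.access_token(t0 + 60)     # inside the access token TTL
    after_expiry = session.access_token(t0 + 600)     # past TTL: client must refresh
    return {
        "token_served_after_event": before_expiry is not None,
        "reauth_required_at_refresh": session.reauth_required,
        "token_served_after_refresh": after_expiry is not None,
    }


if __name__ == "__main__":
    print(simulate("member_suspension", True))
    print(simulate("member_role_update", False))
```

With the suspension toggle enabled, `simulate` shows the access token still being served right after the event and re-authentication only becoming required at the first refresh; with a toggle disabled, the refresh succeeds and the session continues. If you need a suspended member cut off sooner than the access token lifetime allows, shorten that lifetime; the toggles alone do not do it.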
Public sign-up is an application setting that allows non-federated login flows to automatically create new users on first login. For B2B applications, the setting has two specific behaviors:
- Public sign-up doesn't gate SSO provisioning. Members are always created on their first successful login through the organization's identity provider, regardless of the public sign-up setting.
- Organizations can override the application setting. When an application is connected to an organization, the organization can disable public sign-up across all its connected applications. The organization-level setting takes precedence.
Non-federated login attempts that would create a user while public sign-up is disabled are rejected with HTTP 403 and the error code public_signup_disabled.
For B2B applications that use an invite-only model — where users must be invited by an organization admin — disable public sign-up so that self-registration is not available outside the invite flow. To review or change this setting:
- Per application: open Applications > [your app] > general settings and check the Public sign-up option (see Manage applications).
- Per organization: open B2B Identity > Organizations > [your org] and toggle Public sign-up.
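The interaction between the application toggle, the organization override, SSO provisioning and the invite flow is worth spelling out as a decision function. The block below is an added example, not code from the Transmit Security documentation: it models the rules stated above in plain Python so you can check how a given combination of settings resolves. The settings classes, the `invited` flag (an accepted invite creating the member even when public sign-up is off, which is what the invite-only model relies on) and the response bodies are assumptions made for this example; only the 403 status and the `public_signup_disabled` code come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Response for a non-federated login that would have created a user while
# public sign-up is off. Status and error code are from the page; the body
# shape is an assumption.
PUBLIC_SIGNUP_DISABLED = (403, {"error": "public_signup_disabled"})


@dataclass(frozen=True)
class ApplicationSettings:
    public_signup: bool             # the application-level toggle (assumed model)


@dataclass(frozen=True)
class OrganizationSettings:
    public_signup_disabled: bool    # org-level override across its connected apps


def effective_public_signup(app: ApplicationSettings,
                            org: Optional[OrganizationSettings]) -> bool:
    """Resolve the setting that applies to a login.

    An organization's decision to disable public sign-up takes precedence over
    the application setting; an organization cannot enable what the
    application has disabled. `org` is None when the app is not connected to
    an organization.
    """
    if org is not None and org.public_signup_disabled:
        return False
    return app.public_signup


def handle_first_login(app: ApplicationSettings,
                       org: Optional[OrganizationSettings],
                       *, federated: bool, user_exists: bool,
                       invited: bool = False):
    """Decide what happens to a login attempt. Returns (status, body).

    - Known users simply log in.
    - A federated (SSO) login always provisions the member; public sign-up
      does not gate it.
    - An accepted invite creates the member regardless of public sign-up
      (assumption: this is what keeps the invite flow working in an
      invite-only setup).
    - Any other first login may create a user only when public sign-up is
      effective; otherwise it gets 403 public_signup_disabled.
    """
    if user_exists:
        return 200, {"result": "login"}
    if federated:
        return 200, {"result": "user_created", "via": "sso_provisioning"}
    if invited:
        return 200, {"result": "user_created", "via": "invite"}
    if effective_public_signup(app, org):
        return 200, {"result": "user_created", "via": "public_signup"}
    return PUBLIC_SIGNUP_DISABLED


if __name__ == "__main__":
    # Invite-only setup: app toggle off, org also disables public sign-up.
    app = ApplicationSettings(public_signup=False)
    org = OrganizationSettings(public_signup_disabled=True)
    print(handle_first_login(app, org, federated=False, user_exists=False))
    print(handle_first_login(app, org, federated=False, user_exists=False, invited=True))
    print(handle_first_login(app, org, federated=True, user_exists=False))
```

Running the module shows the three outcomes an invite-only application should expect: an uninvited self-registration attempt is refused with 403, an invited member is created, and a member arriving through the organization's identity provider is provisioned regardless of the toggle.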