# Configure B2B application settings

> This page is the **detail** for [Setup overview — Step 1: Configure B2B](/guides/user/b2b/b2b_setup-overview#step-1-configure-b2b).
Configure the B2B application settings to activate the invite flow, expose the Organization admin portal to org admins, and define how refresh tokens are invalidated based on member events.


## Step 1: Create app and OAuth client

If you don't have an application yet, in the **Admin Portal**, open **Applications** >[create an app](/guides/user/create_new_application) before proceeding.

To create the client:

1. In the **Admin Portal**, open **Applications** > [your app] > **Clients**.
2. [Add a new client](/guides/user/manage_clients) and set **PKCE** to **disabled**. Only clients with PKCE **disabled** can be used for inviting members.
3. Note the client name — you will select it in [Configure the invite flow](#configure-the-invite-flow) below.


## Step 2: Configure B2B app settings

In **Admin Portal** > **Applications** > [your app], locate the **B2B application** section.

### 1. Configure the invite flow

Configure the addresses for redirecting users after completing the invite flow.

- **Application URI for inviting members**
The URL in your app where users are redirected when they accept a membership invite — for example, `https://your-app.example.com/login`. The URL must be reachable by the invited user.
- **Client for inviting members**
Select the OAuth client you created in Step 1 of this guide.


Using a B2B invite journey
If you configure a B2B invite journey in **SSO and Federation** > **Configuration** > **B2B invite journey**, the journey is only invoked when the member belongs to an organization that is associated with the **IDO SSO service app**. Make sure the target organization is linked to that application before sending invitations.

### 2. Configure the Org admin portal domain

Configure the URL to reach the Org admin portal:

- **Org admin portal domain**
A subdomain prefix for the Org admin portal. The full URL will be:  `<your-subdomain>.org.<environment-suffix>`
For example, `yourcompany.org.sbx.transmitsecurity.io`. Each application must use a unique subdomain.


### 3. Set member invite link expiration

Set how long invite links remain valid after they are sent. Adjust to match your onboarding policy.

- **Member invite link expiration in minutes**
Accepted range: **5–10080 minutes** (up to 7 days).
Default: **2880 minutes** (48 hours).


### 4. Configure refresh token invalidation

These toggles control whether a member's refresh tokens are invalidated when specific events occur. Enabling them forces re-authentication the next time the client tries to renew an access token.

- **Member suspension**
Trigger: A member is suspended from an organization.
Recommendation: Enable — suspended members should not retain active sessions.
- **Member password reset**
Trigger: A member resets their password.
Recommendation: Enable — ensures sessions end after a credential change.
- **Member role update**
Trigger: A member's roles change.
Recommendation: Enable — ensures tokens reflect the updated role set immediately.


How refresh token invalidation works
Enabling a toggle does not immediately end an active session. It invalidates the **refresh token**, so the session ends the next time the client attempts to obtain a new access token — at which point the user must re-authenticate.

## Step 3: Manage public sign-up

Public sign-up is an application setting that allows non-federated login flows to automatically create new users on first login. For B2B applications, the setting behaves with two specifics:

- **Public sign-up doesn't gate SSO provisioning.** Members are always created on their first successful login through the organization's identity provider, regardless of the public sign-up setting.
- **Organizations can override the application setting.** When an application is connected to an organization, the organization can disable public sign-up across all its connected applications. The organization-level setting takes precedence.


Non-federated login attempts that would create a user when public sign-up is disabled return `403 public_signup_disabled`.

For B2B applications that use an **invite-only** model — where users must be invited by an organization admin — disable public sign-up so that self-registration is not available outside the invite flow. To review or change this setting:

- **Per application:** open **Applications** > [your app] > general settings and check the **Public sign-up** option (see [Manage applications](/guides/user/manage_apps#advanced-settings)).
- **Per organization:** open **B2B Identity** > **Organizations** > [your org] and toggle **Public sign-up**.


style
[data-component-name="Markdown/Markdown"] blockquote {
        border-left: 4px solid #BBC5FF !important;
        border-radius: 2px;
        background-color: #F1F2FF !important;
        padding: 20px 10px 15px 10px;
        margin: 10px 1px;
    }