Manage the authentication experience
Auth and access
Access policies are the ground rules for who can join your product and how sign-in works across your entire Kinde environment. Settings here apply to every organization by default, so they are the first place to shape onboarding, security, and the experience your customers have when they register or sign in.
With access policies, you can:
If you need different rules for specific customers, you can override these defaults per organization on the Kinde Scale plan. See Set access policies for an organization.
Let people create their own accounts without you adding them manually. Allow self sign-up is enabled by default.
Turn this off if you want an invitation-only or admin-managed model—for example, internal tools, enterprise customers you onboard yourself, or apps where every user must be approved first. You can still add users manually, import them, or send invitations. See Disable self sign-up.
Limit sign-up to specific email domains—for example, only @yourcompany.com for an internal app, or @partner.com for a partner portal.
Enter domains in the Allowed domains list. This only applies when Allow self sign-up is enabled.
domain.com and not https://www.domain.com.On the Kinde Scale plan, you can also set domain restrictions per organization. See Set access policies for an organization.
Let new customers create their own organization (workspace, account, team—whatever you call it in your product) when they register. This is the foundation of self-serve B2B onboarding: a company signs up, gets its own organization, and becomes the first admin.
Switch this on if you offer a “Start free trial” or “Create your workspace” flow where each customer is a separate business. Switch it off if you create organizations yourself—for example, when you provision accounts for enterprise customers or manage all organizations in the Kinde dashboard.
Your application must route users through the organization-creation sign-up flow for this to take effect. If you have developers on your team, see Allow organization creation on sign up and Organizations for developers.
When someone belongs to more than one organization, Kinde normally shows an organization picker at sign-in. Enable Sign users in to most recent org to skip that screen and sign them straight into the organization they used last.
This works well if your app already has its own organization switcher and you want returning users to land in their last workspace without an extra step. Leave it off if you want users to choose their organization on every sign-in, or if most of your users only belong to one organization.
See Sign users in to last organization for more details.
Passkeys require a Kinde paid plan.
Passkeys let users sign in with biometrics (Face ID, fingerprint) or a device PIN instead of typing a password. They are more secure than passwords alone and faster for users who sign in regularly.
When users sign in through a social provider (Google, GitHub, etc.) or an enterprise connection (Microsoft Entra ID, SAML, and so on), Kinde can refresh their profile details—such as name, email, and picture—from that provider each time they sign in.
Switch this on to keep user records accurate when people update their details at their identity provider. This is especially important if you rely on enterprise SSO, where profile data is managed outside Kinde.
Leave it on if you use social or enterprise sign-in. You only need to switch it off if you intentionally manage profile data only within Kinde and do not want external updates to overwrite it.
Some enterprise connections also have their own profile sync setting—both the global policy here and the connection setting need to be enabled for sync to work. See About users.
When users receive a one-time code by email or SMS—for multi-factor authentication, passwordless sign-in, or password reset—this setting controls how long the code stays valid.
If member invitations are available on your plan, an Invitations section appears on the Policies page. These settings control whether organization members can invite other people into their organization and which application handles invitation links.
Switch on Allow invitations to let users invite others into their organization.
In Invite application, select the application that invitation links should use. The list contains your standard Front-end and mobile and Back-end web applications. This determines where invited users land when they accept an invitation.
When Allow invitations is disabled, invitation features are hidden across the organization self-serve portal, and any attempt to accept an existing invitation is blocked.
If invitations are enabled but the selected Invite application is missing or not fully configured (no Application login URI), invitation links are blocked and the invitee sees an error. Make sure the chosen application has a valid login URL configured.
This setting works together with the Members and roles function of the organization self-serve portal. See Enable self-serve portal for orgs.
Global access policies can be overridden at the individual organization level if you are on a Kinde Scale plan and activate the Advanced organization feature.
| To… | Do this… |
|---|---|
| Allow anyone to sign up to your applications. | Select Allow self sign-up. |
Allow only people from specificdomain.com to sign up to your applications. | Select Allow self sign-up and enter specificdomain.com in the Allowed domains list. |
| Allow anyone to sign up to your applications and create an organization if they are a business. | Select Allow self sign-up and Allow organization creation on sign up. |
| Let organization members invite other people into their organization. | Select Allow invitations and choose an Invite application. |