Skip to content
  • Build on Kinde
  • Set up options

Set global access policies for your business

Access policies are the ground rules for who can join your product and how sign-in works across your entire Kinde environment. Settings here apply to every organization by default, so they are the first place to shape onboarding, security, and the experience your customers have when they register or sign in.

With access policies, you can:

  • Allow anyone to sign up for an account
  • Create an organization when someone signs up (usually for B2B businesses)
  • Allow only users from specific domains to sign up (e.g., @yourdomain.com only)
  • Enable profiles from social providers to sync with Kinde profiles (recommended if you allow social sign-in)

If you need different rules for specific customers, you can override these defaults per organization on the Kinde Scale plan. See Set access policies for an organization.

Set policies for all organizations

Link to this section
  1. In Kinde, go to Settings > Environment > Policies.
  2. Make the required changes and select Save when you’re done.

Allow self sign-up

Link to this section

Let people create their own accounts without you adding them manually. Allow self sign-up is enabled by default.

Turn this off if you want an invitation-only or admin-managed model—for example, internal tools, enterprise customers you onboard yourself, or apps where every user must be approved first. You can still add users manually, import them, or send invitations. See Disable self sign-up.

Allowed domains

Link to this section

Limit sign-up to specific email domains—for example, only @yourcompany.com for an internal app, or @partner.com for a partner portal.

Enter domains in the Allowed domains list. This only applies when Allow self sign-up is enabled.

  • Use the format domain.com and not https://www.domain.com.
  • If you leave this empty, users from any domain can sign up.

On the Kinde Scale plan, you can also set domain restrictions per organization. See Set access policies for an organization.

Allow organization creation on sign up

Link to this section

Let new customers create their own organization (workspace, account, team—whatever you call it in your product) when they register. This is the foundation of self-serve B2B onboarding: a company signs up, gets its own organization, and becomes the first admin.

Switch this on if you offer a “Start free trial” or “Create your workspace” flow where each customer is a separate business. Switch it off if you create organizations yourself—for example, when you provision accounts for enterprise customers or manage all organizations in the Kinde dashboard.

Your application must route users through the organization-creation sign-up flow for this to take effect. If you have developers on your team, see Allow organization creation on sign up and Organizations for developers.

Sign users in to most recent org

Link to this section

When someone belongs to more than one organization, Kinde normally shows an organization picker at sign-in. Enable Sign users in to most recent org to skip that screen and sign them straight into the organization they used last.

This works well if your app already has its own organization switcher and you want returning users to land in their last workspace without an extra step. Leave it off if you want users to choose their organization on every sign-in, or if most of your users only belong to one organization.

See Sign users in to last organization for more details.

Passkeys let users sign in with biometrics (Face ID, fingerprint) or a device PIN instead of typing a password. They are more secure than passwords alone and faster for users who sign in regularly.

Sync user profiles on sign in

Link to this section

When users sign in through a social provider (Google, GitHub, etc.) or an enterprise connection (Microsoft Entra ID, SAML, and so on), Kinde can refresh their profile details—such as name, email, and picture—from that provider each time they sign in.

Switch this on to keep user records accurate when people update their details at their identity provider. This is especially important if you rely on enterprise SSO, where profile data is managed outside Kinde.

Leave it on if you use social or enterprise sign-in. You only need to switch it off if you intentionally manage profile data only within Kinde and do not want external updates to overwrite it.

Some enterprise connections also have their own profile sync setting—both the global policy here and the connection setting need to be enabled for sync to work. See About users.

MFA/OTP Code expiration duration

Link to this section

When users receive a one-time code by email or SMS—for multi-factor authentication, passwordless sign-in, or password reset—this setting controls how long the code stays valid.

  • The default expiry duration is 120 minutes (2 hours).
  • The expiry duration appears in your email templates automatically.
  • Set a shorter duration for higher-security environments.
  • Extend it if users often need more time to check their inbox or phone—for example, in regions with slower SMS delivery.

If member invitations are available on your plan, an Invitations section appears on the Policies page. These settings control whether organization members can invite other people into their organization and which application handles invitation links.

Switch on Allow invitations to let users invite others into their organization.

In Invite application, select the application that invitation links should use. The list contains your standard Front-end and mobile and Back-end web applications. This determines where invited users land when they accept an invitation.

When Allow invitations is disabled, invitation features are hidden across the organization self-serve portal, and any attempt to accept an existing invitation is blocked.

Policy setting quick reference

Link to this section

Global access policies can be overridden at the individual organization level if you are on a Kinde Scale plan and activate the Advanced organization feature.

To…Do this…
Allow anyone to sign up to your applications.Select Allow self sign-up.
Allow only people from specificdomain.com to sign up to your applications.Select Allow self sign-up and enter specificdomain.com in the Allowed domains list.
Allow anyone to sign up to your applications and create an organization if they are a business.Select Allow self sign-up and Allow organization creation on sign up.
Let organization members invite other people into their organization.Select Allow invitations and choose an Invite application.