Multi-Organization Support
Inkog supports enterprise multi-tenancy with organization-based isolation and role-based access control.
Multi-org support enables enterprises to manage multiple teams, projects, or business units with isolated scan data and fine-grained access control.
Overview
Organizations in Inkog provide:
- Tenant isolation - Scans, findings, and API keys are scoped to organizations
- Role-based access control - Owner, Admin, and Member roles with distinct permissions
- Audit trails - All actions logged with organization context
- Baseline management - Per-organization suppression policies
Organization Roles
| Role | Description | Permissions |
|---|---|---|
| Owner | Organization creator or designated owner | Full access including org deletion |
| Admin | Elevated privileges for management | Manage members, settings, API keys |
| Member | Standard access | View scans, submit feedback |
Permission Matrix
| Action | Owner | Admin | Member |
|---|---|---|---|
| View scans | Yes | Yes | Yes |
| Create scans | Yes | Yes | Yes |
| Submit feedback | Yes | Yes | Yes |
| Manage API keys | Yes | Yes | No |
| Manage members | Yes | Yes | No |
| Manage settings | Yes | Yes | No |
| Delete organization | Yes | No | No |
| Transfer ownership | Yes | No | No |
API Authentication
Organization-Scoped API Keys
API keys can be scoped to organizations for CI/CD pipelines:
# Create org-scoped API key
curl -X POST https://api.inkog.io/v1/orgs/{org_id}/api-keys \
-H "Authorization: Bearer {user_token}" \
-H "Content-Type: application/json" \
-d '{
"name": "CI/CD Pipeline - Production",
"scopes": ["scan:create", "scan:read"]
}'Using Org-Scoped Keys
When using an org-scoped API key, all operations are automatically scoped to that organization:
# Scans are automatically associated with the org
inkog -path ./agent -api-key ink_org_xxxxxUser Authentication
User authentication is handled through Clerk, with automatic organization sync:
Step 1: Sign in via Clerk
Users authenticate through the Clerk-powered sign-in flow.
Step 2: Organization Sync
Organization memberships are synced from Clerk automatically via webhooks.
Step 3: Access Scoped Resources
Users can only access scans and resources within their organizations.
Dashboard Features
Organization Switcher
The dashboard includes an organization switcher for users with multiple org memberships:
// Organization context is available throughout the dashboard
const { currentOrg, switchOrg, organizations } = useOrganization();Scoped Views
All dashboard views respect organization context:
- Dashboard home - Shows stats for current organization
- Scan history - Filtered to current organization
- API keys - Scoped to current organization
- Settings - Organization-specific settings
API Endpoints
List Organizations
GET /v1/orgs
Authorization: Bearer {user_token}Returns organizations the authenticated user belongs to:
{
"organizations": [
{
"id": "org_abc123",
"name": "Acme Corp",
"role": "owner",
"created_at": "2025-01-01T00:00:00Z"
},
{
"id": "org_def456",
"name": "DevTeam",
"role": "member",
"created_at": "2025-06-15T00:00:00Z"
}
]
}Get Organization Details
GET /v1/orgs/{org_id}
Authorization: Bearer {user_token}Requires membership in the organization.
List Organization Members
GET /v1/orgs/{org_id}/members
Authorization: Bearer {user_token}Requires Admin or Owner role:
{
"members": [
{
"user_id": "user_abc123",
"email": "alice@example.com",
"name": "Alice Smith",
"role": "owner",
"joined_at": "2025-01-01T00:00:00Z"
},
{
"user_id": "user_def456",
"email": "bob@example.com",
"name": "Bob Jones",
"role": "member",
"joined_at": "2025-06-15T00:00:00Z"
}
]
}Get Organization Stats
GET /v1/orgs/{org_id}/stats
Authorization: Bearer {user_token}Returns aggregated statistics:
{
"total_scans": 1234,
"findings_by_severity": {
"critical": 5,
"high": 23,
"medium": 89,
"low": 156
},
"avg_risk_score": 42,
"agents_scanned": 15,
"last_scan_at": "2025-12-28T10:30:00Z"
}Audit Logging
All organization actions are logged for compliance:
{
"event_type": "org.member.added",
"actor_id": "user_abc123",
"actor_type": "user",
"org_id": "org_xyz789",
"resource_type": "org_membership",
"resource_id": "user_def456",
"action": "add",
"metadata": {
"role": "member",
"invited_by": "alice@example.com"
},
"created_at": "2025-12-28T10:30:00Z"
}See Audit Logging for more details.
Best Practices
1. Use Org-Scoped API Keys for CI/CD
Create dedicated API keys for each pipeline:
# GitHub Actions example
- name: Run Inkog Scan
uses: inkog-io/inkog-action@v1
with:
api-key: ${{ secrets.INKOG_ORG_API_KEY }}2. Assign Minimum Necessary Roles
Follow principle of least privilege:
- Most developers should be Members
- Team leads or security engineers should be Admins
- Only one or two people should be Owners
3. Use Suppressions for Known Issues
Instead of ignoring findings, use suppressions with justifications:
POST /v1/orgs/{org_id}/suppressions
{
"pattern_id": "universal_prompt_injection",
"file_path": "agent/tools.py",
"reason": "accepted_risk",
"justification": "Input is sanitized upstream - see SEC-123"
}4. Review Audit Logs Regularly
Monitor for suspicious activity:
GET /v1/orgs/{org_id}/audit-logs?event_types=api_key.created,org.member.addedRelated
- Suppressions - Baseline and exception management
- Audit Logging - Activity tracking
- Authorization - Agent-level authorization