Organizations & teams for togo — multi-tenant auth with per-org roles, invites & branding.
```bash
togo install togo-framework/auth-platform
```

`auth-platform` adds the organization / team layer on top of the togo auth plugin — what Fort calls platforms and Laravel Jetstream calls teams. Users join orgs as members with a per-org role, are added by email invite, and every request is scoped to a current org (resolved from a header, subdomain, or claim). Each org carries its own settings and branding. It composes with auth but works standalone.

```go
import authplatform "github.com/togo-framework/auth-platform"

s, _ := authplatform.FromKernel(k)

// Create an org (the creator becomes the owner).
org, _ := s.CreateOrg("Acme Inc", "", ownerID)

// Invite by email, accept by token.
inv, _ := s.Invite(org.ID, "jane@acme.com", authplatform.RoleAdmin)
s.Accept(inv.Token, janeUserID)

// Roles & gating.
s.HasRole(org.ID, janeUserID, authplatform.RoleAdmin) // true
s.SetRole(org.ID, janeUserID, authplatform.RoleMember)

// Org switcher + per-org settings/branding.
orgs := s.OrgsForUser(userID)
s.SetSetting(org.ID, "feature.beta", true)
s.SetBranding(org.ID, authplatform.Branding{PrimaryColor: "#2C7BE2", LogoURL: "/logo.svg"})
```

```go
// Resolve the current org from X-Org-Id / ?org= / subdomain, then read it anywhere.
router.Use(s.ResolveOrg)
orgID := authplatform.OrgID(ctx)
org, _ := s.CurrentOrg(ctx)

// Gate a route by org role (403 otherwise).
router.With(s.RequireOrgRole(authplatform.RoleAdmin)).Post("/api/billing", handler)
```

`owner` > `admin` > `member` (ranked — `RequireOrgRole(admin)` is satisfied by owners). Custom role strings are allowed and matched by exact name.

| Method | Path | Purpose |
|---|---|---|
| `GET` | `/api/orgs` | orgs the current user belongs to (switcher) |
| `POST` | `/api/orgs` | create an org (creator = owner) |
| `GET`/`PATCH`/`DELETE` | `/api/orgs/{id}` | read / update branding+settings / delete |
| `GET` | `/api/orgs/{id}/members` | list members |
| `POST` | `/api/orgs/{id}/invites` | invite by email + role |
| `POST` | `/api/org-invites/accept` | accept an invite token |

The current user is read from the auth context (or X-User-Id for standalone use).
No required env. Data is held in a bounded in-memory store behind a small interface — back it with a database for persistence in production.
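
The ranked role gate and header-selected org described above, as an added sketch that is not the plugin's own code. The names `satisfies`, `members`, `requireRole` and `status` are hypothetical, the membership table is constructed, and the sketch assumes that "matched by exact name" means rank never applies to custom roles and that `X-User-Id` is set by a trusted upstream.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Built-in roles, ranked as the README states: owner > admin > member.
var rank = map[string]int{"member": 1, "admin": 2, "owner": 3}

// satisfies: built-in roles compare by rank; custom roles need an exact match.
func satisfies(have, need string) bool {
	if n, ok := rank[need]; ok && rank[have] > 0 {
		return rank[have] >= n
	}
	return have != "" && have == need // empty role (non-member) never passes
}

// members is a constructed membership table: org ID -> user ID -> role.
type members map[string]map[string]string

// requireRole: X-Org-Id only selects the org; the role always comes from the
// caller's membership in that org, so naming another org grants nothing.
func (m members) requireRole(need string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org, user := r.Header.Get("X-Org-Id"), r.Header.Get("X-User-Id")
		if !satisfies(m[org][user], need) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through the gate and returns the code.
func status(m members, need, org, user string) int {
	req := httptest.NewRequest("POST", "/api/billing", nil)
	req.Header.Set("X-Org-Id", org)
	req.Header.Set("X-User-Id", user)
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {})
	m.requireRole(need, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(members{"acme": {"u1": "owner"}}, "admin", "acme", "u1")) // 200
}
```

A user who is `admin` in one org and `member` in another passes the gate only when the request is scoped to the org where the role is held.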