AGNT Enterprise

Organizations and teams let your customers structure their users into enterprise workspaces with SSO, domain verification, and team-based access control — all scoped to your agnt account.

Concepts

Organization — an enterprise customer within your account (e.g., "Acme Corp"). Holds SSO configuration, verified domains, and a default team for new members.

OrganizationDomain — a verified domain (e.g., acme.com) that enables SSO auto-join. Verified via DNS TXT record.

Team — a named group of members within your account. Optionally linked to an organization. Members have a role (member, admin, owner) and a status (invited, active, archived).

TeamMember — a Member record's assignment to a team, with role and status.


Organizations

List organizations

bash
GET /organizations

Returns all organizations in the account.

json
{
  "ok": true,
  "organizations": [
    {
      "id": "org_123",
      "name": "Acme Corp",
      "defaultTeam": "team_456",
      "createdAt": "2025-01-01T00:00:00Z"
    }
  ],
  "page": 1,
  "perPage": 20,
  "total": 1
}

Create an organization

bash
POST /organizations
json
{ "name": "Acme Corp" }

Get an organization

bash
GET /organizations/:orgId

Returns full org detail including SSO config and connection status.

Update an organization

bash
PUT /organizations/:orgId
json
{ "name": "Acme Corp", "defaultTeam": "team_456" }

Delete an organization

bash
DELETE /organizations/:orgId

Deletes the org and all its domains. Teams that belonged to this org are unlinked (not deleted).


Domain Verification

Domains gate SSO auto-join. A user signing up with @acme.com can be automatically added to the org once acme.com is verified.

List domains

bash
GET /organizations/:orgId/domains

Add a domain

bash
POST /organizations/:orgId/domains
json
{ "domain": "acme.com", "autoJoin": true }

Returns the domain with TXT record instructions:

json
{
  "ok": true,
  "domain": {
    "id": "dom_789",
    "domain": "acme.com",
    "verified": false,
    "txtRecordName": "_agnt-verification.acme.com",
    "txtRecordValue": "agnt-verify-a1b2c3...",
    "autoJoin": true
  }
}

Add the TXT record to your DNS provider, then call verify.

Verify a domain

bash
POST /organizations/:orgId/domains/:domainId/verify

Performs a live DNS TXT record lookup. Returns the verified domain on success, or an error if the record is not found yet.
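A pre-check for the add-then-verify flow above, as an added example that is not AGNT's own code: it confirms the TXT record is visible with the exact value before the verify endpoint is called. The `resolve_txt` and `call_verify` callables are hypothetical stand-ins for your DNS resolver and HTTP client, and the token and lookup answers are constructed.

```python
import time


def txt_value(rdata):
    """Join one TXT rdata (a str, bytes, or sequence of chunks) into a string."""
    chunks = [rdata] if isinstance(rdata, (str, bytes)) else rdata
    parts = [c.decode("ascii", "replace") if isinstance(c, bytes) else c for c in chunks]
    # Presentation-format answers carry surrounding double quotes; drop them.
    return "".join(p.strip('"') for p in parts)


def txt_published(domain, answers):
    """True only if some TXT answer equals txtRecordValue exactly."""
    return any(txt_value(r) == domain["txtRecordValue"] for r in answers)


def verify_when_published(domain, resolve_txt, call_verify,
                          attempts=5, delay=30, sleep=time.sleep):
    """Poll DNS for the record, then trigger the verify endpoint once.

    resolve_txt(name) -> TXT answers; call_verify(domain_id) -> API response.
    Returns the API response, or None if the record never appeared.
    """
    for attempt in range(attempts):
        if txt_published(domain, resolve_txt(domain["txtRecordName"])):
            return call_verify(domain["id"])
        if attempt + 1 < attempts:
            sleep(delay)
    return None


# Constructed sample: shape of the "Add a domain" response, placeholder token.
DOMAIN = {"id": "dom_789", "domain": "acme.com", "verified": False,
          "txtRecordName": "_agnt-verification.acme.com",
          "txtRecordValue": "agnt-verify-EXAMPLE"}
# Constructed answers: first lookup sees only a stale token, second the real one.
LOOKUPS = iter([[(b"agnt-verify-EXAMPLE-old",)], [(b"agnt-verify-", b"EXAMPLE")]])

if __name__ == "__main__":
    result = verify_when_published(
        DOMAIN, lambda name: next(LOOKUPS),
        # Stub for POST /organizations/:orgId/domains/:domainId/verify.
        lambda domain_id: {"ok": True, "domain": {"id": domain_id, "verified": True}},
        sleep=lambda seconds: None)
    print(result)
```

The exact-match comparison means a stale or partially pasted token at the same record name does not trigger a verify call.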

Update a domain

bash
PUT /organizations/:orgId/domains/:domainId
json
{ "autoJoin": false }

SSO-managed domains (source: "sso") cannot be updated manually.

Remove a domain

bash
DELETE /organizations/:orgId/domains/:domainId

SSO-managed domains cannot be removed manually. Disable SSO first.


SSO Configuration

Update SSO config

bash
PUT /organizations/:orgId/sso

Configure the SSO provider and settings. Supported providers: google_workspace, azure_ad, saml_generic.

Google Workspace example:

json
{
  "enabled": true,
  "enforced": false,
  "provider": "google_workspace",
  "googleWorkspace": {
    "adminEmail": "admin@acme.com",
    "directoryScope": true
  },
  "memberSync": {
    "enabled": true,
    "method": "scim",
    "autoProvision": true,
    "autoDeactivate": false,
    "defaultRole": "member"
  }
}

SAML example:

json
{
  "enabled": true,
  "enforced": true,
  "provider": "saml_generic",
  "saml": {
    "entryPoint": "https://idp.acme.com/sso/saml",
    "issuer": "https://idp.acme.com",
    "certificate": "MIIDpDCCAoygAwIBAgI...",
    "attributeMapping": {
      "email": "email",
      "firstName": "firstName",
      "lastName": "lastName"
    }
  }
}

SCIM provisioning:

json
{
  "scim": {
    "enabled": true,
    "endpoint": "https://api.agnt.ai/scim/v2/org_123",
    "version": "2.0"
  }
}
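A review pass over an SSO request body before it is sent, as an added example that is not AGNT's own code. The function name and the findings are this example's; the comments mark where it assumes what `enforced`, `autoDeactivate` and the role values mean, since the page does not define them.

```python
from urllib.parse import urlparse

# Values listed on this page.
PROVIDERS = {"google_workspace", "azure_ad", "saml_generic"}
SYNC_METHODS = {"scim", "polling", "webhook"}

def review_sso_config(cfg):
    """Return review findings for a PUT /organizations/:orgId/sso body."""
    findings = []
    provider = cfg.get("provider")
    if provider not in PROVIDERS:
        findings.append(f"provider {provider!r} is not a supported value")
    if cfg.get("enabled") and not cfg.get("enforced"):
        # Assumption: enforced=false leaves non-SSO sign-in available.
        findings.append("SSO is enabled but not enforced")
    if provider == "saml_generic":
        saml = cfg.get("saml") or {}
        if urlparse(str(saml.get("entryPoint") or "")).scheme != "https":
            findings.append("saml.entryPoint is not an https URL")
        for key in ("issuer", "certificate"):
            if not saml.get(key):
                findings.append(f"saml.{key} is missing")
        if not (saml.get("attributeMapping") or {}).get("email"):
            findings.append("saml.attributeMapping.email is missing")
    sync = cfg.get("memberSync") or {}
    if sync.get("enabled"):
        if sync.get("method") not in SYNC_METHODS:
            findings.append(f"memberSync.method {sync.get('method')!r} is not a listed method")
        if sync.get("autoProvision") and not sync.get("autoDeactivate"):
            # Assumption: autoDeactivate=false keeps a member active after
            # the identity provider removes or disables the account.
            findings.append("autoProvision is on but autoDeactivate is off")
        if sync.get("defaultRole", "member") != "member":
            # Assumption: admin and owner carry more privilege than member.
            findings.append(f"defaultRole {sync['defaultRole']!r} is above member")
    return findings

# The two request bodies from this page, trimmed to the fields reviewed.
GOOGLE = {"enabled": True, "enforced": False, "provider": "google_workspace",
          "memberSync": {"enabled": True, "method": "scim", "autoProvision": True,
                         "autoDeactivate": False, "defaultRole": "member"}}
SAML = {"enabled": True, "enforced": True, "provider": "saml_generic",
        "saml": {"entryPoint": "https://idp.acme.com/sso/saml",
                 "issuer": "https://idp.acme.com", "certificate": "MIIDpDCCAoygAwIBAgI...",
                 "attributeMapping": {"email": "email"}}}

for name, body in (("google_workspace", GOOGLE), ("saml_generic", SAML)):
    print(name, review_sso_config(body))
```

Run against the page's own examples, the Google Workspace body yields two findings and the SAML body none.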

Disable SSO

bash
DELETE /organizations/:orgId/sso

Resets SSO config to disabled.

Regenerate SCIM token

bash
POST /organizations/:orgId/sso/scim-token
json
{ "ok": true, "scim": { "token": "a1b2c3..." } }

Generates a new SCIM bearer token. The previous token is immediately invalidated.


Teams

List teams

bash
GET /teams

Optional filters: ?organizationId=org_123, ?status=active.

Create a team

bash
POST /teams
json
{
  "name": "Engineering",
  "organizationId": "org_123",
  "adminApprovalRequired": false
}

organizationId is optional — teams can exist independently of an org.

Get a team

bash
GET /teams/:teamId

Update a team

bash
PUT /teams/:teamId
json
{ "name": "Platform Engineering", "status": "archived" }

Delete a team

bash
DELETE /teams/:teamId

Deletes the team and all its member records.


Team Members

List members

bash
GET /teams/:teamId/members

Optional filter: ?status=active.

Add a member

bash
POST /teams/:teamId/members
json
{ "memberId": "mem_abc", "role": "member" }

New members start with status: "invited".

Update a member

bash
PUT /teams/:teamId/members/:memberId
json
{ "role": "admin", "status": "active" }

Remove a member

bash
DELETE /teams/:teamId/members/:memberId

SSO Provider Reference

| Provider | provider value | Directory sync | SCIM |
| --- | --- | --- | --- |
| Google Workspace | google_workspace | Yes (domain-wide delegation) | Via SCIM |
| Azure AD / Entra ID | azure_ad | Yes (app permissions) | Via SCIM |
| Generic SAML 2.0 | saml_generic | No | Via SCIM |

Member sync methods

| Method | Description |
| --- | --- |
| scim | Identity provider pushes changes via SCIM 2.0 |
| polling | AGNT polls the directory on a configurable interval |
| webhook | Identity provider sends webhook events |