Overview
Organizations are the top-level tenant in EdgeFlow SaaS. Every device, flow, deployment, and team member belongs to an organization. The platform enforces strict tenant isolation — users can only access resources within their organization.
Organization Structure
```json
{
  "id": "org_xyz789",
  "name": "Acme IoT",
  "slug": "acme-iot",
  "plan": "pro",
  "settings": {
    "default_timezone": "America/New_York",
    "notification_email": "ops@acme.com"
  },
  "metadata": {
    "industry": "manufacturing",
    "region": "us-east"
  },
  "created_at": "2026-01-15T10:00:00Z",
  "updated_at": "2026-02-21T12:00:00Z"
}
```
Team Roles
Each organization member has a role that determines their permissions. Roles are enforced by the API middleware on every request.
| Role | Users | Devices | Flows | Delete | Billing |
|---|---|---|---|---|---|
| Owner | Manage | Manage | Manage | Yes | Full |
| Admin | Manage | Manage | Manage | Yes | View |
| Member | View | Manage | Manage | No | No |
| Viewer | View | View | View | No | No |
Custom Permissions
Members can receive additional permissions beyond their role:
- users:manage — Invite and remove team members
- devices:manage — Create, update, and delete devices
- flows:manage — Create, update, and deploy flows
- resources:delete — Delete devices, flows, and deployments
Subscription Plans
Each organization is assigned a subscription plan that determines resource quotas, available features, and pricing.
| Feature | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Devices | 5 | 25 | 100 | Unlimited |
| Flows | 10 | Unlimited | Unlimited | Unlimited |
| Projects | 1 | 5 | Unlimited | Unlimited |
| Team Members | 3 | 10 | Unlimited | Unlimited |
| API Calls/Day | 10,000 | 100,000 | 1,000,000 | Unlimited |
Plan Features
| Feature | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Basic Dashboard | Yes | Yes | Yes | Yes |
| Email Alerts | Yes | Yes | Yes | Yes |
| Slack Integration | No | Yes | Yes | Yes |
| API Access | No | Yes | Yes | Yes |
| Advanced Analytics | No | No | Yes | Yes |
| Custom Webhooks | No | No | Yes | Yes |
| SSO | No | No | No | Yes |
| Priority Support | No | No | No | Yes |
| Custom SLA | No | No | No | Yes |
Tenant Isolation
The platform enforces tenant isolation at the middleware level. Every authenticated request is validated against the user's organization context:
- JWT token is validated and user ID extracted
- Organization membership and role are verified
- All database queries are scoped to the organization ID
- Cross-tenant access is rejected with 403 Forbidden
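The four checks above, written out as an added example (not EdgeFlow's own middleware code). It assumes HS256-signed tokens with `sub` and `exp` claims, an in-memory membership table, and the device column of the Team Roles table; the key, the user and device IDs, and the function names are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: HS256 with a shared secret
# Constructed sample data: (user_id, org_id) -> role, and devices per organization.
MEMBERSHIPS = {("usr_1", "org_xyz789"): "member", ("usr_2", "org_abc123"): "owner",
               ("usr_3", "org_xyz789"): "viewer"}
DEVICES = [{"id": "dev_1", "org_id": "org_xyz789"}, {"id": "dev_2", "org_id": "org_abc123"}]
# Devices column of the Team Roles table: role -> allowed device actions.
DEVICE_ACTIONS = {"owner": {"view", "manage"}, "admin": {"view", "manage"},
                  "member": {"view", "manage"}, "viewer": {"view"}}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl=300):
    """Mint an HS256 JWT for the demo (stands in for the login service)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_token(token):
    """Step 1: check algorithm, signature and expiry; return the user ID or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None  # refuse "none" and any other algorithm named in the header
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def handle_devices(token, org_id, action="view"):
    """Steps 2-4: membership and role check, then an organization-scoped query."""
    user_id = verify_token(token)
    if user_id is None:
        return 401, []
    role = MEMBERSHIPS.get((user_id, org_id))  # membership is looked up server-side
    if role is None or action not in DEVICE_ACTIONS[role]:
        return 403, []  # non-member (cross-tenant) or role lacks the action
    return 200, [d for d in DEVICES if d["org_id"] == org_id]
```

The organization ID passed to `handle_devices` stands for the `:id` in the request path; access depends on the membership lookup, so naming another tenant's ID yields 403 rather than its data.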
API Endpoints
```http
# List organizations
GET /api/v1/organizations
Authorization: Bearer <token>

# Get organization details
GET /api/v1/organizations/:id
Authorization: Bearer <token>

# Update organization
PUT /api/v1/organizations/:id
Authorization: Bearer <token>

{
  "name": "Acme IoT Corp",
  "settings": {
    "default_timezone": "Europe/London"
  }
}
```