
Organization Invitations

Category: Collaboration
Last Updated: Feb 4, 2026
Tags: collaboration, compliance, blockchain

Overview

A joint counter-terrorism task force needs to bring analysts from three agencies onto the same investigation within hours, each arriving with precisely the role they need and nothing more. That is the scenario the Organization Invitations module is built for. IT administrators send cryptographically signed, time-limited email invitations that encode the recipient's role at the moment of dispatch. The invitee clicks once, passes token verification, and lands in the platform with access already scoped to their assignment. No manual provisioning ticket, no temporary over-privileged account.

Every new user starts from a zero-privilege baseline. Access exists only when a role has been explicitly assigned through an accepted invitation or a subsequent provisioning action. This default is non-negotiable across all multi-tenant deployments on the platform.

Open Standards

  • GraphQL (June 2018 specification): All invitation and participant management operations are exposed as a typed GraphQL API, using queries and mutations that follow the GraphQL specification for schema definition, introspection, and response format.
  • SAML 2.0 (OASIS): The module integrates with SAML 2.0 identity providers (including Zitadel and Keycloak) so that invited users can complete the acceptance flow via federated single sign-on rather than a local credential.
  • OpenID Connect 1.0 / OAuth 2.0 (RFC 6749): OIDC is supported as an alternative federation path for invitation acceptance; the underlying OAuth 2.0 authorisation framework governs token issuance and delegation to the platform after an invitee authenticates.
  • RFC 4122 (UUID): Every invitation record, participant record, and email template is keyed by a version-4 UUID, and invitation tokens are generated using a cryptographically random URL-safe encoding of equivalent entropy.
  • ISO 8601: All expiry, acceptance, and audit timestamps are serialised and exchanged as ISO 8601 date-time strings, ensuring unambiguous interchange across time zones.
  • SMTP (RFC 5321) with STARTTLS: Invitation emails are dispatched over SMTP on port 587 using STARTTLS for transport-layer encryption, with both HTML and plain-text body parts conforming to RFC 2822 message structure.
  • Role-Based Access Control (NIST RBAC model, ANSI/INCITS 359-2004): Roles are assigned to invitees at dispatch time and enforced on acceptance, implementing the NIST least-privilege principle; participants begin from a zero-privilege baseline and gain only the permissions bound to their assigned role.

Last Reviewed: 2026-02-04 Last Updated: 2026-04-14

Key Features

  • Email Invitation System: Invite users to join organisations via email with secure, time-limited tokens and professional email templates
  • Role Assignment at Dispatch: Assign organisational roles at invitation time so permissions are active the moment the invitation is accepted, with no manual follow-up step
  • Token Acceptance Flow: Secure, cryptographic verification of invitation tokens with comprehensive validation against replay, reuse, and expiry
  • Invitation Management: Full lifecycle tools covering expiration, resend rate limiting, and cancellation
  • Member Management: Manage organisation members post-invitation with role updates and access control
  • Multi-Organisation Support: Tenant-isolated invitation workflows supporting multiple organisations on the platform, with each invitation scoped to a single organisation
  • Complete Audit Trail: Full tracking of invitation creation, delivery, acceptance, and expiry recorded in PostgreSQL for compliance reporting
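The Overview and the Token Acceptance Flow item describe signed, time-limited, role-bound tokens checked against replay, reuse and expiry. The sketch below is an added example, not the platform's own code, showing one way those checks fit together. The HMAC-SHA256 construction, the 72-hour lifetime, the in-memory stores and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TTL_SECONDS = 72 * 3600                # assumption: the page does not state a lifetime
INVITATIONS = {}   # stand-in for the invitation table: token id -> status
MEMBERSHIPS = {}   # (org, email) -> role; no entry means zero privileges

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> str:
    return b64e(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_invitation(email, org, role, now=None):
    """Bind recipient, organisation and role into the token at dispatch time."""
    now = int(time.time()) if now is None else now
    claims = {"jti": secrets.token_urlsafe(32), "email": email, "org": org,
              "role": role, "exp": now + TTL_SECONDS}
    INVITATIONS[claims["jti"]] = "pending"
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body)

def accept_invitation(token, org, now=None):
    """Return (role, reason); role is None unless every check passes."""
    now = int(time.time()) if now is None else now
    body, sep, tag = token.partition(".")
    # Verify the signature before parsing anything the caller controls.
    if not sep or not hmac.compare_digest(tag.encode(), sign(body).encode()):
        return None, "bad_signature"
    claims = json.loads(b64d(body))
    if claims["org"] != org:                         # tenant isolation
        return None, "wrong_organisation"
    if now >= claims["exp"]:                         # time limit
        return None, "expired"
    if INVITATIONS.get(claims["jti"]) != "pending":  # replay, reuse, cancellation
        return None, "not_pending"
    INVITATIONS[claims["jti"]] = "accepted"          # single use
    MEMBERSHIPS[(org, claims["email"])] = claims["role"]
    return claims["role"], "accepted"
```

In a database-backed store the pending-to-accepted transition has to be one conditional update, so that two concurrent clicks on the same link cannot both succeed.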

Use Cases

  • Multi-organisation investigations requiring controlled information sharing between agencies
  • Task force formation where members arrive with defined access levels and nothing broader
  • Cross-jurisdictional case collaboration enabling joint investigation workflows between law enforcement and national security partners
  • Temporary access provisioning for external consultants, legal advisors, and technical experts
  • Inter-agency coordination establishing secure shared workspaces for joint operations
  • Multi-tenant platform onboarding for new partner organisations in government and enterprise deployments

Integration

  • Identity providers (SAML 2.0, OIDC, Zitadel, Keycloak) for single sign-on and directory-backed provisioning
  • Email notification systems for invitation delivery and delivery tracking
  • Organisational directory services for downstream user provisioning
  • Compliance reporting platforms for audit documentation and NIS2 evidence packages
