In our guide on Protecting Backend APIs, we saw how to set up a /api/whoami route only accessible from logged-in users.

Now, we’re going to create a route that is scoped to an organization and can only be called by users with an Admin role in the specified organization.

Passing in an orgId in the URL

The API route we’re going to create is:

GET /org/:orgId/is-admin

This means that when the frontend makes a request, we expect it to tell us which organization is currently active. You can also configure PropelAuth such that each user can only be in one organization at a time, in which case you don’t need to pass in the orgId, however, we consider it good practice to be explicit here.

Choose your framework

  • Express

  • Node

  • Flask

  • FastAPI

  • Django

  • Python

  • Go

In the Protecting Backend APIs guide, we created this route, protected by requireUser:

const auth = require("./propelauth");

// requireUser is a middleware which validates the access token
app.get("/whoami", auth.requireUser, (req, res) => {
  res.text("Hello user with ID " + req.user.userId);

To create our new API, we can use the requireOrgMemberWithExactRole function:

// The extractor tells the library how to find the orgId
const orgIdInPathExtractor = (req) => req.params.orgId;
const requireAdminInOrg = auth.requireOrgMemberWithExactRole({
  role: "Admin",
  orgIdExtractor: orgIdInQueryExtractor,

app.get("/org/:orgId/is-admin", requireAdminInOrg, (req, res) => {
  console.log("req.user AND are set", req.user,
  res.text("Yes, you are an admin");

This middleware does a few things:

  • Makes sure the user is valid, and sets req.user if so. If not, it returns a 401.
  • Makes sure the user is in the specified organization, and sets if so. If not, it returns a 403.
  • Makes sure the user is an Admin within that organization. If not, it returns a 403.

Other authorization functions

You can also call:

  • requireOrgMember - to just check that the user is in the extracted organization
  • requireOrgMemberWithMinimumRole - checks requireOrgMember AND that the users role is at least the provided minimumRequiredRole
  • requireOrgMemberWithPermission - checks requireOrgMember AND that the user has the provided permission
  • requireOrgMemberWithAllPermissions - checks requireOrgMember AND that the user has all the provided permissions

A Note on Latency

Checking authorization information can be done with no external requests, as the tokens themselves contain authorization information. This means that checking the organization, role, and/or permissions adds virtually no latency to your requests.