Workaround for inviting users without Super Admin being in the org? #7381
I’m currently building a web app where a Super Admin provisions organizations, assigns an owner, and then adds additional members. The issue I’m running into is that the Super Admin must be a member of the organization, otherwise when attempting to invite users I get a member not found error. Is there any workaround for this? I’d rather avoid direct DB writes and continue using the built-in better-auth APIs if possible.
Replies: 1 comment
Hi @kxngHunter! I'm Dosu and I’m helping the better-auth team.

The "member not found" error happens because the better-auth invitation API always checks that the inviter is a member of the target organization—there's no built-in way to bypass this, even for Super Admins, and no config flag to relax the requirement. Hooks like beforeCreateInvitation can't override this check either; it's enforced before any invitation is created or sent [source].

If you want to avoid direct DB writes, the most common workaround is to use a service account or system user that is a member of every org (or is added/removed as needed) and use their session to send invitations [source]. Some teams automate this by having the Super Admin join the org, send invites, then leave, but this is a bit clunky.

There are community workarounds using custom middleware or "anonymous sessions," but these require advanced customization and aren't officially supported. They often involve tricking the session system or using a service account, but still need a valid session token for the inviter [source].

A feature for public organization invitation links (where anyone with the link can join, optionally restricted by domain) is proposed but not yet merged—this would eventually allow inviting users without the inviter being a member, but it's not available in the current stable release [source].

Right now, using a service account session is the cleanest approach if you want to stick to official APIs and avoid direct DB writes.
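The "added/removed as needed" variant of the service-account workaround from the reply, as an added example that is not from the thread or from better-auth. `OrgStore` is a hypothetical, synchronous in-memory stand-in that only mirrors the inviter-membership check; `inviteAsServiceAccount`, `SERVICE_ACCOUNT_ID`, the role and the audit strings are assumptions.

```typescript
// Hypothetical in-memory model (added example, not better-auth code).
type Role = "owner" | "admin" | "member";
interface Actor { id: string; isSuperAdmin: boolean }
interface Membership { orgId: string; userId: string; role: Role }
interface Invitation { orgId: string; email: string; inviterId: string }

class OrgStore {
  members: Membership[] = [];
  invitations: Invitation[] = [];
  audit: string[] = [];

  isMember(orgId: string, userId: string): boolean {
    return this.members.some((m) => m.orgId === orgId && m.userId === userId);
  }
  addMember(orgId: string, userId: string, role: Role): void {
    if (!this.isMember(orgId, userId)) this.members.push({ orgId, userId, role });
  }
  removeMember(orgId: string, userId: string): void {
    this.members = this.members.filter((m) => !(m.orgId === orgId && m.userId === userId));
  }
  // Mirrors the check described in the reply: the inviter must belong to the org.
  createInvitation(orgId: string, inviterId: string, email: string): void {
    if (!this.isMember(orgId, inviterId)) throw new Error("member not found");
    this.invitations.push({ orgId, email, inviterId });
  }
}

const SERVICE_ACCOUNT_ID = "svc-inviter"; // constructed identifier

function inviteAsServiceAccount(store: OrgStore, caller: Actor, orgId: string, email: string): void {
  // Only a Super Admin may borrow the service account; denials are logged too.
  if (!caller.isSuperAdmin) {
    store.audit.push("DENY " + caller.id + " invite " + email + " org " + orgId);
    throw new Error("forbidden");
  }
  // Join only if not already a member, so cleanup never removes a standing membership.
  const joinedTemporarily = !store.isMember(orgId, SERVICE_ACCOUNT_ID);
  if (joinedTemporarily) store.addMember(orgId, SERVICE_ACCOUNT_ID, "admin"); // role is an assumption
  try {
    store.createInvitation(orgId, SERVICE_ACCOUNT_ID, email);
    store.audit.push("ALLOW " + caller.id + " invite " + email + " org " + orgId);
  } finally {
    // Runs even if the invite throws, so the service account does not linger in the org.
    if (joinedTemporarily) store.removeMember(orgId, SERVICE_ACCOUNT_ID);
  }
}
```

Because the invitation records the service account as inviter, the audit entry is the only place the real caller is attributed, so it should be written to durable storage in a real deployment.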