From 028065409e2df7ccc6336255ebde4650286b59da Mon Sep 17 00:00:00 2001 From: tu Date: Fri, 31 Oct 2025 04:10:22 -0700 Subject: [PATCH 01/14] Reorganize and restructure Organization docs --- .../{ => add-members}/invitations.mdx | 33 ++- docs/guides/organizations/add-members/sso.mdx | 79 +++++++ .../{ => add-members}/verified-domains.mdx | 26 ++- docs/guides/organizations/configure.mdx | 181 ++++++++++++++++ .../control-access/check-access.mdx | 90 ++++++++ .../roles-and-permissions.mdx | 23 +- .../organizations/create-and-manage.mdx | 72 ++++++ .../organizations/org-slugs-in-urls.mdx | 7 +- docs/guides/organizations/overview.mdx | 205 +++++------------- .../{metadata.mdx => set-metadata.mdx} | 21 +- docs/guides/organizations/sso.mdx | 59 ----- docs/manifest.json | 50 ++++- redirects/static/docs.json | 35 +++ 13 files changed, 629 insertions(+), 252 deletions(-) rename docs/guides/organizations/{ => add-members}/invitations.mdx (75%) create mode 100644 docs/guides/organizations/add-members/sso.mdx rename docs/guides/organizations/{ => add-members}/verified-domains.mdx (78%) create mode 100644 docs/guides/organizations/configure.mdx create mode 100644 docs/guides/organizations/control-access/check-access.mdx rename docs/guides/organizations/{ => control-access}/roles-and-permissions.mdx (85%) create mode 100644 docs/guides/organizations/create-and-manage.mdx rename docs/guides/organizations/{metadata.mdx => set-metadata.mdx} (63%) delete mode 100644 docs/guides/organizations/sso.mdx diff --git a/docs/guides/organizations/invitations.mdx b/docs/guides/organizations/add-members/invitations.mdx similarity index 75% rename from docs/guides/organizations/invitations.mdx rename to docs/guides/organizations/add-members/invitations.mdx index 3136e774df..e592dd60a0 100644 --- a/docs/guides/organizations/invitations.mdx +++ b/docs/guides/organizations/add-members/invitations.mdx 
@@ -1,18 +1,28 @@ --- title: Invite users to your organization -description: Step-by-step guide on how to send, manage, and track user invitations within your multitenant SaaS, all using Clerk Organizations. +description: Send, manage, and track user invitations within your multi-tenant SaaS using Clerk Organizations. metadata: - title: Send and manage B2C/B2B organization invitations via Clerk + title: Send and manage Organization invitations via Clerk --- -Organization invitations allow you to add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, they will be redirected to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, they will be redirected to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). +Organization invitations let you add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, they will be redirected to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, they will be redirected to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). -By default, only admins can invite users to an organization. +By default, only [admins](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) can invite users to an organization. 
This feature requires that [**Email** is enabled](/docs/guides/configure/auth-strategies/sign-up-sign-in-options#email), as Clerk uses the user's email address to send the invitation. You can still disable **Email** as a sign-in option if you do not want users to be able to sign-in with their email address. To configure your application's **Email** settings, navigate to the [**User & authentication**](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) page in the Clerk Dashboard. +## When to use invitations + +Invitations work well when you need precise control over who joins your organization and which role they receive. This approach fits scenarios where: + +- Teams are small and members are known in advance +- Onboarding requires manual approval or review +- Specific roles need to be assigned during the invitation + +If you want to streamline enrollment for users with company email addresses, consider [verified domains](/docs/guides/organizations/add-members/verified-domains), which can automatically invite users based on their email domain. If customers require centralized authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/add-members/sso). + ## Create an invitation Clerk's [prebuilt components](/docs/reference/components/overview) and [Account Portal pages](/docs/guides/customizing-clerk/account-portal) manage all organization invitation flows, including creating, managing, and accepting invitations. 
@@ -21,7 +31,7 @@ However, if you want to build custom flows, see the following sections. ### Client-side -To create an organization invitation on the client-side, see the [dedicated guide](/docs/guides/development/custom-flows/organizations/manage-organization-invitations). Note that this uses the [`organizations.inviteMember()`](/docs/reference/javascript/organization#invite-member) method, which does not allow you to specify a redirect URL; it will always redirect to the Account Portal sign-in page. If you want to specify a redirect URL, you must create the invitation on the server-side. +To create an organization invitation on the client-side, see the [dedicated guide](/docs/guides/development/custom-flows/organizations/manage-organization-invitations). Note that this uses the [`organizations.inviteMember()`](/docs/reference/javascript/organization#invite-member) method, which does not let you specify a redirect URL; it will always redirect to the Account Portal sign-in page. If you want to specify a redirect URL, you must create the invitation on the server-side. ### Server-side 
@@ -87,7 +97,8 @@ Once the user visits the invitation link, they will be redirected to the page yo ### Invitation metadata -You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization Membership](/docs/reference/javascript/types/organization-membership) docs. +You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization +Membership](/docs/reference/javascript/types/organization-membership) docs. To add metadata to an invitation, add the `public_metadata` parameter when creating the invitation. 
@@ -144,3 +155,13 @@ Use the following tabs to see examples for each method. To use the JS Backend SDK to revoke an organization invitation, see the [`revokeOrganizationInvitation()`](/docs/reference/backend/organization/revoke-organization-invitation) reference documentation. + +## Next steps + +Now that you know how to invite users to your organization, you can: + +- [Configure verified domains](/docs/guides/organizations/add-members/verified-domains) to automatically invite users based on their email domain +- [Set up enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what invited users can access +- [Add metadata to invitations](/docs/guides/organizations/set-metadata) for tracking or custom workflows + diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx new file mode 100644 index 0000000000..4cbb696c07 --- /dev/null +++ b/docs/guides/organizations/add-members/sso.mdx 
@@ -0,0 +1,79 @@ +--- +title: Organization-level enterprise SSO +description: Integrate as many enterprise SSO methods within Clerk Organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. +metadata: + title: Set up organization-level SAML and OIDC for B2B/B2C apps +--- + +Clerk provides enterprise single sign-on (SSO) through a feature called **enterprise connections**. You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. When users sign up or sign in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). + +## When to use enterprise SSO + +Enterprise SSO works well when customers require centralized authentication through their Identity Provider. This approach fits scenarios where: + +- Enterprise customers have security requirements that mandate IdP-based authentication +- IT teams need to manage user provisioning from a central location +- Organizations want to maintain existing identity management workflows + +If you need manual control over who joins and their [roles](/docs/guides/organizations/control-access/roles-and-permissions), use [invitations](/docs/guides/organizations/add-members/invitations). If you want automatic enrollment without IdP requirements, use [verified domains](/docs/guides/organizations/add-members/verified-domains). + +## Common onboarding flows + +The timing of when you set up enterprise SSO depends on how customers adopt your product. The two common approaches are to create the organization and configure SSO before users sign in (top-down) or to let users start individually and add SSO later (bottom-up). 
+ +### Organization created first (top-down approach) + +This flow is common for enterprise sales where the relationship is established before users access the application. + +1. [Create an organization](/docs/guides/organizations/create-and-manage#create-an-organization) for your customer through the Clerk Dashboard. +1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. +1. Configure the enterprise SSO connection for the organization. +1. Invite users to the organization, who can then sign in using enterprise SSO. + +### User-initiated setup (bottom-up approach) + +This flow is common when individual users try the product before company-wide adoption. + +1. An end user signs up to evaluate your application, starting with an individual account. +1. After adopting the application, the user [creates an organization](/docs/guides/organizations/create-and-manage#create-an-organization) for their company. +1. Configure enterprise SSO for the organization through the Clerk Dashboard. +1. All subsequent users from that organization can now sign in using enterprise SSO. + +## Add an enterprise SSO connection for an organization + +Clerk supports enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. + +To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, the connection will be added for your entire application. 
+ +> [!WARNING] +> A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/add-members/verified-domains) for the same organization. + +## Enforce enterprise SSO by domain + +Enterprise SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: + +- Configure enterprise SSO for your primary domain (e.g., `company.com`) to enforce enterprise SSO authentication for employees. +- Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants). +- Each domain in an organization can have different authentication requirements. + +## Remove a member from your organization + +Users who joined through an enterprise connection cannot leave the organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}), or by another member with the [manage members permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions). + +Removed users will automatically rejoin the organization on their next sign-in unless you also remove them from the IdP or disconnect the enterprise connection. + +## Move an enterprise connection to a different organization + +When you reassign an enterprise connection to a new organization, existing members stay in the original organization. They will automatically join the new organization the next time they sign in. + +To remove these users from the original organization, use either the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}) or the Clerk Dashboard. 
+ +## Next steps + +Now that you've set up enterprise SSO, you can: + +- [Configure verified domains](/docs/guides/organizations/add-members/verified-domains) for users who don't use SSO +- [Invite specific users](/docs/guides/organizations/add-members/invitations) to your organization +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what SSO users can access +- [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via SSO + diff --git a/docs/guides/organizations/verified-domains.mdx b/docs/guides/organizations/add-members/verified-domains.mdx similarity index 78% rename from docs/guides/organizations/verified-domains.mdx rename to docs/guides/organizations/add-members/verified-domains.mdx index 49d8b1c6cb..1cb3dffc9d 100644 --- a/docs/guides/organizations/verified-domains.mdx +++ b/docs/guides/organizations/add-members/verified-domains.mdx 
@@ -5,15 +5,25 @@ metadata: title: Verified domains within Clerk Organizations (Step-by-Step) --- -Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. The role assigned to this user will be the role set as the [**Default** role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members) in the organization settings page. +Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. The role assigned to this user will be the role set as the [**Default** role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members) in the organization settings page. A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. > [!WARNING] -> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/guides/organizations/sso). +> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/guides/organizations/add-members/sso). The easiest way to add and verify domains, and manage all settings related to verified domains is to use Clerk's [``](/docs/reference/components/organization/organization-switcher) component. 
+## When to use verified domains + +Verified domains work well when you want to streamline enrollment for users with company email addresses. This approach fits scenarios where: + +- Company-wide rollouts need automatic or suggested membership +- Reducing onboarding friction for employees with approved email domains +- Enrollment can happen based on email domain without manual approval + +If you need precise control over specific people and their roles, use [invitations](/docs/guides/organizations/add-members/invitations). If customers require authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/add-members/sso). + ## Enable verified domains Enabling verified domains applies to all organizations and cannot currently be managed on a per-organization basis. @@ -44,7 +54,7 @@ After sign-up, a user will receive a **suggestion** for the organization if thei ### Membership requests -Membership requests are requests from users who saw an organization suggestion and requested to join an organization. Membership requests are only available for organizations that have the **Verified domains** feature enabled and the **Automatic suggestions** feature enabled in both the Dashboard and for the specific domain. +Membership requests are requests from users who saw an organization suggestion and requested to join an organization. Membership requests are only available for organizations that have the **Verified domains** feature enabled and **Automatic suggestion** enabled in both the Dashboard and for the specific domain. When a user sends an organization membership request, users with the `org:sys_memberships:manage` permission (by default, admins) will see a notification on their `` component. They will need to accept the request before the user can join the organization. 
@@ -77,3 +87,13 @@ domain.attemptAffiliationVerification({ code: '123456' }) // update domain enrollment mode domain.updateEnrollmentMode({ enrollmentMode: 'automatic_invitation' }) ``` + +## Next steps + +Now that you've configured verified domains, you can: + +- [Set up enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider +- [Invite specific users](/docs/guides/organizations/add-members/invitations) who don't match your verified domain +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what auto-enrolled users can access +- [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via verified domains + diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx new file mode 100644 index 0000000000..251a70b607 --- /dev/null +++ b/docs/guides/organizations/configure.mdx 
@@ -0,0 +1,181 @@ +--- +title: Configure Organizations +description: Learn how to configure global organization settings in the Clerk Dashboard, including pricing, membership limits, and optional features. +metadata: + title: Configure Organizations settings in Clerk Dashboard +--- + +Global organization settings control how Organizations work across your entire application. These settings determine who can create organizations, how members join them, what roles they receive, and which features are available. You'll configure most of these when you first enable Organizations, though you can adjust them later as your needs evolve. + +## Enable Organizations + +Organizations are disabled by default. When you enable organizations, Clerk offers two workspace models: + +- **Personal accounts disabled (recommended)**: Every user must belong to an organization. After signing up, users are prompted to create or join an organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application. + + > [!IMPORTANT] + > Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not see the **Allow personal accounts** setting, because personal accounts were enabled by default. + +- **Personal accounts enabled**: Users can operate in their own individual workspace or join organizations. They start in their personal account and can switch to organizations using the [``](/docs/reference/components/organization/organization-switcher) component. + +Most B2B and multi-tenant applications disable personal accounts. This ensures proper data isolation and team structure from the start. You should only enable personal accounts if your app serves both individual users and teams (like a tool that works for solo users but also has team features). 
+ +> [!NOTE] +> If you have existing users when you enable organizations with personal accounts disabled, they will be required to create or join an organization. + +To enable organizations: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Select **Enable Organizations**. +1. In the modal, toggle **Allow personal accounts** based on your decision above. +1. Select **Enable**. + +Organizations are measured by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. + +## Organization Options + +Once organizations are enabled, you can configure core features and behaviors. These settings control membership limits, verified domains, organization slugs, and whether to allow personal accounts alongside organizations. + +### Membership limits + +By default, each organization can have up to 5 members. You can increase this limit as your customer base grows, or set different limits for individual organizations if you have different pricing tiers. There is no limit to the number of organizations a user can be a member of. + +To change the global default: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. In the **Default membership limit** section, update the membership limit. + - **Free plan**: Maximum 5 members per organization + - **Pro plan**: Unlimited members per organization + +You can override this limit for individual organizations: + +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). +1. Select the organization you want to update. +1. In the **Membership limit** section, update the limit for that specific organization. + +Learn more about [adding members to organizations](/docs/guides/organizations/add-members/invitations). 
+ +### Personal accounts + +You can change the personal accounts setting after initial setup. This is useful if your product strategy evolves. For example, if you initially served only teams but now want to support individual users as well. + +To change this setting: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Toggle **Allow personal accounts**. + +Refer to the [Enable Organizations section](#enable-organizations) above for a detailed explanation of how personal accounts work. + +### Verified domains + +Verified domains allow automatic or suggested organization membership for users with specific email domains (like `@acme.com`). This is useful for company-wide rollouts where you want to streamline enrollment for employees with company email addresses. Members with the ["Manage domains" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can manage verified domains and enrollment modes. + +Learn more about [verified domains](/docs/guides/organizations/add-members/verified-domains). + +### Organization slugs + +Organization slugs are human-readable URL identifiers (like `acme-corp`) that help users reference which organization they're working in. Enable this feature if you need organization-specific URLs or if users frequently switch between multiple organizations. This is disabled by default for applications created after October 7, 2025. + +Learn more about [using organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls). + +## User-created Organizations + +After configuring organization features, you'll want to control who can create organizations. By default, end users can create organizations in your application, but you can restrict this if you prefer to manually provision organizations for customers. 
+ +### Allow user-created Organizations + +By default, users can create organizations in your application. You might want to disable this if you prefer to manually provision organizations for customers through the Clerk Dashboard or your own admin interface. + +To change this setting: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Toggle **Allow user-created organizations**. + +You can also override this permission for specific users in their profile page under **User permissions**. + +Learn more about [creating organizations](/docs/guides/organizations/create-and-manage). + +### Organization creation limit + +When user-created organizations are enabled, each user can create up to 100 organizations by default. You can configure this to set a lower limit or allow unlimited organizations. + +To change the default limit: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. In the **Organization limit** section, choose between: + - **Users can create unlimited organizations** + - **Users can create a limited number of organizations** (specify the limit) + +If you need users to create more than 100 organizations, [contact support](/contact/support){{ target: '_blank' }} to have the limit raised. + +To override this limit for a specific user: + +1. In the Clerk Dashboard, select [**Users**](https://dashboard.clerk.com/~/users). +1. Select the user you want to update. +1. In the **User permissions** section, configure their organization creation limit. + +### Default roles + +When users create or join organizations, they need to be assigned a role. These settings determine which roles are automatically assigned in different scenarios, whether someone is creating a new organization or joining an existing one. 
+ +#### Default role for members + +The default role for members is assigned to users when they join an organization through invitations or verified domain enrollment. By default, this is set to **Member**. + +This role is used: +- When sending invitations from the [``](/docs/reference/components/organization/organization-profile) component (pre-filled as default) +- When users auto-join via [verified domains](/docs/guides/organizations/add-members/verified-domains) +- As the suggested role for new organization members + +To change the default role: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. Select the three dots next to the role you want to set as default. +1. Choose **Set as Default role**. + +Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). + +#### Creator's initial role + +The creator's initial role is assigned to users when they create a new organization. By default, this is set to **Admin**, giving them full control over the organization they created. + +This role must have at least these [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions): +- Manage members (`org:sys_memberships:manage`) +- Read members (`org:sys_memberships:read`) +- Delete organization (`org:sys_profile:delete`) + +To change the creator role: + +1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. Ensure the role has the required system permissions listed above. +1. Select the three dots next to the role you want to set as creator role. +1. Choose **Set as Creator role**. + +Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). + +### Allow new members to delete organizations + +This setting controls whether organization members can delete organizations. 
+ +### Allow new members to delete Organizations + +By default, organizations are deletable. any member with the ["Delete organization" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. + +To prevent members from deleting organizations: + +1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. +1. Disable **Allow new members to delete organizations**. + +> [!NOTE] +> This setting only applies to newly created organizations. Existing organizations retain their current deletion settings. + +Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). + +## Next steps + +Now that you've configured global settings, you can: + +- [Create your first organization](/docs/guides/organizations/create-and-manage) and start adding members +- [Add members to your organization](/docs/guides/organizations/add-members/invitations) with invitations, verified domains, or SSO +- [Configure access control](/docs/guides/organizations/control-access/roles-and-permissions) with custom roles and permissions + diff --git a/docs/guides/organizations/control-access/check-access.mdx b/docs/guides/organizations/control-access/check-access.mdx new file mode 100644 index 0000000000..951963c408 --- /dev/null +++ b/docs/guides/organizations/control-access/check-access.mdx 
@@ -0,0 +1,90 @@ +--- +title: Check roles and permissions with authorization checks +description: Limit access to content or entire routes based on a user's organization role or permissions. +metadata: + title: Check roles and permissions in Organizations +--- + +Authorization checks verify that users can only access resources and perform actions they have permission for within an organization. These checks are essential for protecting sensitive data, gating premium features, and ensuring users stay within their allowed scope of access. + +Clerk provides two primary ways to perform these checks: the `has()` method for server-side logic and the `` component for conditional rendering in React. Both methods let you check against roles, permissions, features, and plans. + +## What you can check + +Authorization checks can verify roles and custom permissions. Roles like `org:admin` determine a user's level of access within an organization, while custom permissions like `org:invoices:create` provide fine-grained control over specific features and actions. + +> [!IMPORTANT] +> Custom permissions are linked to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). + +## Frontend checks with `` + +The `` component is the easiest way to conditionally show or hide content in React applications based on what a user can access. This works well for UI elements like buttons, sections, or entire page layouts that should only appear to users with specific access. You can show or hide content based on roles and permissions, render different layouts for different access levels, or display fallback messages when access is denied. 
+ +Use the `` component to conditionally render content based on role or permission: + +```tsx +import { Protect } from '@clerk/nextjs' + +export default function Dashboard() { + return ( +
+

Dashboard

+ + {/* Only show to org admins */} + + + + + {/* Only show to users with specific permission */} + + + + + {/* Display fallback when access is denied */} + You don't have access to reports.

}> + +
+
+ ) +} +``` + +## Server-side checks with `has()` + +While `` works well for the frontend, server-side checks are essential for securing API routes, backend logic, and data access. The `has()` method provides a way to verify access before performing sensitive operations or returning protected data. You'll use this when protecting API endpoints, controlling database operations, validating permissions before executing business logic, or returning different data based on user access. + +Use the `has()` method from the `auth()` object to check permissions on the server: + +```tsx +import { auth } from '@clerk/nextjs/server' + +export default async function handler(req, res) { + const { has, userId } = await auth() + + if (!userId) { + return res.status(401).json({ error: 'Unauthorized' }) + } + + // Check if user has admin role + if (!has({ role: 'org:admin' })) { + return res.status(403).json({ error: 'Forbidden' }) + } + + // Check if user has specific permission + if (!has({ permission: 'org:invoices:create' })) { + return res.status(403).json({ error: 'Forbidden' }) + } + + // Proceed with authorized action + // ... +} +``` + +## Next steps + +Now that you know how to check roles and permissions, you can: + +- [Read the complete authorization checks guide](/docs/guides/secure/authorization-checks) for advanced patterns including middleware protection and custom authorization logic +- [Learn how to check features and plans](/docs/guides/billing/for-b2b#control-access-with-features-plans-and-permissions) for subscription-based applications +- [Set up custom roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to define your access control model +- [Configure default roles](/docs/guides/organizations/configure#default-roles) for new organization members \ No newline at end of file 
diff --git a/docs/guides/organizations/roles-and-permissions.mdx b/docs/guides/organizations/control-access/roles-and-permissions.mdx similarity index 85% rename from docs/guides/organizations/roles-and-permissions.mdx rename to docs/guides/organizations/control-access/roles-and-permissions.mdx index 8b5c9046c8..3dce95b72d 100644 --- a/docs/guides/organizations/roles-and-permissions.mdx +++ b/docs/guides/organizations/control-access/roles-and-permissions.mdx @@ -1,17 +1,17 @@ --- title: Roles and permissions -description: Step-by-step guide on how to implement role based access control (RBAC) in B2C/B2B SaaS apps. You can set as many custom roles, assign privileges and access permissions, all using Clerk Organizations. +description: Implement role-based access control (RBAC) in your application. Set custom roles, assign privileges, and control access to resources using Clerk Organizations. metadata: title: B2B/B2C roles and permissions with Clerk Organizations --- -Clerk supports modeling your own custom role and permissions to control access to resources within your application when you use [organizations](/docs/guides/organizations/overview). +Roles and permissions let you control who can access specific resources and perform certain actions within each organization. Clerk provides default admin and member roles that cover common use cases. Clerk also supports modeling your own custom role and fine-grained permissions to that map to your application's features and team structure. ## Roles -Roles determine a user's level of access to the organization. You can extend a role's privileges and access to resources by adding [permissions](#permissions). +Each role defines what users can do and access within an organization. You can extend a role's capabilities by adding [permissions](#permissions). ### Default roles 
@@ -42,7 +42,7 @@ To reassign the **Creator** role: ### The **Default** role for members -New organization members are initially assigned the **Default** role. By default, that role is `org:member`. This role is used as a pre-filled default in `` invitations and for organization enrollment with [verified domains](/docs/guides/organizations/verified-domains). +New organization members are initially assigned the **Default** role. By default, that role is `org:member`. This role is used as a pre-filled default in `` invitations and for organization enrollment with [verified domains](/docs/guides/organizations/add-members/verified-domains). You cannot delete an organization role if it's used as the organization's **Default** role. But, you _can_ reassign the **Default** role to any other role. @@ -72,7 +72,7 @@ You can change a user's role in the Clerk Dashboard, or in your application, suc To change a user's role in the Clerk Dashboard: -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) and select an organization. +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) and select an organization. 1. Select the **Members** tab. 1. In the list of members, find the one whose role you want to change. 1. Select another role from their role dropdown. 
@@ -107,7 +107,7 @@ Clerk's system permissions consist of the following: You can assign these system permissions to any role. > [!WARNING] -> System permissions aren't included in [session claims](/docs/guides/sessions/session-tokens#default-claims). To check permissions on the server-side, you must [create custom permissions](#custom-permissions). +> System permissions aren't included in [session claims](/docs/guides/sessions/session-tokens#default-claims). If you need to check permissions on the server-side, you must [create custom permissions](#custom-permissions) for authorization checks in your application code. ### Custom permissions @@ -138,7 +138,10 @@ It's best practice to always verify whether or not a user is **authorized** to a ## Next steps -- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/secure/authorization-checks) -- [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/verified-domains) -- [Learn how to manually invite users to an organization](/docs/guides/organizations/invitations) -- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/sso) +Now that you've set up roles and permissions, you can: + +- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/organizations/control-access/check-access) +- [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/add-members/verified-domains) +- [Learn how to manually invite users to an organization](/docs/guides/organizations/add-members/invitations) +- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/add-members/sso) + 
diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx new file mode 100644 index 0000000000..dcbe1fc97e --- /dev/null +++ b/docs/guides/organizations/create-and-manage.mdx 
@@ -0,0 +1,72 @@ +--- +title: Create and manage organizations +description: Learn how to create and manage individual organizations in the Clerk Dashboard and in your application. +metadata: + title: Create and manage Organizations with Clerk +--- + +Organizations can be created by developers in the Clerk Dashboard or by end users in your application. Once created, you can manage individual organization profiles, update settings, and help users switch between multiple organizations. + +This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring membership), refer to [Configure Organizations](/docs/guides/organizations/configure). + +## Create an organization + +Organizations can be created in the Clerk Dashboard by developers or in your application by end users. The number of organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). + +### Create an organization in the Clerk Dashboard + +To create an organization in the Clerk Dashboard: + +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). +1. Select the **Create Organization** button. +1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. The slug is a unique identifier for the organization that is used in URLs, such as `example-name`. + +### Create an organization in your application + +By default, users have permission to create organizations within your application. When a user creates an organization, they become the organization's [admin](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) with full control over settings, members, and permissions. + +**Default limits**: Each user can create up to 100 organizations. 
To change creation permissions or limits, see the [Configure Organizations guide](/docs/guides/organizations/configure#user-created-organizations). + +The easiest way to allow users to create organizations is to use the [``](/docs/reference/components/organization/create-organization) and/or [``](/docs/reference/components/organization/organization-switcher) components. The `` component is more comprehensive, as it handles all organization flows including creation, switching, and management. + +If the prebuilt components don't meet your needs, you can build [custom flows](/docs/guides/development/custom-flows/overview) using the Clerk API. + +## Manage organizations + +As an application owner, you can manage all organizations in your application. This includes the organizations you created and those created by your users. You can view, update, and delete organizations, as well as manage their members and settings. + +### Manage organizations in the Clerk Dashboard + +To manage organizations in the Clerk Dashboard: + +1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) to view all organizations in your application. +1. Select a specific organization to view its details, members, invitations, and settings. +1. From here, you can update the organization's name, slug, logo, and public and private metadata. You can also adjust the organization's [membership limit](/docs/guides/organizations/configure#membership-limits). + +### Manage organizations in your application + +For managing organizations in your application, Clerk provides prebuilt components that handle organization management flows: + +- [``](/docs/reference/components/organization/organization-profile) - A profile page for the user's currently active organization where they can update settings and manage members. 
+- [``](/docs/reference/components/organization/organization-switcher) - A dropdown menu that handles all organization flows, including switching between organizations and managing the active organization's profile. +- [``](/docs/reference/components/organization/organization-list) - A list of organizations that a user is a member of, with options to switch between them. + +If the prebuilt components don't meet your needs, you can build [custom flows](/docs/guides/development/custom-flows/overview) using the Clerk API. + +## Switch between organizations + +Users who belong to multiple organizations can switch between them at any time. The currently selected organization is called the active organization. + +The [``](/docs/reference/components/organization/organization-switcher) component provides the easiest way for users to switch between organizations. If you need more control over the switching logic, you can use the `setActive()` method from the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook, or access it directly from the [`Clerk`](/docs/reference/javascript/clerk#set-active) object. + +If [personal accounts are enabled](/docs/guides/organizations/configure#personal-accounts), users can also switch to their personal account using the `` component. + +## Next steps + +Now that you know how to create and manage organizations, you can: + +- [Add custom data with organization metadata](/docs/guides/organizations/set-metadata) +- [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing +- [Invite members to organizations](/docs/guides/organizations/add-members/invitations) +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) + diff --git a/docs/guides/organizations/org-slugs-in-urls.mdx b/docs/guides/organizations/org-slugs-in-urls.mdx index 995432a27d..1d77eec326 100644 --- a/docs/guides/organizations/org-slugs-in-urls.mdx 
+++ b/docs/guides/organizations/org-slugs-in-urls.mdx @@ -19,7 +19,7 @@ metadata: }, { title: "Enable organization slugs for your application", - link: "/docs/guides/organizations/overview#organization-slugs", + link: "/docs/guides/organizations/configure#organization-slugs", icon: "globe", } ]} @@ -31,7 +31,7 @@ metadata: ]} /> -Organization slugs are human-readable URL identifiers that help users reference which organization they're working in. A common pattern for organization-scoped areas in an application is to include the organization slug in the URL path. +Organization slugs are human-readable URL identifiers (like `acme-corp` or `marketing-team`) that help users reference which organization they're working in. A common pattern for organization-scoped areas in an application is to include the organization slug in the URL path, making links sharable and providing clear context about which tenant the page belongs to. For example, a B2B application named "Petstore" has two customer organizations: **Acmecorp** and **Widgetco**. Each organization uses its name as a slug in the URL: 
@@ -111,7 +111,7 @@ This guide shows you how to add organization slugs to your app's URLs, configure ## Configure `clerkMiddleware()` to set the active organization > [!TIP] - > If your app doesn't use `clerkMiddleware()`, or you prefer to manually set the [active organization](!active-organization), use the [`setActive()`](/docs/reference/javascript/clerk) method to control the active organization on the client-side. + > If your app doesn't use `clerkMiddleware()`, or you prefer to manually set the [active organization](/docs/guides/organizations/overview#how-do-organizations-work), use the [`setActive()`](/docs/reference/javascript/clerk) method to control the active organization on the client-side. With [`clerkMiddleware()`](/docs/reference/nextjs/clerk-middleware), you can use the [`organizationSyncOptions`](/docs/reference/nextjs/clerk-middleware#organization-sync-options) property to declare URL patterns that determine whether a specific organization should be activated. @@ -280,3 +280,4 @@ This guide shows you how to add organization slugs to your app's URLs, configure + diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index c91c3fca85..1ac696e067 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -1,190 +1,89 @@ --- title: Organizations -description: Learn how to use Clerk Organizations to build scalable B2B auth features, user management, role based access control (RBAC), and per-organization invitation flows into your B2B SaaS. +description: Learn what Clerk Organizations are, how they work, and how to build secure multi-tenant B2B applications with team workspaces, role-based access control, and streamlined enrollment. metadata: - title: Overview - Build a B2B/B2C multi-tenant SaaS with Clerk Organizations + title: Organizations - Build multi-tenant B2B applications --- -Organizations are a flexible and scalable way to manage users and their access to resources within your Clerk application. With organizations, you can assign specific roles and permissions to users, making them useful for managing projects, coordinating teams, or facilitating partnerships. +Organizations let you group users with roles and permissions. This lets you build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users switch between different team contexts. + +Users can belong to multiple organizations, and Clerk provides the organization context in each session (memberships, roles, and the active organization). Your application uses this context to control what data to show and what actions to allow. > [!NOTE] -> To explore organizations in Clerk, check out the demo apps: +> Check out the demo apps to explore organizations in Clerk: > [https://github.com/clerk/orgs](https://github.com/clerk/orgs) -## Enable organizations in your application - -Organizations are disabled by default. - -To enable organizations: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Select **Enable Organizations**. 
- -Once organizations are enabled, you will be presented with the default settings, roles, and permissions that are applied to all organizations in that application instance. The following sections will explain these settings in more detail. - -## Roles and permissions - -Roles determine a user's level of access and permissions within an organization. Learn more about [how roles and permissions work and how to create your own with Clerk](/docs/guides/organizations/roles-and-permissions). - -## Membership limit - -There is no limit to the number of organizations a user can be a member of. - -However, there is a limit to how many total members can be in a single organization. By default, the membership limit is set to 5 members. To change this limit, scroll to the **Default membership limit** section and update the membership limit. - -If you are on the Free plan, you can update the membership limit to a maximum of 5 members. - -If you have the Pro plan, you can set the membership limit to unlimited. - -You can also change this limit on a per-organization basis: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). -1. Select the organization you want to update. -1. In the **Membership limit** section, update the membership limit. Note that this will not apply to organizations that already exist. - -## Allow new members to delete organizations - -By default, organizations are deletable. Any member with the "Delete organization" permission can delete an organization. To prevent organizations from being deleted, you can disable the ability to delete organizations by following these steps: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Disable **Allow new members to delete organizations**. Note that this will not apply to organizations that already exist. 
- -## Verified domains - -Verified domains can be used to streamline enrollment into an organization. For example, if the domain `@clerk.com` is added to an organization, any user with a `@clerk.com` email address can be automatically invited or be suggested to join this organization. This feature is useful for organizations that want to restrict membership to users with specific email domains. See the [guide on verified domains](/docs/guides/organizations/verified-domains) for more information. - -## Allow personal accounts - -In the Clerk Dashboard, there are two types of workspaces: - -- **Personal account**: A personal account/workspace is a user's unique, individual space, independent of any organization. -- **Organization workspace**: An organization workspace is owned and managed by an organization, which can have multiple members, also known as collaborators. The organization workspace that a user is currently viewing is called the [active organization](!active-organization). - -Most multi-tenant applications want every user to be part of an organization rather than operating in an isolated personal account. Accordingly, **personal accounts are disabled by default** once you enable organizations. After signing up, [a user must create or join an organization before they can proceed](/docs/guides/configure/session-tasks). - -To enable personal accounts for your application, toggle **Allow personal accounts** in the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. - -> [!IMPORTANT] -> Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not be able to see the **Allow personal accounts** setting, because personal account were enabled by default. +## How do Organizations work? -## Organization slugs +Organizations live within your Clerk application instances. 
A single instance can contain multiple organizations, each with multiple users: -Organization slugs are human-readable URL identifiers that help users reference which organization they're working in. +``` +Workspace +└── Application (can have multiple) + ├── Development instance + │ └── Organization (can have multiple) + │ └── User (can have multiple) + └── Production instance + └── Organization (can have multiple) + └── User (can have multiple) +``` -To enable it, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page in the Clerk Dashboard. +The organization that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. Users can switch between organizations using the [``](/docs/reference/components/organization/organization-switcher) component. -When enabled, organization slugs will be displayed in the [``](/docs/reference/components/organization/create-organization), [``](/docs/reference/components/organization/organization-list), and [``](/docs/reference/components/organization/organization-switcher) components. +Clerk measures organization usage through **Monthly Active Organizations (MAOs)**. An MAO is an organization with at least two users that have signed in that month, where at least one has interacted with the organization during the current billing cycle. Free plans include up to 50 MAOs in development and 100 in production. Pro plans offer unlimited development MAOs and start at 100 free production MAOs, then $1 per additional MAO. Refer to the [pricing page](/pricing){{ target: '_blank' }} for complete details. -> [!IMPORTANT] -> Organization slugs are disabled by default for applications created after October 7, 2025. For applications created before this date, you can opt to disable it. 
+### Core workflow -## Active organization +The core workflow consists of three stages: -When a user is a member of an organization, they can switch between different organizations. The organization workspace that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. +1. **Create**: Organizations can be created by developers in the Clerk Dashboard or by end users in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. -When personal accounts are disabled (the default), users must select or create an organization to continue. This is handled automatically in the [session tasks flow](/docs/guides/configure/session-tasks). +2. **Invite**: You can bring people into organizations in different ways depending on your needs: + - **Invitations** for bottoms-up adoption where individual users invite teammates with precise control over roles + - **Verified domains** for company-wide rollouts where users with matching email domains are automatically invited (and can join immediately) or suggested to join (requiring admin approval) + - **Enterprise connections** (for example: SSO, SAML, OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP) + + You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. -When personal accounts are enabled, users initially sign in to their personal account with **no** active organization set. 
The easiest way to allow users to set an organization as active is to use the [``](/docs/reference/components/organization/organization-switcher) component. If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can also use the `setActive()` method, which is returned by the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook. If you aren't using hooks, you can access the `setActive()` method from the [`Clerk`](/docs/reference/javascript/clerk#set-active) object. +3. **Control**: Access is managed through roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. -## Monthly Active Organization (MAO) +Beyond these core steps, you can also monitor organization health and growth with analytics in the Clerk Dashboard. This helps you spot which organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. -The number of organizations you can have in a single Clerk application depends on your [Clerk plan](/pricing){{ target: '_blank' }} and the type of instance (development or production), and is measured by Monthly Active Organizations (MAOs). An MAO is an organization with at least two users that have signed in that month, at least one of which must have interacted with the organization during the current billing cycle. +## Why Organizations? -With the Free plan: +Organizations help you build multi-tenant applications faster, support team collaboration at scale, and provide enterprise-grade access control. This model is especially valuable for B2B2C products in a growth stage and B2C products expanding into B2B. -- In development instances, you can have _up to_ 50 MAOs in a single Clerk application. 
Each MAO can have _up to_ 5 members. -- In production instances, you can have up to 100 MAOs in a single Clerk application. Each MAO can have up to 5 members. +### Enable secure team collaboration -With the Pro plan: +Modern applications need to support users who work across multiple teams or client accounts. Organizations provide the structure for this multi-tenant usage while keeping data boundaries clear. Users can switch between organizations without auth or data leakage between tenants. Each organization maintains its own settings, roles, and members, while users can belong to multiple organizations with a single account. -- In development instances, you can have an unlimited number of MAOs in a single Clerk application _for free_. Each MAO can have an unlimited number of members. -- In production instances, you can have up to 100 MAOs in a single Clerk application _for free_. Each MAO after the first 100 costs $1.00 per month. Each MAO can have an unlimited number of members. +### Automate team enrollment -For more information on pricing, see the [pricing page](/pricing){{ target: '_blank' }}. +Managing who can join an organization becomes easier when you can set enrollment rules. Verified domains let you automatically invite or suggest organizations to users with approved company emails. When a user signs up with a matching email domain, they can join the organization without manual approval. This streamlines onboarding for company-wide rollouts and reduces friction for IT administrators. -If you need more organizations or custom pricing, contact the [sales team](/contact/sales){{ target: '_blank' }} to upgrade to the Enterprise plan. +For B2B2C SaaS onboarding entire companies, verified domains handle the scale. When Acme Corp adopts your product, all @acme.com employees automatically join their company's organization without manual invitations. 
-## Manage organizations +### Support enterprise authentication -As the application owner, you have control over all of the organizations within your application - both those created by you and those created by your users. You can create, update, and delete organizations, as well as manage their members and settings. +Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, they are automatically added to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. -There are two ways to manage organizations: +As B2C products scale into enterprise customers, SSO becomes essential. Products that started with individual email sign-ups need to evolve to support IT-managed authentication for Fortune 500 buyers. -- [In the Clerk Dashboard](#manage-organizations-in-the-clerk-dashboard) -- [In your application](#manage-organizations-in-your-application) +### Control access with roles and permissions -### Manage organizations in the Clerk Dashboard +Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. The active organization's roles and permissions are embedded in the session, enabling you to check for [authorization checks](/docs/guides/organizations/control-access/check-access) without extra network requests. -To manage organizations in the Clerk Dashboard: +### Monitor organization growth -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). Here, you can view and manage all organizations in your application. -1. 
Select a specific organization to view its details, members, invitations, and settings. Here, you can update the organization's name, slug, logo, and public and private metadata. You can also set the organization's [membership limit](#membership-limit). +The Clerk Dashboard provides comprehensive organization growth tracking with the same level of insight you have for user growth. Track new, reactivated, retained, and churned organizations over time with detailed analytics. The organization growth chart shows activity breakdowns across each period, and you can analyze data across different time periods to see daily, weekly, or monthly active organizations. A detailed cohort table lets you drill into individual organizations and investigate specific trends by clicking chart segments. -### Manage organizations in your application - -For managing organizations in your application, Clerk provides a set of prebuilt components: - -- [``](/docs/reference/components/organization/create-organization) - A form for a user to create a new organization. -- [``](/docs/reference/components/organization/organization-profile) - A profile page for the user's currently active organization. -- [``](/docs/reference/components/organization/organization-list) - A list of organizations that a user is a member of. -- [``](/docs/reference/components/organization/organization-switcher) - A dropdown menu that handles all organization flows. It allows a user to create an organization, switch between organizations, and view their organization's profile, which allows them to manage the organization's settings, invitations, and current members. If [personal accounts are enabled](/docs/guides/organizations/overview#allow-personal-accounts), users can also switch to their personal account. - -If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can rebuild and customize the existing Clerk flows using the Clerk API. 
See the [custom flows](/docs/guides/development/custom-flows/overview) for more information. - -## Create an organization - -There are two ways to create an organization: - -- [In the Clerk Dashboard](#create-an-organization-in-the-clerk-dashboard) -- [In your application](#create-an-organization-in-your-application) - -How many organizations you can create depends on how many [MAOs](#monthly-active-organization-mao) you have. - -### Create an organization in the Clerk Dashboard - -To create an organization in the Clerk Dashboard: - -1. In the top in the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). -1. Select the **Create Organization** button. -1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. The slug is a unique identifier for the organization that is used in URLs, such as `example-name`. - -### Create an organization in your application - -By default, users have the permission to create organizations within your application. To configure this permission for all users: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. At the bottom of the page, in the **Limit creation** section, enable/disable **Allow new users to create organizations**. You can also configure the number of organizations that can be created by each user. By default, each user can create an unlimited number of organizations. - -If you want to only configure this permission for a specific user, you can override it on a per-user basis on the user's profile page in the Clerk Dashboard: - -1. In the top in the Clerk Dashboard, select [**Users**](https://dashboard.clerk.com/~/users). -1. Select the user you want to update. -1. In the **User permissions** section, enable/disable **Allow user to create organizations**. 
- -When a user creates an organization, they become the organization's admin. As the organization's admin, they have full control over the organization, including the ability to update the organization's settings, invite users to join the organization, and manage the organization's members. - -A single user within one of your applications can create _up to_ 100 organizations in that application. If you need users to be able to create more organizations than this, [contact support](/contact/support){{ target: '_blank' }} to have the limit raised. - -The easiest way to allow users to create organizations is to use the [``](/docs/reference/components/organization/create-organization) and/or [``](/docs/reference/components/organization/organization-switcher) components. The `` component is more comprehensive, as it handles all organization flows. - -## Organization invitations - -[Learn how to create and revoke organization invitations](/docs/guides/organizations/invitations). - -## Manage enterprise connections - -Single Sign-On (SSO) can be configured at the organization level, allowing organizations to use their own Identity Provider (IdP) for authentication. These are called **enterprise connections**. When configured: - -- Users can sign in through their organization's configured IdP -- Users are **automatically added as members** of the organization upon successful authentication -- Organizations can maintain their existing identity management workflows -- SAML 2.0 and OIDC protocols are supported - -For instructions on how to set up and manage SSO for your organizations, see the [dedicated guide](/docs/guides/organizations/sso). +For B2B products, organization-level analytics reveal which customer accounts are growing or churning. This helps you understand product-market fit at the account level, not just individual usage. 
## Next steps -- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/secure/authorization-checks) -- [Learn how to restrict memberships to an organization based on their email domain](/docs/guides/organizations/verified-domains) -- [Learn how to manually invite users to an organization](/docs/guides/organizations/invitations) -- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/sso) +Now that you understand what Organizations are and how they work, here's how to implement them: + +- [Configure global settings](/docs/guides/organizations/configure) +- [Create and manage organizations](/docs/guides/organizations/create-and-manage) +- [Invite members](/docs/guides/organizations/add-members/invitations) +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) \ No newline at end of file diff --git a/docs/guides/organizations/metadata.mdx b/docs/guides/organizations/set-metadata.mdx similarity index 63% rename from docs/guides/organizations/metadata.mdx rename to docs/guides/organizations/set-metadata.mdx index 49f1cfd541..2a39c41c04 100644 --- a/docs/guides/organizations/metadata.mdx +++ b/docs/guides/organizations/set-metadata.mdx @@ -5,7 +5,7 @@ metadata: title: Custom metadata for B2B authentication flows --- -Organization metadata allows you to store information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. +Organization metadata lets you store custom information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. This is useful for advanced user segmentation, analytics, or storing application-specific data like subscription tier, department, or region. There are two types of metadata: **public** and **private**. 
@@ -19,19 +19,26 @@ Both the `Organization` and `Organization Membership` objects have the metadata ## Set organization metadata -There are two ways to set organization metadata: +You can set organization metadata in the Clerk dashboard or using the [JS Backend SDK](/docs/js-backend/getting-started/quickstart). -- In the Clerk Dashboard -- Using the [JS Backend SDK](/docs/js-backend/getting-started/quickstart) - -### In the Clerk Dashboard +### Clerk Dashboard 1. In the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page. 1. Select the organization you want to update. 1. In the **Organization metadata** section, select **Edit** next to the metadata you want to update. -### Using the JS Backend SDK +### JS Backend SDK To ease the flow of setting metadata, Clerk provides the [`updateOrganizationMetadata()`](/docs/reference/backend/organization/update-organization-metadata) and [`updateOrganizationMembershipMetadata()`](/docs/reference/backend/organization/update-organization-membership-metadata) methods from the [JS Backend](/docs/js-backend/getting-started/quickstart), which is a wrapper around the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. + +## Next steps + +Now that you understand organization metadata, you can: + +- [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing +- [Add metadata to invitations](/docs/guides/organizations/add-members/invitations#invitation-metadata) to track invitation sources or assign attributes +- [Create and manage organizations](/docs/guides/organizations/create-and-manage) to see metadata in action +- [Check roles and permissions](/docs/guides/organizations/control-access/check-access) to control access based on metadata values + diff --git a/docs/guides/organizations/sso.mdx b/docs/guides/organizations/sso.mdx deleted file mode 100644 index ef132a1c46..0000000000 
--- a/docs/guides/organizations/sso.mdx +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Organization-level enterprise SSO -description: Integrate as many enterprise SSO methods within Clerk Organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. -metadata: - title: Set up organization-level SAML and OIDC for B2B/B2C apps ---- - -Clerk supports enabling enterprise SSO connections for specific organizations. When users sign up or sign in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members), which can be either `member` or `admin`. - -## Add an enterprise SSO connection for an organization - -Clerk supports enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. - -To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, the connection will be added for your entire application. - -> [!WARNING] -> A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/verified-domains) for the same organization. - -## Onboarding flows - -The two common onboarding flows for organizations with enterprise SSO are to either create an organization first or to have users initiate the setup themselves. 
- -#### Organization created first (top-down approach) - -This flow is common for enterprise sales where the relationship is established before users access the application. - -1. [Create an organization](/docs/guides/organizations/overview#create-an-organization) for your customer through the Clerk Dashboard. -1. Collaborate with the customer's IT administrator to obtain the necessary configuration details. -1. Configure the enterprise SSO connection for the organization. -1. Invite users to the organization, who can then sign in using enterprise SSO. - -#### User-initiated setup (bottom-up approach) - -This flow is common when individual users try the product before company-wide adoption. - -1. An end user signs up to evaluate your application, starting with an individual account. -1. After adopting the application, the user [creates an organization](/docs/guides/organizations/overview#create-an-organization) for their company. -1. Configure enterprise SSO for the organization through the Clerk Dashboard. -1. All subsequent users from that organization can now sign in using enterprise SSO. - -## Enforce enterprise SSO by domain - -Enterprise SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: - -- Configure enterprise SSO for your primary domain (e.g., `company.com`) to enforce enterprise SSO authentication for employees. -- Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants). -- Each domain in an organization can have different authentication requirements. 
- -## Manage memberships - -### Remove a member from your organization - -When a user is tied to an organization through their enterprise connection, they cannot leave the organization themselves, but they can be removed either in the Clerk Dashboard, using [Clerk's Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}) endpoint, or by another organization member with the [manage members permission](/docs/guides/organizations/roles-and-permissions#system-permissions) (`org:sys_memberships:manage`). However, the user will be added back to the organization on next sign-in, unless they are removed from the IdP or the enterprise connection is no longer associated with the organization. - -## Update an organization from an existing enterprise connection - -When transitioning an enterprise connection to a new organization, existing members will remain part of the original organization. However, they will automatically join the new organization upon their next sign-in. - -To remove members from the original organization, you have two options: utilize [Clerk's Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}) or manage memberships directly through the Clerk Dashboard. diff --git a/docs/manifest.json b/docs/manifest.json index c935a3fba2..9777c6d1c4 100644 --- a/docs/manifest.json +++ b/docs/manifest.json 
@@ -657,27 +657,55 @@ "href": "/docs/guides/organizations/overview" }, { - "title": "Verified domains", - "href": "/docs/guides/organizations/verified-domains" + "title": "Configure Organizations", + "href": "/docs/guides/organizations/configure" }, { - "title": "Roles and permissions", - "href": "/docs/guides/organizations/roles-and-permissions" + "title": "Create and manage Organizations", + "href": "/docs/guides/organizations/create-and-manage" }, { - "title": "Invitations", - "href": "/docs/guides/organizations/invitations" + "title": "Add members", + "collapse": true, + "items": [ + [ + { + "title": "Invitations", + "href": "/docs/guides/organizations/add-members/invitations" + }, + { + "title": "Verified domains", + "href": "/docs/guides/organizations/add-members/verified-domains" + }, + { + "title": "Enterprise SSO", + "href": "/docs/guides/organizations/add-members/sso" + } + ] + ] }, { - "title": "Metadata", - "href": "/docs/guides/organizations/metadata" + "title": "Control access", + "collapse": true, + "items": [ + [ + { + "title": "Roles and permissions", + "href": "/docs/guides/organizations/control-access/roles-and-permissions" + }, + { + "title": "Check roles and permissions", + "href": "/docs/guides/organizations/control-access/check-access" + } + ] + ] }, { - "title": "Manage enterprise SSO connections", - "href": "/docs/guides/organizations/sso" + "title": "Set organization metadata", + "href": "/docs/guides/organizations/set-metadata" }, { - "title": "Use org slugs in URLs", + "title": "Use organization slugs in URLs", "href": "/docs/guides/organizations/org-slugs-in-urls" } ] diff --git a/redirects/static/docs.json b/redirects/static/docs.json index 5d87745b86..1ac752fd49 100644 --- a/redirects/static/docs.json +++ b/redirects/static/docs.json 
@@ -4178,5 +4178,40 @@ "source": "/docs/authentication/saml/google", "destination": "/docs/guides/configure/auth-strategies/enterprise-connections/saml/google", "permanent": true + }, + { + "source": "/docs/guides/organizations/invitations", + "destination": "/docs/guides/organizations/add-members/invitations", + "permanent": true + }, + { + "source": "/docs/guides/organizations/verified-domains", + "destination": "/docs/guides/organizations/add-members/verified-domains", + "permanent": true + }, + { + "source": "/docs/guides/organizations/sso", + "destination": "/docs/guides/organizations/add-members/sso", + "permanent": true + }, + { + "source": "/docs/guides/organizations/roles-and-permissions", + "destination": "/docs/guides/organizations/control-access/roles-and-permissions", + "permanent": true + }, + { + "source": "/docs/guides/organizations/metadata", + "destination": "/docs/guides/organizations/set-metadata", + "permanent": true + }, + { + "source": "/docs/guides/organizations/create-and-manage/metadata", + "destination": "/docs/guides/organizations/set-metadata", + "permanent": true + }, + { + "source": "/docs/guides/organizations/create-and-manage/org-slugs-in-urls", + "destination": "/docs/guides/organizations/org-slugs-in-urls", + "permanent": true } ] From 9f7ac662ff5a2fd40d249b85ebebd6aa77af5b56 Mon Sep 17 00:00:00 2001 
From: tu Date: Fri, 31 Oct 2025 04:18:31 -0700 Subject: [PATCH 02/14] fix linting errors, hopefully fix build errors --- docs/_partials/has-warning.mdx | 2 +- docs/guides/billing/for-b2b.mdx | 2 +- .../account-updates/user-impersonation.mdx | 2 +- .../manage-membership-requests.mdx | 2 +- .../manage-organization-invitations.mdx | 2 +- .../organizations/manage-roles.mdx | 2 +- .../organizations/update-organizations.mdx | 2 +- .../override-clerk-types-interfaces.mdx | 2 +- .../sdk-development/backend-only.mdx | 2 +- .../development/sdk-development/fullstack.mdx | 2 +- .../upgrade-guides/core-2/backend.mdx | 2 +- .../organizations/add-members/invitations.mdx | 3 +-- docs/guides/organizations/add-members/sso.mdx | 1 - .../add-members/verified-domains.mdx | 1 - docs/guides/organizations/configure.mdx | 9 ++++--- .../control-access/check-access.mdx | 12 ++++----- .../control-access/roles-and-permissions.mdx | 1 - .../organizations/create-and-manage.mdx | 1 - .../organizations/org-slugs-in-urls.mdx | 1 - docs/guides/organizations/overview.mdx | 25 +++++++++---------- docs/guides/organizations/set-metadata.mdx | 1 - docs/guides/secure/authorization-checks.mdx | 4 +-- docs/guides/secure/basic-rbac.mdx | 2 +- docs/guides/secure/features.mdx | 2 +- .../create-organization-invitation-bulk.mdx | 2 +- .../create-organization-invitation.mdx | 2 +- .../create-organization-membership.mdx | 2 +- .../update-organization-membership.mdx | 2 +- docs/reference/backend/types/auth-object.mdx | 4 +-- docs/reference/components/control/protect.mdx | 4 +-- .../organization/organization-list.mdx | 2 +- .../organization/organization-profile.mdx | 2 +- docs/reference/javascript/organization.mdx | 2 +- docs/reference/javascript/session.mdx | 4 +-- .../organization-custom-permission-key.mdx | 2 +- .../javascript/types/organization-domain.mdx | 2 +- .../types/organization-invitation.mdx | 2 +- .../types/organization-membership.mdx | 4 +-- .../types/user-organization-invitation.mdx | 2 +- 39 files 
changed, 58 insertions(+), 65 deletions(-) diff --git a/docs/_partials/has-warning.mdx b/docs/_partials/has-warning.mdx index 0100d10827..5a9d932314 100644 --- a/docs/_partials/has-warning.mdx +++ b/docs/_partials/has-warning.mdx @@ -1,2 +1,2 @@ > [!WARNING] -> Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. +> Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. diff --git a/docs/guides/billing/for-b2b.mdx b/docs/guides/billing/for-b2b.mdx index aaafd8c25b..e0a8e75bc2 100644 --- a/docs/guides/billing/for-b2b.mdx +++ b/docs/guides/billing/for-b2b.mdx 
@@ -12,7 +12,7 @@ Clerk billing for B2B SaaS allows you to create plans and manage subscriptions * ## Create a plan -Subscription plans are what your customers subscribe to. There is no limit to the number of plans you can create. If your Clerk instance has existing [custom permissions](/docs/guides/organizations/roles-and-permissions), the corresponding features from those permissions will automatically be added to the free plan for orgs. This ensures that organization members get the same set of custom permissions when billing is enabled, because all organizations start on the free plan. +Subscription plans are what your customers subscribe to. There is no limit to the number of plans you can create. If your Clerk instance has existing [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions), the corresponding features from those permissions will automatically be added to the free plan for orgs. This ensures that organization members get the same set of custom permissions when billing is enabled, because all organizations start on the free plan. To create a plan, navigate to the [**Plans**](https://dashboard.clerk.com/~/billing/plans) page in the Clerk Dashboard. Here, you can create, edit, and delete plans. To setup B2B billing, select the **Plans for Organizations** tab and select **Add Plan**. When creating a plan, you can also create [features](/docs/guides/secure/features) for the plan; see the next section for more information. diff --git a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx index 9529495049..97618fd35e 100644 --- a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx +++ b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx 
@@ -13,7 +13,7 @@ This guide will walk you through how to build a custom flow that handles user im - The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. + The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. In the dashboard, the user will see a list of the application's users. When the user chooses to impersonate a user, they will be signed in as that user and redirected to the homepage. diff --git a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx index b6ef5af467..d2fdb4ce1d 100644 --- a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing [organization membership requests](/docs/guides/organizations/verified-domains#membership-requests). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing [organization membership requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). 
diff --git a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx index 8c6e8ffeb3..64cbb21ee7 100644 --- a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for creating -Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions) can invite new users to their organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. +Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions) can invite new users to their organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. Users with the appropriate permissions can also revoke organization invitations for users that have not yet joined, which will prevent the user from becoming an organization member. diff --git a/docs/guides/development/custom-flows/organizations/manage-roles.mdx b/docs/guides/development/custom-flows/organizations/manage-roles.mdx index c0ec7885e2..3db79da092 100644 --- a/docs/guides/development/custom-flows/organizations/manage-roles.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-roles.mdx 
@@ -5,7 +5,7 @@ description: Learn how to use the Clerk API build a custom flow for managing mem -Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions#permissions) can manage a member's [role](/docs/guides/organizations/roles-and-permissions#roles) and remove members within an organization. +Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) can manage a member's [role](/docs/guides/organizations/control-access/roles-and-permissions#roles) and remove members within an organization. This guide will demonstrate how to use the Clerk API to build a custom flow for managing member roles in an organization. diff --git a/docs/guides/development/custom-flows/organizations/update-organizations.mdx b/docs/guides/development/custom-flows/organizations/update-organizations.mdx index 519e9d0048..10ef856773 100644 --- a/docs/guides/development/custom-flows/organizations/update-organizations.mdx +++ b/docs/guides/development/custom-flows/organizations/update-organizations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for updating -Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions) can update an organization. +Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions) can update an organization. This guide will demonstrate how to use Clerk's API to build a custom flow for updating an organization. diff --git a/docs/guides/development/override-clerk-types-interfaces.mdx b/docs/guides/development/override-clerk-types-interfaces.mdx index 19e208b88d..8609cc4cf7 100644 --- a/docs/guides/development/override-clerk-types-interfaces.mdx +++ b/docs/guides/development/override-clerk-types-interfaces.mdx 
@@ -42,7 +42,7 @@ declare global { When defining custom types for roles and permissions: -- Custom permissions are merged with [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) +- Custom permissions are merged with [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) - Custom roles completely replace default roles (`org:admin` and `org:member`) ```tsx {{ filename: 'types/globals.d.ts' }} diff --git a/docs/guides/development/sdk-development/backend-only.mdx b/docs/guides/development/sdk-development/backend-only.mdx index 7ebe95f963..32d9d71d51 100644 --- a/docs/guides/development/sdk-development/backend-only.mdx +++ b/docs/guides/development/sdk-development/backend-only.mdx @@ -12,7 +12,7 @@ The source of truth for all BAPI endpoints is the [BAPI reference docs](/docs/re - User only needs to provide their [Secret Key](/docs/guides/development/sdk-development/terminology) - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of BAPI client (so that users can use all methods) -- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/roles-and-permissions) +- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) > [!IMPORTANT] > BAPI has [rate limits](/docs/guides/how-clerk-works/system-limits) to help protect users against brute-force attacks or stop abuse of Clerk's platform. Be sure to include a backoff mechanism into your fetching logic and respect the `Retry-After` header to gracefully handle any active rate limits. diff --git a/docs/guides/development/sdk-development/fullstack.mdx b/docs/guides/development/sdk-development/fullstack.mdx index 0ef762d88b..bdd687bdcf 100644 --- a/docs/guides/development/sdk-development/fullstack.mdx 
+++ b/docs/guides/development/sdk-development/fullstack.mdx @@ -14,7 +14,7 @@ A fullstack SDK combines the [frontend-only SDK](/docs/guides/development/sdk-de - User should be able to use [ClerkJS options](/docs/reference/javascript/clerk#clerk-options){{ target: '_blank' }} - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of [BAPI](/docs/guides/development/sdk-development/terminology) client (so that users can use all methods) -- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/roles-and-permissions) +- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) ## Optional features diff --git a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx index 987390cb5b..fcd2383faf 100644 --- a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx +++ b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx @@ -714,7 +714,7 @@ As part of this major version, a number of previously deprecated props, argument - The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/roles-and-permissions)). An example of where this type might be found: + The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions)). An example of where this type might be found: ```js import { useAuth } from '@clerk/clerk-react' diff --git a/docs/guides/organizations/add-members/invitations.mdx b/docs/guides/organizations/add-members/invitations.mdx index e592dd60a0..f27fd1d078 100644 --- a/docs/guides/organizations/add-members/invitations.mdx +++ b/docs/guides/organizations/add-members/invitations.mdx 
@@ -97,7 +97,7 @@ Once the user visits the invitation link, they will be redirected to the page yo ### Invitation metadata -You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization +You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization Membership](/docs/reference/javascript/types/organization-membership) docs. To add metadata to an invitation, add the `public_metadata` parameter when creating the invitation. @@ -164,4 +164,3 @@ Now that you know how to invite users to your organization, you can: - [Set up enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider - [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what invited users can access - [Add metadata to invitations](/docs/guides/organizations/set-metadata) for tracking or custom workflows - diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx index 4cbb696c07..5bc98b52a5 100644 --- a/docs/guides/organizations/add-members/sso.mdx +++ b/docs/guides/organizations/add-members/sso.mdx 
@@ -76,4 +76,3 @@ Now that you've set up enterprise SSO, you can: - [Invite specific users](/docs/guides/organizations/add-members/invitations) to your organization - [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what SSO users can access - [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via SSO - diff --git a/docs/guides/organizations/add-members/verified-domains.mdx b/docs/guides/organizations/add-members/verified-domains.mdx index 1cb3dffc9d..c5e3f718c5 100644 --- a/docs/guides/organizations/add-members/verified-domains.mdx +++ b/docs/guides/organizations/add-members/verified-domains.mdx @@ -96,4 +96,3 @@ Now that you've configured verified domains, you can: - [Invite specific users](/docs/guides/organizations/add-members/invitations) who don't match your verified domain - [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what auto-enrolled users can access - [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via verified domains - diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx index 251a70b607..87a34c066f 100644 --- a/docs/guides/organizations/configure.mdx +++ b/docs/guides/organizations/configure.mdx 
@@ -12,9 +12,9 @@ Global organization settings control how Organizations work across your entire a Organizations are disabled by default. When you enable organizations, Clerk offers two workspace models: - **Personal accounts disabled (recommended)**: Every user must belong to an organization. After signing up, users are prompted to create or join an organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application. - - > [!IMPORTANT] - > Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not see the **Allow personal accounts** setting, because personal accounts were enabled by default. + + > [!IMPORTANT] + > Personal accounts being disabled by default was released on August 22, 2025. Applications created before this date will not see the **Allow personal accounts** setting, because personal accounts were enabled by default. - **Personal accounts enabled**: Users can operate in their own individual workspace or join organizations. They start in their personal account and can switch to organizations using the [``](/docs/reference/components/organization/organization-switcher) component. @@ -123,6 +123,7 @@ When users create or join organizations, they need to be assigned a role. These The default role for members is assigned to users when they join an organization through invitations or verified domain enrollment. By default, this is set to **Member**. This role is used: + - When sending invitations from the [``](/docs/reference/components/organization/organization-profile) component (pre-filled as default) - When users auto-join via [verified domains](/docs/guides/organizations/add-members/verified-domains) - As the suggested role for new organization members 
@@ -140,6 +141,7 @@ Learn more about [roles and permissions](/docs/guides/organizations/control-acce The creator's initial role is assigned to users when they create a new organization. By default, this is set to **Admin**, giving them full control over the organization they created. This role must have at least these [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions): + - Manage members (`org:sys_memberships:manage`) - Read members (`org:sys_memberships:read`) - Delete organization (`org:sys_profile:delete`) @@ -178,4 +180,3 @@ Now that you've configured global settings, you can: - [Create your first organization](/docs/guides/organizations/create-and-manage) and start adding members - [Add members to your organization](/docs/guides/organizations/add-members/invitations) with invitations, verified domains, or SSO - [Configure access control](/docs/guides/organizations/control-access/roles-and-permissions) with custom roles and permissions - diff --git a/docs/guides/organizations/control-access/check-access.mdx b/docs/guides/organizations/control-access/check-access.mdx index 951963c408..9968205a47 100644 --- a/docs/guides/organizations/control-access/check-access.mdx +++ b/docs/guides/organizations/control-access/check-access.mdx @@ -29,7 +29,7 @@ export default function Dashboard() { return (

Dashboard

- + {/* Only show to org admins */} @@ -60,21 +60,21 @@ import { auth } from '@clerk/nextjs/server' export default async function handler(req, res) { const { has, userId } = await auth() - + if (!userId) { return res.status(401).json({ error: 'Unauthorized' }) } - + // Check if user has admin role if (!has({ role: 'org:admin' })) { return res.status(403).json({ error: 'Forbidden' }) } - + // Check if user has specific permission if (!has({ permission: 'org:invoices:create' })) { return res.status(403).json({ error: 'Forbidden' }) } - + // Proceed with authorized action // ... } @@ -87,4 +87,4 @@ Now that you know how to check roles and permissions, you can: - [Read the complete authorization checks guide](/docs/guides/secure/authorization-checks) for advanced patterns including middleware protection and custom authorization logic - [Learn how to check features and plans](/docs/guides/billing/for-b2b#control-access-with-features-plans-and-permissions) for subscription-based applications - [Set up custom roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to define your access control model -- [Configure default roles](/docs/guides/organizations/configure#default-roles) for new organization members \ No newline at end of file +- [Configure default roles](/docs/guides/organizations/configure#default-roles) for new organization members diff --git a/docs/guides/organizations/control-access/roles-and-permissions.mdx b/docs/guides/organizations/control-access/roles-and-permissions.mdx index 3dce95b72d..d13cd14111 100644 --- a/docs/guides/organizations/control-access/roles-and-permissions.mdx +++ b/docs/guides/organizations/control-access/roles-and-permissions.mdx 
@@ -144,4 +144,3 @@ Now that you've set up roles and permissions, you can: - [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/add-members/verified-domains) - [Learn how to manually invite users to an organization](/docs/guides/organizations/add-members/invitations) - [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/add-members/sso) - diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx index dcbe1fc97e..ddc950a5c9 100644 --- a/docs/guides/organizations/create-and-manage.mdx +++ b/docs/guides/organizations/create-and-manage.mdx @@ -69,4 +69,3 @@ Now that you know how to create and manage organizations, you can: - [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing - [Invite members to organizations](/docs/guides/organizations/add-members/invitations) - [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) - diff --git a/docs/guides/organizations/org-slugs-in-urls.mdx b/docs/guides/organizations/org-slugs-in-urls.mdx index 1d77eec326..39714b2ca1 100644 --- a/docs/guides/organizations/org-slugs-in-urls.mdx +++ b/docs/guides/organizations/org-slugs-in-urls.mdx @@ -280,4 +280,3 @@ This guide shows you how to add organization slugs to your app's URLs, configure - diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index 1ac696e067..ecb6422d87 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -5,7 +5,7 @@ metadata: title: Organizations - Build multi-tenant B2B applications --- -Organizations let you group users with roles and permissions. This lets you build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users switch between different team contexts. +Organizations let you group users with roles and permissions. This lets you build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users switch between different team contexts. Users can belong to multiple organizations, and Clerk provides the organization context in each session (memberships, roles, and the active organization). Your application uses this context to control what data to show and what actions to allow. 
@@ -38,14 +38,13 @@ The core workflow consists of three stages: 1. **Create**: Organizations can be created by developers in the Clerk Dashboard or by end users in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. -2. **Invite**: You can bring people into organizations in different ways depending on your needs: - - **Invitations** for bottoms-up adoption where individual users invite teammates with precise control over roles - - **Verified domains** for company-wide rollouts where users with matching email domains are automatically invited (and can join immediately) or suggested to join (requiring admin approval) - - **Enterprise connections** (for example: SSO, SAML, OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP) - - You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. +1. **Invite**: You can bring people into organizations in different ways depending on your needs: + - **Invitations** for bottoms-up adoption where individual users invite teammates with precise control over roles + - **Verified domains** for company-wide rollouts where users with matching email domains are automatically invited (and can join immediately) or suggested to join (requiring admin approval) + - **Enterprise connections** (for example: SSO, SAML, OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP) + You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. 
The active organization determines which members and roles apply to the current context. -3. **Control**: Access is managed through roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. +1. **Control**: Access is managed through roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. Beyond these core steps, you can also monitor organization health and growth with analytics in the Clerk Dashboard. This helps you spot which organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. 
@@ -55,17 +54,17 @@ Organizations help you build multi-tenant applications faster, support team coll ### Enable secure team collaboration -Modern applications need to support users who work across multiple teams or client accounts. Organizations provide the structure for this multi-tenant usage while keeping data boundaries clear. Users can switch between organizations without auth or data leakage between tenants. Each organization maintains its own settings, roles, and members, while users can belong to multiple organizations with a single account. +Modern applications need to support users who work across multiple teams or client accounts. Organizations provide the structure for this multi-tenant usage while keeping data boundaries clear. Users can switch between organizations without auth or data leakage between tenants. Each organization maintains its own settings, roles, and members, while users can belong to multiple organizations with a single account. ### Automate team enrollment -Managing who can join an organization becomes easier when you can set enrollment rules. Verified domains let you automatically invite or suggest organizations to users with approved company emails. When a user signs up with a matching email domain, they can join the organization without manual approval. This streamlines onboarding for company-wide rollouts and reduces friction for IT administrators. +Managing who can join an organization becomes easier when you can set enrollment rules. Verified domains let you automatically invite or suggest organizations to users with approved company emails. When a user signs up with a matching email domain, they can join the organization without manual approval. This streamlines onboarding for company-wide rollouts and reduces friction for IT administrators. For B2B2C SaaS onboarding entire companies, verified domains handle the scale. 
When Acme Corp adopts your product, all @acme.com employees automatically join their company's organization without manual invitations. ### Support enterprise authentication -Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, they are automatically added to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. +Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, they are automatically added to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. As B2C products scale into enterprise customers, SSO becomes essential. Products that started with individual email sign-ups need to evolve to support IT-managed authentication for Fortune 500 buyers. 
@@ -75,7 +74,7 @@ Organizations support role-based access control (RBAC) so the right people can d ### Monitor organization growth -The Clerk Dashboard provides comprehensive organization growth tracking with the same level of insight you have for user growth. Track new, reactivated, retained, and churned organizations over time with detailed analytics. The organization growth chart shows activity breakdowns across each period, and you can analyze data across different time periods to see daily, weekly, or monthly active organizations. A detailed cohort table lets you drill into individual organizations and investigate specific trends by clicking chart segments. +The Clerk Dashboard provides comprehensive organization growth tracking with the same level of insight you have for user growth. Track new, reactivated, retained, and churned organizations over time with detailed analytics. The organization growth chart shows activity breakdowns across each period, and you can analyze data across different time periods to see daily, weekly, or monthly active organizations. A detailed cohort table lets you drill into individual organizations and investigate specific trends by clicking chart segments. For B2B products, organization-level analytics reveal which customer accounts are growing or churning. This helps you understand product-market fit at the account level, not just individual usage. @@ -86,4 +85,4 @@ Now that you understand what Organizations are and how they work, here's how to - [Configure global settings](/docs/guides/organizations/configure) - [Create and manage organizations](/docs/guides/organizations/create-and-manage) - [Invite members](/docs/guides/organizations/add-members/invitations) -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) \ No newline at end of file +- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) 
diff --git a/docs/guides/organizations/set-metadata.mdx b/docs/guides/organizations/set-metadata.mdx index 2a39c41c04..f8a463f635 100644 --- a/docs/guides/organizations/set-metadata.mdx +++ b/docs/guides/organizations/set-metadata.mdx @@ -41,4 +41,3 @@ Now that you understand organization metadata, you can: - [Add metadata to invitations](/docs/guides/organizations/add-members/invitations#invitation-metadata) to track invitation sources or assign attributes - [Create and manage organizations](/docs/guides/organizations/create-and-manage) to see metadata in action - [Check roles and permissions](/docs/guides/organizations/control-access/check-access) to control access based on metadata values - diff --git a/docs/guides/secure/authorization-checks.mdx b/docs/guides/secure/authorization-checks.mdx index 93dbbb36f7..6f0a2c5e5b 100644 --- a/docs/guides/secure/authorization-checks.mdx +++ b/docs/guides/secure/authorization-checks.mdx @@ -10,7 +10,7 @@ It's best practice to always verify whether or not a user is **authorized** to a Clerk provides two main features that can be used to implement authorization checks: - [Organizations](/docs/guides/organizations/overview) - - Users can be assigned [roles and permissions](/docs/guides/organizations/roles-and-permissions#permissions) + - Users can be assigned [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) - Useful for role-based and permission-based access control - [Billing](/docs/guides/billing/overview) - Users can subscribe to plans and features 
@@ -38,7 +38,7 @@ This guide will show you how to implement authorization checks in order to prote ## Important considerations - When doing authorization checks, it's recommended to use permission-based over role-based, and feature-based over plan-based authorization, as these approaches are more granular, flexible, and more secure. - - Note: Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. + - Note: Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. - Checking for a role or permission depends on the user having an [active organization](!active-organization). Without an active organization, the authorization checks will likely always evaluate to false by default. - If you would like to perform role-based authorization checks **without** using Clerk's organizations feature, see [the Role Based Access Control (RBAC) guide](/docs/guides/secure/basic-rbac). - If you have both organizations and billing enabled, a permission check will only work if the feature part of the permission key (`org::`) **is a feature included in the organization's active plan**. For example, say you want to check if an organization member has the custom permission `org:teams:manage`, where `teams` is the feature. Before performing the authorization check, you need to ensure that the user's organization is subscribed to a plan that has the `teams` feature. If not, the authorization check will always return `false`, _even if the user has the custom permission_. 
diff --git a/docs/guides/secure/basic-rbac.mdx b/docs/guides/secure/basic-rbac.mdx index 06aa291ad4..fd2c398034 100644 --- a/docs/guides/secure/basic-rbac.mdx +++ b/docs/guides/secure/basic-rbac.mdx @@ -4,7 +4,7 @@ description: Learn how to leverage Clerk's publicMetadata to implement your own sdk: nextjs --- -To control which users can access certain parts of your app, you can use the [roles feature](/docs/guides/organizations/roles-and-permissions#roles). Although Clerk offers roles as part of the [organizations](/docs/guides/organizations/overview) feature set, not every app implements organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's organizations or roles.** +To control which users can access certain parts of your app, you can use the [roles feature](/docs/guides/organizations/control-access/roles-and-permissions#roles). Although Clerk offers roles as part of the [organizations](/docs/guides/organizations/overview) feature set, not every app implements organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's organizations or roles.** This guide assumes that you're using Next.js App Router, but the concepts can be adapted to Next.js Pages Router and Remix. diff --git a/docs/guides/secure/features.mdx b/docs/guides/secure/features.mdx index 6b841f47a4..957d96fea5 100644 --- a/docs/guides/secure/features.mdx +++ b/docs/guides/secure/features.mdx 
@@ -7,7 +7,7 @@ Features are specific capabilities or functionalities in your application that y Features can be used in two ways: -- With Clerk's [organizations](/docs/guides/organizations/overview) feature to create custom permissions. Custom permissions are always tied to a feature, and are formatted as `org::`. For example, you could create a feature called **invoices** and then create a new permission called **create invoices**. The custom permission's key would be `org:invoices:create`. Learn more about [custom permissions](/docs/guides/organizations/roles-and-permissions). +- With Clerk's [organizations](/docs/guides/organizations/overview) feature to create custom permissions. Custom permissions are always tied to a feature, and are formatted as `org::`. For example, you could create a feature called **invoices** and then create a new permission called **create invoices**. The custom permission's key would be `org:invoices:create`. Learn more about [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions). - With Clerk's billing feature to create features specific to a subscription plan. See the [billing docs](/docs/guides/billing/overview) for more information. To manage your features, navigate to the [**Features**](https://dashboard.clerk.com/~/features) page in the Clerk Dashboard. diff --git a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx index 55a7f97b88..196edcc983 100644 --- a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx +++ b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx 
@@ -53,7 +53,7 @@ function createOrganizationInvitationBulk( - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the organization. --- diff --git a/docs/reference/backend/organization/create-organization-invitation.mdx b/docs/reference/backend/organization/create-organization-invitation.mdx index 74c0cb4551..b2e5b49b4a 100644 --- a/docs/reference/backend/organization/create-organization-invitation.mdx +++ b/docs/reference/backend/organization/create-organization-invitation.mdx @@ -41,7 +41,7 @@ function createOrganizationInvitation( - `role` - `string` - The [role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the organization. --- diff --git a/docs/reference/backend/organization/create-organization-membership.mdx b/docs/reference/backend/organization/create-organization-membership.mdx index ba9e5f9ba3..cc54c0bb1a 100644 --- a/docs/reference/backend/organization/create-organization-membership.mdx +++ b/docs/reference/backend/organization/create-organization-membership.mdx @@ -34,7 +34,7 @@ function createOrganizationMembership( - `role` - `string` - The [role](/docs/guides/organizations/roles-and-permissions) to assign the added user within the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the added user within the organization. ## Example diff --git a/docs/reference/backend/organization/update-organization-membership.mdx b/docs/reference/backend/organization/update-organization-membership.mdx index 8cd8b478a5..b248a394c0 100644 
--- a/docs/reference/backend/organization/update-organization-membership.mdx +++ b/docs/reference/backend/organization/update-organization-membership.mdx @@ -34,7 +34,7 @@ function updateOrganizationMembership( - `role` - `string` - The [role](/docs/guides/organizations/roles-and-permissions) to assign user. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign user. ## Example diff --git a/docs/reference/backend/types/auth-object.mdx b/docs/reference/backend/types/auth-object.mdx index 21628b4a69..084ccb29df 100644 --- a/docs/reference/backend/types/auth-object.mdx +++ b/docs/reference/backend/types/auth-object.mdx @@ -135,14 +135,14 @@ function has(isAuthorizedParams: CheckAuthorizationParamsWithCustomPermissions): - `role` - `string` - The [role](/docs/guides/organizations/roles-and-permissions) to check for. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. --- - `permission` - `string` - The [permission](/docs/guides/organizations/roles-and-permissions) to check for. + The [permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. --- diff --git a/docs/reference/components/control/protect.mdx b/docs/reference/components/control/protect.mdx index 409f8885b4..9a6b759d0e 100644 --- a/docs/reference/components/control/protect.mdx +++ b/docs/reference/components/control/protect.mdx 
@@ -1130,14 +1130,14 @@ The following example uses ``'s `condition` prop to conditionally rende - `permission?` - `string` - Optional string corresponding to a [permission](/docs/guides/organizations/roles-and-permissions) in the format `org::` + Optional string corresponding to a [permission](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org::` --- - `role?` - `string` - Optional string corresponding to a [role](/docs/guides/organizations/roles-and-permissions) in the format `org:` + Optional string corresponding to a [role](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org:` --- diff --git a/docs/reference/components/organization/organization-list.mdx b/docs/reference/components/organization/organization-list.mdx index 5320a7169d..465fc03617 100644 --- a/docs/reference/components/organization/organization-list.mdx +++ b/docs/reference/components/organization/organization-list.mdx 
@@ -6,7 +6,7 @@ sdk: astro, chrome-extension, expo, nextjs, nuxt, react, react-router, remix, ta ![The \ component displays organization-related memberships and automatic invitations and suggestions for the user.](/docs/images/ui-components/organization-list.png){{ style: { maxWidth: '460px' } }} -The `` component displays organization-related memberships and automatic [invitations](/docs/guides/organizations/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/verified-domains#automatic-suggestions) for the user. +The `` component displays organization-related memberships and automatic [invitations](/docs/guides/organizations/add-members/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/add-members/verified-domains#automatic-suggestions) for the user. ` component allows users to manage their organizatio This component's **General** tab displays the organization's information and the **Leave organization** button. Admins will be able to see the **Update profile** button, **Verified domains** section, and **Delete organization** button. -The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/overview#organization-invitations) and [requests](/docs/guides/organizations/verified-domains#membership-requests). +The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. 
Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/overview#organization-invitations) and [requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). The **Billing** tab displays the plans and features that are available to the organization, as well as the user's billing information, such as their invoices and payment methods. diff --git a/docs/reference/javascript/organization.mdx b/docs/reference/javascript/organization.mdx index 3dca293fb4..07ad8d9bda 100644 --- a/docs/reference/javascript/organization.mdx +++ b/docs/reference/javascript/organization.mdx @@ -227,7 +227,7 @@ function getDomains(params?: GetDomainsParams): Promise #### Example diff --git a/docs/reference/javascript/session.mdx b/docs/reference/javascript/session.mdx index e0bd31eeb6..d10c9d833b 100644 --- a/docs/reference/javascript/session.mdx +++ b/docs/reference/javascript/session.mdx @@ -266,14 +266,14 @@ type CheckAuthorizationParams = WithReverification< - `role` - `string` - Accepts [role](/docs/guides/organizations/roles-and-permissions#roles) key. + Accepts [role](/docs/guides/organizations/control-access/roles-and-permissions#roles) key. --- - `permission` - `string` - Accepts [permission](/docs/guides/organizations/roles-and-permissions#permissions) key. + Accepts [permission](/docs/guides/organizations/control-access/roles-and-permissions#permissions) key. --- diff --git a/docs/reference/javascript/types/organization-custom-permission-key.mdx b/docs/reference/javascript/types/organization-custom-permission-key.mdx index 4cfdb429cb..58431d8171 100644 --- a/docs/reference/javascript/types/organization-custom-permission-key.mdx +++ b/docs/reference/javascript/types/organization-custom-permission-key.mdx 
@@ -6,4 +6,4 @@ sdk: js-frontend `OrganizationCustomPermissionKey` is a type that represents a user's permission in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides [default system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions). However, you can create [custom permissions](/docs/guides/organizations/roles-and-permissions#custom-permissions) as well. +Clerk provides [default system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions). However, you can create [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions) as well. diff --git a/docs/reference/javascript/types/organization-domain.mdx b/docs/reference/javascript/types/organization-domain.mdx index d48c2826be..340a5fd221 100644 --- a/docs/reference/javascript/types/organization-domain.mdx +++ b/docs/reference/javascript/types/organization-domain.mdx @@ -33,7 +33,7 @@ The `OrganizationDomain` object is the model around an organization domain. - `enrollmentMode` - `'manual_invitation' | 'automatic_invitation' | 'automatic_suggestion'` - An [enrollment mode](/docs/guides/organizations/verified-domains#enrollment-mode) will change how new users join an organization. + An [enrollment mode](/docs/guides/organizations/add-members/verified-domains#enrollment-mode) will change how new users join an organization. --- diff --git a/docs/reference/javascript/types/organization-invitation.mdx b/docs/reference/javascript/types/organization-invitation.mdx index aa5375e4fe..0caa5192e5 100644 --- a/docs/reference/javascript/types/organization-invitation.mdx +++ b/docs/reference/javascript/types/organization-invitation.mdx 
@@ -40,7 +40,7 @@ The `OrganizationInvitation` object is the model around an organization invitati - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. --- diff --git a/docs/reference/javascript/types/organization-membership.mdx b/docs/reference/javascript/types/organization-membership.mdx index 604e0fb95d..bf9c707da0 100644 --- a/docs/reference/javascript/types/organization-membership.mdx +++ b/docs/reference/javascript/types/organization-membership.mdx @@ -26,7 +26,7 @@ The `OrganizationMembership` object is the model around an organization membersh - `role` - `string` - The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. --- @@ -81,5 +81,5 @@ function update(updateParams: UpdateOrganizationMembershipParams): Promise diff --git a/docs/reference/javascript/types/user-organization-invitation.mdx b/docs/reference/javascript/types/user-organization-invitation.mdx index 4f88f34215..e98d544b50 100644 --- a/docs/reference/javascript/types/user-organization-invitation.mdx +++ b/docs/reference/javascript/types/user-organization-invitation.mdx @@ -46,7 +46,7 @@ The `UserOrganizationInvitation` object is the model around a user's invitation - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. --- From 884b85269475975cdb08f17280cd8b444d1023db Mon Sep 17 00:00:00 2001 
From: tu Date: Fri, 31 Oct 2025 04:31:25 -0700 Subject: [PATCH 03/14] anotha attempt to fix build errors --- .../types/check-authorization-params-from-session-claims.mdx | 4 ++-- clerk-typedoc/types/organization-custom-role-key.mdx | 2 +- clerk-typedoc/types/organization-resource.mdx | 2 +- docs/_partials/organization-sync-options.mdx | 2 +- docs/guides/configure/session-tasks.mdx | 4 ++-- .../organizations/accept-organization-invitations.mdx | 4 ++-- .../organizations/manage-organization-invitations.mdx | 2 +- .../organizations/manage-user-org-invitations.mdx | 2 +- docs/guides/sessions/manual-jwt-verification.mdx | 2 +- docs/reference/components/billing/pricing-table.mdx | 2 +- docs/reference/components/organization/organization-list.mdx | 4 ++-- .../components/organization/organization-profile.mdx | 2 +- .../components/organization/organization-switcher.mdx | 4 ++-- docs/reference/javascript/organization.mdx | 4 ++-- docs/reference/javascript/overview.mdx | 2 +- docs/reference/javascript/types/organization-invitation.mdx | 2 +- 16 files changed, 22 insertions(+), 22 deletions(-) diff --git a/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx b/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx index 24a67f0074..67490f70f6 100644 --- a/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx +++ b/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx 
@@ -3,7 +3,7 @@ | Property | Type | Description | | --------------------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | `feature?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [feature](/docs/guides/billing/overview) to check for. | -| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/roles-and-permissions) to check for. | +| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | | `plan?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [plan](/docs/guides/billing/overview) to check for. | | `reverification?` | [`ReverificationConfig`](reverification-config.mdx) | The reverification configuration to check for. This feature is currently in public beta. **It is not recommended for production use.** | -| `role?` | `string` | The [role](/docs/guides/organizations/roles-and-permissions) to check for. | +| `role?` | `string` | The [role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | diff --git a/clerk-typedoc/types/organization-custom-role-key.mdx b/clerk-typedoc/types/organization-custom-role-key.mdx index 5a0af4dce8..942f239fca 100644 --- a/clerk-typedoc/types/organization-custom-role-key.mdx +++ b/clerk-typedoc/types/organization-custom-role-key.mdx 
@@ -1,3 +1,3 @@ `OrganizationCustomRoleKey` is a type that represents the user's role in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides the [default roles](/docs/guides/organizations/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/roles-and-permissions#custom-roles) as well. +Clerk provides the [default roles](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/control-access/roles-and-permissions#custom-roles) as well. diff --git a/clerk-typedoc/types/organization-resource.mdx b/clerk-typedoc/types/organization-resource.mdx index 06983d809a..cf570c5156 100644 --- a/clerk-typedoc/types/organization-resource.mdx +++ b/clerk-typedoc/types/organization-resource.mdx @@ -1,6 +1,6 @@ The `Organization` object holds information about an organization, as well as methods for managing it. -To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application). +To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations). ## Properties diff --git a/docs/_partials/organization-sync-options.mdx b/docs/_partials/organization-sync-options.mdx index 1dc9e50a29..29af69fe07 100644 --- a/docs/_partials/organization-sync-options.mdx +++ b/docs/_partials/organization-sync-options.mdx 
@@ -26,7 +26,7 @@ object has the type `OrganizationSyncOptions`, which has the following propertie - `personalAccountPatterns` - [Pattern](#pattern)\[] - URL patterns for resources that exist within the context of a user's [personal account](/docs/guides/organizations/overview#allow-personal-accounts). + URL patterns for resources that exist within the context of a user's [personal account](/docs/guides/organizations/configure#enable-organizations). If the route also matches the `organizationPattern` prop, the `organizationPattern` prop takes precedence. diff --git a/docs/guides/configure/session-tasks.mdx b/docs/guides/configure/session-tasks.mdx index 9efcba40a6..1f1952a6ef 100644 --- a/docs/guides/configure/session-tasks.mdx +++ b/docs/guides/configure/session-tasks.mdx @@ -35,7 +35,7 @@ The following table lists the available tasks and their corresponding components | Name | Component | | - | - | -| [Personal accounts disabled (default)](/docs/guides/organizations/overview#allow-personal-accounts) | [``](/docs/reference/components/authentication/task-choose-organization) | +| [Personal accounts disabled (default)](/docs/guides/organizations/configure#enable-organizations) | [``](/docs/reference/components/authentication/task-choose-organization) | > [!IMPORTANT] > Personal accounts being disabled by default was released on 08-22-2025. Applications created before this date will not be able to see the **Allow personal accounts** setting, because personal accounts were enabled by default. 
@@ -286,7 +286,7 @@ The `useAuth()` hook and helpers that access the [`auth` object](/docs/reference ##### Example: Personal accounts disabled -When organizations are enabled, [personal accounts are disabled by default](/docs/guides/organizations/overview#allow-personal-accounts) and your users will be required to select or create an organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out. +When organizations are enabled, [personal accounts are disabled by default](/docs/guides/organizations/configure#enable-organizations) and your users will be required to select or create an organization after authenticating. Until completed, their session remains `pending`. Pages that are protected using Clerk's protection utilities will treat the user's session as signed-out. For `useAuth()`, `isSignedIn` will be `false` and `userId` and `orgId` will be `null` if the user has a `pending` session. diff --git a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx index 5b07d79c4f..11651dc3f5 100644 --- a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx 
@@ -5,11 +5,11 @@ description: Learn how to use the Clerk API to build a custom flows for acceptin -When a user visits an [organization invitation](/docs/guides/organizations/invitations) link, Clerk first checks whether a custom redirect URL was provided. +When a user visits an [organization invitation](/docs/guides/organizations/add-members/invitations) link, Clerk first checks whether a custom redirect URL was provided. **If no redirect URL is specified**, the user will be redirected to the appropriate Account Portal page (either [sign-up](/docs/guides/customizing-clerk/account-portal#sign-up) or [sign-in](/docs/guides/customizing-clerk/account-portal#sign-in)), or to the custom sign-up/sign-in pages that you've configured for your application. -**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. +**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/add-members/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. This guide demonstrates how to use Clerk's API to build a custom flow for accepting organization invitations from a link. 
diff --git a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx index 64cbb21ee7..cc21365866 100644 --- a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx @@ -12,7 +12,7 @@ Users with the appropriate permissions can also revoke organization invitations This guide will demonstrate how to use the Clerk API to build a custom flow for inviting users to an organization and managing an organization's pending invitations. > [!NOTE] -> This guide is for creating and managing organization invitations client-side. You can also create an organization invitation using the Backend API. See the [organization invitations reference](/docs/guides/organizations/invitations) for more information. +> This guide is for creating and managing organization invitations client-side. You can also create an organization invitation using the Backend API. See the [organization invitations reference](/docs/guides/organizations/add-members/invitations) for more information. > > Also, see the [custom flow for accepting organization invitations](/docs/guides/development/custom-flows/organizations/accept-organization-invitations). diff --git a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx index a20547d9a7..64c6f75686 100644 --- a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx 
@@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/overview#organization-invitations). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/add-members/invitations). diff --git a/docs/guides/sessions/manual-jwt-verification.mdx b/docs/guides/sessions/manual-jwt-verification.mdx index 27cec70633..8a07eba212 100644 --- a/docs/guides/sessions/manual-jwt-verification.mdx +++ b/docs/guides/sessions/manual-jwt-verification.mdx 
@@ -41,7 +41,7 @@ The following example uses the `authenticateRequest()` method to verify the sess ### Optional: Check for a `sts` claim - If you are using Clerk's [organizations](/docs/guides/organizations/overview) feature and [have not enabled personal accounts](/docs/guides/organizations/overview#allow-personal-accounts), users are _required to be part of an organization before accessing your application_. If the user has completed registration, but is not yet part of an organization, a valid session token will be created, but the token will contain a `sts` (status) claim set to `pending`. You may want to reject requests to your backend with pending statuses to ensure that users are not able to work around the organization requirement. + If you are using Clerk's [organizations](/docs/guides/organizations/overview) feature and [have not enabled personal accounts](/docs/guides/organizations/configure#enable-organizations), users are _required to be part of an organization before accessing your application_. If the user has completed registration, but is not yet part of an organization, a valid session token will be created, but the token will contain a `sts` (status) claim set to `pending`. You may want to reject requests to your backend with pending statuses to ensure that users are not able to work around the organization requirement. ### Finished diff --git a/docs/reference/components/billing/pricing-table.mdx b/docs/reference/components/billing/pricing-table.mdx index dca3c339ae..5bac704cd9 100644 --- a/docs/reference/components/billing/pricing-table.mdx +++ b/docs/reference/components/billing/pricing-table.mdx 
@@ -266,7 +266,7 @@ All props are optional. - `for` - `'user' | 'organization'` - A string that indicates whether the pricing table is for users or [organizations](/docs/guides/organizations/overview). If `'user'`, the pricing table will display a list of plans and features that **users** can subscribe to. If `'organization'`, the pricing table will display a list of plans and features that **organizations** can subscribe to. Defaults to `'user'`. + A string that indicates whether the pricing table is for users or [organizations](/docs/guides/organizations/create-and-manage). If `'user'`, the pricing table will display a list of plans and features that **users** can subscribe to. If `'organization'`, the pricing table will display a list of plans and features that **organizations** can subscribe to. Defaults to `'user'`. --- diff --git a/docs/reference/components/organization/organization-list.mdx b/docs/reference/components/organization/organization-list.mdx index 465fc03617..dbaf4a9529 100644 --- a/docs/reference/components/organization/organization-list.mdx +++ b/docs/reference/components/organization/organization-list.mdx @@ -287,7 +287,7 @@ The `` component accepts the following properties, all of wh - `afterSelectPersonalUrl` - ((org: [Organization][org-ref]) => string) | string - The full URL or path to navigate to after selecting the [personal account](/docs/guides/organizations/overview#allow-personal-accounts). Defaults to `undefined`. + The full URL or path to navigate to after selecting the [personal account](/docs/guides/organizations/configure#enable-organizations). Defaults to `undefined`. --- 
@@ -308,7 +308,7 @@ The `` component accepts the following properties, all of wh - `hidePersonal` - `boolean` - A boolean that controls whether `` will include the user's [personal account](/docs/guides/organizations/overview#allow-personal-accounts) in the organization list. Setting this to `true` will hide the personal account option, and users will only be able to switch between organizations. Defaults to `false`. + A boolean that controls whether `` will include the user's [personal account](/docs/guides/organizations/configure#enable-organizations) in the organization list. Setting this to `true` will hide the personal account option, and users will only be able to switch between organizations. Defaults to `false`. --- diff --git a/docs/reference/components/organization/organization-profile.mdx b/docs/reference/components/organization/organization-profile.mdx index fd7242fb2c..451ee9cbe9 100644 --- a/docs/reference/components/organization/organization-profile.mdx +++ b/docs/reference/components/organization/organization-profile.mdx 
@@ -10,7 +10,7 @@ The `` component allows users to manage their organizatio This component's **General** tab displays the organization's information and the **Leave organization** button. Admins will be able to see the **Update profile** button, **Verified domains** section, and **Delete organization** button. -The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/overview#organization-invitations) and [requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). +The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/add-members/invitations) and [requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). The **Billing** tab displays the plans and features that are available to the organization, as well as the user's billing information, such as their invoices and payment methods. diff --git a/docs/reference/components/organization/organization-switcher.mdx b/docs/reference/components/organization/organization-switcher.mdx index b63cd362dd..437d135a83 100644 --- a/docs/reference/components/organization/organization-switcher.mdx +++ b/docs/reference/components/organization/organization-switcher.mdx 
@@ -6,7 +6,7 @@ sdk: astro, chrome-extension, expo, nextjs, nuxt, react, react-router, remix, ta ![The \ component allows a user to switch between their account types - their personal account and their joined organizations.](/docs/images/ui-components/organization-switcher.png){{ style: { maxWidth: '436px' } }} -The `` component allows a user to switch between their joined organizations. If [personal accounts are enabled](/docs/guides/organizations/overview#allow-personal-accounts), users can also switch to their personal account. This component is useful for applications that have a multi-tenant architecture, where users can be part of multiple organizations. It handles all organization-related flows, including full organization management for admins. Learn more about [organizations](/docs/guides/organizations/overview). +The `` component allows a user to switch between their joined organizations. If [personal accounts are enabled](/docs/guides/organizations/configure#enable-organizations), users can also switch to their personal account. This component is useful for applications that have a multi-tenant architecture, where users can be part of multiple organizations. It handles all organization-related flows, including full organization management for admins. Learn more about [organizations](/docs/guides/organizations/create-and-manage). ` component accepts the following properties, all o - `hidePersonal` - `boolean` - A boolean that controls whether `` will include the user's [personal account](/docs/guides/organizations/overview#allow-personal-accounts) in the organization list. Setting this to `true` will hide the personal account option, and users will only be able to switch between organizations. Defaults to `false`. + A boolean that controls whether `` will include the user's [personal account](/docs/guides/organizations/configure#enable-organizations) in the organization list. 
Setting this to `true` will hide the personal account option, and users will only be able to switch between organizations. Defaults to `false`. --- diff --git a/docs/reference/javascript/organization.mdx b/docs/reference/javascript/organization.mdx index 07ad8d9bda..07e99ee83f 100644 --- a/docs/reference/javascript/organization.mdx +++ b/docs/reference/javascript/organization.mdx @@ -6,7 +6,7 @@ sdk: js-frontend The `Organization` object holds information about an organization, as well as methods for managing it. -To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application). +To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations). ## Properties @@ -317,7 +317,7 @@ For an example on how to use `getMemberships()`, see the [custom flow on managin Retrieve the list of membership requests for the currently [active organization](!active-organization). Returns a [`ClerkPaginatedResponse`][pag-ref] of [`OrganizationMembershipRequest`][org-mem-ref]-request) objects. > [!WARNING] -> You must have [**Organizations**](/docs/guides/organizations/overview#enable-organizations-in-your-application), and [**Verified domains** and **Automatic suggestion**][verified-domains-ref] enabled in your app's settings in the Clerk Dashboard. +> You must have [**Organizations**](/docs/guides/organizations/configure#enable-organizations), and [**Verified domains** and **Automatic suggestion**][verified-domains-ref] enabled in your app's settings in the Clerk Dashboard. ```ts function getMembershipRequests( diff --git a/docs/reference/javascript/overview.mdx b/docs/reference/javascript/overview.mdx index a3dfb872e6..a045254d31 100644 --- a/docs/reference/javascript/overview.mdx +++ b/docs/reference/javascript/overview.mdx 
@@ -38,4 +38,4 @@ The [`SignUp`](/docs/reference/javascript/sign-up) object holds the state of the ### `Organization` -Organizations are a flexible and scalable way to manage users and their access to resources within your Clerk application. With organizations, you can assign specific roles and permissions to users, making them useful for managing projects, coordinating teams, or facilitating partnerships. Users can belong to many organizations. One of them will be the [active organization](!active-organization) of the session. It is represented by the [`Organization`](/docs/reference/javascript/organization) object. To learn about organizations, see the [dedicated guide](/docs/guides/organizations/overview). +Organizations are a flexible and scalable way to manage users and their access to resources within your Clerk application. With organizations, you can assign specific roles and permissions to users, making them useful for managing projects, coordinating teams, or facilitating partnerships. Users can belong to many organizations. One of them will be the [active organization](!active-organization) of the session. It is represented by the [`Organization`](/docs/reference/javascript/organization) object. To learn about organizations, see the [dedicated guide](/docs/guides/organizations/create-and-manage). diff --git a/docs/reference/javascript/types/organization-invitation.mdx b/docs/reference/javascript/types/organization-invitation.mdx index 0caa5192e5..11ac8f7825 100644 --- a/docs/reference/javascript/types/organization-invitation.mdx +++ b/docs/reference/javascript/types/organization-invitation.mdx 
@@ -81,7 +81,7 @@ The following example demonstrates how to revoke an organization invitation. It It assumes: - you have followed the [quickstart](/docs/js-frontend/getting-started/quickstart) in order to add Clerk to your JavaScript application -- you have [enabled the Organizations feature in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application) +- you have [enabled the Organizations feature in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations) ```js {{ filename: 'main.js', mark: [22, 23] }} import { Clerk } from '@clerk/clerk-js' From f2ca02499e50ef1f69ae785e9a9048f7e48c6ef3 Mon Sep 17 00:00:00 2001 From: tu Date: Fri, 31 Oct 2025 04:34:07 -0700 Subject: [PATCH 04/14] last missing file error in build --- clerk-typedoc/shared/use-organization-params.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clerk-typedoc/shared/use-organization-params.mdx b/clerk-typedoc/shared/use-organization-params.mdx index dd8b326d19..03c61ed8f5 100644 --- a/clerk-typedoc/shared/use-organization-params.mdx +++ b/clerk-typedoc/shared/use-organization-params.mdx 
@@ -1,6 +1,6 @@ | Property | Type | Description | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `enrollmentMode`: A string that filters the domains by the provided [enrollment mode](/docs/guides/organizations/verified-domains#enrollment-mode).
  • Any of the properties described in [Shared properties](#shared-properties).
| +| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `enrollmentMode`: A string that filters the domains by the provided [enrollment mode](/docs/guides/organizations/add-members/verified-domains#enrollment-mode).
  • Any of the properties described in [Shared properties](#shared-properties).
| | `invitations?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: ("expired" \| "revoked" \| "pending" \| "accepted")[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `status`: A string that filters the invitations by the provided status.
  • Any of the properties described in [Shared properties](#shared-properties).
| | `membershipRequests?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: "expired" \| "revoked" \| "pending" \| "accepted"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `status`: A string that filters the membership requests by the provided status.
  • Any of the properties described in [Shared properties](#shared-properties).
| | `memberships?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ query?: string; role?: string[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `role`: An array of [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key).
  • `query`: A string that filters the memberships by the provided string.
  • Any of the properties described in [Shared properties](#shared-properties).
| From be700f35c265daa5514dbbf6aa363ce9e946fa03 Mon Sep 17 00:00:00 2001 From: tu Date: Fri, 31 Oct 2025 05:01:15 -0700 Subject: [PATCH 05/14] update copy for active voice --- docs/guides/organizations/add-members/invitations.mdx | 4 ++-- docs/guides/organizations/add-members/sso.mdx | 6 +++--- .../organizations/add-members/verified-domains.mdx | 8 ++++---- docs/guides/organizations/configure.mdx | 4 ++-- .../organizations/control-access/check-access.mdx | 2 +- .../control-access/roles-and-permissions.mdx | 2 +- docs/guides/organizations/create-and-manage.mdx | 6 +++--- docs/guides/organizations/org-slugs-in-urls.mdx | 4 ++-- docs/guides/organizations/overview.mdx | 10 +++++----- docs/guides/organizations/set-metadata.mdx | 4 ++-- 10 files changed, 25 insertions(+), 25 deletions(-) diff --git a/docs/guides/organizations/add-members/invitations.mdx b/docs/guides/organizations/add-members/invitations.mdx index f27fd1d078..054a674ffc 100644 --- a/docs/guides/organizations/add-members/invitations.mdx +++ b/docs/guides/organizations/add-members/invitations.mdx 
@@ -5,7 +5,7 @@ metadata: title: Send and manage Organization invitations via Clerk --- -Organization invitations let you add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, they will be redirected to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, they will be redirected to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). +Organization invitations let you add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, Clerk redirects them to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, Clerk redirects them to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). By default, only [admins](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) can invite users to an organization. 
@@ -97,7 +97,7 @@ Once the user visits the invitation link, they will be redirected to the page yo ### Invitation metadata -You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, the **invitation** metadata (`OrganizationInvitation.publicMetadata`) will be stored in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization +You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, Clerk stores the **invitation** metadata (`OrganizationInvitation.publicMetadata`) in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization Membership](/docs/reference/javascript/types/organization-membership) docs. To add metadata to an invitation, add the `public_metadata` parameter when creating the invitation. diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx index 5bc98b52a5..4cc3bf4a50 100644 --- a/docs/guides/organizations/add-members/sso.mdx +++ b/docs/guides/organizations/add-members/sso.mdx 
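Review bot: In the "Invitation metadata" paragraph of invitations.mdx, the rewritten sentence says Clerk copies `OrganizationInvitation.publicMetadata` into `OrganizationMembership.publicMetadata`, but it does not say who can read that field. The set-metadata.mdx hunk later in this same patch states that public metadata can be accessed from the Frontend API, so whatever is passed in `public_metadata` at invite time ends up readable through the Frontend API once the user joins. Suggest adding one sentence here that says so and links to the metadata guide, so readers don't put sensitive values in invitation metadata.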
@@ -5,7 +5,7 @@ metadata: title: Set up organization-level SAML and OIDC for B2B/B2C apps --- -Clerk provides enterprise single sign-on (SSO) through a feature called **enterprise connections**. You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. When users sign up or sign in using an organization's enterprise connection, they're automatically added as members of that organization and assigned the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). +Clerk provides enterprise single sign-on (SSO) through a feature called **enterprise connections**. You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). ## When to use enterprise SSO 
@@ -43,14 +43,14 @@ This flow is common when individual users try the product before company-wide ad Clerk supports enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. -To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, the connection will be added for your entire application. +To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, Clerk will add the connection for your entire application. > [!WARNING] > A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/add-members/verified-domains) for the same organization. ## Enforce enterprise SSO by domain -Enterprise SSO connections are enforced on a per-domain basis in organizations, enabling flexible access management: +Clerk enforces enterprise SSO connections on a per-domain basis in organizations, enabling flexible access management: - Configure enterprise SSO for your primary domain (e.g., `company.com`) to enforce enterprise SSO authentication for employees. 
- Add additional domains without enterprise SSO for external collaborators (e.g., contractors, consultants). diff --git a/docs/guides/organizations/add-members/verified-domains.mdx b/docs/guides/organizations/add-members/verified-domains.mdx index c5e3f718c5..1d9badb8b1 100644 --- a/docs/guides/organizations/add-members/verified-domains.mdx +++ b/docs/guides/organizations/add-members/verified-domains.mdx @@ -5,7 +5,7 @@ metadata: title: Verified domains within Clerk Organizations (Step-by-Step) --- -Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. The role assigned to this user will be the role set as the [**Default** role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members) in the organization settings page. +Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. Clerk assigns users the [**Default** role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members) set in the organization settings page. A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. 
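Review bot: In the verified-domains.mdx intro, the new sentence "Clerk assigns users the **Default** role ..." loses the antecedent the old wording had ("The role assigned to this user"), so it now reads as if every user receives the Default role. Suggest "Clerk assigns these users the ..." so the role assignment stays scoped to users who join through the verified domain.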
@@ -39,7 +39,7 @@ In order to enable this feature: You can enable the following enrollment modes to be available for your application: -- [**Automatic invitation**](#automatic-invitations) - Users are automatically invited to join the organization when they sign-up and can join anytime. +- [**Automatic invitation**](#automatic-invitations) - Clerk automatically invites users to join the organization when they sign up and they can join anytime. - [**Automatic suggestion**](#automatic-suggestions) - Users receive a suggestion to request to join, but must be approved by an admin before they are able to join the organization. Then, in your application, when a user with the `org:sys_domains:manage` permission has added and verified a domain, they can enable an enrollment mode. Only one enrollment mode can be enabled for a verified domain at a time. 
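Review bot: The **Automatic suggestion** bullet is left in the passive ("must be approved by an admin before they are able to join"), so the two enrollment modes read inconsistently after this active-voice pass. Suggest "an admin must approve the request before they can join". In the rewritten **Automatic invitation** bullet, "when they sign up and they can join anytime" needs a comma before "and", or a split into two sentences.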
@@ -60,9 +60,9 @@ When a user sends an organization membership request, users with the `org:sys_me ## Add and verify domains -Domains can be added and verified under an organization by any user with the `org:sys_domains:manage` permission. By default, admins have this permission. To add and verify domains in the [``](/docs/reference/components/organization/organization-switcher) component, select the **General** tab. There will be a **Verified domains** section. +Any user with the `org:sys_domains:manage` permission can add and verify domains under an organization. By default, admins have this permission. To add and verify domains in the [``](/docs/reference/components/organization/organization-switcher) component, select the **General** tab. There will be a **Verified domains** section. -Domains can be verified through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, the domain will be automatically verified. +You can verify domains through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, Clerk will automatically verify the domain. An application instance may only have one verified domain of the same name, and an organization may only have one domain of the same name (verified or unverified). diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx index 87a34c066f..fcfa6a2df0 100644 --- a/docs/guides/organizations/configure.mdx +++ b/docs/guides/organizations/configure.mdx 
@@ -30,7 +30,7 @@ To enable organizations: 1. In the modal, toggle **Allow personal accounts** based on your decision above. 1. Select **Enable**. -Organizations are measured by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. +Clerk measures Organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. ## Organization Options @@ -161,7 +161,7 @@ This setting controls whether organization members can delete organizations. ### Allow new members to delete Organizations -By default, organizations are deletable. any member with the ["Delete organization" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. +By default, any member with the ["Delete organization" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. To prevent members from deleting organizations: diff --git a/docs/guides/organizations/control-access/check-access.mdx b/docs/guides/organizations/control-access/check-access.mdx index 9968205a47..e6b3d4d8de 100644 --- a/docs/guides/organizations/control-access/check-access.mdx +++ b/docs/guides/organizations/control-access/check-access.mdx 
@@ -14,7 +14,7 @@ Clerk provides two primary ways to perform these checks: the `has()` method for Authorization checks can verify roles and custom permissions. Roles like `org:admin` determine a user's level of access within an organization, while custom permissions like `org:invoices:create` provide fine-grained control over specific features and actions. > [!IMPORTANT] -> Custom permissions are linked to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). +> Clerk links custom permissions to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). ## Frontend checks with `` diff --git a/docs/guides/organizations/control-access/roles-and-permissions.mdx b/docs/guides/organizations/control-access/roles-and-permissions.mdx index d13cd14111..15f7d9c9fb 100644 --- a/docs/guides/organizations/control-access/roles-and-permissions.mdx +++ b/docs/guides/organizations/control-access/roles-and-permissions.mdx 
@@ -22,7 +22,7 @@ For each instance, there are currently two default roles: ### The **Creator** role -When a user creates a new organization, they're automatically added as its first member and assigned the organization's designated **Creator** role. By default, that role is `org:admin`. +When a user creates a new organization, Clerk automatically adds them as its first member and assigns them the organization's designated **Creator** role. By default, that role is `org:admin`. You cannot delete an organization role if it's used as the organization's **Creator** role. But, you _can_ reassign the **Creator** role to any other role with the right permissions. For example, if you want to delete the `admin` role, you will have to assign another role as the **Creator** role. diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx index ddc950a5c9..8e0036da71 100644 --- a/docs/guides/organizations/create-and-manage.mdx +++ b/docs/guides/organizations/create-and-manage.mdx 
@@ -5,13 +5,13 @@ metadata: title: Create and manage Organizations with Clerk --- -Organizations can be created by developers in the Clerk Dashboard or by end users in your application. Once created, you can manage individual organization profiles, update settings, and help users switch between multiple organizations. +You can create organizations in the Clerk Dashboard, or end users can create them in your application. Once created, you can manage individual organization profiles, and update settings. Clerk provides components to help users switch between multiple organizations. This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring membership), refer to [Configure Organizations](/docs/guides/organizations/configure). ## Create an organization -Organizations can be created in the Clerk Dashboard by developers or in your application by end users. The number of organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). +You can create organizations in the Clerk Dashboard, or end users can create them in your application. The number of organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). ### Create an organization in the Clerk Dashboard 
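Review bot: In the rewritten intro, "Once created, you can manage individual organization profiles, and update settings." has a dangling modifier ("Once created" now attaches to "you") and a stray comma before "and". Suggest "After an organization is created, you can manage its profile and update its settings." The sentence "You can create organizations in the Clerk Dashboard, or end users can create them in your application" also appears twice, in the intro and under "Create an organization"; one of the two could be shortened.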
@@ -19,7 +19,7 @@ To create an organization in the Clerk Dashboard: 1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). 1. Select the **Create Organization** button. -1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. The slug is a unique identifier for the organization that is used in URLs, such as `example-name`. +1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. The slug is a unique identifier for the organization that you can use in URLs, such as `example-name`. ### Create an organization in your application diff --git a/docs/guides/organizations/org-slugs-in-urls.mdx b/docs/guides/organizations/org-slugs-in-urls.mdx index 39714b2ca1..f71a8bba06 100644 --- a/docs/guides/organizations/org-slugs-in-urls.mdx +++ b/docs/guides/organizations/org-slugs-in-urls.mdx @@ -45,7 +45,7 @@ Alternatively, [organization IDs](/docs/reference/javascript/organization#proper ### When to use organization slugs -This feature is intended for apps that **require** organization slugs in URLs. **Adding slugs to URLs isn't recommended unless necessary.** +This feature is intended for apps that **require** organization slugs in URLs. **We don't recommend adding slugs to URLs unless necessary.** Use organization slugs if: 
@@ -155,7 +155,7 @@ This guide shows you how to add organization slugs to your app's URLs, configure Failed activation occurs if no organization with the specified slug exists, or if the given user isn't a member of the organization. When this happens, the middleware won't change the active organization, leaving the previously active one unchanged. - For troubleshooting, a message will also be logged on the server: + For troubleshooting, Clerk will also log a message on the server: > Clerk: Organization activation handshake loop detected. This is likely due to an invalid organization ID or slug. Skipping organization activation. diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index ecb6422d87..d6281f22ba 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
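Review bot: In org-slugs-in-urls.mdx, the rewritten line says Clerk logs a message, but the quoted message names only "an invalid organization ID or slug", while the paragraph above lists a second cause of failed activation: the user isn't a member of the organization. Suggest stating whether the same message is logged in both cases, because the context lines also say the previously active organization stays active, and readers need to recognise that state when the URL slug and the active organization disagree. "Clerk will also log" could be "Clerk also logs" to match the present tense used elsewhere in this patch.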
@@ -36,15 +36,15 @@ Clerk measures organization usage through **Monthly Active Organizations (MAOs)* The core workflow consists of three stages: -1. **Create**: Organizations can be created by developers in the Clerk Dashboard or by end users in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. +1. **Create**: You can create organizations in the Clerk Dashboard, or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. 1. **Invite**: You can bring people into organizations in different ways depending on your needs: - **Invitations** for bottoms-up adoption where individual users invite teammates with precise control over roles - - **Verified domains** for company-wide rollouts where users with matching email domains are automatically invited (and can join immediately) or suggested to join (requiring admin approval) + - **Verified domains** for company-wide rollouts where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval) - **Enterprise connections** (for example: SSO, SAML, OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP) You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. -1. **Control**: Access is managed through roles and permissions. 
Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. +1. **Control**: You manage access through roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. Beyond these core steps, you can also monitor organization health and growth with analytics in the Clerk Dashboard. This helps you spot which organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. 
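Review bot: The **Invitations** bullet still reads "bottoms-up adoption", which this copy pass leaves untouched; it should be "bottom-up" to pair with "top-down" in the **Enterprise connections** bullet. In the rewritten **Verified domains** bullet, "or suggests they join (requiring admin approval)" is hard to parse after the parenthetical "(who can join immediately)"; "or suggests that they join, which requires admin approval" reads more cleanly.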
@@ -64,13 +64,13 @@ For B2B2C SaaS onboarding entire companies, verified domains handle the scale. W ### Support enterprise authentication -Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, they are automatically added to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. +Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, Clerk automatically adds them to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. As B2C products scale into enterprise customers, SSO becomes essential. Products that started with individual email sign-ups need to evolve to support IT-managed authentication for Fortune 500 buyers. ### Control access with roles and permissions -Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. The active organization's roles and permissions are embedded in the session, enabling you to check for [authorization checks](/docs/guides/organizations/control-access/check-access) without extra network requests. +Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. 
Clerk embeds the active organization's roles and permissions in the session, enabling you to perform [authorization checks](/docs/guides/organizations/control-access/check-access) without extra network requests. ### Monitor organization growth diff --git a/docs/guides/organizations/set-metadata.mdx b/docs/guides/organizations/set-metadata.mdx index f8a463f635..a32088a37b 100644 --- a/docs/guides/organizations/set-metadata.mdx +++ b/docs/guides/organizations/set-metadata.mdx @@ -9,8 +9,8 @@ Organization metadata lets you store custom information about an organization th There are two types of metadata: **public** and **private**. -- Both **public** and **private** metadata are set and can be accessed from the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. -- Only **public** metadata can be accessed from the [Frontend API](/docs/reference/frontend-api/){{ target: '_blank' }}. +- You can set both **public** and **private** metadata and access them from the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. +- You can access only **public** metadata from the [Frontend API](/docs/reference/frontend-api/){{ target: '_blank' }}. Both the `Organization` and `Organization Membership` objects have the metadata fields: `publicMetadata` and `privateMetadata`. From f58ef2a00fa639456253e3580dcee888731d45e4 Mon Sep 17 00:00:00 2001 From: tu Date: Fri, 31 Oct 2025 05:08:33 -0700 Subject: [PATCH 06/14] add relevant links to sso and auth-checks --- docs/guides/organizations/add-members/sso.mdx | 6 +++++- .../organizations/control-access/roles-and-permissions.mdx | 4 ++-- docs/guides/organizations/overview.mdx | 4 ++++ 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx index 4cc3bf4a50..228a9ec1db 100644 --- a/docs/guides/organizations/add-members/sso.mdx +++ b/docs/guides/organizations/add-members/sso.mdx 
@@ -5,7 +5,9 @@ metadata: title: Set up organization-level SAML and OIDC for B2B/B2C apps --- -Clerk provides enterprise single sign-on (SSO) through a feature called **enterprise connections**. You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). +Clerk provides enterprise single sign-on (SSO) through a feature called [**enterprise connections**](/docs/guides/configure/auth-strategies/enterprise-connections/overview). You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. + +When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). This process is known as [Just-in-Time (JIT) provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning). ## When to use enterprise SSO 
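Review bot: The first added paragraph ("Clerk provides enterprise single sign-on ... SAML or OIDC protocols.") is touched again in PATCH 07/14, where the removed and added lines are textually identical and the subject says "fix linting error", so the line added here presumably carries trailing whitespace. Suggest fixing it in this commit and dropping that hunk from 07/14, so the lint fix doesn't show up as a separate change to a line introduced one commit earlier.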
@@ -72,6 +74,8 @@ To remove these users from the original organization, use either the [Backend AP Now that you've set up enterprise SSO, you can: +- [Learn more about enterprise connections](/docs/guides/configure/auth-strategies/enterprise-connections/overview) for advanced configuration options +- [Understand JIT provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning) to customize how users are automatically added to organizations - [Configure verified domains](/docs/guides/organizations/add-members/verified-domains) for users who don't use SSO - [Invite specific users](/docs/guides/organizations/add-members/invitations) to your organization - [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what SSO users can access diff --git a/docs/guides/organizations/control-access/roles-and-permissions.mdx b/docs/guides/organizations/control-access/roles-and-permissions.mdx index 15f7d9c9fb..075a805b67 100644 --- a/docs/guides/organizations/control-access/roles-and-permissions.mdx +++ b/docs/guides/organizations/control-access/roles-and-permissions.mdx 
@@ -140,7 +140,7 @@ It's best practice to always verify whether or not a user is **authorized** to a Now that you've set up roles and permissions, you can: -- [Learn how to limit access to content or entire routes based on a user's role or permissions](/docs/guides/organizations/control-access/check-access) +- [Perform authorization checks](/docs/guides/secure/authorization-checks) to limit access to content or entire routes based on a user's role or permissions - [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/add-members/verified-domains) - [Learn how to manually invite users to an organization](/docs/guides/organizations/add-members/invitations) -- [Learn how to automatically add users to an organization based on their email domain](/docs/guides/organizations/add-members/sso) +- [Learn how to automatically add users to an organization through enterprise SSO](/docs/guides/organizations/add-members/sso) diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index d6281f22ba..8bae021281 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
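Review bot: In the roles-and-permissions.mdx "Next steps" list, the first bullet now links to `/docs/guides/secure/authorization-checks`, whereas overview.mdx in this series links "authorization checks" to `/docs/guides/organizations/control-access/check-access`. Please confirm the switch is intended; if both pages stay, the organization-specific page seems the more natural target from an organizations guide. The last bullet's change from "based on their email domain" to "through enterprise SSO" looks right, since the old text duplicated the verified-domains bullet.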
@@ -78,6 +78,10 @@ The Clerk Dashboard provides comprehensive organization growth tracking with the For B2B products, organization-level analytics reveal which customer accounts are growing or churning. This helps you understand product-market fit at the account level, not just individual usage. +### Monetize with subscription plans + +Clerk's [billing for B2B](/docs/guides/billing/for-b2b) lets you create subscription plans and manage payments for organizations. You can gate features behind specific plans, ensuring organizations only access functionality they've subscribed to. Billing integrates directly with roles and permissions, so when you create custom permissions tied to features, those permissions only work if the organization's active plan includes that feature. This makes it easy to build tiered pricing models where higher-tier plans unlock additional capabilities. + ## Next steps Now that you understand what Organizations are and how they work, here's how to implement them: From 019a616d141af0436a7ab8f86315cb9779ca25b4 Mon Sep 17 00:00:00 2001 From: tu Date: Fri, 31 Oct 2025 11:14:49 -0700 Subject: [PATCH 07/14] fix linting error, add placeholder diagram for org relationship --- docs/guides/organizations/add-members/sso.mdx | 2 +- docs/guides/organizations/overview.mdx | 15 +++------------ public/images/orgs/relationship-diagram.png | Bin 0 -> 155507 bytes 3 files changed, 4 insertions(+), 13 deletions(-) create mode 100644 public/images/orgs/relationship-diagram.png diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/add-members/sso.mdx index 228a9ec1db..fbc6cfbe60 100644 --- a/docs/guides/organizations/add-members/sso.mdx +++ b/docs/guides/organizations/add-members/sso.mdx 
@@ -5,7 +5,7 @@ metadata: title: Set up organization-level SAML and OIDC for B2B/B2C apps --- -Clerk provides enterprise single sign-on (SSO) through a feature called [**enterprise connections**](/docs/guides/configure/auth-strategies/enterprise-connections/overview). You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. +Clerk provides enterprise single sign-on (SSO) through a feature called [**enterprise connections**](/docs/guides/configure/auth-strategies/enterprise-connections/overview). You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). This process is known as [Just-in-Time (JIT) provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning). diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index 8bae021281..ee64c0182a 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -15,18 +15,9 @@ Users can belong to multiple organizations, and Clerk provides the organization ## How do Organizations work? -Organizations live within your Clerk application instances. A single instance can contain multiple organizations, each with multiple users: - -``` -Workspace -└── Application (can have multiple) - ├── Development instance - │ └── Organization (can have multiple) - │ └── User (can have multiple) - └── Production instance - └── Organization (can have multiple) - └── User (can have multiple) -``` +Organizations live within your Clerk application. Each application can contain multiple organizations, and each organization can have multiple users. You define roles and permissions once at the application level, and they apply across all organizations within that application. + +![Relationship between Clerk organization, users, roles and permissions](/docs/images/orgs/relationship-diagram.png) The organization that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. Users can switch between organizations using the [``](/docs/reference/components/organization/organization-switcher) component. 
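Review bot: The new paragraph says roles and permissions are defined "once at the application level", but other pages in this series speak of instances: roles-and-permissions.mdx has "For each instance, there are currently two default roles" and verified-domains.mdx has "An application instance may only have one verified domain". The removed tree was also the only place that showed Development and Production instances each holding their own organizations. Suggest keeping "application instance" in the text, or confirming that roles are shared across instances, and adding a sentence that carries the instance distinction, since the commit subject describes the diagram as a placeholder.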
diff --git a/public/images/orgs/relationship-diagram.png b/public/images/orgs/relationship-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..2c222e85b18fe8848c2e6f4d049bb7e835d55170 GIT binary patch literal 155507
z@S)Z$%{}iDn1De5(5%utb{Mk#^&l#;?15U4(wa|W@uFIxcJxwasm|*3^;1qX=-+Xx z2}V~wU<;#449`@@^f(R+@w_uS@A9@B(K9ZWRDuZXReaET8^*NbfZ4UB{|x_gYntN)^sz@5nlvS@)2-au%1jdT7Q279>yK zI`#G{=Hqz20(sSxacE#uF+SELZOj3&ZSyiMacy82&qDpX^xNl=KLA_dRuKFt3HF{{ zy^7(b5ZfZZzX;Z{@4{ya;kFb2Y}6wm04c4XrRl}o9pL6kJ#MAlLOA9ntm5@OwnNT; zl*hku1Ar=l(7=nm@^BhLEzaDu_hq?-`bh09=;y>Hnfuz4Y;Ih$m6|@r;s9qYYhU;6 z-1zn@H(+DPh;ucaM}BQSXxt65F4SI@+NOV8J<}k&FL&RUc(wR8LWrOYTF_eJ688>- zNvQ9({JGS}teETc+3D{=uso9lIZ6`=3L5^pB zf?m~yMulA2;7jdSM2zZ0)wdB{-aB>Un8V&Xh56lgKD)L7yJ5b2l|4jqQ6q~S(19XP z-!Q{@g_ZiDS;G&Q126ku;Km2qEec=ny`_frog^P5u~yvg8r;7G=uD_5`t090FPdQk zkO60^0dK&kH*Uh&4bjsOTu z=uw1I+7ulxm4&#t)B`|u*@H407>cA&-*ro!BS5lTc^D|5~6p2 zP~I7v9U;trk_2rr3QR51aFydqE&FDH84%BbW=NOnq}*KEfC~Ac|Vrang0Qczko5*WFUdvG(za?<4hyWC-${P z6nIaKew=riew(PtcfSVCEwEp$LN7S$4NiaC6V4?O^q5^izI?M{PgO7)BLh7qV)NOUAzq=j-+H*e0GyFJT5Q5eDY3~f5_)=heM%=0k}Qw z0{mT~fDYqHGqAus>Tq;z^h8`(y_inq*q*9UXcqL z^h)+TXz1Wq^#<&d3?#fFyI{*0D*n1rzxb|!F3rt2fzY?@`W8Ta%&u5ovf7AZ68jz+ z5?Xh!9WrzahGA7Er>67CT5-ps$M*Y*)~e!V&1&Nbf<(grtNfv=$E3v83sHJrE%;$| zYMW>>jP_|k1a+cdfamE>tP}5C`Jz*hE8^A0b*G3tBs^BuNlq6cnd{&)R zD%j$!T5vj`eta(IZYoU?PiLIs9AoFUl^GnQ-wyVzS~)86E;5^}vqcRSe$x84o;~?k#Y?si&Z=o5!wS*}F7XKZ;41h*NYXWfLV~=;5HhGMjh?W&U+!C2jQhedU zECP`A%1HBdX(8~K9F)YgGWU_y)mj#Ur)AewE&E{miu`K@?E^P zB?AxCe3lTaCOo}U8loMoob?&@T}9X{B8#&kh4Kl{* z+<1MW5IDbrbD39H;#II<%lzU)IX}gZs&cX;l88*aJ9X9*1xiMmGN-t3>b-5A`C5ka zgn1X=#XVtYANuQ}GhSeNgPYc&K0riP^Ak(m;I{4lx^3!+hsk;}xi5E-3qFw!Q1|1J zP?fgZB2V}I?Q=DKXzQD@+9D{0Jxr-Rb7%U_JMw~|TwHDw)WN_ZQ}rm_}1H=j$(_AHqG+A-(s=B)_xNoxIWwoT=Z`Ywg zi$KSH(?AFYD%&+1jx;Rg;$B6fG~lgS?Sg?VH89tx@l3VchggXS#7F(5@qPJF^wI__-BUy_TbQZxdy)^~-09Aq zPhdkeMAS0IkN#R56lU4>T{0(#RGX##}DGD_9KSb$ld68V^qo@Y%&Ab`3kb zTpty_B`Z2u1$YA)#%!eLK+w-m5ITMZ{b3Os;d01*oN<%W^WnQWlSQEBO$p2cu^NQKNbj-HOCs`L;_BM$67SnFr zg!mtcY(fHv_Q^cD>Is%Bo}NC{LFadSLE!RRrb2(U6hv%;+M;fiNiA=V(A2_QYFBXj zUALSM6H%smjNc`8fP5m(EUXh5O{BF8EtucnJRH|%Zr3~V&29s@xssM$HY<}DSotO2+`aTd`pg$tB4uvA&3oN~0Wra%F(;m{r4tvxWuyhV{xw98} zosp16pC?FmNE2*AbJ=3-cc*C3fUhB}5no 
zYqMcn(EGT6QU}^YNqgs6=!}Q%#{piz=OhaXuFlkX8i?2)^-VOIwO$&9^+SE{YP7Qz z5tFPH_*oA5OY?Vbs@$tA~f8kVmaJ-rB9sP3)>oZ(JbWz=iz!Bl~F&84;j9x zzRyebqFC0xWdg5_Iv;Vy2A6QT2lq-0@#GdZy1@6C=9x$AJENB3ykDXu8 z(Qm}>BPD+e0*SN~lxtABw2wy#Yq_|oBROFJ;3CVdM{Wi^odX27fjAwTL`IE9{fGDH zZ_VUBoPy50jsqp2ghUl;^v%-h@&FrnK01Pr%85|sb-BF3I8QfdZ}377h$+M~nGUqw z1HpnZ3|5)QUrO`Ck7yO}?SBm7lQ_$sW_s8Uo~Nl42)d`_GFJ(%;<=0@!5&UD+8+r! zF#~tqjFn8_jH4zg+Ap|4_k_s3xH{c6!*i*M0-x9kZFz|?ZF>Y>s+#Mc%DATi5;zt2 zC+ifuf>z^>P1@Y@+Z_dd4U=jD!lbhyfy2ig$uq}zEHM18y&7^MvWf0W!{37>Ljz3 zpYcPrEpgRjR2QSa7r3N#-_(Gk#lJC@6pAb96mPi7?H+<}YF66H)X3HcnINV!M?WT8 zbX8iM4;SX=W9#=7ct@e=YNeki%bauU>UYbUg2?u5d{%1LmsuigAS>lu=FyLr*`SZF z|1TA$SE4InO+$$R>`+(`##-h z!9|{E$`Qg>=1xV;`_zKe?zU2N;fpu|>w`(+FN&C(AYs#QYrL-7GuvF==5l%uPvl&U zHfCuPD?_NIzn82%+FF30Tg@?`PVSU{C>)8hEHC4YRj+`zP!ANRt#K9l_N8B6XK=3u zwWuX4P~FTpT{!3PA`?B4T4#HelqN@e16X?4co!d?C12V@VeP=aS zjZEw$PhhUPn~natTBeCzZywhy%OxkCy&}|8eLi!&5YFwpE_~XQ zbIMp+S~bLP^wH>AFC9SCK8W(o3mG1TyIMg5y+d2QRalF!aC@dgz~SF$&0r zd`$?Te!j448UKc%+kl7p7tXS!`H4*F^m=A$EsdcDANfSrrPWYB86bfm{^H zJ`)YZZ64>AFei&keH!hX|tebrgqqBE&CY3 z_F1|OlHOu^X}U*SmN5)_MLTo&HY?%*mZXw$$Q9}`?{4DHM%HK74 zNMql|>$$LB#ekQZ03P@D5&68rKG?YUMJbB8n*;tm_(X$PZOQ_I{(y;9V{whL=tm)} zI&ER6xZI`DE`liPGRG{?K z^Z#)hEdjD9M@JB5=uwIP4?x)9ciw835hUHA-Aq)_U+;ejR3 zG03^x=zQ1JYFB?Y0||cb@2fxO3Pd5o>#wM78Q~shd(S+G8?TcpnU$6ST|Ode!6=yY z6HL@`ACN%8k<;tTPd zxBFz@p4tAhC~Z7}l|*{N5<?XopH$g{AaqA!G$+G2sI_T8JWyoe7W>C}q_OyKK*d zUFjG@X_VlCkn&4xp-V+!)lSp20SIz{q$9uw&1XGwrXEi0Bc9q@aG6v7-| zHnN$njw^^@!bPitsi*owYqX=!3z>|&(0)pfTc0<^i_ho%q-TmJhXyp(P4yjH0Ybf$ z_ekpJjNRz=@6w7cyP1*3rd4Bc2u-Wu0&#|;ho5~SirDY#q}yAVl$lDyL0G3e;=A#A z?Cu6K%`S57nLZk;0N912U;mxUGUxs!r{fO!T%iU}muDwAzCkH}MoRdbcQ{CVJ#Sa+ zrXk{D3^3Nl0npBuw7l9vgI_`1uML*QN@7zt?_zp;3NMdQb(erii6Oo>CeeoWg zV#r{mARa8ctU~jtcg`a+fkyqH5rQt{2(atG&7C&hLt$Uh^s%Df{p^5iUrS1jDo@PV+?a>QQfaA7v(RZmCmk873sD0sGW|OxA zVMAf3+8pC|fH}3Z_1Ta?erkpvd%+~}cx0VkqXkcvtUl`@S{|_`wfZ}J{QL-@^jZah z;e$X{u;<8jXMTH0u1jX+H>;P$8M)E{J<}DqyI39cIv(6Su)L~eQrtGRPh-nZbxCpu 
z!YraRLTCUeQx_lsfqA+>N@QLIRM!vCuP@!7p5f{-eN%?mHtbfsLLsittOx{=zH2>? zCRerxq-maH>sl?hGQg)+n#;Y<3U~!UuVEafOKhJ@15^lWL4%u9cvO4G3}>{kx02#Y zt)vb7#*sSha(`B6aZw(GMUw-5?D$Fqtrrwi%w8IqFX(%*99+nvqN$4Z@rVtyNDaJ_ z0S>rv=-|AA+_DWxqXvMF)4WAYwC6*OV#1i)+gQ znnSP8_91v7Q#@#apna30?qj&)$#C5wO?yabdu`+XAeqAPGk{pSod~_aFKQ(EDX_gT zD61og$3LxIO4h&AcBJc+m`jl}Uy73NBrTQ62<9Y{wNOs5fjDFE>^@Qx+g`EB7U@_QjzQgmm5hqn$a#PvLKw zEJPd#Z0NbPJo$iv1+(}|rtPJ~^5-v6|B}hfQ6Cskj}t*2B0n~NGlTxt9Bvb3ZVsoJ z5Ym;QBGGpmeYF9|CJ`*-e%>kh3QppEn1My(hSd<^Xb)gRWX%E@Dhc);?1sW?>58Zy zuouUVxLldVOBv|wHE6LpO1n&7(YaIg;dTeTc6udZKq05C!8$l&Y|(cMWB}sao_4$A zUagmC@Zw>+3-rn;Kc>FY#+F%k-$*pWg4>o%LS&u?HRG&*qhmjqcU_cwd|Y@(_289w zifx%)!CUQe#dc-w<6ZipWEJ<=*BOG#UMjqkK&r8SfW3!gv~Ainxm0paDXls#tA=-Z zgm7pDR#^?#xCWA(3Q50|-bUGFLp?D@e#P~movw78<&brbA>M4h-I6NCyq)r8OV-bJ zr7nA4)Mi~<#K?iHh2txVJgrb%taS^z;n(oh10V&<2{^^*mXeKO!5mV$@ZCC_qQbn8 zK7c7qdc1}he?*dofNw|6eO~cacm6ve@Mn{=|n^ykC8+x6G&l zCD8DI9KI76Rl)sR?}wozNrb=`sXzjFzbwdyQ8ryr#uvzgvFSl^wBd?*&EV#!uF|f& znwvFudX?D`{$LQt+%3p}X736yr0nu+)^@P<`k;7l#Pam%kx=)Vb#8ML%zRmKdsi4n z9ngO~d8(}qsL7usE2O3XVGLA@5x5rno!ez^D(YQyfT98Ki9}x#`Xn# ztu&wCP7V=P)^tE5kE*!HVrJtx>TbUq)HkcB9}FYngD(Gy4`BzYSN3GZXRW6`()85} zv4Fts^3<|cH_5W@SNaiZ{^F-PrR91d3A}vnWDQNgYO2CK9t{i{k@Nh21*Yv<91|(?ALL3oH^|wn=8rN>Q?~GD?z0&Z*x>B$^TX ztAs|`x+flgnJrC*@@(uIhEf(#spGLqp2Rg?Df8uiY1P53JaVhiaI!~%ej1CRvCy={L8Ew=p`h>c$0xJK;N2>6T ztvntQ#uZ4SJn( zkDV{07A#Doxx4$(fvv<3N}-kqbIQL3c?vthTt4X#j}V@ZdF(cv$D8Mau^ZL(6N}Kp@#1RL;t%4yelck*F_ZR!d73D}kI8L!UN~L6(SAX|uN&zZfdP(K#xj0ta6jsxNuZgAccED^w~N7W##Gh~fGi4f!=={{E$_427m zfn|D4LHBD)c}I;ft7XOW#`6Ww!AT8+{RQsF7)2G%gKX{<78JAEZ9ccM`SPg)K+%qk zYoIfWtt5OcY|G<}VW3dZey$oAD0y~86qr`b3D7l1mw9cgwhRY?BzqoW3sy+hN9E6I zLrT>gTs%>O0U^3rNfTzIi+!H1s2a)FENt@cmaL`|T;Bqv z0h~p2@DBDNnSsML@UC3<0`(NbvWk24M)1%t(40ZNJ3@@6kMCCXl^(}jtsmr`O#sSW z<8=>0JwYZkNJZs&l?uX_)Oc(A4db#La`af!ik+YnsR%M_?BMn)q^;__8|-H<$VT3g@)p4I;-ky!D;#|Ft$}3pc6`^%wgwgiTO#0U-4c6Q(JGv8 z<0%y@69iq0aX7VF9NNM%n2*Hjt~p>D*ha6RvH 
zWv$enHv>+>>6JFH{<)d%TiYAhws|&Vns*D7#Uwfo@zFJwb62~R36hN`NUA}L%evUl z9yy#ox^>Cb>XD258UYKh=T0q(ce);fxhH%qA z_qNp=Ks2KZ5m!Hg9-P*(kw>Eeg2b>(LkgW}Ndv9jWA?MID9^3H>K$u^e161v>+ zkTL(}$EDzjao3tjhrDa^tPY@tgFH2_7e~8pJV`Ko{nk=q&(e3srQj^z=kgS8FuP`a z{i(^+JVnFAsj_N0w8NhAL+W_89Q5kQsRr_S=Aq>W?aeWs)bd5**-d9bYfVd$l>J}D zO?N}Ho}2>Kr_btA^PZSkFWf9Tx+BYM9X}Ggg>4~$725| zZRSWC(N^47OF4agP!rzKc-ap##B(|lbqbz5}o^Vp)efiaWrbxNd z%`=VUufOUg@xE{m0d-%RUuv^qNh$?1IcSeT3p8W(pYWws$%0yWGTX>9W}Ti_mNUt(YXm+N#5LWvv&bOO^9M`xH7ofU9c-=EoUYG5Ndry1ZNfDwD zgPdX)d5=5ni&Cv>Ce@d1y_7HUebn|R@pV^yvXc^BQh4k3zVru)8${JrNqV9MfU@ggANfd)QYKGOVbNM|Iv5-#YDhd6Tn za-xQ*tUha$$PN5qjGqq3lQ`B8BsW`7KX1(YrU*?&7qRR@gz{qxUl`V>W$aeweLK26 zn`M0wksLH{qp+-)72NEnyK%IoBJ}3QJg3kH|A1>K3c10#OnjQLI^DKNB{1Dtg6nE? z>JUhnRj$XW^bqJ+RVr2|0JTExcKJmbXf2?DGN7m?8>hGoyf)>w8aA&t>H^esHCpJR z4gvo%1BwAk)E!oa{?J~vJ^hNIvC_S3vsQN#=)MtDOZbAEb>(-4kTo1lizZyRCX#f+>@C~eAxbAbl7uZ@*c01qXiamY~ zCy6zruhg)*ZGAUhT+N*xPzICdyg%b{lushpdI64hy|N zC?8G83H`=}<^l4-ubsHV0(Ytq!w-X*lD7G87tG(wDz`KPLAiCi#;$EDZJW8beq}5L z!`Uxs`-0f;x+c5Fj=k7S8k1&>KziqTEs6s66lC7KvEv-E zqcZ}m*w+TtDhm^7G&l9M!))#sU5Nq4P^=wK^zH51hn_xTNq+nXn_`gj%lFW$j04Ju zmHHF>aHU)ETe>0YYKDP)16TBO`X}Nm9|E}1=s-Sthn%Ocp*es$297xa3O)!n1ZI}4 zV|G_TdZ(;~FOEdx@@=Dfn-mb^S*2%>)d<+5>^2k>NBE9vRZ-uxky={6fd+qZXg7Cz zf1G}h>63G|n?%c7z%t27eW6)v)4Cp8ud;N?^m9T!e8l-EPyWbUjlVIS7U?1nqGnKJ zmYn7pPHXy|Y9b``fZdvh!@9Jp2o2w!tfaB7uNbIdxf{2KhF*EDVa)TJ$~k9_G$uU; z%EzK7d?(tdFLe6f+qnU?OR;Oc8-qTUh+zSSkN=|Ez#sW=MgeO_WwF7*9MItf(<#y& z|E6NJLjBt_P@;V=e)TXzTSf6h&14dC{Q5Im);Lae00TJFfxv*xE3e5$Ki88%u<%HY zK~={SBe<^)`EK2PO`D^=uTY;WVNaVVBA!wrD1eOnzzhoAZ;ayZ9HvkPl*4T>~q4J*~)SwQ6wlysnO(Q-+p&97KRczOZ0%T!9FPf9y zVmA3TyYa}8tj~Gcjulb8xXNUC_V1PFYNT}#lLU{c?M`>$<&thC)$&=LuzuDyL0B~3 zfe$F4y38<_YujnRKq*_ia*j}Qb*$!^x~Q*MYyIaVbu@XK%e84H+udr~NabZwn#MdX zG$Rn0W={ITRl-4Cn@%a3(J72oJ+A3|Ooo*-BnDQ+x;)gGdPq z(%m5~Qqt+r9YZ6HqzXuPH%hk*Aw6{0&|O34zWF83|LpVZ^X|OaZ|5`jnss06T33I+ z!(&#g)Z_b4HRrz%J()@)5IcGR)f31&Cp3x={YBs~M6Az97b#=rPq1RD5X0(s>ln4y 
z7`uAJ*Q8lg-d5>0x)Hg8Rewg{U~y3HmcC*5A>r2)jzN>_rqcOte8?sFZC;G&@)SdE z5^i9i(`okP_s$IG>@S`xh;2X?l`!h}F6Ba9x@f?YPn3Ja6CX<*A=biJDy zn086@a*F+FlM1B%@d@LocaklAX$>&XCeRz(Y@NSL^-yB%?YoV!;>1R)c18IY19eH= z&0DJLy7W-yfE$&!8eCScE%|fB8*{)YMWvpRP`j*Q*p%Kk{rsQ7)re{&Aa>3-Ho1ql zz$kuDvkis!)erE|Ua5>;vzcb3a)xbESEAZn1MBsPj%^DP4VCFq$-yaukh$zjn<0P9 z7#kov!P+VY#$=Rm6P96aj+>;P^0|MU&x#%S~}6|h=EiVP2#1( z-2|O9iawY3MX@@`cw2C-A!Mv>?P41DbgyOu+@gqI|u8|6-fq)#BBa^W=0GNNz@2)~h_pAO0A^+=6 zG2#sfSMk4DCNdJ@U@3g(cIcwyQZGX#o!F&lpN6(Z_4{!dvSMe$D~z}O0!3wW?y_8LsM=3_O9r7WF!|TgEoyUx_`6H zOOnR;*7+Qp@AK9sp^TozWDNS`hkO;>gJrT@+gMy$RU2H?O4?LNFz3`VPrg09f7V4! zH-M`wCl26Ob=};VH_Y7cHIJ+!E5O`L^^#KIT9F$!-w}!5WHBS_w>O(GN+_eU;p$N{ zjGWj^y^v(^p=Y2z8MnwoZB>RQ@K6T z|5Qekp{^D0Z!Umqsg-wp%5UFi7gxp7DK{3B7I<2)hCj_sLJf4gmI>Gl((&KaotMc*5#=DH?+%K=V^GoOdPNkB?>I@7aVq z%#*O>9d@$9u#@2LWcW@IG`|3L6OGo!?&H-zep~S3pVM{4@R@fQnfhHB))c>*DW= zdH*@%@4$1Q!oaY9qDsKEr>)%8*R*4*8CW0&Brn=0MUa^lbl&6s`=HO_UBlRV_C4#r zpFKob4hIA?XI^x0F2QZdKir%378xq1`sK;}@4Uc01G=Ta;Hpu^l1{xdM>4NdNK^U$ zU=~PgyxRcb#`YXCjHTX58Qj0V;6(l6@71;HlVg9Ajv@dXM@^bmvR30D+perwHG z3=jW9ApZmU`hR~1(DDB(H{t)Q2me3nfoVIIpkZ6^l{zWSy{p}c=(9UpZ}OZ%0*VOT zmnb#p{uksu75MemW zcYQE3$PStE;%H;Ib6Jb_RSHZir+|U}9|N&&i@*;|$|6aO;hX0UX{z60qnbj;S~vzM zeFnTPRL4DAcrtWm3D4a5rn(;g^BAz{_qfjv`svvWm-E`nX~>^b(k_0+nlJ%h5|KS? 
zZeeS~VZ~b^2Fi^FsiDOHPa-ckOAmpT!rExquS&^vBOQw;JDn zU<>x=u}U-k*BvbTe|k)5OfBhUdDVjQIq1f6HR)+#{^T-IQ@)Ed={*mG@Gu3&_~4~O z4Sk(x{B!#}1ON|&_UX`rdyi~}!m_OVE6ua#1go_lzk&ZT&R=X0mfBh)`(A+s@$tnM z)5XQPvdkRI0ytd)ZPL4Q^8Sf|D5Vfx0u}W%T*vW;Vx!rj0N+acmEqS7KiJmw*%Svx zF__BG;2|-M#J|UhL~YxXtQdL!T1iphN^U37w5I@mGC*7lqJK@eF zX};&-XO1MBNlkCi*o(>hlEqVm@Dt--`#-<-NJ_%zy1n;MJ&IR$e z{#FsJ|9fr(ct?BbG}RQ?u!=&8V*vXKENK%6EYzS(TO+ ze~j@=zYe^Ya@g&W)WPN%#Jxu(| z2EDAV$kFIjhj0;K#*DGk4Y?W?j)RFlgL0p@;1dt*Xsb8)Yo^?jF}`J@l*ji-Vg}F< zLyj=?tUN#JsOMGjC+P_Q+PoRRvKqn!w&h!(j2qYXaIud2c5j0ZQB-90+xRkjQFC<& zb-%A2W4Q*FR;}_-{Ch_zOA$j3G4#-HnYPd>qk}98=swwg5GbF~{Nl7A#sPu8Ez`kI`9s&W4Tz5>BxC$0~_Q0sX2py1`& zPIC6xp}me4pv6}4PeF4DEH0{6H$TtnisHT^icrR6p&haM(tm~t-I(c zjRo-#I9Kc|rcJbCKx&2mNUa@^TASR;3_CUJJz|0ZVFc$6`$%#Dx!ap-k~n+#w?(2R zS4(N4dk1m(=aQB@UQfDC6v5-T}oiA$@uTmP_Z7Z8c6!C+udv|v^LRdEiwuNLd|M2Hc$$J}~TETeW zs96(dD7xMwS5rmobM|_cXFRxPi7+X@1ih0wAxdG%#>}(*c5ly}0zUlwty~E9-yH)a zql18kuO9R{ds{FpioFqwAg-eSnxC^7rL60o*m-jYWsRrhJsinH#FTz`rUW z{1s&xxOz_-%Ci{RGx)QV{{~=RfxBrbyt&zz}YR~p(_Ng=Poez#Ffe$|h?>@$S(G;D|Jpu6l zDS#T#|3(0u%m6ylOwjo0zjq<63$bc?X?Y(@EC|c$Fxgx-#pGNX9eH;T=hxk1)GOz zfHe1H6EYB*JTUi}MF~PGS^jGo1TOBsvF>-*=pDXK5jJpeda6$LtoOu>j&rvRb-}N@ zML2yyg2MoPjY(s6x6^mv%A-RJ3JR9~s-@ml8hq}ye2L%qkL$MRn8;_kV0Z?GbeU)d0$U7A9d;#Gg07yBgpsRP8-P2}1p(sm}#K zs2F+vT&C<7X2jpT8FxpoBJrn?)m4*|?#EvUcgxHNzbw03Bs?u1%8r8t*RaXAPtFG1 zfUj*_!6rBAJ+%h5?>XROazI z82wn%eEuWPn31`;EZ!j^K4UL@&gCHH>uU0;VE8v3+ndS0Az3CIPv$8};wGDB_z&0f zN^on2BJV~UC{$kU6>;FVL;jm1lGP~1W~|dbK`r(2DVfk1(lvBM$}d)bDz4!4PSDJ? 
z{K6%L7b|%F7BbJ*Z7I*+B@QZ3P>##bNto$IZZeb>?q0G%} zson?4=ew7Kpo@(hfCGjI7(QrEW()t^NpTlwj0r8+s z24FdJjWfEw}xl_6EW5KE08<*qoQv_OyIH=%l$JPE4bT#%(bG(AG94IF~ zCo10Hq961lV2x9jiL*4`HD_b9QAc(B_GEf*HD@~Y>M}uiVb*X-wKpqD;qbJ{*Q)WN z;}Uc>O%afddppYq#|>)TPv$BlWCIfk1LK- z@n5ti9|&Vv&DyO2yUn%WxJGO275KFZNdD%CR}om2ZZGCdhMXcgb;TxEZXR$If$d%^cR8 z9~SOS)AD*jx67S5_^d9m%LfovkU|8o`KPb0dP+ZUydWERkxxUA%p!yZy2H6i#gZ!;m|&1?4vype`i2`B!7C zeFfA)c#8b+oZ7PxcNyoss#Z79aZD&*i(C}fUfu0^SugIcqJY=wx5KTTUF4*X9f-$t z)7Cwea;25ASk>?|y#(<2^BAs3C-Ia}dCD#5et4SAe=#=i(Q(#+F~dg>)UiAVuDIgJ z+}nJ#;w9XAM-fI6_1f4WYMJ&2drv45qWT-ss`6aYx{f6gO1*FDeo z-(p->6DCQ$M8kIdAkHXAHShT#e7%?#t3_^q||cI>m;TIB;ph-jTbb zU2Y^o0wOREZ>A@H_{1(@g8<@^=p(k%|RPpJpT6`>(yinH8!2t{Jsj2;NC%@YvTR07LTKY*wuVWbN|iWDS!dVJVMZs zgzYqmZCVHO_UbCsrZ4?bp#R28MWL%R*<~W0{dKZLx4l5ZoDf7U3GSj*9dcM%$m6zr zoV;(sW2vx0CWY;dyAxy~P?X&Uh*@npO!EDv8vr`Onii#s0u%tsn0L%|!gJI>-;5IU zB%}_&+-Nz?zj!O0UUYK3wqP5M)u$~~HlMTF3%5ayN?|$ka>FTc4AdX<7-Yhnhx%~@ z3SPL(T%;5CzCY{dpIR9g)F=1ym`O9{fxWZP_Bw4{FALVmNlqwhbuF?yoEbv=DR>v3 z%W^@r@#hG!s^^$+Hr(1n9jo+3M!@i^9_rp~^;trc&qh1DEXHQ3;c5|0^(4%V7ZE&L zzFL_&Xd<kGn`c1_y|6GWHyts-E?3kyJq4!Jg)U* z9wL<82mb81hFL41tu;ul@^<7V$l9WL>?)rn7@6EP{cBLNWyV6hd8rO3OAqsGqve@W zF`MV$3OLB(dNT2rjlO45B>vDEFi1aZH!p%R44I~ktjm8ZYy}{gR}4=NxW_^orf6O| zx-`|AV78m>jRbnCp3U&>xxbd%qp)E5D2VRg#uao+cU4kZ2A;QT44h?@Ma_PKH7a=f zj6&DB-A(m^E7Nie|6QF9uk+$A zf~p*UrC!DCqvSK!{^Wm`4k}0!AawIB@uHojQ(J{jh~XzwxKvDgf9F zP)O7G&w~*M-~usUPEXs8@3_ZvsA=%4zAtUK(dAB;-?Hl=rUB*Dx#B7Eo~?&w95Yo0 z&i$g?UIRwtH4h?i4Um&L*^fjk=_s5!IdgvdI!u&eUPh~L-UOvmG~&^tb#cu{aK`Gn zd%Iw}W~aD!3;qxVx3Uh3+zFeH-U74HiUVRGW+P_^q`|0nfmp0@RR{AQ)=lygQVqa1 z^dKfq#s9A;I%~?%yYLCn1OkOu$ChP3%)^%QBp01A_QUU6B`Gy5K?SkR6Z*G(ljrM; zUfqtmAnLPZ{#Hpi&%`3e-7EU)3o;6O>R)!ui(~;Soa$YqZ60Y7zPPmu!@lHC=c!+_ zeZ6e*Ce4AVxSyV0C|ZzqJ5QZZfObY>QL1~c*91?Y_$Y3E2nNt<%>c3N%rAL|=H*pA z&RYo_>N{r5V@IxiWec^3>2}Z_aK#N-Zyo$5^)>r#pp$0OwGs)cwfE640Kz#CP)afq$#yK(7fgK*3g2ty0_n zXO1SP>XbBsfH?EeAJuQNS6$}}S|D5e5VzPOmvC~@WXHU&k5jCG@Itcpy$Z4BywQ=O 
z5#+L;xQH5$i?KdI)C@-wy>TnsIbza;oy}36&|KM~z~gYf)bE(ji&MvMKgj{fz+@33 zk=+*x+6>w9_H(j{2IVr)vT0gKT6~q`oP6;y$_(2;b}O4yVE>Sw;ubvNY~a#;>v2>| zWDAKIyzxAppvR!Y-^sHR!x zmpaxzwpda52|B!9iPbO8WNvz+=Lz>a--6!80}h+CB%Ix8!RcKnLsHS0!Z$)cLpS+J zGkdlkIh`pCQQGWTV6=Nj+kzz@t4+0;B0)gUMo7(-c$O~e*$)Z?iN6x7(1C8vOpIf+ zAZvEyC!uf@_sir+G3XoFqY3J&NS)9D^6FIZ>}f;o&G+As(u5JGE*|7cS5T=GceMHv z?68{)!?;5drApAf^%L zrYk3WI(E!z&{9()B$NfKnGExci$fZ|E{7e-pD0qK8_@7@Y{atd|eI%vsA=8E2`zPBH1*IpxRGowF$Z z2>Fu0HGdFYyVgPoA^O3oQ@r=ng2l)UNQY2Oe45{QSw%F0cdWka8a`w@Y*g$m)5nYi zBPao5l0U~cC9E@#zhgs0veEOiI7}-Df`>-Xzk#AJIS0k@0@J^9>Uy`g4T$zVt+Mng zX@aHegU)+kg62 z&t-`J5`qG6SD%m3eof_6tnYm7X2FbyRzQQC%zP?%lu>(7MF$Z8lFQ)1ZE*2{!|^e8 z;^{414?aC%w=<>tbHSrLaZV)pSldyzzOc`PxJlEy1FN5*bS=5gCed+*%p8g>coKp- z{@`;yxR|+SG^a4YX-{{}#^TG?BwSCOq+Zdt0xrd%QFWN^Y_I*@9+3AuA(x$-y$(E2yzMN9qTZ(*8`)pI25H z#_o!3N8pRiQXZ!4>!oXpR@EP5}2+J|PdIj<3)*?5|GFPSZhdKHY;IHnnF6hnY7b7|UB6<2a(a%jY!&@5Zflz#xLg^AVsk|b9%!CLtW%7`&(VBb znD&%o>XSB7+`Qdaj=^Fr13Jp1jS73iTg8nPcga}hDW7}8cksD+cj4z`Y{5gBGliQS z@Y0xK_34;NY`-#5@mBu4K%?JxwrZ~}vQ~O9MTAHi^`FH%%WZd{;7e_~%7*#ZY~Ei{ zXHEgHg84%PAPUhr5tt1l<9kgya}J{CKO(W?xt9c;MS!-hDVOgk6>Bh^C0jifg;_!VKr6;}{Y zY}3~F*5hZ78dV~j2uyY=mw_Cpp%W@j>G6+6-pSi6X6G54_kP?;75 zw!~S@(v4t@!717JDL81JBQA@xfJMbjzWg+j*Co+*p;MO{W?SmlU!{j9q{s^z7tW(l zF9i~P8dCp(F4^OxdD4ng(2sEjxzVy|a<0R?x5H!Vn$|E|T;B`5B#v^$j#*#|jQ-_c zwZf6_>J9dz04FuSQy$Uz?r*AR@`pT^%U)J(jhgw%&b#ufm0a`K%;Wx9Mp*MD^6!sP zf)ci!wse+gR~TSX5tu1>9f~aG4w=z>AXLHCe6rtd?ds z8r0yP1%PzSUF2|zrK)DXTM#vZ+u~EYkg;o98+g1H&1ZO=Q)y#&XHF?TO*Gy-76d=9-d3}eHT#XF@Ige8iuKoKY!otxzU5a5oGjTE|; zq;I;uxlC2cBTgCr>j%!9o@!?>4C&5CM3TXr}z2p(~`>5 z{`%DKE;$S%>jzRhIDEq+_*g4EXB}D;;)|wnpAT+d)vHh%?(!(KIZB{mYJWITdApG#Io{PHaa`kfO3nCn`0}edk#n`gCX&loketKwj8;OjhA!`7(k;0A0Jndt^$GRYLk0|7H zuQ}AI5`L0dH#m|~qBC)mS%6qy9f6`nlmf5adUpPoiURjWZXvwjT=Pd`z*xbz$s(|s z){t;7P`o1FM-}}R!4)t$+T#eAEE3dpJ!F_8euAnlT8Y^;l`GPR%j4=FtBZ`gsLe9| zSFHN9!|9jks$Nr#6%cl)GnjMci z%CPO`8=JKWjrP9HC{Aw=(KOY+JdK*!=W}Kg0SL^2IhztNjVVW3oz58eM;dl4oCCJKMlFY781fuh^|UOujEWk!Q|j6d@{Cf 
zVz-k26$-K@+N(LOwH=C|%{7@CRoCq;dLqspU*0n3cS1huLGHDkZ7_nalZgU&scP4* zl@h}Ix%3xIYG~mbXhCk|qkMT8<((sA1eiB{{6>WEmY~#lLOsuM4_tA=ADrW)Y(b(% zNoxjda{|OPq&F8^9~_R-7&Gh(_%*9U$rIcZzr>xUVheFWk?}079B~>+ZXB9l^*$F^ z{n-v|`TWQN?oFqwaadB=^(dqwLptv8Fsi!vc^W-ysKw=WlhRqg@#*N{>r{Y#%w|NX zh4q>9&!4-w;Cduqk4-WKJm-1r&C^Eg8!g)thgNZ{pkgomF^q_Y6KcpML zWO2Yp-(Q#(#iQR@v@CzhNY_xh;^;i-#U0t!x4@miny^s5ZaV}H9m0_?^MA#KJ!+kb+q>_%RDA0n+egs* zLWn0$X?L2zXKk8fsgdn>z~)TuVuJr}PqMsC3_ih|dh7YZ@H6*$G3NMmE&<|3dPd_u z7;=?PW;;HXRRUU{8+fQbJYdy--`|WU8(Fj0QDq(MbN0Vf{{7 z$~CbkXQra$=kkX>1VCf$kCsy2o7INAQIsGzYce*FB@XL;BFo_?NQ{;iP}_%1IfNe; z@fq#+i5P!6wLBE5@F|v$Tp${&t^jyh=r(Irww?-IE}}R6LtY3a`&Nmm^ps>$J%UymtDRTL(V<&Y8)iR&7xgAH-zfk6~CAJ zYOd8RDpBDKEo#uO&<2*76k;anADT5D;uS_$l7HSKb0BbO(Hu7ZCE$CiCp1zrmMpZ< zOVYcZ>V>KpQ|30ua2b6RfCsG+OqwXb8?nKfGbz_c*yZQkSXUNte7Ylnhf@5E0p|4X zmMqg@Tash%5Fpc&(C4{Xw#bmqEST=|L#=Kc*GiW^B5YLDc08X|LVPZP{0$73^ReAd z)N2lZ*1Esf^8Yz~N>hWqGwe^{v%!&l>qkkK%F~NMajxW|jeSFy^20mPX{5k)lKY@{ z;iE}g%@O;v^jN>Ffq=UFG3JV`sjkqC3K92;_^wR=P?6g(w#*Y}-1Ih`B@%5sj{Pka zm6YG(F|0|jLwTDae5w?dI~LNgT+l4WLIz&O`Up?+NytRjHIVc?{OIDDWE(3v@v=)C zU$5zWSIS}F38Cbizci!>)RziAAXDnb^?Y#?&33y|^8W0(xA1D&qbd{-S!@&HB|yG- z?*EW4pnP=c@cH0o8ucS8um`uct01}i@(E3D4opj$TSbUxKNvmZowE73=D6Kq7wxOs z*z1fNd+`MZePkpLW`(|vYJgA?;imSM;ACh*QLiG5WMVKN92ct{9<2ZP;#BC0bX98c z_J@=ug_~#xh-D(btSu68tF}}0$?3ju+wqvZm1HW0O{e$WKUMtM5N;1^g1;_g`xti5+01VcA)W6;7hn&y7iV5 zAkk!R-O70ms=e-X>?)1KDS0U+4E8Q*at#4L)|}%ei;nV|!_guWwrm03I2C7S7F0QM z!xcHh5EmxW;6gWKrRZ=_0;GEiHOoz%gp}zN=QL%xB@+vbHrML* z2~%vDxS`#PoJo2TwfAOXR$_>davyTwn?)W$(z8h(R3$bX_rdce0Xe67OQ?Z!yveH{Bri}siIUHwLn7UsqYhE;}Y_1G(=y7Y??EG?IMrr)e z@9}kUfbyvvR6;i3<>|$q_Zfrs@7CSnq6w$*mpZM66UB=D=_Ku9ey@I0j5344@p;g>XAJ#W!h%})c!IW%p4>anD$_G`m5*323u#vid`>Vdz!whnK7 z(n3s5hgjZTyi?Q1YXy>kekBB6nA_p_KZN5 zD*Y*OK~gx@Snf7>pJ$Lk+K(Af*;(hzM45@O#0}Dq^b-SV6D?AD#z1?FDHQHvd8ecu z{~IM8C6J&xKT2XXVQI;Ea?%TL?L&&4#dqD>sI_}{n=CWN>Abgu7PNcAKJ6y;#k6L5 z5snO{Gb_p4B}JtipS}7}GvX62`u;Ui0FSm+cDr2Z!X%$U!_RTfC5?u7Am*Px#ByK% 
zq24>|Q@u7mf29wm^Lh#K|1P@TICp4}*VBe)!O!Bny$36A_OuRlzx^qF30<>`V%({{ zI0_Iec5u;Tf%Qi&FY0D;Tt^74B$$rx@|6%)1(`~f4TgauB~gN^XU?Ms>kH(d7jCg? z!E^RwcXjF^GG3GRkM41e;4QM0*O9a7EqrZ2*%)i=aq_Pu_su4&27+tHYt%rytlHQY64uw8<`~pU7s-}OWW}~CK|^a zGpqO>XhQ?=T#egN1#CCYD7v~wT$~l!HbxTpJ;W=vT1?oK+LConaW3HeJp;cqNMc0_xa10oJ=SmOfx7$R!S$(gHe1#^h@)C8z1;i)IWXl zTE*Zl&I`9!HB_?-APD|u*} z^TOdus6jc*Qq8JKF5mTjbsM16qOeG?ySdDJ?0xUz-H4?~q4u$)!8sK{u7Z^x_w+QK zzAUh%7iW2x=N=n{_F?B2fwlYNMUC4YzE!yTwtOx-)tFmdQE$`t~C7?oaKuCY49%R<7k}g>(vzY;p0MDRjg%Ez!(oTu`Tos@7O6vo4 z{LMAOarVg$*Y#yUgq~yVYW1uFx{?&xph~i*riE&O3TiWb058{Z6j21KbS+N|KE7PZ zHm3Lb6aunuDzmsWvR0`r%KVHi^Vioij=!Ty&Sj6_0H3`W?FG3KO3=Dgrcn4N)bcp) z#Mew8Dzp;?Z>Bfs&f-x6g-?4*o3-L`P7wsN#fM?_Q0J6+^a)u3}pjz9xrpZXU#=m>T;tx^xAFCIR{%1n#z zWv3^lEuSf}C(A{9?V4_Ds_GaP{Rk0_n$&RhHOMjtO*e{u+$`0TCCcdWbbrSJjG2cm z)Xru}(y5Z7o~_Rq;Z&Z&k3|vQS;lzS4%ENFGcHO~@ku#veeg{`eE$AA4ivHgE@_nx z%C4u`zkv3Po8y&*jv`YiI`9qzub*0TLev(--fRCVhbc>lG7HcnI%J3#G&$?vHczM8 zGUr}8_x30Eq4B@Cg5|P}`nl0IB9^k4q6Ois>vN9N>SrgSWa&N`4z%Hg?XT9SsyQ6# z6Z+1}@FwyT(Dv(j-)5%Ps~EIXgYtSl_3@ZgsL_#5X9#}-RBL?hD$hdq^ehv5K+r6L zVV|iPZ~r%9vm93!*2h&|n{E(`}WYDLBm{c05|EEZ@DS~Bo=`4Tq_A@lgN zd|4Gw4Lh)>s;xqiXZOH@meak=m~hey1Gb7#H|ksgDrgQxTbw!w8y2B#vsF9FIp`(O)P^DDQbHBvr zMIFD~!iX#{4{PXRY|pZFpSaF<+F1`_Z%9M(wZGLoIgVf`yU<8^)5E1B^mJn?%peZB zCWzYRBRn&`uf+1r>p?&(y(ujlCR$Jz6IY@3?|ffbU3yYYd@|~l2R;y#pjDjtDE0rGne=_v=~Izrd(!WK)Q7-A{#_f+HiI^M>Kd z!Ek8xC9#`Xvzs|)OhTT9SCoFSxXjUY{p?;+b0Q)D=Yo0+yEp>f+P_?V!`(k^ox|Y{?IwOGcWqBRCw@O=*7 zeg@H=RZP`L>z(B5yqi|J-GET_0{p_mCaN`nZ_c!@PH)x+1+EeQ6zdJ%O-9NT;^24u zhb*WV!@oEmIvIRAIe6Y;LGGe8BJIjq{o+d>;v&$K=k(z8_MAMn)`jgCVM!G@TVefl zlMbdfO)S-HoC{Cwri&%%nrK0*ChS<@f+6F@G&1vKe@eAl;slRB#Zo>Ob+noI>F0di zIapdRxMEApc)i<{UC0?(lg#DT5pg@fSd!D1R4O=Xjn_036*=(u>${)JSP^mf00UG5 z{nX;O@3r9tR-hcS^5%8ASKH=F#7(5_6jd|eqbHYz{cEe>HOg^_WuvcbD9D|m2Kg<1 z882>*8cl`G^m`}%QN6qqw4lft?|_(Q$@1o)rk*A0%awAuZ=ai_lmf&)U~i0i`|B%J z6*A6}3~i^$r0JCzPrjTb)Yv;>gI^?AJd#+ILkr6B7CVAVVeUk&Vpi#rUo3D-Ew{zb 
zZjBAS7V4jOQ`(DPAsKxp*@V3R3DHoPa@XpN9!FZ}6U5*tdsO`6fL7!0iK-<_DlIh3 zPqB(aBEH&x5;g#O>M{C&tw`j$&DB>JO!Cy3Fg!q$0ZIKd3?Qp4n_#mV%6U7u_^B~T zB+ij*5-n)GvzhHcmcwil91$PyxY2!VMMG*xnX{(aszY~lcvYq)Boz5AaI&^s<6+2U z*-MI!u;-$X)`dcsGDsx-T75UU%4PDWOEDP?Pw7jud9}Qzm8g?>QR|U_Gw1?vc z*qZh?2ppXGRn+ED&mN)I`?b8mz%ZbJ&A7^n(L_nZ2DBt&xA3w1hU1XF_lhy?O<4q! zZpMV1U;Bf8D%4@GV4*HQ@TtM(EyGNGL}Bo~!BELxjPg_MQK1d#4jTW5&jB%7`{S{% zh4XA$<9ofCF_GCJF4C$r`iR{5VWATc)o34o-h}dHYaWgW^A2XjeHH- zStGaUNv4rix1e%vAb6`*A1Scf37XnF|FQd{77uWsLw(}Yazj}4?WaDRi=j)ob-pjv zNU#POudn2^0;MUup6husLMuGtE_-YCn_X{pWbjfIPJU1 z3GMBlP19ml<0w>@N!%SuRp)zTiF?pZo|_N49F1-DV8p^6^unvxI+JhfYpqaBgEn=u z4Jw1jiQTdn1FRDOqe7_XmFoK}bU*<;$OK=ByUo0*J}APe7rmC~cw4`H$GToc{n9+D zxv!!*+Tut?Py;DW8irGza5>A;-G?a`KsMm0c*;H6zvq3G%@WK2gE&Me|0b<%CSBD+ zBCU+u6ZGeM@#WE9b_UDCU*j-D0w2rApjUY>PnyDG3-^bHo&UUSuya`(WxD1l+GfF= z34KMQr5K=I{EsqL9=VNXA(qyHc_={W4kf1UA|KF5^p6n=tFs#MUhqoH5=aTMjdHfO z$;1UnH0QB^BvVHX(GkT_*DUnreiJn{tTgNpoY!6@Jc;PinRfSGY(YR~vUBlcAXO`< zi85+wBl*4etZ5A9paaRfyv$?GuGTE=5}(iPgrw_Ixy`Wo6lU!4h6b~=o6qm~w zJTh+zNmGLf4AA*|ZuTx)p+uCnMobDMiw)#=++n^T*5NeUxL*76Zl|P|HOm2zbk)H( z@3C-#>urOduaDk7tfo%r_LrYn3<vPrzN&r)O$tCIMfDP7w(HxTIghW7x$N7ih)1u` zKk;=pU-$$cB|kQ={kFPmO+>-QUS8eH+@3y+H9fb;EoAyA;09Fc zuauoBZ;u?9j;_W%>MKIrZEg6@dpC5?hv4T?x~2EwkbOLjiX}lRm68ZNRxJIG2S$>1^5p`zf=e9 z2b9+(Yt^HLJc*qa8a9nqg)B|E*W`ygN9UTx#9O-N6Z+~qH&pjqa9C{a%p=3#`<={S~S{dYo?-C2-^qAyyDFSeqJE$$w9y%~`(oTB&*lUg4f3 z4cpIF7gAZ$z3p@*xM0Q(Vo^08vnmaE_QLc#bAVVicWu;1#KpP5NQCO6NA#qUB5d(y z@3`eawHhnD3i#TGqOgI2^=AyoC@(~~***IL4l2KuoGm^l)%D(5nj+Lm`BVWAAXx}e z|IXpqI66X)8qu2S#Xz`v3=zsCvh;t&=2hoenpzt*MOxIqZ7W_kJ+t+!NaVKyLVC92 zhe+OnNKWJg^D>;Afx6=+MP2Dc8LMIi{-ywTCca3)>yiZS6_PcajX4)5y4q+P_q|72 z@=*pHRBHGM>3dF7xtS-`!2_%7k5uWb>_=!_nv=IK%_zQOR$Y{3*_w)dwR=k`@Rx^c z!XTn1N6f&%GPx;xJ8QS+u#0ZM@k}k?9I5C9zGpxMr&ng{>g38-2xlM<}n}(WXSgl&sb6Be= z>dfY5Ug{b+_u8LSIkaZ^)#Rk|e2{k4e^)B(z3OGA2ktR4A5>(Vkp*LJXKb3vGJ;qF z#F8j7rr{eNs?X<88WVPwUKLIjs2Aq#HtygiIp5`iz;3?Ql3xcho?%LGSI$yxR-66!;o-TMAdU9$n%wV# 
z&!mZ3!xDaA1ejE6pW{`g%vI3dmeKXKcA+}x^;i_f6XM-$iM6J436pXU22wNw>+_H^hb}9Bt>IVo?rpa%Y37wH+9bc!SW7tfJi|nZgHZ8y zQX`)#OcUu;->5sCk5bRt*B)g!Z%`=xxD(8>E0UZR2n$n7@7E_){ru zbfUvP^xi3@p4X1p_zMAD91Bu5L~bIH z!~F*&O9)lB5Yv7R#CP6mw)vH=>LS;|Jxtei@{P;N$9D;*7T^b|-U8FLVb1Vp0x*R$ zWdesS@G-c z;#8!NqV*(-Snkq~79sPFj6ODo6SK3)UKtEwm&M(1qaZJ&CIi$*$VqD--h4H(w7NVD zPL$zJs@9LMJBXlr(uX>(osQHQ=u}OLWCQT5+Wcl6oS&*hh5RT^lCM^tGeGXF68EXB3g@do>NO~j&JzRFFQ6yZ} z_8zUjV$l%fre>U51NyzLvOtceX^D#}ON~wLnbrhwQudKk|)>z8I2N)y@Qh4CS{xH#Q z=HP3w%OaMCkOv-X*ZH2L&wr^1PEm0RmaVuhOg8SZjMID??-t7e9JG02&X-NS7oY=g9{u<&#j?@L z3IK2FC9bjmRUDgZ>J;Dt=3FV`U(V!S;_GeRAR&mW1{ba~J8ucJC1aRfHqK-O^h|2` z%VwQ6-y|n>g-pciPsd7KsX(aIhE5vHE#{q>1zPqWhoS}=>75HJLaxMrW|oW=Vv=mA z27y?5Vj=0$ftQoweWdD1DXonW0d(ggBFSp++H1)~HXl61aPQ(@3r-NQZ8GSb4 z)<<%IDr1L()tI~huOKQ|s^lq9fu&2$zf%^POOh0KBik~IfoM~ z8pM2rv6JqWQ-#=T7*v{E)}s9?$lZX`v2!Q3hONo2e|rYTootr!JH=I9J}${b60dO3 zdeoQpN;Cne=ZM;p6!ksbsaR5@8VGB4>to)$E0ElpD{G;6vE^EwB|KvA%8`L3KK7z+ zhZ+9x6To`2rl`K)I+j!Kx~kfa+^-%QG@ z1)sGtG1g0O2c7weqPW?tJ-?;)A$|U*@;R&<$(r{>!8)|zSo)c z5;Hmd;GE(nax1AYaY6EVUg}DLfa9qew|M>IrtV&8>3s&SvoTqf><~VDUah&$Ci_nR zi@moDtFr6Xh5>1$OQaD=2|-#Kq`L(vkw&^(8k7)_ZplSScOxO4l8f%HMe|(?@B6vk z`+c_iJKmq~@f^qc0T(d2=A0wWagH&^bkT})GPmBX=6&O18Z7mCv{`TC)hViWf_Yfd zZZzGDar5n2?v{POHe0Z#|Vo%3`J< z$)n9{OA#(OXzdyuZ;xn9U^>%UfBk z>z(mIO5M6eAE)n?o49C)AFiwYyVU9@8hDE~L#2cqqptE!`U3@DoRCo5 zOl}iX_;iAZ=#lvVX73po0;8)SAlQnJjt!}qn7$jFLb$ne2@vfNrzImDndSg34572e z`c2g>(IPXd?vwpgGl=Yc$mszHp(G}|>+>uPI9ZoW3>T!I6jl7(YmOXNYjCs-O`F80 zAFt}_Cv3vy%5%Agl}gqu_qF;r#m4SDOKxZ~=EHnw*A1p03P?1-KJd|G3idf_E`V%K zdnh(~tomAP`ipiX91XwV*g7nt>DrnE6|r_NbU_YH=Ixi31^fY4X-s6<6#+4;&zA=^ z$hGiX5Ctz#Xcmd|XCRAg{!!`@#R5LYqQW!Nqc89G7?4St&7PZHLeP@OMat?hTv@Va zIskWAVm{dm*46rEmqPZ!y8|DE)znLB9d{gK8qXshMh1>`&J0n7dp1j#2|;B|7>);mdu7o@dmy`#xM-W-X_*i{1W_f2pyRWlgtTh77UXb9bD2Dmhvl$bJ#|I)= z6XszM2jzje6 zutanFz^_D5wm8Pe>CN4|3H)Vtw2QEINxaFnT`LQJ@TxP$)bu2%T3aq4whE_Vu3r{YzU4Xb`Kk3BK!MLPjUyaX{B-=X22A?moQryqp(AY*NJo)ku>-?B({m+$__ 
z#l<*uKG;fn#dvKc+QMg8$)+yp_Tah^lbl1h2z*fQj$%kBreu9@$m1{~$^-6^tj(X1 ztnU&5hFs8E%O|zB?@mKm&j*hasb8eb@Yy<=5a!5j@2ZO?z0Y5HsGdHG0%pJ&qI@NR z?T0pxg|vv}dQ@D{W;w?xLB0_W&!k-yL-5T@O>jUvr(d97l@-OW)IP<0Z%3B|Y`ZKT z9wNQ-vNU6{qxKEHDPCc)CL3Ps#3smhY*oU4ereL@K|o|y;j*Bwc%0&y?Pfg z@Z8_1P(KC+)@Gq{y_VF7C!#3LCiwW#$M)mxeI*I2Yv<@hKI@Q6`KyI!qMukyd};2< zqf!zc>^~1Gu`#07B$<%CzWz{$>m~Qof5h6VPbM4dc`_v%fFFcoMDUHIWTfd+as7o- zfSM-`MMt&ea5r|}-R(O09JXGGz|9d7hx?v_JYFGOo@z$&>u(Gte)A1l58h~?4hWqU z&v*7e$`eMqW3YnDAD*x0*_=WSipR3qPB)o-x$vqGCV)KJ?e(J$n63}vf}jM!XHH0h z)C2vKsU_yBB`Ys~Tt@(&*6)g1(FM+y+(DnX>EPWDzG^1e5*y8!T%-`v9PjnauYxOQ zGNgJ7#*cGsOj9xIfmYhXG;iaq{(xO&Fgcz z43);sI=Ax3l312@4VV)$1uoCTSKHK%V#Ywklhb>$YK)=$0hU4ct6z>l=YMeo+T7PG z$6Dqc8wXc(`-t4v*$7j;?58#Qw&QKh=~mt$L&|9LDSY9Xw%;Q z{+R`EbT4)zS$8(^a#PLRNQQb{Lj-ShJzlrMmDfCJ``smQfjnE zU+(%aYChQn&m4raG@fOgIbXOo`NFclu_u3k*vKr9-O`fNkzqqe4I~3Iv4154#ToVH z8+VbRVGkx)$_irwH`xi&&#k@|FM#FwL@T+^-zIomzSPiXTq(aVO52DEM?sM(VrkIify zml*R+LWXe>z9|nA1IawjHp-FI<^vOiY7!amd0yeMD_NdE7`F*CiM*;V`1&E%ACo)P zl8@(^bkt9XSV#DGO)|$DyGe0^QG9Ev7qeQZZ(vY^l!j!DALC&}YrR*m4Oc;kYf$8_ zVBme#3k%oDL;`nsrP8c2*!;5djU4Sy35>nf?Jk>IP6N20L;K1EiP7Zf*&wZ|cz$=~ zB)^KDE<3xrmWiEYL-o}mJ{Cr-E_W&wDg?x5^C>5>Z$E$6;h-4|+8m*A!=I+7tr}yO zW8};2$B);&BjRlP@|CnA;1(YI*pLm;m`~#2R(2_qv`@Zt;meqzCM%io!?E@hQR{V# z)$^}s_Kq)lmLFU&ued9bU|K24kbEL4p3OEhbbp3>a$w*z)qNKIN> z$Oj)jei1CL9plrDfSVx+>25>n?e-;2H@UZT_Mbtb)&H_8a8 zLHQd8uXRxF>3yz0(EB(jmh5mFE6jSe>S00NJmtP1bIOvhd(U#vEGBLCgGCX5OjADoZf8#DI?@uEdtMv=61=5-(Log47 zvCvyPjrDsKxMK+0pXoj zaPp0|3U{_~f#j;?2A-Z-+pzcS@y8aOK&R=Bi3+pcTlJ)jTo8b3arR zIf$(XGjsoCqcS?khSD%=?jhwo4K!Rjo^AWy3aJ&VP8fb4=%Ze5toEiV7WJF~U7CD% zFLs)6NqVg+8gh7cE;)cujZ?~ae zjYt8c@Rs%<7+%r`o=xVS9GKVrgO3%1qZWdji4mgV-N(bIHp4zL0KP~0t6B;7(%|_F z@I5saEG%jewvZ7H@Qs$#{ix}Gq8xyKE~%e{lWtQZXL}4Ck$M5=m*&4$vJHa1n_W0i zQIX7O*Tjkv>GKq7jhXbGyn6u^V%ZRS5Q{Q*-_p{jU)H#92{XLp6&!V>CLA6HuC_xT zH!$Niln$U1j@7xpw|<`h3a|)xzQBl7Ez3pFca*z-$A$k#-qB^_8`s$PPe~~zWM17( z1-4mk;$F90qigvQf_L*$xw4y|w=(6s2zlgafRz@4n|k$EZfl0H3qlD946HjGqehX& 
z0q!j+DWX-%=l}Rrw*IX1P7wyN)fY`7MRmLI!ylgavVCKijYviPABI?^HW9jHAFkxp zWgk@9E|EGPtjAkDawTCy1&u*W=L$dq4OGKAbk8R3Eg&JIM7M?Wbzn{ccplG zPsj8XI*3$FJUy~@bxc*j&r*Hfd`|t`ZyS>Ms*|Jq8nhmiRAx#2y2-)PmL1P}x?3*z zRVe#iEUAsc^2Hwk60bKx+57X9&vJT$3XE8S+1qPGlMUfv?2=PKm`_PkAO8;cZa_p{_vLg(*I;31Rn7R&Xe3`5A6M41|aY(L$YXzj}cM6G&cC$H672 zw(?n4N6EacPX3sIHRn1AxQCu!1l~(XOdt5}VbuP|h9viZZm*%B0&y^#{yg;2&0k+l zGipfWHYNm%L!=?wE`p%)VY&G1`7>}^h)vYPGYck)aJap>|8 z^?wtkI5cfT43z)R=#0vtW+V6y4KReS{FHi38m7ng7bl=W9*!amxIXZw#&(LasIDpC zhL`C@OXk`7q;%p`z_L7!nbfoD`Gz0)WfCQ-q7&6rBAq^C&?Uy2`eEu?^ZpQeNUGVx0 z$1Wx*b3@w8etDS$?kC)+JI}V>AJz%tZ$%Xy58HI{TzS@(A_%yNAyENZ&QDX?cca)L z$((86H$-wLs^NGuUjnJHU>SC~E8;)p?IHoPM@Bc73I?`-$RV%qx22#bdc%%!w3q-Od#`3aN_GT;RVbYx9%qD~FY)f0;ZV-95gi-iux*v(OM==P! z<<6E%5B#E9mdn0Y+$Y?ZCe^3CHEz@81735owXeuPMm93EYmI70E35ij6yBZjTz=Ql@lvQMB=4ct0Owqx zal--|tnf^$y3mEZ&1opyyZ&NF$yi;$71Vzb*^O>)6#`ZWEKu?Ei~-nk{d~E${hv@u zVD||>kWn1!B_yLPZuHaWw7&@F@OT#K1@-m>#F~uhL?w$EmjLVA^57%!ZZufm)t_!Nn+|uoaebTu4_8#p z#UY5G)1;*>|8aQ>xlxyH_8J)5hV!!nKC9Ecq4W-zJ4DE1Z+YO^j(oO~?A=FoBp9Zt|$J;&$8EPH<}ig?MlT|DhzzU=3RE`xY^9+iwv#D|~IkaT91`uRG`JzzYq zOjv#d6_rru))y~+ZFhyt_9KZ3##vxTNjUA6b>nXelUcoA`tmsti8gFDM2S>(eVTpXYWg~J}_r`Nm% z^UY}PA>8uA8wLY!%9+0qUO)L*DrTV`06-af+ND`R@7G-GPU3{ zKoJkR1wZz@aSvo}GK)7KG~#M{XXVwZ{1C>$Qj2gty#y+Kyi2?tX^1sxYY(+$3w6b} zmeLbd{+bP7n~Zwt9#x03lLYZgC!m+wDU2tn<$ah40q zyf|o$aNuhoF*_7)zrBqQ#JAYz1-1pHD%tYCO7pA9#A`7(>OOAJMk^*g?CaxSCi;4s zM$Wal`d}NZTb4qc?kA32tnaw5Ui$J}AWpPC3=^p6Iv+l66ldr-KOxGMmco5d}Lb#7mN-4JKSaNGC8=D|voJUA$vO0+tId zjo6AxUHtpgyVTM>nO6lduJUL`_Rbdi zQ==Z39UhKsUhHN9mJ8=du;}$!5;(+eIfYj-KQ9U^dZpK?+4_M5CbBn}qpE7gwfXf5 zjbd^J-Z9v1stu&u-_)PsJbOJ_Y!o)fDI2c_Ww-qFb(U8B{fg|IG-j?Og;dPP;0f{C z)ry4#oQ(H!{<6|2l*0yuk)G&Y$rAxI^On_!USz82Lxk&l!#vr~UhH7&h*Vh5tyX(0 zdLP1`4`eBpHKPptSl0xuxBN{uxI`pv3E{VzB`~OofekGqLLYQkZPW?k(dP?7Tmvhw zGB=eu;RmrgQWXJasN8x8Lj+}pRNH)}c1TgX4I$r++HFIiHfN$i>;I2L%Iw!vWQ+8r z3e3h>v)n9|54(l#kq6_t;{}GjT5ce==O;B+87b83tL5}KbM-S7eo|dzIW0K-SOnG9Aj+ceUOMc+)|XA$5oN#j!Gr1QFY% 
z-bVY=u@V!-SjPrGa|Hd1g1d5;gg|XN0zu%U=d~2pG<>@F`*gg|JIz%w5tMiHV zDGG@-fc1X@nR#>Joze{9O_#>Ley)mLMwdD|~`e{1!+?_(JfrT88xSFY7i ze*;UGeKjAxIuzG1osphEDH;eh;`3WZEl*5GV=^3gvFyVSor7PmW#Gvzc6s+jE7sp? z7%4JP9U%l>$0U1x52AM6^F*wE_`3tDFPU1ZcD5J?*z$Sm7bXBB@?Vu6qvAiUsd+39 z z4<9Yi5o6G9xS2)TFyaaT2~+OwCj1_*cb|{#N=}(?)kZB>hCi-`qrmQBkC5q9Ezi=U zW~bnJZ@1xOkvp=fFTzu}9q;K_02e6Ubu#${V6G@`r^5INDd^c5aw8cS*!`WS8Ynw0 z|1Yxo8GpFf`GKA}bt>OH($VW;+5J6%&!#_Qn57Nz$U+>T{FKXszhlny1|>SNk7Zz6LVQBiJXJmhg&mDnYK-V1UNnE-(}z%@2rVUy$dVLyPHc7M{v;!@;SN)8{P{w(d#%mvvKROFR)qFUn8LqhA3 zg#y=#>v$ks5{qV^-OxU9#|4cVJWAf5OXItPI~{R>{m|OfX;vrwFFbhg^k$O-3e!A< zxGe>TqHs6*v%X*Flh45wC;mCAWxlQ9RAUwV!|JYEjr$IKxWvhp+qZ6|$NUH+RaYr9 zkAKMHT>LhPSF8T2jCPXcbUn_akyi5_Q8D=rh2c8w@2$G79s^F@{ng;0k_ zKvUv)hskI3%Kpxz;3eSqxHsP}P624v0~D6J_Uw4YpHjUR+;XE{ReIX_Nx-uqTv5Zw zWZVf~^4A}s9=*OtnTCOR9BuMw{Nq-GOh4N{E z=}^Be7mGD2Uu>Eugl@Y%YOf>vI1kH=50Zt{&Vc)EU&1J&^aC(Y4-s7Fw}n&(QayJF zx!7+t)D>PxbC;J7o~bn?@I6_$xj}H2<2yA)30w>`4;B2;#~t4hGzKB%Cqu(WzwTZX z;_`zj-GExYRjPBZ*_+L+TE~j|s2@67YDUF-cBr$0T{c!<-70Xmp2*{*hZK|VWK(EG zrN%Q%)@HsPv(XQ?%$(RMq%akG z=9Pt61)bYscT%Z|?5d@BR@31( z28|giaZ0Z;ocEUPfiy8uFva=f0ELeb7EIX=N<_D1F(4h;1g_Y$ji4?Zx7j%zRQ=gM z9^?uHF*3?hnV zafRkj8=$-6rYM~$u+IrYHmuDnlDndQyoDZ=WZ<$8$t`RJaKpY;nMM( z*x;sbzo(3DAr4lCe>uY-1hWTI9x~-IS=Jz=J;{6+yMT8#Lv;SUq5SB51?gsLq(v4^H88}@nZHxEvbvU1xsoj zfPrfUt~5BCDfHVoq##KT7$!Piiml>4>99*zu0M#4U7!oZXQOqpm`w|b6SY@RfpBl~ zS1hH)h6V+2Gk3jX>XIqGgXj)z-Zz+ROiD7kdQ@{T8T*!nwDY+=StGvc3yT($(U`CW z{k!3`e88Y=-xap8hEva%*39qMghv$UG_?}CtcJK&f4zLC*=3_f(bPDhuDlUP)w{wh zU)lc$b8=Cyb}b5sF}&}i2CPEq?#2|Kli8UkyD$`o%X0?zB*%9paBy%n;XRU`pTyf$r4cvC~cmTic}@ zP$2O!xBU?V6ZKQWlnmJ5y8bK+iw*=sdYo*jKySO zbsQ|eaJk>aJ=N_kU=yCK+aynCh4)u-m?7YW2e&rMa>qz^P{e0 zM`oZ3HX?uj5Hc6f6B)#QH&uImM;KaZkohDTCE1of zaac9qOt-DB&EBU9yiLG^qc%A?rp-PF7Hgw3Y04|EfuexhmP z@`_9#(Ruk#oRML^oQ^X8oP}TI#olZZ=>msxdg}CoKid zE63}rMQ7cVz$Kdj0k*tEWu&|LU-6jl>rVGo3rBDAk&$;WiQ#IxS{?0=S%gtJ(ADhr zBAA|od6+w$Y&GeDV2cKwT+`#!&bm?C2qFpvoASGO?mUN27tcW)if?b^?kH!OG3}FL 
z%fY^5<;|WwKmx6swvgwhASefF{UhT-tr@(9eo0xWk&aPJDhl33sb;nKg-IUs$#tt{ zV7Jc{NFZ4ccW=iI&!9CV)gyF2Vj<|sx@ig?NnIJAf6s2}lh9plhS&3^!4vb2QAExD zs6;!Bh=j!@l>_8_X4Yhl3x%T0z-jil3z={(_*9s3@N|6qRZlYp8O9pZ>~iTdx4JSTm zmbU)lep>?%xM|(5jFZ}oX`_1Qi6S~4rgnnf@UV6+H8=HOGZ2`|Lf3>>z1r<4|WqQ0l787Bna{JoHcI~4Zc901**QxW zIkTIc4|&8>jsFnt{Ppd}M1?7-I++ODJKJm!PG{Al((V+EwASODC2f`2S)WsU3 zYS0R#%Khn9Io2&#Rl2WYzyuJQU#n7x4gJ?o#9=~PxFIrzM(Y)*} zROjj@QU)M_kmg@|O(M|cJlQa&{-4VKBr=Rn@GI4&h9t%6t3jyo>XVDwCT|f#YRGcS z-f?$MgKgK^?)w(}<_axgMivIDgdk68- z$bckg5&XsHjmv13l3+#;pH36MB!0`@UW*Te9t8d+DiHAiuW>ev#UTykz`oL{fh2#+ zzS}mWXzKz6KZq!Kr~!T!kA*|%myNRKI3m4T4dmMxo<39Kr}upDvgm35;MJenfF$l%X$T)-tq&EtyLXY^R#cnpiy)&x9tJ@ zi2ayZDmZRNFP#&*X-KgN=<=2*2Avdxyns|>+Jp-Aga;9?pi0-Eiod1SJO0J1;FR;3 z2lg4;YC9Rz2=@G@IsMoST29k5^Zn4L=pY7T6{gtiLIo@mI20Pvyc^|`ln%YYeR`w) zM$x8z0sO>wF6Zc*qzXdy3-U~_Tvo>HCWf5HZ5b$3wb>K@i06+T83R$0TtWpZN(x|) z2lJbn;Zz(e#2Am?mENI!83niK)voZ^J)_ueKQvG^MVdam%zHC?%*{+$e4`U`sA!UnTgd-C``rR#`T1;AB)t6? zl0|)`gBX+n@}phGc#C%R^5d`KFjrqVS{3Otp`X7(efnDbEr)CPCp;tlt~oLY{-yAl zAWRqsZSGGtb-o;4V1oMVi-Cy6uCgzIz){vgU-9?I{12{1!K1|D9D5WBM;K5Tm`r zA-@>G&z_$Z@_Pj0;21QU!~W)0_iqVpV$g`j`;9NaQ`#=1i2+0L3V1)I0A$yUc}bd+ z7-G{OKZ5;xV2o>*fMU0rqU1QSd6(ffg1#YBKDy|qBo&moV+8&dd-2nY5mbw>6k7cr z0qtEskY&24!v39oHC{wMb;45xQizS3{?DMh-3q2N^taptZ(8i59Jw=aXe@o@yTmX*_wv>!BRdCO-p8vK-GcA+El z-x`HsD0?wNso@RXncpLzUCy{g50eSVUd3GnYNe&jEt@S2oiA_ysn}67kfz+<3;GU< z`2!qo(2Gq(tH1lLs^TYf(*)Cl<^ zT*UaW-y>i=mjc_K?yUvw$df!!Ycx7236(NITJ9Lt@nw|@`p z{T|K6kxj1@wU*|NUJtKXJ=7k^Z2u+6ENa4k+6a}87bDP&UK(NlJ;GalV<1a8GAiUX zlv*j_$ULAznTTJC{l94<8q?Xi^=1PYmvVyi^4?X6!{#D#L$UrjDdLy0UvF%-0VK5WSLCI9`_gY-K=|~Q&0fB}K^wS=D<3s{h1{NUe z$Qe15@=&G`*gysyisq;S84`$1x5LP_-=S$E`;W=l6TlhmJp-JM2WH@urNf>aZwT?jd-v@=qNV=fy%EDOCu9!C8S zmBKK*4fcKiOC8A6$4R)u@6C*MRRy(94*jT8t!{$8Zc-A6P?nOfD{A9P;2^q*5%#Ii zIB!e+o&wrc->a*)ZWProj1M#{_zDSWJ-IQz$-;d|_m73+1Pj-sZP)v`}&_6l}~3#&}4MGl~fQU9>s7?vVGJRSH# zn{IcpF!L1!dp)sem~LNYfF-uPSNz9g1~A`1Gzrp+b1wFtiuI8ZASz{OR@Qtj4xs9s@y3)x_r`M~R*ni(!%BvOk 
zAM0u@@>NaCFoL(HQap0bM8lxO(;L2>5)F@Bs8{)|s%Y=1-a;J% zM*8L#FJNM&gqy^1>)YQB639r1*hE$-k`s|n8?wFe--g2=1NQbT%N%87PKyRBuQenM zwz4-%pjNfGnBDemIL1H3hhZrQc;u^O0{@Uaaqy!{Yc`I!#Ha;Jx)Y=I9mVjLWfuN2 zRhciu$o?_=n>P*lmVlpmFWpQl__te3A^qeANi;T~WJaMH`0cl(N&x@~g#0TKz<4gg zj}!-5pV2C=^PgiU!mFOXyP)zvJ<`7mXmPtNN|Rr@SGF%VXPwGqz@s5c^m$z&*dQw9D%PTJiI}qirjTghNI(Jd)-0znrEBfdgeS zx@z@F*M%@jDq*IZixl~4u*SJ&0j@HoS8UtamR+g5z7Z>%}Qht4+x9 z{TxQ2HJd|9htJ>i_u0{`hKbYEJiGx;ak_x(2@TVeHxg<3(z`IC^&+4Lr1msVE~imx z+Vo)3l(y+?BtB)EV$e_l8EM)a`C1pR+AZ-TuTFSA%8j*RwOYVAOfotepc1Dz_=d}3 z1*2Un^Ze#BBxT1Q)?wCWn^ix#kP7uT7b0hA^XfH*`Ar&yOBa&_FF9CL5=uq;Fq^N3 zlBu5;mS@d|XR43lx6rj)_h6_PS`mfmWeemGH$!+NmWNIYZM%F1 zUoc?!=Cz+sbZR>ATcUz4#7E2uXvlIR1pQ1hU;SFMl9Dkd#T!U8U zZIw!{Urdn-iG~pWJ&^s7pb~uR0*QU3c*{=R)wnQvaq7wIa<`!9380^1*vBq{_jko0 zMZm~s$x#8 z(#0SUZxN}IUVQo%A7m-8L5l*lQ3EQ64HfaAX2aek{F8TxkBol%pV;>+8JMqFIkq5> zN)UVYOH+j#;%HV6bw{4#fv}waHF%m<#2D&@;n|6P*&wIqDP_Q~4A2)`cZ@_pX39f1 zT(k?!xCg#H68SX9#<4+b|J0l2m<*&|G(|LDAnzYuV4~Fq?j5fz$+mcHb8|h8HYPQg5fAO3!_MsOZ!+G!#w8&jY@_Pu_~k>xgpW)Al>N zNenqHAZNT-r*e|Ffcj%td5YQ$Q7le8V?xm7j1N1KKT}Y;ouY5uyhH)sPMRL;>IGfF zjmjMPOO?d-BCF$eqrP1*_*ft!AO)pv!XiK_`W2{Hn7;kEq8ZO>@qKdd!=HNcrMM_q zVHbS6$KethO2b}WWcT=Nv%|zda!=53G9Oq)4^y9?+twURbi%To(-##D=u2sI?PI{4 zjiB1kIV=qR$0JS zdnucvO!VC%ciKWxXyvCb%w9i9KFT%f6l|2JcGc0)P|Ma2WT>y1{72pXsM|$u=O1rOkF1a;+? 
z?4r@k!tXDrT2{?QUlYJZ;C*y8k{ZsZb>d&#$IPi}oOdlTBOZcuV4+F@p{ul<3&Kt- z0gCv>p{}6Xmda>C-#*$U!AY;Daa4S0k1bq&P^qkEqjC7hk7`lqWs618Gu2-z0B40#|-1`YDspY=lDD8c(+GsuI zS{u)%p*t+AYsr6iC3UKFtQpjr^=2y#xF2c4AfY!BT^Wtsdp`+SZ?0F#Bjra~0JlDT z^HVb)uVI(Q_Ud0&Qpx%KjPWT$`===z>o=O?Y&s`W9y*=$x;acfg?p`st&aLqC{&FXBwZKfnEGqP%MbX;s>h?BzgO&!RvOeEWB%d#tr1B=*FAT!E z_RVGOSre*yYGscC)vgHiV=8s>9*+xy*q^hlkEnK*Z+f+#CB2)-9ZXCjXdr`>?5C7( zg9HxE4S zIFpv^9EBnW>)3T0%U2qbs6zK0zfv`ML94!YsVTW;w6cQ-`UK zv*mJir+Qz%>bzc%us#BL`R%p2AnaNYhcd#t+$9aiK=Gfdi0vF4I_btE7z>9*mnrXD{5h zXJH$4G^KTOwYaG>*5T(#f(0aWsPmhC5WHnydF)yCd%kZlo=#mwymWe}!p;N81vNC* zdzWrL22qig{ndYudzKfeJFsE;bl1^|Xg_}+mmN=1Tz^C*K~o^SRTG5kEkyL%M4J@E ziycCQyKu0mq33Af17Y zmswa4Y`6E5&?xvy4tlfz@e{C7>9fpGVY=2}m&l;E5blHU??0s`L=fNjf!*~m<5uAg z3G9J`VY>)!i|9(Ooa@xEAK#ra<~X}SWqcEbm7RHSc-`4Cl@CiBby2_X$VWD&+ZAOm zqFv-l!{!_S0niJvQ0?GYdb4jIX;#@f7N#L#U#*zvZe4E_seqpJtd5HEn#Bw1ohtbF zd%Hn}9Lf(gxiX_Tqv@v;3U^;N`tcdGf1!;0E?D8)H*DX&AT^yJKTgf@x=5zj2$V(S zYw_~(cFaI|?X8-jyc1inAgejXCx~wH4sb0HqzhWhQ4_=AYO}aC@d~``E4=CIi&)*# zc%DRu649xGgj#TX{($jMl96<5uJ57D-hwp}&b!wo*$ zgUF3GE+Y4*MP){0RJ3JrC!p(GDw5NrZ4ke!nlfYkpaWTquw4Bd)Ed@RM||#vG;=zQ zcSx~3)>K&T7gx}zE!tJeGa2a8i#wT%v|f^8Bk!_5`Ozmc8@o{(Y41l%8P8=ec~&=x zm(>=5Z~l}vMYrO#Q=0%mf2VcY{Bs2bK_Fpq6}Riu+O4;N@s-Uq2emITzvG`f$r8G4 zN;@rdoHwgp8#$agm?AG@Rj+NM)K17N?+A2hHZ3a2Jv?2Y2#iFoSCbsMwwaxgn>b87 zU#F?AL+;CNFZ!vhG#aY)tUjr~T7fK;6-RcIO^Oeyd)z-dtFoAl zSfLZQPB>W-V|4p&tLzxks8@sT{GzV@AY#2cqx@9U{Y>1vW}4CI&1%PXi`a%ANE$)v zMTBFY*Lp$e4Wpf{_0>PsSW@_UU7j|RC~jZJbRi!B!UKo(o{IP)^8Qz{0s zFK8-qqwZ7%N8Pn0CCE;x)Gxb0fo-X_h0pWMZL<3ecJ>HCkGwq(>anWWbs>p)fCZsP zPWh3Tg>Z1&92y64NY?2?h>0>;ubyFWkc8 zP~dvJYvDL@ct&q#IGoG8BsI>dUzTx-duLdF&s~Gtx%dQGy#q?tmiBn5)C*K1X&H~> ziuATbaGt3Xw3{?&(We@R2*gg={akyCb%t!q)LSjiHfc{G+SLua*U6&-92lmga>l) zV5;2MpQ2kHIw=s z*PND45b|XKsx>F;cUmIv)oLO4TU+xRBXZ=w4s}s0$Z_(TS*FT)dWWuC!TqV4-tKY=TNo9E z84^1}T_K@%4+qKm1(4jITEm?RQz_7UfzQ(M*fA%VtFkcuegvsnr4l`O4c_;~JyB zw9z0xz75w|zQWm81SURkUblmYbV3jQc6lTHXp6HtpNihCnR`=IxlAjH$~x*CS`Fld 
z4pUMnA1);v?o;w|I#amlp2x{qtWgB@{EJ40dv%mHo#3MB@DtNj;xo^KNy>%|*^gd3 z?Oci31^d?vyX*bPp}fxL@v~@C*W=v+Ip+3nXhbwd7+NTj^Qkvxh(dV}+Gng^3RFg% z)mqf;7WSqRyQE7Wk!kG=M27htotnM7Hg`g`jzK29LYs=%{0cv#8B(*3IN2YgyJcdN zx|r-&7AAh~rtE$?x1gfQ129wJ&?O<093~6G>IEE*_01aJ3Ys2sBW0^_mQ=H`4|C~> zwKBpB;DyvrG;|cdk@SJ;s>e~uylz!R{Gtw0Uf9s2 zE0s^(thQf^Qxg##zJq$%;C_PBk=_!Y?HAWmvyN~oRoe|(wm28*9M<`c?O0RFDc5ti zLQwwdsaL0NpRs2uWMh32if2;>wwrQvM4V&}c~$Hcp}A=y(?pUFgeN}oxy$5kGhtczkVlI1GKO0B&n+}JE+pv2w*L4m z)|~4?_{!BngV`R#W0vG}w&%wB^V*^jK8KGp(iQoWwJ~FM>q8cI3bgyj@$5FPm}sgm zQA+C|x^Gs;muX1UMxBU<7FC=sc-x4zP-YFe@2?3ROgw=H@jQ1&?nS1krwdBu*4ex- zHfB-Xo;*u`4IQ{2|N}CIqXh%Dr zm>hWemawd}Z|vabRpcvZvM7F6utCc0xJ8(PlYpXWwaRc5w8VzBPaE)#(aWGTY{`OJ zV+iC7YCPWOaMfvowok7F;!Pq!46-XQ;30{^yt`d0D>xW16{;Cxx?d*;FO_bPEc*(P zopCCx{aDlX53cCdLT*Nzyoq};KO*l zUKLg*iWf*%Y{GSZvOlB3*I{#yZB%clUf!EU@p`=Vp_cX6+^Rw2z9{x;`}T*AxU1*) zopw5T%DC0b-7-f&!v(**x(Iapb*lN&G;mOIPWzEiy$UBb#u-?Ko*Kw@&W3HUe7MRk~f@5HseyKeb`Wakv@%zS9*f zQOtoEuF7MlwB(A)obgwRP}**Lk_z*7xxL(RrYVB_m3eJ*q)}wx2ZOtl?E53mp{=g& zj?*}wXNW2&j7GC$_&BDECDw*Q69WhuEC%f!9p!GG@R0E}@f>7CQ9;^h$YdT-vS}ba zTEylvo45$wa|U;g)EbQ>p)q4McoF&xy_;V3YibMUsz+neu`vf@_BGmd^o*8~JU5<9 zm7Hf#LGUYk_m(IKrH?M>Ud8O|tG zc5{vL%V2GDU75;~nH6u;ZY4(EE*r_N&>kw~+1O_2HG_Aojm<86x->>nc7w%&b;_B7 zV{SFe#7*NMpu%h^_u7(f1gn{TWI>P=){Z}4RX;Y2BHk(0v_wi1X;qU50@z2m{y1bA ztu*s5>UX-ha}RqsA}62Vn^x;>xh?rIuxXN~6Kayd2bE0RDol4hQ;FCd8y1Hg-{DY_Sg)<7Otwus#t(SMeF?iCN(b-+AFBP0LiK=TNb#g1dGMYNUTtfR$|r(Y0VllXa0!}yR-k51lGZG`6Ho2r7)eW;ni;$OIDU!w6&2cP zB9B99)|JsD$JC`ouEdDW4+biusE6;(?|9+ZkY`qGcT>+td%LXhr3{}$)-xHgDOb5! 
zsjBWzDtkRJ7vY*Zx$|Ibll1Nd7x)oyf!Qc7koTgig9n{gG3aOlq7)~{R5!y7o5NsH zo8byl)bakm_cXAxji^NAD+Uo3HVZOY%&?gq+a67)C(fmwpOqcD3WgoA^00+V-0mWc ztC5Nob(no`BGz(iAwIHrrNW)9;^-uXN&*jwFjhSX4Wf{dj!|boyk06gYR?M8!-DA$ zy1v}!IF6bH*thORZf$0P6nR&%iUX3M;kjUuWceJZ={#6t7lc4*wup8^#`|YL>*`EEFL4J10y4POe$^HtR9ss_6 zD*;f-8t42&fq2~c2u=kobOP2__RDNLkFrt``F1O;jMF6+cpsHg5#4G%`nhkii@DF5 zhwFECjdL}adyU3-5*3V9nm3Z_*OjQYG36a5mfaZvbxgK6$^J) z+uAEduF=VGpSx}!g&@}`#Maq94VRKwInK{1HhcTU9#Ch>l68gVuuYbi*W}fnDjXA9 ze~HR^1l-k&R;enxFtgibrW0@0O7Lou3)Sw@tN@TgnZy(XI6%?&b{hrqBf_d3tg-Dp zU9K(ijsy|v0+rdt&W%*tl5Zn5qll5~g~}sJ1G%eJ$amHaRt7k+k-qR$F5A#CqHMQR z&4TH3jgP+Yxd=^h^U8&aN-5tB;4-NDteh&=-bMN)4!Fr4kJqGm!E?7tBuW#@ZTK1qmjTVNW-&)SDv8M=ETe zG;FmP*y(9zurrqtu#^#*8FJ`bdN?gks-EMnM1dYgn9=)OqOb0aTDU~-PHnR=DZa3$ zdfp&aI!qffKEEu7E-XigU863J=bTCvCsNUIi)62Ba|tWTUBI8Gq#8zfEznQ6Lq&yEFUEbMDiGvAKism6Lts zhIN0mL5tbJ6rG1;w6@|9vO-vZRKvd2QaR63MBDogs(ef@(q>8g#?A@f4wN5PBBR*E zn0v=xU?*Fk3apAp_Lw^DBfGlOFRNX>Pz7Z-f{NvNE4{JkaODKseDNrcTdt?_3oQ;) zu6l|CNRFmB8^9w-=i1HbO^9{`fTb8;(Bzp5$4!)Gb=sV!5I;YKohRf6T;Wy{(9d4;CR<1(1kA?#3Ug%zE6_MogLPgLW`_J8b@0; zLlk|SSjqipFRW+C&wfz*py2T+5hNj*Su7ZEfVu^fFAV@UJqP4C9hng za8dliXOg1|4p(ygJ*$7E4+&@y{Pmm)((xqVBa?L}?aH~1RK;nsUy9xI?a$T{b#O=| za4XzLi@`km!5&1;&nxuz2G^K3F`RVk|I$5ucY55i3BQgz#{3u(^pHU?x3WZ(FnheB z=%i@2^_%uvQ4Q1b{n5fsvlsD0`c^D$B;M-wo#=Hs7;qb*iI)~-Dx@9{1Z4x1VKNVL z-ui+>HH|XHg*{n%#FW-nbe}Nn)(p`{g9KM$-m}g4LS*5deO2pLy2j&hbFI-hl)Z!B z8(03$_iE=JoBfo7rGPesE>?3Qd|n}UJ|b6t#I8$7ce97gSIX5}2>)bA(>-Dn}v+;XAop6DnQ^~@(j^!>RvY! 
z7^b=r>$E3*zE&1l6qIuceHJ^PZ_^ciM@&7kdZN@oreb-wZ&eKajJXTyiuAk}%1Qxc zdvoq~wJ`EM%Oe>_^f}3N_~kgJo(@Qrmf(;yOmVxP9T3{7*cN zwYL46D85f9VrT|6gLY@irrNpr%!(=sMJYaDFK}<{>daPBogYY!<&;KZE(B)k?-b5N zm^9zms0lA7aBOHPY==a^w>vBFE%`@x`$R!6Bwki4L*q_pZQ8;`nxG_7l_qx|1q>%%A@a>FB$y6zkrTZK zMhKvypfKmvTnRXc6iT!`ZM>-M_3$qd6Ga`@F>Uw#JQvb`&_AshO9}BfT%uS4q~!J- z8&h6q`MiH$s>Adn54%W{CjXFca2auhyjq0s_TnB3R)Kj{@4@`+!7F@QTpO2{MQXOa zKD`brIet%M&}8k~{%O__Dx2~!j*Sa&|e99dZWtoQv~ zdU6VIa4kjmVv9Pm>-<16rlZo>j$QA!aZYPbdE969<@=>ug}s#LPirk&{i=Q7-`&rv z0oMC}+WYcwsJrlQc_{mmlp<75JfUpKB-@iB36-bDzGTfh_GM&JF|wr19+J|6u}os@ z8fzv~Dr0BtLdL!g^E;zVan<#E|9h|Zz4&V`*Y}+7eeU}{_jbHaeRqZKYgWCMF73P6{ zGv4R!Hi$=;jk!0zASE|G-~<0#)-4rhJyQH)S>HGmtJQD<14}2kGA6myrD!CHwS8+Y zD*$I4XOrisRlxr83R#y=CMczmTyUiocPFpoB1o5{L)G+j2S{(Agq7WkR7{(qq~dgH z+Z=mjMrBGmCO;iwGp;q*E{-Zr3ol&0eMQuQ!|YTAD;~J|q%Clk)my(wblbRgy7H;s zi;rK0sRRI^dGXF=1OZn&nUyx<3kD9qOx-VxR*VSHyI;#klSWdk367re zZZ%+oq8}ae2w?-b^(g~imDL1ZiQj&8%RkAZV4(4y8?iPXAtlx3nAu;QgFlP37N;Dz z*=W0ckEZ9yvSgji-WbWrcQ+wN@iO38TDea7y*!294d3hX&e$EV*IrX7*`T<?T=WU;< zS?_*o*6R<%m=mh@2_B0j2&t`}7tA=ki;n}{v4rf}vjTN>ywa3V!Vz#7h<@bXY<~4q zVIHV@A9ck=1#>DJxWiBIxZqAxMEOx@olLKY+t@kf#WRJx44t3fMxC)~u}_WYBl84n zwk-^1@zxY$h89Qq3()vOD4}Dp$84==#KdyFOYuG92s>zOIyYx)X7V+o5!>OY`8NHKNMF!PCGV?>+jfI|Lh+>P`;ae$7wICTz zJ}Or>9#LxqFNqj~K1e=NMdYVk)ASlg|0})nI92^jS&6-~lZo*{*{)}zP@KEG3!>Zl zDya2)CQOtDQLCfdsK~}Rs_P$KroXH0|Bh^ecc zvMq&i?=M99aJ!qH#;Oxjp9&XZT z>ljnRq{4+XKj{1zqJ6@x{@NUGTU=X|bAF3Wt|1YF)Jr=T71QNo;#>gF0C~}1)iLDk zxTL7S#i`_ce?f{h#TfO-pnIbS1L*$tG| zT0c~fPYG<*d$m*Z^PuK7v>IM`cO)NpLpOU*|ek zSK{5F??2nVKkUebf`fypbz^74%p{6yfuxt*2Qvw^Buh@QZ-zy)d#P7=cA!wB5>phX zz*}`%c-_0w@+ODCNsdvYb4x$;;YV*}6D=u_DaAsLGPCjL=C^wjw5uMyA3H1GX1{GX zcXAJC2N9aAMwmX#u|&n-Rh9~xZ6dcI>&g$^B7nxMpi6T&w$?MDs8W(Cs zfV08sLZ@_Yq~Y;mYfeIMG%ccrEg4N7MQ-m zZBKjM#6LSE>~gj98Xe``#$^yn`A zIM7&NArkB0L`_Vat5Ob0xz8JR7@tf6xsU_lzIPtA51n}L8Hl_+r02YNpYH)>h|;uV zlG%4W&c$#?YRN(Q(8!$#$Y+ye8|&xa`TJh%C0ep*J97LQIVX1T2498EPIunUf{%py 
zvxy2{>Sy{1W-+M^idv?LM_>AgUudgUL}n92l=`llc-{K~HLOFS=Fodw?aHjEXt~p} zeQ_~n(Om&qn9P)A9ND;3ZQJhLapk%%k?5Vbte;gW!ao9-WoM$8I=aj=#&?z`4cU0SNebH&ddo$H1$s@v^0~&e8@-{+mXZaW(6~ zw@y;xN>h@$0L9rSpvMO@`Q%ey&~4q%y%x@Y*`s9IVGlB`Bd@XM2PR#+} zMpNfn8^`cU_~J%P{j0|3A}{c|aIW-`d+|(LY{Jy{0xl91ns;xsQ%LE!6g#W5sgLjIJ+o#O}DQf(3=BX;iU8 zaMQbGD;2{?z|d(rZzBXuR6TRAxg$d#DF*~^6trAxC8 zzT=7V_uCAQ6xa4NqF`Ee2cwM(o17pc0iyWvh%?LnlQng`ab=WQhe@_taMkAN08vaw zF2fcVdqn6O2?b835%;_1!X$GZdg!CVa3{=`2OBQ);4kq{Es@hDm3iFZjbOJJnnMy| zjbsjE{;M%2D|=UIS_*&;pi6Zio3R2dK%B7{PzRMYu=5LoeEyH!O`7WRzimSebfS7b zH=xKT21xyw>^H+8R@1g6-0yl#wG+`9C+nU0U7K^sCC(<_TdGQ;A9Zut$$)M0;N!&U z)xM?L5Kxsn@Zn$rco&EYFPfWfrFKdAGq+Ks^4vaFy+Q zKKfs)!5MKsAmX7SIy&m@win=OT%Ijf&#Zpqdo!B`NX#N(;0mB{~nC3qdWEp??|sn;?kF96%S9@BEQsbAW`E+@`k?u zDhw8XQ-WWU+ISZd3V4Wf1CU_<8-OttiRv*GA$Vy!sM@Z_F5bP`S=J5`!a`!K=MHK- zf{QOs8r#P)^ZBi>$dB77#W;pr*Li>xMfsS&!(#{nN|fGaaw)8~rUYFz^K6`{<{dRCBzT8~G_sC&s`wQBHn2Wbf^S^69tZ)fZyeu1Yh_DNjFY z_i3{PUku5h2LP%dh;^n%EYHMHktZ-cH!2EwwC^Q?3x1&{FPlFLZnIO;c^L~4f`E#& zNAN{6VQK<#U)0rS(Ko-gZQTD=7RibsP-OeiYsVAE?MV&VWUr~R*=e*(Z4^Q216lPH zH58=_Y~McA=zHk+m2M79i^`bjUU0sqGDU9dd!Mh;pe=MoLpa;9=3rkecJU2g$Zfpt z{raquvR^?-8WLOUKd5hZp)H|SVq)Sw@ZAx$^9EG~oLmCVbi5D=$fJVV zI1!)e(=f;cqpckS6PK{+b-FF|+Vm~*dozd$?_Nr8q5uA0)h&Ue4)cNsLzd_&EI8jw z z-R6$lv^JZTcGJsjdRS`Au^C-#Mpm0q<^LBE_5AYkvYSF;bUtFq4}c@tT=7&pu$BY} zldcBVm<5=WF0CN@2L@~~B_+$#f0?EP$&tk$!_WRmHNXdM=pA6OzU*CpN$R0KSSmJr zJR%Hnl;ZR|6H<0DY`&MyN9P_Z)_SsW@6SgUE=? 
zy0irkKfI-anD^9-=qtmBS$FoQawTNnY?Bq~$?;m&|X;`E$0N!<>wqfM^t5@6PUUjMcD;?~aU&tS|B&kH!wV zMCXHxl;J6Nwy!OP%ZE9z*`uJS$cO`p)l#gg8hjmG7W;vDEn#C2+0JLd-gWcD{{g?s z%T{K(R21u%=Ek!~j(9kW!~7t|cgI@xR{n@SCm2tzM=15l_OmEe_X>>B-@tmIEd=j5 z-RSD-l6?NDuIsqK088Tqn!IATe8~NT{-SY&zO%D)bX!|nj8CXDpmAJ%_!KS9`-?Rk zQ2p?@5ehc!qgZO93Tt*ghC7g}4J*r0#63$*r9CP650{IphoWH2jO-Lr&VS(R5I>E) zJO*_`teO4&!_WfoMAw>Tw21gPDr8)z%p_Beg{S_)xuHW~u7?XwXDy4HNc)K5YZIwj z2i|KU#WWq-K#q(K%*FF4uK!nZgr$01#Eh_IbH*3q0 z(IL%8^wWg+>{n9uN%f@Nl=F{#cVgQb8RakN51@#WISsMm#xjDDPP@1S-XyS3g=Fw3 zF3!xlm`Nh>oou}?fAWUm2zLlOaz@}lvG(wSe#uvoF?Nnd(;q9dJaORRjJ;+ zX2cb-gG*rLqgDI?1JQym{iK2IvRpK=Z4I0+`e$|TXe?$23%xX4JWI{~sk431GVhZk zyR+vGu;BMb*5s|J`v9|GSq}M248ovvaWc%}oae)}4RXEQouNlQN`sAkBcmAucQ=vn zFZBkDiN|{V;0`|fxj;M@b$uzRWgWWhmikzg-jk%C zBwH}p7-I9E)WjpE;W16F4ivC~NZw(?rS-}cLV|+PGgG96g#NL7Gu=TKRT^6uE(eaU z^dkEw2F+B8l>ij-JeuOBWE0KV%X&|KxV0t@bG|^Zv6ZU$4ndn`1)W;g=y}Z?P&xsd2iQelV$9eq zGk@|OFo|lL1IWWdLMv&+@T{Z$hW+~3teTRWwR(G1c-CxDxbS%=cFN26@Mv*=d&Lz5 zja88E5^!J6o{+*lOZz!<8FNM;F;ZoD`R3`M4^pAd>_Xd1X{Ie)bzx3Sy7SmJ_U@31b>8ejz&;IfBfW+&eJ&Y0ZL_Pt)tl^NW?dgQXWVk&I;S z&=zaOl^sm+;8n--Dl45ltb9-yLVoz6oPr3ZvXSeVzFH-Akdm8$*!GdOqv--2SQI<# z^poN2Y=o}!$^smO(X*|Cxxu+9b~@ zi{+543u!(Fdlskmhy=`wohNs9tI$*#ze`_!S5NQ6AjPz2uqGLyazu(PB@z*l2ltP- zyxzd+2I`};fDuNNj-JE3o#M4uxd?-}F54z{k5prOdwYSG7C|MY(EO#ri&N8dThFX*Gtz!~UBaj?BH*5ABIzlwTM%=7ljoTmSkxnoj?In1 zSIAD9`&|Dc5J&G8g!_Wg>0&?op z@RvAC_N@gCYpVQXP#kzTF5Nw`l$j%|mn??Aa-)o;NR$?0Y5%2DJt zpb*ELlrHF}wzj|xuXtr$Gfqdx!lHTV-~VJ-Yk6g$g9_Jp1WaodE+thlAb7oW*A#cd zTNr|O+!bdtc!NsZDd5$Q^OWIHgepx3uWj!Qud~{DSKJEK;JGLQDZVq6t{BF=A~u>t zvnCs!W;-Md<;!(6IdK>=`Yvw7O2h}{H^jbX$u_*ARzetBYn(VTtqt?pI|%jN$wR)> ztVFYW8=mI7sEU%ZYAN(Ggf&OW66(Hr(e%;>DaTtl+2Oa$53b@W3%-)KWmzS>} z8*_RUFpQgF0D?xBF3JL-=zL?Q=^{cSix%$^t7{Xs}3v7k0s{SWjgFadhJz4HY)kQ}xiq1?b$ zAGqvfo6Lwjk#cm+Vysv2E%a54KX}W;;b6ve16wyjc`x7P&qoAtov6@DB5hl59Ej(= zE2;=}M%6HL489r^Qty>#SW)fyJ*NPVVIo{EdVb%zWdgX>mpAA2?7^;P(t1JA#+L_y zaFKP3s9!-h?8y~p_Nw}@d@BLb4f}#NxQ_`H$i*cPTv=&WVlrG=C3o}>JcR{bhw__V 
Date: Fri, 31 Oct 2025 17:47:04 -0400 Subject: [PATCH 08/14] docs review --- .../shared/use-organization-params.mdx | 2 +- ...thorization-params-from-session-claims.mdx | 4 +- .../types/organization-custom-role-key.mdx | 2 +- docs/_partials/has-warning.mdx | 2 +- docs/guides/billing/for-b2b.mdx | 2 +- .../account-updates/user-impersonation.mdx | 2 +- .../accept-organization-invitations.mdx | 4 +- .../manage-membership-requests.mdx | 2 +- .../manage-organization-invitations.mdx | 4 +- .../organizations/manage-roles.mdx | 2 +- .../manage-user-org-invitations.mdx | 2 +- .../organizations/update-organizations.mdx | 2 +- .../override-clerk-types-interfaces.mdx | 2 +- .../sdk-development/backend-only.mdx | 2 +- .../development/sdk-development/fullstack.mdx | 2 +- .../upgrade-guides/core-2/backend.mdx | 2 +- .../{control-access => }/check-access.mdx | 4 +- docs/guides/organizations/configure.mdx | 102 ++++++++---------- .../organizations/create-and-manage.mdx | 30 ++---- .../{add-members => }/invitations.mdx | 14 +-- docs/guides/organizations/overview.mdx | 37 ++++--- .../roles-and-permissions.mdx | 8 +- docs/guides/organizations/set-metadata.mdx | 4 +- .../organizations/{add-members => }/sso.mdx | 18 ++-- .../{add-members => }/verified-domains.mdx | 16 +-- docs/guides/secure/authorization-checks.mdx | 4 +-
docs/guides/secure/basic-rbac.mdx | 2 +- docs/guides/secure/features.mdx | 2 +- docs/manifest.json | 48 +++------ .../create-organization-invitation-bulk.mdx | 2 +- .../create-organization-invitation.mdx | 2 +- .../create-organization-membership.mdx | 2 +- .../update-organization-membership.mdx | 2 +- docs/reference/backend/types/auth-object.mdx | 4 +- docs/reference/components/control/protect.mdx | 4 +- .../organization/organization-list.mdx | 2 +- .../organization/organization-profile.mdx | 2 +- docs/reference/javascript/organization.mdx | 2 +- docs/reference/javascript/session.mdx | 4 +- .../organization-custom-permission-key.mdx | 2 +- .../javascript/types/organization-domain.mdx | 2 +- .../types/organization-invitation.mdx | 2 +- .../types/organization-membership.mdx | 4 +- .../types/user-organization-invitation.mdx | 2 +- redirects/static/docs.json | 8 +- 45 files changed, 168 insertions(+), 205 deletions(-) rename docs/guides/organizations/{control-access => }/check-access.mdx (96%) rename docs/guides/organizations/{add-members => }/invitations.mdx (91%) rename docs/guides/organizations/{control-access => }/roles-and-permissions.mdx (97%) rename docs/guides/organizations/{add-members => }/sso.mdx (76%) rename docs/guides/organizations/{add-members => }/verified-domains.mdx (83%) diff --git a/clerk-typedoc/shared/use-organization-params.mdx b/clerk-typedoc/shared/use-organization-params.mdx index 03c61ed8f5..dd8b326d19 100644 --- a/clerk-typedoc/shared/use-organization-params.mdx +++ b/clerk-typedoc/shared/use-organization-params.mdx 
@@ -1,6 +1,6 @@ | Property | Type | Description | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `enrollmentMode`: A string that filters the domains by the provided [enrollment mode](/docs/guides/organizations/add-members/verified-domains#enrollment-mode).
  • Any of the properties described in [Shared properties](#shared-properties).
| +| `domains?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ enrollmentMode?: "manual_invitation" \| "automatic_invitation" \| "automatic_suggestion"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `enrollmentMode`: A string that filters the domains by the provided [enrollment mode](/docs/guides/organizations/verified-domains#enrollment-mode).
  • Any of the properties described in [Shared properties](#shared-properties).
| | `invitations?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: ("expired" \| "revoked" \| "pending" \| "accepted")[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `status`: A string that filters the invitations by the provided status.
  • Any of the properties described in [Shared properties](#shared-properties).
| | `membershipRequests?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ status?: "expired" \| "revoked" \| "pending" \| "accepted"; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `status`: A string that filters the membership requests by the provided status.
  • Any of the properties described in [Shared properties](#shared-properties).
| | `memberships?` | true \| \{ initialPage?: number; pageSize?: number; \} & \{ query?: string; role?: string[]; \} & \{ infinite?: boolean; keepPreviousData?: boolean; \} | If set to `true`, all default properties will be used.
Otherwise, accepts an object with the following optional properties:
  • `role`: An array of [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key).
  • `query`: A string that filters the memberships by the provided string.
  • Any of the properties described in [Shared properties](#shared-properties).
| diff --git a/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx b/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx index 67490f70f6..24a67f0074 100644 --- a/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx +++ b/clerk-typedoc/types/check-authorization-params-from-session-claims.mdx @@ -3,7 +3,7 @@ | Property | Type | Description | | --------------------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | `feature?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [feature](/docs/guides/billing/overview) to check for. | -| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | +| `permission?` | `DisallowSystemPermissions`\<`P`\> | The [permission](/docs/guides/organizations/roles-and-permissions) to check for. | | `plan?` | `Autocomplete`\< user:${string} \| org:${string} \> | The [plan](/docs/guides/billing/overview) to check for. | | `reverification?` | [`ReverificationConfig`](reverification-config.mdx) | The reverification configuration to check for. This feature is currently in public beta. **It is not recommended for production use.** | -| `role?` | `string` | The [role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. | +| `role?` | `string` | The [role](/docs/guides/organizations/roles-and-permissions) to check for. | diff --git a/clerk-typedoc/types/organization-custom-role-key.mdx b/clerk-typedoc/types/organization-custom-role-key.mdx index 942f239fca..5a0af4dce8 100644 --- a/clerk-typedoc/types/organization-custom-role-key.mdx +++ b/clerk-typedoc/types/organization-custom-role-key.mdx 
@@ -1,3 +1,3 @@ `OrganizationCustomRoleKey` is a type that represents the user's role in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides the [default roles](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/control-access/roles-and-permissions#custom-roles) as well. +Clerk provides the [default roles](/docs/guides/organizations/roles-and-permissions#default-roles) `org:admin` and `org:member`. However, you can create [custom roles](/docs/guides/organizations/roles-and-permissions#custom-roles) as well. diff --git a/docs/_partials/has-warning.mdx b/docs/_partials/has-warning.mdx index 5a9d932314..0100d10827 100644 --- a/docs/_partials/has-warning.mdx +++ b/docs/_partials/has-warning.mdx @@ -1,2 +1,2 @@ > [!WARNING] -> Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. +> Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. diff --git a/docs/guides/billing/for-b2b.mdx b/docs/guides/billing/for-b2b.mdx index e0a8e75bc2..aaafd8c25b 100644 --- a/docs/guides/billing/for-b2b.mdx +++ b/docs/guides/billing/for-b2b.mdx 
@@ -12,7 +12,7 @@ Clerk billing for B2B SaaS allows you to create plans and manage subscriptions * ## Create a plan -Subscription plans are what your customers subscribe to. There is no limit to the number of plans you can create. If your Clerk instance has existing [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions), the corresponding features from those permissions will automatically be added to the free plan for orgs. This ensures that organization members get the same set of custom permissions when billing is enabled, because all organizations start on the free plan. +Subscription plans are what your customers subscribe to. There is no limit to the number of plans you can create. If your Clerk instance has existing [custom permissions](/docs/guides/organizations/roles-and-permissions), the corresponding features from those permissions will automatically be added to the free plan for orgs. This ensures that organization members get the same set of custom permissions when billing is enabled, because all organizations start on the free plan. To create a plan, navigate to the [**Plans**](https://dashboard.clerk.com/~/billing/plans) page in the Clerk Dashboard. Here, you can create, edit, and delete plans. To setup B2B billing, select the **Plans for Organizations** tab and select **Add Plan**. When creating a plan, you can also create [features](/docs/guides/secure/features) for the plan; see the next section for more information. diff --git a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx index 97618fd35e..9529495049 100644 --- a/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx +++ b/docs/guides/development/custom-flows/account-updates/user-impersonation.mdx 
@@ -13,7 +13,7 @@ This guide will walk you through how to build a custom flow that handles user im - The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. + The following example builds a dashboard that is only accessible to users with the `org:admin:impersonate` permission. To use this example, you must first [create the custom `org:admin:impersonate` permission](/docs/guides/organizations/roles-and-permissions#custom-permissions). Or you can modify the [authorization checks](!authorization-check) to fit your use case. In the dashboard, the user will see a list of the application's users. When the user chooses to impersonate a user, they will be signed in as that user and redirected to the homepage. diff --git a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx index 11651dc3f5..5b07d79c4f 100644 --- a/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/accept-organization-invitations.mdx 
@@ -5,11 +5,11 @@ description: Learn how to use the Clerk API to build a custom flows for acceptin -When a user visits an [organization invitation](/docs/guides/organizations/add-members/invitations) link, Clerk first checks whether a custom redirect URL was provided. +When a user visits an [organization invitation](/docs/guides/organizations/invitations) link, Clerk first checks whether a custom redirect URL was provided. **If no redirect URL is specified**, the user will be redirected to the appropriate Account Portal page (either [sign-up](/docs/guides/customizing-clerk/account-portal#sign-up) or [sign-in](/docs/guides/customizing-clerk/account-portal#sign-in)), or to the custom sign-up/sign-in pages that you've configured for your application. -**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/add-members/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. +**If you specified [a redirect URL when creating the invitation](/docs/guides/organizations/invitations#redirect-url)**, you must handle the authentication flows in your code for that page. You can either embed the [``](/docs/reference/components/authentication/sign-in) component on that page, or if the prebuilt component doesn't meet your specific needs or if you require more control over the logic, you can rebuild the existing Clerk flows using the Clerk API. This guide demonstrates how to use Clerk's API to build a custom flow for accepting organization invitations from a link. 
diff --git a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx index d2fdb4ce1d..b6ef5af467 100644 --- a/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-membership-requests.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing [organization membership requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing [organization membership requests](/docs/guides/organizations/verified-domains#membership-requests). diff --git a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx index cc21365866..8c6e8ffeb3 100644 --- a/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-organization-invitations.mdx 
@@ -5,14 +5,14 @@ description: Learn how to use the Clerk API to build a custom flow for creating -Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions) can invite new users to their organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. +Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions) can invite new users to their organization and manage those invitations. The invitation recipient can be either an existing user of your application or a new user. If they are a new user, they will need to sign up in order to accept the invitation. Users with the appropriate permissions can also revoke organization invitations for users that have not yet joined, which will prevent the user from becoming an organization member. This guide will demonstrate how to use the Clerk API to build a custom flow for inviting users to an organization and managing an organization's pending invitations. > [!NOTE] -> This guide is for creating and managing organization invitations client-side. You can also create an organization invitation using the Backend API. See the [organization invitations reference](/docs/guides/organizations/add-members/invitations) for more information. +> This guide is for creating and managing organization invitations client-side. You can also create an organization invitation using the Backend API. See the [organization invitations reference](/docs/guides/organizations/invitations) for more information. > > Also, see the [custom flow for accepting organization invitations](/docs/guides/development/custom-flows/organizations/accept-organization-invitations). 
diff --git a/docs/guides/development/custom-flows/organizations/manage-roles.mdx b/docs/guides/development/custom-flows/organizations/manage-roles.mdx index 3db79da092..c0ec7885e2 100644 --- a/docs/guides/development/custom-flows/organizations/manage-roles.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-roles.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API build a custom flow for managing mem -Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) can manage a member's [role](/docs/guides/organizations/control-access/roles-and-permissions#roles) and remove members within an organization. +Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions#permissions) can manage a member's [role](/docs/guides/organizations/roles-and-permissions#roles) and remove members within an organization. This guide will demonstrate how to use the Clerk API to build a custom flow for managing member roles in an organization. diff --git a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx index 64c6f75686..2e1767f445 100644 --- a/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx +++ b/docs/guides/development/custom-flows/organizations/manage-user-org-invitations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for managing -This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/add-members/invitations). +This guide will demonstrate how to use the Clerk API to build a custom flow for managing a user's [organization invitations](/docs/guides/organizations/invitations). 
diff --git a/docs/guides/development/custom-flows/organizations/update-organizations.mdx b/docs/guides/development/custom-flows/organizations/update-organizations.mdx index 10ef856773..519e9d0048 100644 --- a/docs/guides/development/custom-flows/organizations/update-organizations.mdx +++ b/docs/guides/development/custom-flows/organizations/update-organizations.mdx @@ -5,7 +5,7 @@ description: Learn how to use the Clerk API to build a custom flow for updating -Organization members with appropriate [permissions](/docs/guides/organizations/control-access/roles-and-permissions) can update an organization. +Organization members with appropriate [permissions](/docs/guides/organizations/roles-and-permissions) can update an organization. This guide will demonstrate how to use Clerk's API to build a custom flow for updating an organization. diff --git a/docs/guides/development/override-clerk-types-interfaces.mdx b/docs/guides/development/override-clerk-types-interfaces.mdx index 8609cc4cf7..19e208b88d 100644 --- a/docs/guides/development/override-clerk-types-interfaces.mdx +++ b/docs/guides/development/override-clerk-types-interfaces.mdx @@ -42,7 +42,7 @@ declare global { When defining custom types for roles and permissions: -- Custom permissions are merged with [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) +- Custom permissions are merged with [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) - Custom roles completely replace default roles (`org:admin` and `org:member`) ```tsx {{ filename: 'types/globals.d.ts' }} diff --git a/docs/guides/development/sdk-development/backend-only.mdx b/docs/guides/development/sdk-development/backend-only.mdx index 32d9d71d51..7ebe95f963 100644 --- a/docs/guides/development/sdk-development/backend-only.mdx +++ b/docs/guides/development/sdk-development/backend-only.mdx 
@@ -12,7 +12,7 @@ The source of truth for all BAPI endpoints is the [BAPI reference docs](/docs/re - User only needs to provide their [Secret Key](/docs/guides/development/sdk-development/terminology) - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of BAPI client (so that users can use all methods) -- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) +- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/roles-and-permissions) > [!IMPORTANT] > BAPI has [rate limits](/docs/guides/how-clerk-works/system-limits) to help protect users against brute-force attacks or stop abuse of Clerk's platform. Be sure to include a backoff mechanism into your fetching logic and respect the `Retry-After` header to gracefully handle any active rate limits. diff --git a/docs/guides/development/sdk-development/fullstack.mdx b/docs/guides/development/sdk-development/fullstack.mdx index bdd687bdcf..0ef762d88b 100644 --- a/docs/guides/development/sdk-development/fullstack.mdx +++ b/docs/guides/development/sdk-development/fullstack.mdx @@ -14,7 +14,7 @@ A fullstack SDK combines the [frontend-only SDK](/docs/guides/development/sdk-de - User should be able to use [ClerkJS options](/docs/reference/javascript/clerk#clerk-options){{ target: '_blank' }} - Centralized request authentication (e.g. in a middleware or plugin) - Give access to the instance of [BAPI](/docs/guides/development/sdk-development/terminology) client (so that users can use all methods) -- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) +- User should be able to limit access to routes by checking for [roles and permissions](/docs/guides/organizations/roles-and-permissions) ## Optional features 
diff --git a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx index fcd2383faf..987390cb5b 100644 --- a/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx +++ b/docs/guides/development/upgrading/upgrade-guides/core-2/backend.mdx @@ -714,7 +714,7 @@ As part of this major version, a number of previously deprecated props, argument - The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions)). An example of where this type might be found: + The `MembershipRole` type was replaced with `OrganizationCustomRoleKey` (related to [roles and permissions](/docs/guides/organizations/roles-and-permissions)). An example of where this type might be found: ```js import { useAuth } from '@clerk/clerk-react' diff --git a/docs/guides/organizations/control-access/check-access.mdx b/docs/guides/organizations/check-access.mdx similarity index 96% rename from docs/guides/organizations/control-access/check-access.mdx rename to docs/guides/organizations/check-access.mdx index e6b3d4d8de..093316630c 100644 --- a/docs/guides/organizations/control-access/check-access.mdx +++ b/docs/guides/organizations/check-access.mdx 
@@ -14,7 +14,7 @@ Clerk provides two primary ways to perform these checks: the `has()` method for Authorization checks can verify roles and custom permissions. Roles like `org:admin` determine a user's level of access within an organization, while custom permissions like `org:invoices:create` provide fine-grained control over specific features and actions. > [!IMPORTANT] -> Clerk links custom permissions to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions). +> Clerk links custom permissions to features. A permission check for `org:invoices:create` will only return `true` if the organization's active plan includes the `invoices` feature **and** the user has the permission. Learn more in the [roles and permissions guide](/docs/guides/organizations/roles-and-permissions#custom-permissions). ## Frontend checks with `` @@ -86,5 +86,5 @@ Now that you know how to check roles and permissions, you can: - [Read the complete authorization checks guide](/docs/guides/secure/authorization-checks) for advanced patterns including middleware protection and custom authorization logic - [Learn how to check features and plans](/docs/guides/billing/for-b2b#control-access-with-features-plans-and-permissions) for subscription-based applications -- [Set up custom roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to define your access control model +- [Set up custom roles and permissions](/docs/guides/organizations/roles-and-permissions) to define your access control model - [Configure default roles](/docs/guides/organizations/configure#default-roles) for new organization members 
diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx index fcfa6a2df0..dba873d06f 100644 --- a/docs/guides/organizations/configure.mdx +++ b/docs/guides/organizations/configure.mdx 
@@ -1,27 +1,24 @@ --- -title: Configure Organizations +title: Configure organizations description: Learn how to configure global organization settings in the Clerk Dashboard, including pricing, membership limits, and optional features. metadata: - title: Configure Organizations settings in Clerk Dashboard + title: Configure organization settings in Clerk Dashboard --- -Global organization settings control how Organizations work across your entire application. These settings determine who can create organizations, how members join them, what roles they receive, and which features are available. You'll configure most of these when you first enable Organizations, though you can adjust them later as your needs evolve. +Global organization settings control how organizations work across your entire application. These settings determine who can create organizations, how members join them, what roles they receive, and which features are available. You'll configure most of these when you first enable organizations, though you can adjust them later as your needs evolve. -## Enable Organizations +## Enable organizations Organizations are disabled by default. When you enable organizations, Clerk offers two workspace models: -- **Personal accounts disabled (recommended)**: Every user must belong to an organization. After signing up, users are prompted to create or join an organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application. +- **Personal accounts disabled (default)**: Every user is required to belong to an organization. All new and existing users will be prompted to create or join an organization through the [session tasks flow](/docs/guides/configure/session-tasks) before they can access your application. > [!IMPORTANT] > Personal accounts being disabled by default was released on August 22, 2025. 
Applications created before this date will not see the **Allow personal accounts** setting, because personal accounts were enabled by default. - **Personal accounts enabled**: Users can operate in their own individual workspace or join organizations. They start in their personal account and can switch to organizations using the [``](/docs/reference/components/organization/organization-switcher) component. -Most B2B and multi-tenant applications disable personal accounts. This ensures proper data isolation and team structure from the start. You should only enable personal accounts if your app serves both individual users and teams (like a tool that works for solo users but also has team features). - -> [!NOTE] -> If you have existing users when you enable organizations with personal accounts disabled, they will be required to create or join an organization. +Most B2B and multi-tenant applications leave personal accounts disabled. This ensures proper data isolation and team structure from the start. You should only enable personal accounts if your app serves both individual users and teams (like a tool that works for solo users but also has team features). To enable organizations: 
@@ -32,70 +29,66 @@ To enable organizations: Clerk measures Organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. -## Organization Options +## Organization settings -Once organizations are enabled, you can configure core features and behaviors. These settings control membership limits, verified domains, organization slugs, and whether to allow personal accounts alongside organizations. +Once organizations are enabled, you can configure core features and behaviors, such as membership limits, verified domains, organization slugs, and whether to allow personal accounts alongside organizations. ### Membership limits -By default, each organization can have up to 5 members. You can increase this limit as your customer base grows, or set different limits for individual organizations if you have different pricing tiers. There is no limit to the number of organizations a user can be a member of. +There is no limit to the number of organizations a user can be a member of. + +Each organization allows a maximum of 5 members by default. You can increase this limit as your customer base grows, or set different limits for individual organizations if you have different pricing tiers. -To change the global default: +To change the membership limit for all organizations in your application: 1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. 1. In the **Default membership limit** section, update the membership limit. - - **Free plan**: Maximum 5 members per organization - - **Pro plan**: Unlimited members per organization + - **Free plan**: Allows a maximum of 5 members in an organization + - **Pro plan**: Allows unlimited members in an organization -You can override this limit for individual organizations: +To change the membership limit for a specific organization: 1. 
In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). 1. Select the organization you want to update. 1. In the **Membership limit** section, update the limit for that specific organization. -Learn more about [adding members to organizations](/docs/guides/organizations/add-members/invitations). +### Allow personal accounts -### Personal accounts +When enabling the organizations feature, you were prompted to choose whether to allow personal accounts. This setting is disabled by default. Refer to the [section on enabling organizations](#enable-organizations) above for a detailed explanation of how personal accounts work. -You can change the personal accounts setting after initial setup. This is useful if your product strategy evolves. For example, if you initially served only teams but now want to support individual users as well. +You can change this setting after initial setup, which is useful if your product strategy evolves. For example, if you initially served only teams but now want to support individual users as well. To change this setting: 1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. 1. Toggle **Allow personal accounts**. -Refer to the [Enable Organizations section](#enable-organizations) above for a detailed explanation of how personal accounts work. - ### Verified domains -Verified domains allow automatic or suggested organization membership for users with specific email domains (like `@acme.com`). This is useful for company-wide rollouts where you want to streamline enrollment for employees with company email addresses. Members with the ["Manage domains" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can manage verified domains and enrollment modes. 
+Verified domains allow automatic or suggested organization membership for users with specific email domains (like `@acme.com`). This is useful for company-wide rollouts where you want to streamline enrollment for employees with company email addresses. Members with the [`org:sys_domains:manage` system permission](/docs/guides/organizations/roles-and-permissions#system-permissions) can manage verified domains and enrollment modes. -Learn more about [verified domains](/docs/guides/organizations/add-members/verified-domains). +Learn more about [verified domains](/docs/guides/organizations/verified-domains). ### Organization slugs -Organization slugs are human-readable URL identifiers (like `acme-corp`) that help users reference which organization they're working in. Enable this feature if you need organization-specific URLs or if users frequently switch between multiple organizations. This is disabled by default for applications created after October 7, 2025. - -Learn more about [using organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls). +> [!IMPORTANT] +> Organization slugs are disabled by default for applications created after October 7, 2025. For applications created before this date, you can opt to disable it. -## User-created Organizations +Organization slugs are human-readable URL identifiers (like `acme-corp`) that help users reference which organization they're working in. Enable this feature if you need organization-specific URLs or if users frequently switch between multiple organizations. -After configuring organization features, you'll want to control who can create organizations. By default, end users can create organizations in your application, but you can restrict this if you prefer to manually provision organizations for customers. +You can also [use organization slugs in your application's URLs](/docs/guides/organizations/org-slugs-in-urls). 
-### Allow user-created Organizations +### Allow user-created organizations -By default, users can create organizations in your application. You might want to disable this if you prefer to manually provision organizations for customers through the Clerk Dashboard or your own admin interface. - -To change this setting: - -1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Toggle **Allow user-created organizations**. +By default, users can create organizations in your application. You can restrict this if you prefer to manually provision organizations. You can also override this permission for specific users in their profile page under **User permissions**. Learn more about [creating organizations](/docs/guides/organizations/create-and-manage). -### Organization creation limit +#### Organization creation limit + +{/* TODO: Come back to this. Is the max 100, or is it unlimited? By default, in the Clerk Dash, it says unlimited. But I thought Clerk caps each user to create up to 100 orgs per application instance */} When user-created organizations are enabled, each user can create up to 100 organizations by default. You can configure this to set a lower limit or allow unlimited organizations. 
@@ -120,63 +113,56 @@ When users create or join organizations, they need to be assigned a role. These #### Default role for members -The default role for members is assigned to users when they join an organization through invitations or verified domain enrollment. By default, this is set to **Member**. +The default role for members is assigned to users when they join an organization through invitations or verified domain enrollment. By default, this is set to [**Member**](/docs/guides/organizations/roles-and-permissions#default-roles). This role is used: - When sending invitations from the [``](/docs/reference/components/organization/organization-profile) component (pre-filled as default) -- When users auto-join via [verified domains](/docs/guides/organizations/add-members/verified-domains) +- When users auto-join via [verified domains](/docs/guides/organizations/verified-domains) - As the suggested role for new organization members To change the default role: -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). +1. In the Clerk Dashboard, navigate to the [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles) page. 1. Select the three dots next to the role you want to set as default. 1. Choose **Set as Default role**. -Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). +Learn more about [roles and permissions](/docs/guides/organizations/roles-and-permissions). #### Creator's initial role -The creator's initial role is assigned to users when they create a new organization. By default, this is set to **Admin**, giving them full control over the organization they created. +When a user creates a new organization, Clerk automatically adds them as its first member and assigns them the organization's designated **Creator** role. 
By default, that role is [**Admin**](/docs/guides/organizations/roles-and-permissions#default-roles), giving them full control over the organization they created. -This role must have at least these [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions): +The Creator role must have at least these [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions): - Manage members (`org:sys_memberships:manage`) - Read members (`org:sys_memberships:read`) - Delete organization (`org:sys_profile:delete`) -To change the creator role: - -1. In the Clerk Dashboard, navigate to [**Roles & Permissions**](https://dashboard.clerk.com/~/organizations-settings/roles). -1. Ensure the role has the required system permissions listed above. -1. Select the three dots next to the role you want to set as creator role. -1. Choose **Set as Creator role**. - -Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). +Learn more about the [Creator role and how to reassign it](/docs/guides/organizations/roles-and-permissions#the-creator-role). ### Allow new members to delete organizations This setting controls whether organization members can delete organizations. -### Allow new members to delete Organizations +### Allow new members to delete organizations -By default, any member with the ["Delete organization" system permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. +By default, any member with the [`org:sys_profile:delete` system permission](/docs/guides/organizations/roles-and-permissions#system-permissions) can delete an organization. 
You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. -To prevent members from deleting organizations: +To change this setting: 1. In the Clerk Dashboard, navigate to the [**Organizations Settings**](https://dashboard.clerk.com/~/organizations-settings) page. -1. Disable **Allow new members to delete organizations**. +1. Toggle **Allow new members to delete organizations**. -> [!NOTE] +> [!IMPORTANT] > This setting only applies to newly created organizations. Existing organizations retain their current deletion settings. -Learn more about [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions). +Learn more about [roles and permissions](/docs/guides/organizations/roles-and-permissions). ## Next steps Now that you've configured global settings, you can: - [Create your first organization](/docs/guides/organizations/create-and-manage) and start adding members -- [Add members to your organization](/docs/guides/organizations/add-members/invitations) with invitations, verified domains, or SSO -- [Configure access control](/docs/guides/organizations/control-access/roles-and-permissions) with custom roles and permissions +- [Add members to your organization](/docs/guides/organizations/invitations) with invitations, verified domains, or SSO +- [Configure access control](/docs/guides/organizations/roles-and-permissions) with custom roles and permissions diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx index 8e0036da71..b514a13da0 100644 --- a/docs/guides/organizations/create-and-manage.mdx +++ b/docs/guides/organizations/create-and-manage.mdx 
@@ -5,27 +5,21 @@ metadata: title: Create and manage Organizations with Clerk --- -You can create organizations in the Clerk Dashboard, or end users can create them in your application. Once created, you can manage individual organization profiles, and update settings. Clerk provides components to help users switch between multiple organizations. - -This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring membership), refer to [Configure Organizations](/docs/guides/organizations/configure). +Organizations can be created and managed either in the Clerk Dashboard or in your application. This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring memberships), refer to the [dedicated guide](/docs/guides/organizations/configure). ## Create an organization -You can create organizations in the Clerk Dashboard, or end users can create them in your application. The number of organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). +Organizations can be created in the Clerk Dashboard or in your application. The number of organizations you can create depends on your [Monthly Active Organization (MAO) limits](/docs/guides/organizations/overview#how-do-organizations-work). ### Create an organization in the Clerk Dashboard -To create an organization in the Clerk Dashboard: - -1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations). -1. Select the **Create Organization** button. -1. Enter the organization's name. Optionally, upload the organization's logo, enter the organization's slug, and select the organization's owner. 
The slug is a unique identifier for the organization that you can use in URLs, such as `example-name`. +To create an organization in the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page and select the **Create Organization** button. ### Create an organization in your application -By default, users have permission to create organizations within your application. When a user creates an organization, they become the organization's [admin](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) with full control over settings, members, and permissions. +By default, [users have permission to create organizations within your application](/docs/guides/organizations/configure#allow-user-created-organizations). When a user creates an organization, they become the organization's [admin](/docs/guides/organizations/roles-and-permissions#default-roles) with full control over settings, members, and permissions. -**Default limits**: Each user can create up to 100 organizations. To change creation permissions or limits, see the [Configure Organizations guide](/docs/guides/organizations/configure#user-created-organizations). +**Default limits**: Each user can create up to 100 organizations. To change creation permissions or limits, see the [dedicated guide](/docs/guides/organizations/configure#allow-user-created-organizations). The easiest way to allow users to create organizations is to use the [``](/docs/reference/components/organization/create-organization) and/or [``](/docs/reference/components/organization/organization-switcher) components. The `` component is more comprehensive, as it handles all organization flows including creation, switching, and management. 
@@ -33,15 +27,11 @@ If the prebuilt components don't meet your needs, you can build [custom flows](/ ## Manage organizations -As an application owner, you can manage all organizations in your application. This includes the organizations you created and those created by your users. You can view, update, and delete organizations, as well as manage their members and settings. +As an application owner, you can manage all organizations in your application, both those created by you and those created by your users. You can view, update, and delete any organization, as well as manage its members and settings. ### Manage organizations in the Clerk Dashboard -To manage organizations in the Clerk Dashboard: - -1. In the Clerk Dashboard, select [**Organizations**](https://dashboard.clerk.com/~/organizations) to view all organizations in your application. -1. Select a specific organization to view its details, members, invitations, and settings. -1. From here, you can update the organization's name, slug, logo, and public and private metadata. You can also adjust the organization's [membership limit](/docs/guides/organizations/configure#membership-limits). +To manage an organization in the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page. Select a specific organization to view its details, members, invitations, subscriptions, payments, and settings. ### Manage organizations in your application 
@@ -59,7 +49,7 @@ Users who belong to multiple organizations can switch between them at any time. The [``](/docs/reference/components/organization/organization-switcher) component provides the easiest way for users to switch between organizations. If you need more control over the switching logic, you can use the `setActive()` method from the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook, or access it directly from the [`Clerk`](/docs/reference/javascript/clerk#set-active) object. -If [personal accounts are enabled](/docs/guides/organizations/configure#personal-accounts), users can also switch to their personal account using the `` component. +If [personal accounts are enabled](/docs/guides/organizations/configure#allow-personal-accounts), users can also switch to their personal account using the `` component. ## Next steps @@ -67,5 +57,5 @@ Now that you know how to create and manage organizations, you can: - [Add custom data with organization metadata](/docs/guides/organizations/set-metadata) - [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing -- [Invite members to organizations](/docs/guides/organizations/add-members/invitations) -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) +- [Invite members to organizations](/docs/guides/organizations/invitations) +- [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) diff --git a/docs/guides/organizations/add-members/invitations.mdx b/docs/guides/organizations/invitations.mdx similarity index 91% rename from docs/guides/organizations/add-members/invitations.mdx rename to docs/guides/organizations/invitations.mdx index 054a674ffc..17855b81dd 100644 --- a/docs/guides/organizations/add-members/invitations.mdx +++ b/docs/guides/organizations/invitations.mdx 
@@ -1,13 +1,13 @@ --- title: Invite users to your organization -description: Send, manage, and track user invitations within your multi-tenant SaaS using Clerk Organizations. +description: Send, manage, and track user invitations within your multi-tenant SaaS using Clerk organizations. metadata: - title: Send and manage Organization invitations via Clerk + title: Send and manage organization invitations via Clerk --- Organization invitations let you add new members to your organization. When you send an invitation, Clerk sends an email to the invited user with a unique invitation link. When the user visits the organization invitation link, Clerk redirects them to the [Account Portal sign-in page](/docs/guides/customizing-clerk/account-portal#sign-in). If the user is already signed in, Clerk redirects them to your application's homepage (`/`). If you want to redirect the user to a specific page in your application, you can [specify a redirect URL when creating the invitation](#redirect-url). -By default, only [admins](/docs/guides/organizations/control-access/roles-and-permissions#default-roles) can invite users to an organization. +By default, only [admins](/docs/guides/organizations/roles-and-permissions#default-roles) can invite users to an organization. This feature requires that [**Email** is enabled](/docs/guides/configure/auth-strategies/sign-up-sign-in-options#email), as Clerk uses the user's email address to send the invitation. You can still disable **Email** as a sign-in option if you do not want users to be able to sign-in with their email address. 
@@ -21,7 +21,7 @@ Invitations work well when you need precise control over who joins your organiza - Onboarding requires manual approval or review - Specific roles need to be assigned during the invitation -If you want to streamline enrollment for users with company email addresses, consider [verified domains](/docs/guides/organizations/add-members/verified-domains), which can automatically invite users based on their email domain. If customers require centralized authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/add-members/sso). +If you want to streamline enrollment for users with company email addresses, consider [verified domains](/docs/guides/organizations/verified-domains), which can automatically invite users based on their email domain. If customers require centralized authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/sso). ## Create an invitation 
@@ -160,7 +160,7 @@ Use the following tabs to see examples for each method. Now that you know how to invite users to your organization, you can: -- [Configure verified domains](/docs/guides/organizations/add-members/verified-domains) to automatically invite users based on their email domain -- [Set up enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what invited users can access +- [Configure verified domains](/docs/guides/organizations/verified-domains) to automatically invite users based on their email domain +- [Set up enterprise SSO](/docs/guides/organizations/sso) for centralized authentication through an Identity Provider +- [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) to control what invited users can access - [Add metadata to invitations](/docs/guides/organizations/set-metadata) for tracking or custom workflows diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index ee64c0182a..4f0c5f0fab 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -1,19 +1,19 @@ --- title: Organizations -description: Learn what Clerk Organizations are, how they work, and how to build secure multi-tenant B2B applications with team workspaces, role-based access control, and streamlined enrollment. +description: Learn what Clerk organizations are, how they work, and how to build secure multi-tenant B2B applications with team workspaces, role-based access control, and streamlined enrollment. metadata: title: Organizations - Build multi-tenant B2B applications --- Organizations let you group users with roles and permissions. This lets you build multi-tenant B2B apps like Slack (workspaces), Linear (teams), or Vercel (projects) where users switch between different team contexts. -Users can belong to multiple organizations, and Clerk provides the organization context in each session (memberships, roles, and the active organization). Your application uses this context to control what data to show and what actions to allow. +Users can belong to multiple organizations, and Clerk provides the organization context (memberships, roles, and the active organization) in each session. You can then use this context to control what data to show and what actions to allow. > [!NOTE] -> Check out the demo apps to explore organizations in Clerk: +> To explore organizations in Clerk, check out the demo apps: > [https://github.com/clerk/orgs](https://github.com/clerk/orgs) -## How do Organizations work? +## How do organizations work? Organizations live within your Clerk application. Each application can contain multiple organizations, and each organization can have multiple users. You define roles and permissions once at the application level, and they apply across all organizations within that application. 
@@ -23,23 +23,30 @@ The organization that a user is currently viewing is called the **active organiz Clerk measures organization usage through **Monthly Active Organizations (MAOs)**. An MAO is an organization with at least two users that have signed in that month, where at least one has interacted with the organization during the current billing cycle. Free plans include up to 50 MAOs in development and 100 in production. Pro plans offer unlimited development MAOs and start at 100 free production MAOs, then $1 per additional MAO. Refer to the [pricing page](/pricing){{ target: '_blank' }} for complete details. +### How do I set an organization as active? + +By default, personal accounts are disabled and users are required to be a member of at least one organization, which will be set as the active organization. + +If personal accounts are enabled, when a user signs in, they will sign in to their personal account and **no** active organization will be set. The easiest way to allow users to set an organization as active is to use the +[``](/docs/reference/components/organization/organization-switcher) component. If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can also use the [`setActive()`](/docs/reference/javascript/clerk#set-active) method, which is returned by the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook. If you aren't using hooks, you can access the [`setActive()`](/docs/reference/javascript/clerk#set-active) method from the [`Clerk`](/docs/reference/javascript/clerk) object. + ### Core workflow The core workflow consists of three stages: -1. **Create**: You can create organizations in the Clerk Dashboard, or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. 
Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. +1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. 1. **Invite**: You can bring people into organizations in different ways depending on your needs: - - **Invitations** for bottoms-up adoption where individual users invite teammates with precise control over roles - - **Verified domains** for company-wide rollouts where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval) - - **Enterprise connections** (for example: SSO, SAML, OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP) + - **Invitations** for bottom-up adoption, where individual users invite teammates with precise control over roles. + - **Verified domains** for company-wide rollouts, where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval). + - **Enterprise connections** (SAML or OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP). You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. -1. **Control**: You manage access through roles and permissions. 
Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/control-access/check-access) in both frontend and backend code. +1. **Control**: You manage access to content or entire pages using roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/check-access) in both frontend and backend code. Beyond these core steps, you can also monitor organization health and growth with analytics in the Clerk Dashboard. This helps you spot which organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. -## Why Organizations? +## Why organizations? Organizations help you build multi-tenant applications faster, support team collaboration at scale, and provide enterprise-grade access control. This model is especially valuable for B2B2C products in a growth stage and B2C products expanding into B2B. 
@@ -51,17 +58,17 @@ Modern applications need to support users who work across multiple teams or clie Managing who can join an organization becomes easier when you can set enrollment rules. Verified domains let you automatically invite or suggest organizations to users with approved company emails. When a user signs up with a matching email domain, they can join the organization without manual approval. This streamlines onboarding for company-wide rollouts and reduces friction for IT administrators. -For B2B2C SaaS onboarding entire companies, verified domains handle the scale. When Acme Corp adopts your product, all @acme.com employees automatically join their company's organization without manual invitations. +For B2B2C SaaS onboarding entire companies, verified domains handle the scale. When Acme Corp adopts your product, all `@acme.com` employees automatically join their company's organization without needing to deal with manual invitations. ### Support enterprise authentication -Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Entra ID, and Google Workspace. When users sign in through their IdP, Clerk automatically adds them to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. +Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Microsoft Entra ID, and Google Workspace. When users sign in through their IdP, Clerk automatically adds them to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. As B2C products scale into enterprise customers, SSO becomes essential. 
Products that started with individual email sign-ups need to evolve to support IT-managed authentication for Fortune 500 buyers. ### Control access with roles and permissions -Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. Clerk embeds the active organization's roles and permissions in the session, enabling you to perform [authorization checks](/docs/guides/organizations/control-access/check-access) without extra network requests. +Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. Clerk embeds the active organization's roles and permissions in the session, enabling you to perform [authorization checks](/docs/guides/organizations/check-access) without extra network requests. ### Monitor organization growth @@ -79,5 +86,5 @@ Now that you understand what Organizations are and how they work, here's how to - [Configure global settings](/docs/guides/organizations/configure) - [Create and manage organizations](/docs/guides/organizations/create-and-manage) -- [Invite members](/docs/guides/organizations/add-members/invitations) -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) +- [Invite members](/docs/guides/organizations/invitations) +- [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) 
diff --git a/docs/guides/organizations/control-access/roles-and-permissions.mdx b/docs/guides/organizations/roles-and-permissions.mdx similarity index 97% rename from docs/guides/organizations/control-access/roles-and-permissions.mdx rename to docs/guides/organizations/roles-and-permissions.mdx index 075a805b67..b8cf345bee 100644 --- a/docs/guides/organizations/control-access/roles-and-permissions.mdx +++ b/docs/guides/organizations/roles-and-permissions.mdx @@ -42,7 +42,7 @@ To reassign the **Creator** role: ### The **Default** role for members -New organization members are initially assigned the **Default** role. By default, that role is `org:member`. This role is used as a pre-filled default in `` invitations and for organization enrollment with [verified domains](/docs/guides/organizations/add-members/verified-domains). +New organization members are initially assigned the **Default** role. By default, that role is `org:member`. This role is used as a pre-filled default in `` invitations and for organization enrollment with [verified domains](/docs/guides/organizations/verified-domains). You cannot delete an organization role if it's used as the organization's **Default** role. But, you _can_ reassign the **Default** role to any other role. 
@@ -141,6 +141,6 @@ It's best practice to always verify whether or not a user is **authorized** to a Now that you've set up roles and permissions, you can: - [Perform authorization checks](/docs/guides/secure/authorization-checks) to limit access to content or entire routes based on a user's role or permissions -- [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/add-members/verified-domains) -- [Learn how to manually invite users to an organization](/docs/guides/organizations/add-members/invitations) -- [Learn how to automatically add users to an organization through enterprise SSO](/docs/guides/organizations/add-members/sso) +- [Learn how to automatically invite users to an organization based on their email domain](/docs/guides/organizations/verified-domains) +- [Learn how to manually invite users to an organization](/docs/guides/organizations/invitations) +- [Learn how to automatically add users to an organization through enterprise SSO](/docs/guides/organizations/sso) diff --git a/docs/guides/organizations/set-metadata.mdx b/docs/guides/organizations/set-metadata.mdx index a32088a37b..80c8eb2b3f 100644 --- a/docs/guides/organizations/set-metadata.mdx +++ b/docs/guides/organizations/set-metadata.mdx 
@@ -38,6 +38,6 @@ To ease the flow of setting metadata, Clerk provides the [`updateOrganizationMet Now that you understand organization metadata, you can: - [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing -- [Add metadata to invitations](/docs/guides/organizations/add-members/invitations#invitation-metadata) to track invitation sources or assign attributes +- [Add metadata to invitations](/docs/guides/organizations/invitations#invitation-metadata) to track invitation sources or assign attributes - [Create and manage organizations](/docs/guides/organizations/create-and-manage) to see metadata in action -- [Check roles and permissions](/docs/guides/organizations/control-access/check-access) to control access based on metadata values +- [Check roles and permissions](/docs/guides/organizations/check-access) to control access based on metadata values diff --git a/docs/guides/organizations/add-members/sso.mdx b/docs/guides/organizations/sso.mdx similarity index 76% rename from docs/guides/organizations/add-members/sso.mdx rename to docs/guides/organizations/sso.mdx index fbc6cfbe60..ca1e971a89 100644 --- a/docs/guides/organizations/add-members/sso.mdx +++ b/docs/guides/organizations/sso.mdx 
@@ -1,13 +1,13 @@ --- title: Organization-level enterprise SSO -description: Integrate as many enterprise SSO methods within Clerk Organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. +description: Integrate as many enterprise SSO methods within Clerk organizations. Enable SAML SSO, OAuth/OIDC, and other secure MFA/single sign-on options for B2B SaaS apps. metadata: title: Set up organization-level SAML and OIDC for B2B/B2C apps --- Clerk provides enterprise single sign-on (SSO) through a feature called [**enterprise connections**](/docs/guides/configure/auth-strategies/enterprise-connections/overview). You can enable enterprise connections for specific organizations, allowing members to authenticate through their company's identity provider using SAML or OIDC protocols. -When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members). This process is known as [Just-in-Time (JIT) provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning). +When users sign up or sign in using an organization's enterprise connection, Clerk automatically adds them as members of that organization and assigns them the [default role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members). This process is known as [Just-in-Time (JIT) provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning). ## When to use enterprise SSO 
@@ -17,7 +17,7 @@ Enterprise SSO works well when customers require centralized authentication thro - IT teams need to manage user provisioning from a central location - Organizations want to maintain existing identity management workflows -If you need manual control over who joins and their [roles](/docs/guides/organizations/control-access/roles-and-permissions), use [invitations](/docs/guides/organizations/add-members/invitations). If you want automatic enrollment without IdP requirements, use [verified domains](/docs/guides/organizations/add-members/verified-domains). +If you need manual control over who joins and their [roles](/docs/guides/organizations/roles-and-permissions), use [invitations](/docs/guides/organizations/invitations). If you want automatic enrollment without IdP requirements, use [verified domains](/docs/guides/organizations/verified-domains). ## Common onboarding flows 
@@ -45,10 +45,10 @@ This flow is common when individual users try the product before company-wide ad Clerk supports enterprise SSO via [SAML](/docs/guides/configure/auth-strategies/enterprise-connections/overview#saml) or via the [OpenID Connect (OIDC) protocol](/docs/guides/configure/auth-strategies/enterprise-connections/overview#oidc), either through EASIE or by integrating with any OIDC-compatible provider. -To add an enterprise SSO connection for an organization, follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, Clerk will add the connection for your entire application. +To add an enterprise SSO connection for an organization, go to the [Enterprise connections](/docs/guides/configure/auth-strategies/enterprise-connections/overview) docs and follow the appropriate guide based on the platform you want to use, such as the [Google SAML guide](/docs/guides/configure/auth-strategies/enterprise-connections/saml/google). When configuring the connection in the Clerk Dashboard, there will be an option to select the **Organization** for which you want to enable this connection. If you don't select an organization, Clerk will add the connection for your entire application. > [!WARNING] -> A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/add-members/verified-domains) for the same organization. +> A domain used for enterprise SSO can't be used as a [verified domain](/docs/guides/organizations/verified-domains) for the same organization. ## Enforce enterprise SSO by domain 
@@ -60,7 +60,7 @@ Clerk enforces enterprise SSO connections on a per-domain basis in organizations ## Remove a member from your organization -Users who joined through an enterprise connection cannot leave the organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}), or by another member with the [manage members permission](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions). +Users who joined through an enterprise connection cannot leave the organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}), or by another member with the [manage members permission](/docs/guides/organizations/roles-and-permissions#system-permissions). Removed users will automatically rejoin the organization on their next sign-in unless you also remove them from the IdP or disconnect the enterprise connection. 
@@ -76,7 +76,7 @@ Now that you've set up enterprise SSO, you can: - [Learn more about enterprise connections](/docs/guides/configure/auth-strategies/enterprise-connections/overview) for advanced configuration options - [Understand JIT provisioning](/docs/guides/configure/auth-strategies/enterprise-connections/jit-provisioning) to customize how users are automatically added to organizations -- [Configure verified domains](/docs/guides/organizations/add-members/verified-domains) for users who don't use SSO -- [Invite specific users](/docs/guides/organizations/add-members/invitations) to your organization -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what SSO users can access +- [Configure verified domains](/docs/guides/organizations/verified-domains) for users who don't use SSO +- [Invite specific users](/docs/guides/organizations/invitations) to your organization +- [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) to control what SSO users can access - [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via SSO diff --git a/docs/guides/organizations/add-members/verified-domains.mdx b/docs/guides/organizations/verified-domains.mdx similarity index 83% rename from docs/guides/organizations/add-members/verified-domains.mdx rename to docs/guides/organizations/verified-domains.mdx index 1d9badb8b1..61ec733371 100644 --- a/docs/guides/organizations/add-members/verified-domains.mdx +++ b/docs/guides/organizations/verified-domains.mdx 
@@ -5,12 +5,12 @@ metadata: title: Verified domains within Clerk Organizations (Step-by-Step) --- -Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. Clerk assigns users the [**Default** role](/docs/guides/organizations/control-access/roles-and-permissions#the-default-role-for-members) set in the organization settings page. +Clerk's **verified domains** feature is useful for organizations that want to restrict membership to users with specific email domains, and automatically invite or suggest users with that domain to join an organization. For example, if the domain `@clerk.com` is verified, any user with an email address ending in `@clerk.com` can be automatically invited or be suggested to join an organization with that domain. Clerk assigns users the [**Default** role](/docs/guides/organizations/roles-and-permissions#the-default-role-for-members) set in the organization settings page. A verified domain cannot be a disposable domain or common email provider. For example, you cannot create a verified domain for `@gmail.com`. > [!WARNING] -> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/guides/organizations/add-members/sso). +> A verified domain can't be added if it's already in use for the [organization's SSO](/docs/guides/organizations/sso). The easiest way to add and verify domains, and manage all settings related to verified domains is to use Clerk's [``](/docs/reference/components/organization/organization-switcher) component. 
@@ -22,7 +22,7 @@ Verified domains work well when you want to streamline enrollment for users with - Reducing onboarding friction for employees with approved email domains - Enrollment can happen based on email domain without manual approval -If you need precise control over specific people and their roles, use [invitations](/docs/guides/organizations/add-members/invitations). If customers require authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/add-members/sso). +If you need precise control over specific people and their roles, use [invitations](/docs/guides/organizations/invitations). If customers require authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/sso). ## Enable verified domains @@ -54,7 +54,7 @@ After sign-up, a user will receive a **suggestion** for the organization if thei ### Membership requests -Membership requests are requests from users who saw an organization suggestion and requested to join an organization. Membership requests are only available for organizations that have the **Verified domains** feature enabled and **Automatic suggestion** enabled in both the Dashboard and for the specific domain. +Membership requests are requests from users who saw an organization suggestion and requested to join an organization. Membership requests are only available for organizations that have the **Verified domains** and **Automatic suggestion** features enabled in both the Dashboard and for the specific domain. When a user sends an organization membership request, users with the `org:sys_memberships:manage` permission (by default, admins) will see a notification on their `` component. They will need to accept the request before the user can join the organization. 
@@ -62,7 +62,7 @@ When a user sends an organization membership request, users with the `org:sys_me Any user with the `org:sys_domains:manage` permission can add and verify domains under an organization. By default, admins have this permission. To add and verify domains in the [``](/docs/reference/components/organization/organization-switcher) component, select the **General** tab. There will be a **Verified domains** section. -You can verify domains through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, Clerk will automatically verify the domain. +Domains can be verified through an email verification code sent to an email that matches the domain. If the user adding the domain already has a verified email using that domain in their account, Clerk will automatically verify the domain. An application instance may only have one verified domain of the same name, and an organization may only have one domain of the same name (verified or unverified). 
@@ -92,7 +92,7 @@ domain.updateEnrollmentMode({ enrollmentMode: 'automatic_invitation' }) Now that you've configured verified domains, you can: -- [Set up enterprise SSO](/docs/guides/organizations/add-members/sso) for centralized authentication through an Identity Provider -- [Invite specific users](/docs/guides/organizations/add-members/invitations) who don't match your verified domain -- [Set up roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions) to control what auto-enrolled users can access +- [Set up enterprise SSO](/docs/guides/organizations/sso) for centralized authentication through an Identity Provider +- [Invite specific users](/docs/guides/organizations/invitations) who don't match your verified domain +- [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) to control what auto-enrolled users can access - [Configure default roles](/docs/guides/organizations/configure#default-roles) for users joining via verified domains diff --git a/docs/guides/secure/authorization-checks.mdx b/docs/guides/secure/authorization-checks.mdx index 6f0a2c5e5b..93dbbb36f7 100644 --- a/docs/guides/secure/authorization-checks.mdx +++ b/docs/guides/secure/authorization-checks.mdx @@ -10,7 +10,7 @@ It's best practice to always verify whether or not a user is **authorized** to a Clerk provides two main features that can be used to implement authorization checks: - [Organizations](/docs/guides/organizations/overview) - - Users can be assigned [roles and permissions](/docs/guides/organizations/control-access/roles-and-permissions#permissions) + - Users can be assigned [roles and permissions](/docs/guides/organizations/roles-and-permissions#permissions) - Useful for role-based and permission-based access control - [Billing](/docs/guides/billing/overview) - Users can subscribe to plans and features 
@@ -38,7 +38,7 @@ This guide will show you how to implement authorization checks in order to prote ## Important considerations - When doing authorization checks, it's recommended to use permission-based over role-based, and feature-based over plan-based authorization, as these approaches are more granular, flexible, and more secure. - - Note: Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. + - Note: Using `has()` **on the server-side** to check permissions works only with **custom permissions**, as [system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions) aren't included in the session token claims. To check system permissions, verify the user's role instead. - Checking for a role or permission depends on the user having an [active organization](!active-organization). Without an active organization, the authorization checks will likely always evaluate to false by default. - If you would like to perform role-based authorization checks **without** using Clerk's organizations feature, see [the Role Based Access Control (RBAC) guide](/docs/guides/secure/basic-rbac). - If you have both organizations and billing enabled, a permission check will only work if the feature part of the permission key (`org::`) **is a feature included in the organization's active plan**. For example, say you want to check if an organization member has the custom permission `org:teams:manage`, where `teams` is the feature. Before performing the authorization check, you need to ensure that the user's organization is subscribed to a plan that has the `teams` feature. If not, the authorization check will always return `false`, _even if the user has the custom permission_. 
diff --git a/docs/guides/secure/basic-rbac.mdx b/docs/guides/secure/basic-rbac.mdx index fd2c398034..06aa291ad4 100644 --- a/docs/guides/secure/basic-rbac.mdx +++ b/docs/guides/secure/basic-rbac.mdx @@ -4,7 +4,7 @@ description: Learn how to leverage Clerk's publicMetadata to implement your own sdk: nextjs --- -To control which users can access certain parts of your app, you can use the [roles feature](/docs/guides/organizations/control-access/roles-and-permissions#roles). Although Clerk offers roles as part of the [organizations](/docs/guides/organizations/overview) feature set, not every app implements organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's organizations or roles.** +To control which users can access certain parts of your app, you can use the [roles feature](/docs/guides/organizations/roles-and-permissions#roles). Although Clerk offers roles as part of the [organizations](/docs/guides/organizations/overview) feature set, not every app implements organizations. **This guide covers a workaround to set up a basic Role Based Access Control (RBAC) system for products that don't use Clerk's organizations or roles.** This guide assumes that you're using Next.js App Router, but the concepts can be adapted to Next.js Pages Router and Remix. diff --git a/docs/guides/secure/features.mdx b/docs/guides/secure/features.mdx index 957d96fea5..6b841f47a4 100644 --- a/docs/guides/secure/features.mdx +++ b/docs/guides/secure/features.mdx 
@@ -7,7 +7,7 @@ Features are specific capabilities or functionalities in your application that y Features can be used in two ways: -- With Clerk's [organizations](/docs/guides/organizations/overview) feature to create custom permissions. Custom permissions are always tied to a feature, and are formatted as `org::`. For example, you could create a feature called **invoices** and then create a new permission called **create invoices**. The custom permission's key would be `org:invoices:create`. Learn more about [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions). +- With Clerk's [organizations](/docs/guides/organizations/overview) feature to create custom permissions. Custom permissions are always tied to a feature, and are formatted as `org::`. For example, you could create a feature called **invoices** and then create a new permission called **create invoices**. The custom permission's key would be `org:invoices:create`. Learn more about [custom permissions](/docs/guides/organizations/roles-and-permissions). - With Clerk's billing feature to create features specific to a subscription plan. See the [billing docs](/docs/guides/billing/overview) for more information. To manage your features, navigate to the [**Features**](https://dashboard.clerk.com/~/features) page in the Clerk Dashboard. diff --git a/docs/manifest.json b/docs/manifest.json index 9777c6d1c4..9221245069 100644 --- a/docs/manifest.json +++ b/docs/manifest.json 
@@ -657,48 +657,28 @@ "href": "/docs/guides/organizations/overview" }, { - "title": "Configure Organizations", + "title": "Configure organizations", "href": "/docs/guides/organizations/configure" }, { - "title": "Create and manage Organizations", + "title": "Create and manage organizations", "href": "/docs/guides/organizations/create-and-manage" }, { - "title": "Add members", - "collapse": true, - "items": [ - [ - { - "title": "Invitations", - "href": "/docs/guides/organizations/add-members/invitations" - }, - { - "title": "Verified domains", - "href": "/docs/guides/organizations/add-members/verified-domains" - }, - { - "title": "Enterprise SSO", - "href": "/docs/guides/organizations/add-members/sso" - } - ] - ] + "title": "Roles and permissions", + "href": "/docs/guides/organizations/roles-and-permissions" }, { - "title": "Control access", - "collapse": true, - "items": [ - [ - { - "title": "Roles and permissions", - "href": "/docs/guides/organizations/control-access/roles-and-permissions" - }, - { - "title": "Check roles and permissions", - "href": "/docs/guides/organizations/control-access/check-access" - } - ] - ] + "title": "Invitations", + "href": "/docs/guides/organizations/invitations" + }, + { + "title": "Verified domains", + "href": "/docs/guides/organizations/verified-domains" + }, + { + "title": "Enterprise SSO", + "href": "/docs/guides/organizations/sso" }, { "title": "Set organization metadata", diff --git a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx index 196edcc983..55a7f97b88 100644 --- a/docs/reference/backend/organization/create-organization-invitation-bulk.mdx +++ b/docs/reference/backend/organization/create-organization-invitation-bulk.mdx 
@@ -53,7 +53,7 @@ function createOrganizationInvitationBulk( - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the organization. + The [role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the organization. --- diff --git a/docs/reference/backend/organization/create-organization-invitation.mdx b/docs/reference/backend/organization/create-organization-invitation.mdx index b2e5b49b4a..74c0cb4551 100644 --- a/docs/reference/backend/organization/create-organization-invitation.mdx +++ b/docs/reference/backend/organization/create-organization-invitation.mdx @@ -41,7 +41,7 @@ function createOrganizationInvitation( - `role` - `string` - The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the invited user within the organization. + The [role](/docs/guides/organizations/roles-and-permissions) to assign the invited user within the organization. --- diff --git a/docs/reference/backend/organization/create-organization-membership.mdx b/docs/reference/backend/organization/create-organization-membership.mdx index cc54c0bb1a..ba9e5f9ba3 100644 --- a/docs/reference/backend/organization/create-organization-membership.mdx +++ b/docs/reference/backend/organization/create-organization-membership.mdx @@ -34,7 +34,7 @@ function createOrganizationMembership( - `role` - `string` - The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign the added user within the organization. + The [role](/docs/guides/organizations/roles-and-permissions) to assign the added user within the organization. ## Example diff --git a/docs/reference/backend/organization/update-organization-membership.mdx b/docs/reference/backend/organization/update-organization-membership.mdx index b248a394c0..8cd8b478a5 100644 
--- a/docs/reference/backend/organization/update-organization-membership.mdx +++ b/docs/reference/backend/organization/update-organization-membership.mdx @@ -34,7 +34,7 @@ function updateOrganizationMembership( - `role` - `string` - The [role](/docs/guides/organizations/control-access/roles-and-permissions) to assign user. + The [role](/docs/guides/organizations/roles-and-permissions) to assign user. ## Example diff --git a/docs/reference/backend/types/auth-object.mdx b/docs/reference/backend/types/auth-object.mdx index 084ccb29df..21628b4a69 100644 --- a/docs/reference/backend/types/auth-object.mdx +++ b/docs/reference/backend/types/auth-object.mdx @@ -135,14 +135,14 @@ function has(isAuthorizedParams: CheckAuthorizationParamsWithCustomPermissions): - `role` - `string` - The [role](/docs/guides/organizations/control-access/roles-and-permissions) to check for. + The [role](/docs/guides/organizations/roles-and-permissions) to check for. --- - `permission` - `string` - The [permission](/docs/guides/organizations/control-access/roles-and-permissions) to check for. + The [permission](/docs/guides/organizations/roles-and-permissions) to check for. --- diff --git a/docs/reference/components/control/protect.mdx b/docs/reference/components/control/protect.mdx index 9a6b759d0e..409f8885b4 100644 --- a/docs/reference/components/control/protect.mdx +++ b/docs/reference/components/control/protect.mdx 
@@ -1130,14 +1130,14 @@ The following example uses ``'s `condition` prop to conditionally rende - `permission?` - `string` - Optional string corresponding to a [permission](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org::` + Optional string corresponding to a [permission](/docs/guides/organizations/roles-and-permissions) in the format `org::` --- - `role?` - `string` - Optional string corresponding to a [role](/docs/guides/organizations/control-access/roles-and-permissions) in the format `org:` + Optional string corresponding to a [role](/docs/guides/organizations/roles-and-permissions) in the format `org:` --- diff --git a/docs/reference/components/organization/organization-list.mdx b/docs/reference/components/organization/organization-list.mdx index dbaf4a9529..8c259c23da 100644 --- a/docs/reference/components/organization/organization-list.mdx +++ b/docs/reference/components/organization/organization-list.mdx 
@@ -6,7 +6,7 @@ sdk: astro, chrome-extension, expo, nextjs, nuxt, react, react-router, remix, ta ![The \ component displays organization-related memberships and automatic invitations and suggestions for the user.](/docs/images/ui-components/organization-list.png){{ style: { maxWidth: '460px' } }} -The `` component displays organization-related memberships and automatic [invitations](/docs/guides/organizations/add-members/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/add-members/verified-domains#automatic-suggestions) for the user. +The `` component displays organization-related memberships and automatic [invitations](/docs/guides/organizations/verified-domains#automatic-invitations) and [suggestions](/docs/guides/organizations/verified-domains#automatic-suggestions) for the user. ` component allows users to manage their organizatio This component's **General** tab displays the organization's information and the **Leave organization** button. Admins will be able to see the **Update profile** button, **Verified domains** section, and **Delete organization** button. -The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/add-members/invitations) and [requests](/docs/guides/organizations/add-members/verified-domains#membership-requests). +The **Members** tab shows the organization's members along with their join dates and roles. Admins will have the ability to invite a member, change a member's role, or remove them from the organization. Admins will have tabs within the **Members** tab to view the organization's [invitations](/docs/guides/organizations/invitations) and [requests](/docs/guides/organizations/verified-domains#membership-requests). 
The **Billing** tab displays the plans and features that are available to the organization, as well as the user's billing information, such as their invoices and payment methods. diff --git a/docs/reference/javascript/organization.mdx b/docs/reference/javascript/organization.mdx index 07e99ee83f..5f68dffd51 100644 --- a/docs/reference/javascript/organization.mdx +++ b/docs/reference/javascript/organization.mdx @@ -227,7 +227,7 @@ function getDomains(params?: GetDomainsParams): Promise #### Example diff --git a/docs/reference/javascript/session.mdx b/docs/reference/javascript/session.mdx index d10c9d833b..e0bd31eeb6 100644 --- a/docs/reference/javascript/session.mdx +++ b/docs/reference/javascript/session.mdx @@ -266,14 +266,14 @@ type CheckAuthorizationParams = WithReverification< - `role` - `string` - Accepts [role](/docs/guides/organizations/control-access/roles-and-permissions#roles) key. + Accepts [role](/docs/guides/organizations/roles-and-permissions#roles) key. --- - `permission` - `string` - Accepts [permission](/docs/guides/organizations/control-access/roles-and-permissions#permissions) key. + Accepts [permission](/docs/guides/organizations/roles-and-permissions#permissions) key. --- diff --git a/docs/reference/javascript/types/organization-custom-permission-key.mdx b/docs/reference/javascript/types/organization-custom-permission-key.mdx index 58431d8171..4cfdb429cb 100644 --- a/docs/reference/javascript/types/organization-custom-permission-key.mdx +++ b/docs/reference/javascript/types/organization-custom-permission-key.mdx 
@@ -6,4 +6,4 @@ sdk: js-frontend `OrganizationCustomPermissionKey` is a type that represents a user's permission in an organization. It will be string unless the developer has provided their own types through [`ClerkAuthorization`](/docs/guides/development/override-clerk-types-interfaces#example-custom-roles-and-permissions). -Clerk provides [default system permissions](/docs/guides/organizations/control-access/roles-and-permissions#system-permissions). However, you can create [custom permissions](/docs/guides/organizations/control-access/roles-and-permissions#custom-permissions) as well. +Clerk provides [default system permissions](/docs/guides/organizations/roles-and-permissions#system-permissions). However, you can create [custom permissions](/docs/guides/organizations/roles-and-permissions#custom-permissions) as well. diff --git a/docs/reference/javascript/types/organization-domain.mdx b/docs/reference/javascript/types/organization-domain.mdx index 340a5fd221..d48c2826be 100644 --- a/docs/reference/javascript/types/organization-domain.mdx +++ b/docs/reference/javascript/types/organization-domain.mdx @@ -33,7 +33,7 @@ The `OrganizationDomain` object is the model around an organization domain. - `enrollmentMode` - `'manual_invitation' | 'automatic_invitation' | 'automatic_suggestion'` - An [enrollment mode](/docs/guides/organizations/add-members/verified-domains#enrollment-mode) will change how new users join an organization. + An [enrollment mode](/docs/guides/organizations/verified-domains#enrollment-mode) will change how new users join an organization. --- diff --git a/docs/reference/javascript/types/organization-invitation.mdx b/docs/reference/javascript/types/organization-invitation.mdx index 11ac8f7825..68cbee4d50 100644 --- a/docs/reference/javascript/types/organization-invitation.mdx +++ b/docs/reference/javascript/types/organization-invitation.mdx 
@@ -40,7 +40,7 @@ The `OrganizationInvitation` object is the model around an organization invitati - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. --- diff --git a/docs/reference/javascript/types/organization-membership.mdx b/docs/reference/javascript/types/organization-membership.mdx index bf9c707da0..604e0fb95d 100644 --- a/docs/reference/javascript/types/organization-membership.mdx +++ b/docs/reference/javascript/types/organization-membership.mdx @@ -26,7 +26,7 @@ The `OrganizationMembership` object is the model around an organization membersh - `role` - `string` - The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. --- @@ -81,5 +81,5 @@ function update(updateParams: UpdateOrganizationMembershipParams): Promise diff --git a/docs/reference/javascript/types/user-organization-invitation.mdx b/docs/reference/javascript/types/user-organization-invitation.mdx index e98d544b50..4f88f34215 100644 --- a/docs/reference/javascript/types/user-organization-invitation.mdx +++ b/docs/reference/javascript/types/user-organization-invitation.mdx @@ -46,7 +46,7 @@ The `UserOrganizationInvitation` object is the model around a user's invitation - `role` - [`OrganizationCustomRoleKey`](/docs/reference/javascript/types/organization-custom-role-key) - The [role](/docs/guides/organizations/control-access/roles-and-permissions) of the current user in the organization. + The [role](/docs/guides/organizations/roles-and-permissions) of the current user in the organization. --- 
diff --git a/redirects/static/docs.json b/redirects/static/docs.json index 1ac752fd49..5ca2a6c8f0 100644 --- a/redirects/static/docs.json +++ b/redirects/static/docs.json @@ -4181,22 +4181,22 @@ }, { "source": "/docs/guides/organizations/invitations", - "destination": "/docs/guides/organizations/add-members/invitations", + "destination": "/docs/guides/organizations/invitations", "permanent": true }, { "source": "/docs/guides/organizations/verified-domains", - "destination": "/docs/guides/organizations/add-members/verified-domains", + "destination": "/docs/guides/organizations/verified-domains", "permanent": true }, { "source": "/docs/guides/organizations/sso", - "destination": "/docs/guides/organizations/add-members/sso", + "destination": "/docs/guides/organizations/sso", "permanent": true }, { "source": "/docs/guides/organizations/roles-and-permissions", - "destination": "/docs/guides/organizations/control-access/roles-and-permissions", + "destination": "/docs/guides/organizations/roles-and-permissions", "permanent": true }, { From d734d2d657baa32fcb8da954d2f723b7be49d751 Mon Sep 17 00:00:00 2001 From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Wed, 5 Nov 2025 17:22:35 -0500 Subject: [PATCH 09/14] update overview --- docs/guides/organizations/overview.mdx | 52 +++++--------------------- 1 file changed, 9 insertions(+), 43 deletions(-) diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index 4f0c5f0fab..b477ec0e8a 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -15,11 +15,11 @@ Users can belong to multiple organizations, and Clerk provides the organization ## How do organizations work? -Organizations live within your Clerk application. Each application can contain multiple organizations, and each organization can have multiple users. You define roles and permissions once at the application level, and they apply across all organizations within that application. +Organizations live within your Clerk application. Each application can contain multiple organizations, and each organization can have multiple users. You define [roles and permissions](/docs/guides/organizations/roles-and-permissions) once at the application level, and they apply across all organizations within that application. ![Relationship between Clerk organization, users, roles and permissions](/docs/images/orgs/relationship-diagram.png) -The organization that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. Users can switch between organizations using the [``](/docs/reference/components/organization/organization-switcher) component. +The organization that a user is currently viewing is called the **active organization**. The active organization determines which organization-specific data the user can access and which role and related permissions they have within the organization. Clerk measures organization usage through **Monthly Active Organizations (MAOs)**. An MAO is an organization with at least two users that have signed in that month, where at least one has interacted with the organization during the current billing cycle. Free plans include up to 50 MAOs in development and 100 in production. Pro plans offer unlimited development MAOs and start at 100 free production MAOs, then $1 per additional MAO. 
Refer to the [pricing page](/pricing){{ target: '_blank' }} for complete details. 
@@ -36,55 +36,21 @@ The core workflow consists of three stages: 1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. -1. **Invite**: You can bring people into organizations in different ways depending on your needs: - - **Invitations** for bottom-up adoption, where individual users invite teammates with precise control over roles. - - **Verified domains** for company-wide rollouts, where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval). - - **Enterprise connections** (SAML or OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP). +1. **Add members**: You can add members to organizations in different ways depending on your needs: + - [**Invitations**](/docs/guides/organizations/invitations) for bottom-up adoption, where individual users invite teammates with precise control over roles. + - [**Verified domains**](/docs/guides/organizations/verified-domains) for company-wide rollouts, where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval). + - [**Enterprise connections**](/docs/guides/organizations/sso) (SAML or OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP). You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. -1. 
**Control**: You manage access to content or entire pages using roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](/docs/guides/organizations/check-access) in both frontend and backend code. +1. **Control access**: You can manage access to content or entire pages using roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](!authorization-check) in both frontend and backend code. Beyond these core steps, you can also monitor organization health and growth with analytics in the Clerk Dashboard. This helps you spot which organizations are growing, staying active, or dropping off, so you know what's working and where you might need attention. -## Why organizations? - -Organizations help you build multi-tenant applications faster, support team collaboration at scale, and provide enterprise-grade access control. This model is especially valuable for B2B2C products in a growth stage and B2C products expanding into B2B. - -### Enable secure team collaboration - -Modern applications need to support users who work across multiple teams or client accounts. Organizations provide the structure for this multi-tenant usage while keeping data boundaries clear. Users can switch between organizations without auth or data leakage between tenants. Each organization maintains its own settings, roles, and members, while users can belong to multiple organizations with a single account. - -### Automate team enrollment - -Managing who can join an organization becomes easier when you can set enrollment rules. Verified domains let you automatically invite or suggest organizations to users with approved company emails. 
When a user signs up with a matching email domain, they can join the organization without manual approval. This streamlines onboarding for company-wide rollouts and reduces friction for IT administrators. - -For B2B2C SaaS onboarding entire companies, verified domains handle the scale. When Acme Corp adopts your product, all `@acme.com` employees automatically join their company's organization without needing to deal with manual invitations. - -### Support enterprise authentication - -Large customers often require centralized authentication through their identity provider. Organization-level SSO lets members authenticate with SAML or OIDC protocols through providers like Okta, Microsoft Entra ID, and Google Workspace. When users sign in through their IdP, Clerk automatically adds them to the organization with the appropriate role. This satisfies enterprise security requirements and maintains existing identity workflows. - -As B2C products scale into enterprise customers, SSO becomes essential. Products that started with individual email sign-ups need to evolve to support IT-managed authentication for Fortune 500 buyers. - -### Control access with roles and permissions - -Organizations support role-based access control (RBAC) so the right people can do the right work. Default admin and member roles cover common cases, and custom roles and permissions let you create fine-grained access that maps to your features and teams. Clerk embeds the active organization's roles and permissions in the session, enabling you to perform [authorization checks](/docs/guides/organizations/check-access) without extra network requests. - -### Monitor organization growth - -The Clerk Dashboard provides comprehensive organization growth tracking with the same level of insight you have for user growth. Track new, reactivated, retained, and churned organizations over time with detailed analytics. 
The organization growth chart shows activity breakdowns across each period, and you can analyze data across different time periods to see daily, weekly, or monthly active organizations. A detailed cohort table lets you drill into individual organizations and investigate specific trends by clicking chart segments. - -For B2B products, organization-level analytics reveal which customer accounts are growing or churning. This helps you understand product-market fit at the account level, not just individual usage. - -### Monetize with subscription plans - -Clerk's [billing for B2B](/docs/guides/billing/for-b2b) lets you create subscription plans and manage payments for organizations. You can gate features behind specific plans, ensuring organizations only access functionality they've subscribed to. Billing integrates directly with roles and permissions, so when you create custom permissions tied to features, those permissions only work if the organization's active plan includes that feature. This makes it easy to build tiered pricing models where higher-tier plans unlock additional capabilities. - ## Next steps -Now that you understand what Organizations are and how they work, here's how to implement them: +Now that you understand what organizations are and how they work, here's how to implement them: -- [Configure global settings](/docs/guides/organizations/configure) +- [Configure organization settings](/docs/guides/organizations/configure) - [Create and manage organizations](/docs/guides/organizations/create-and-manage) - [Invite members](/docs/guides/organizations/invitations) - [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) From 6913823b6ec132949f0bbb32c1fd7683e1dcde32 Mon Sep 17 00:00:00 2001 
From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Wed, 5 Nov 2025 17:36:05 -0500 Subject: [PATCH 10/14] another overview update; update metadata --- docs/guides/organizations/metadata.mdx | 43 ++++++++++++++++++++++ docs/guides/organizations/overview.mdx | 8 ++-- docs/guides/organizations/set-metadata.mdx | 43 ---------------------- docs/manifest.json | 2 +- 4 files changed, 49 insertions(+), 47 deletions(-) create mode 100644 docs/guides/organizations/metadata.mdx delete mode 100644 docs/guides/organizations/set-metadata.mdx diff --git a/docs/guides/organizations/metadata.mdx b/docs/guides/organizations/metadata.mdx new file mode 100644 index 0000000000..4e35960ad0 --- /dev/null +++ b/docs/guides/organizations/metadata.mdx 
@@ -0,0 +1,43 @@ +--- +title: Organization metadata +description: Learn how to add custom metadata to your B2B authentication flows to store additional information in the org object for advanced user segmentation, analytics, and B2B workflows. +metadata: + title: Custom metadata for B2B authentication flows +--- + +Organization metadata lets you store custom information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. This is useful for advanced user segmentation, analytics, or storing application-specific data like subscription tier, department, or region. + +Metadata is stored on the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/organization-membership) objects. + +## Types of metadata + +There are two types of organization metadata: "public" and "private". + +| Metadata | Frontend API | Backend API | +| - | - | - | +| Public | Read access | Read & write access | +| Private | No read or write access | Read & write access | + +Both the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/organization-membership) objects have the metadata fields: `publicMetadata` and `privateMetadata`. + +- Use the `publicMetadata` property if you need to set some metadata from your backend and have them displayed as read-only on the frontend. +- Use the `privateMetadata` property if the custom attributes contain sensitive information that should not be displayed on the frontend. + +## Set organization metadata + +You can set organization metadata in the [Clerk Dashboard](https://dashboard.clerk.com/~/organizations) or using Clerk's Backend API. 
See the [`updateOrganizationMetadata()`](/docs/reference/backend/organization/update-organization-metadata) and [`updateOrganizationMembershipMetadata()`](/docs/reference/backend/organization/update-organization-membership-metadata) methods for more information. + +## Access public metadata + +To access public metadata on the frontend, it's available on the [`Organization`](/docs/reference/javascript/organization) object, which can be accessed using the [`useOrganization()`](/docs/reference/hooks/use-organization) hook. + +To access public metadata on the backend, it's available on the [Backend `Organization`](/docs/reference/backend/types/backend-organization) object which can be accessed using the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. This method will return the `Organization` object which contains the public metadata. However, this method is subject to [rate limits](/docs/guides/how-clerk-works/system-limits#backend-api-requests), so _if you are accessing the metadata frequently_, it's recommended to [attach it to the user's session token](#metadata-in-the-session-token). + +## Next steps + +Now that you understand organization metadata, you can: + +- [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing +- [Add metadata to invitations](/docs/guides/organizations/invitations#invitation-metadata) to track invitation sources or assign attributes +- [Create and manage organizations](/docs/guides/organizations/create-and-manage) to see metadata in action +- [Check roles and permissions](/docs/guides/organizations/check-access) to control access based on metadata values diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index b477ec0e8a..39c129fc0d 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -32,15 +32,17 @@ If personal accounts are enabled, when a user signs in, they will sign in to the ### Core workflow -The core workflow consists of three stages: +The core workflow when working with organizations can follow something along the lines of: -1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and metadata. Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. +1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and [metadata](/docs/guides/organizations/set-metadata). Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. Learn more about [creating and managing organizations](/docs/guides/organizations/create-and-manage). 1. **Add members**: You can add members to organizations in different ways depending on your needs: + - [**Invitations**](/docs/guides/organizations/invitations) for bottom-up adoption, where individual users invite teammates with precise control over roles. - [**Verified domains**](/docs/guides/organizations/verified-domains) for company-wide rollouts, where Clerk automatically invites users with matching email domains (who can join immediately) or suggests they join (requiring admin approval). - [**Enterprise connections**](/docs/guides/organizations/sso) (SAML or OIDC) for top-down deployments managed by IT with centralized authentication through an Identity Provider (IdP). 
- You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. + + You can combine these approaches: use manual invitations for external contractors alongside domain-based enrollment for employees. The active organization determines which members and roles apply to the current context. 1. **Control access**: You can manage access to content or entire pages using roles and permissions. Default admin and member roles cover common cases, while custom roles and permissions provide fine-grained access for more complex needs. You can perform [authorization checks](!authorization-check) in both frontend and backend code. diff --git a/docs/guides/organizations/set-metadata.mdx b/docs/guides/organizations/set-metadata.mdx deleted file mode 100644 index 80c8eb2b3f..0000000000 --- a/docs/guides/organizations/set-metadata.mdx +++ /dev/null 
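Review bot: In the overview.mdx hunk above, the rewritten **Create** item links to `/docs/guides/organizations/set-metadata`, but this same commit deletes `set-metadata.mdx` and adds `metadata.mdx`, so the link points at a page the commit removes. Point it at `/docs/guides/organizations/metadata` here rather than leaving it for the later "link fixes" commit. The new lead-in "can follow something along the lines of" is also vaguer than the "consists of three stages" it replaces; consider keeping the direct wording.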
@@ -1,43 +0,0 @@ ---- -title: Organization metadata -description: Learn how to add custom metadata to your B2B authentication flows to store additional information in the org object for advanced user segmentation, analytics, and B2B workflows. -metadata: - title: Custom metadata for B2B authentication flows ---- - -Organization metadata lets you store custom information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. This is useful for advanced user segmentation, analytics, or storing application-specific data like subscription tier, department, or region. - -There are two types of metadata: **public** and **private**. - -- You can set both **public** and **private** metadata and access them from the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. -- You can access only **public** metadata from the [Frontend API](/docs/reference/frontend-api/){{ target: '_blank' }}. - -Both the `Organization` and `Organization Membership` objects have the metadata fields: `publicMetadata` and `privateMetadata`. - -- Use the `publicMetadata` property if you need to set some metadata from your backend and have them displayed as read-only on the frontend. -- Use the `privateMetadata` property if the custom attributes contain sensitive information that should not be displayed on the frontend. - -## Set organization metadata - -You can set organization metadata in the Clerk dashboard or using the [JS Backend SDK](/docs/js-backend/getting-started/quickstart). - -### Clerk Dashboard - -1. In the Clerk Dashboard, navigate to the [**Organizations**](https://dashboard.clerk.com/~/organizations) page. -1. Select the organization you want to update. -1. In the **Organization metadata** section, select **Edit** next to the metadata you want to update. 
- -### JS Backend SDK - -To ease the flow of setting metadata, Clerk provides the [`updateOrganizationMetadata()`](/docs/reference/backend/organization/update-organization-metadata) and [`updateOrganizationMembershipMetadata()`](/docs/reference/backend/organization/update-organization-membership-metadata) methods from the [JS Backend](/docs/js-backend/getting-started/quickstart), which is a wrapper around the [Backend API](/docs/reference/backend-api){{ target: '_blank' }}. - - - -## Next steps - -Now that you understand organization metadata, you can: - -- [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing -- [Add metadata to invitations](/docs/guides/organizations/invitations#invitation-metadata) to track invitation sources or assign attributes -- [Create and manage organizations](/docs/guides/organizations/create-and-manage) to see metadata in action -- [Check roles and permissions](/docs/guides/organizations/check-access) to control access based on metadata values diff --git a/docs/manifest.json b/docs/manifest.json index 9221245069..c9c4878e86 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -682,7 +682,7 @@ }, { "title": "Set organization metadata", - "href": "/docs/guides/organizations/set-metadata" + "href": "/docs/guides/organizations/metadata" }, { "title": "Use organization slugs in URLs", From 772f1d3139acab2436c81f9fe3349eb110d70720 Mon Sep 17 00:00:00 2001 From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Wed, 5 Nov 2025 17:40:53 -0500 Subject: [PATCH 11/14] update authorization checks metadata --- docs/guides/secure/authorization-checks.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/guides/secure/authorization-checks.mdx b/docs/guides/secure/authorization-checks.mdx index 93dbbb36f7..9250ac5959 100644 --- a/docs/guides/secure/authorization-checks.mdx +++ b/docs/guides/secure/authorization-checks.mdx 
@@ -1,6 +1,6 @@ --- -title: Authorize users -description: Learn how to verify and validate user roles and permissions within Clerk to maintain secure access control. We provide a collection of utility functions and components that allow developers to perform authorization checks. +title: Authorization checks +description: Learn how to verify and validate user roles and permissions within Clerk to maintain secure access control. metadata: title: Verifying user permissions with Clerk --- From faec6dd969387d3c267615b412297021688131af Mon Sep 17 00:00:00 2001 From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Wed, 5 Nov 2025 17:45:37 -0500 Subject: [PATCH 12/14] link fixes --- .../organizations/create-and-manage.mdx | 2 +- docs/guides/organizations/invitations.mdx | 2 +- docs/guides/organizations/metadata.mdx | 17 +++++++-- docs/guides/organizations/overview.mdx | 2 +- redirects/static/docs.json | 35 ------------------- 5 files changed, 18 insertions(+), 40 deletions(-) diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx index b514a13da0..83d6c6d96e 100644 --- a/docs/guides/organizations/create-and-manage.mdx +++ b/docs/guides/organizations/create-and-manage.mdx @@ -55,7 +55,7 @@ If [personal accounts are enabled](/docs/guides/organizations/configure#allow-pe Now that you know how to create and manage organizations, you can: -- [Add custom data with organization metadata](/docs/guides/organizations/set-metadata) +- [Add custom data with organization metadata](/docs/guides/organizations/metadata) - [Use organization slugs in URLs](/docs/guides/organizations/org-slugs-in-urls) for tenant-specific routing - [Invite members to organizations](/docs/guides/organizations/invitations) - [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) 
diff --git a/docs/guides/organizations/invitations.mdx b/docs/guides/organizations/invitations.mdx index 17855b81dd..a9afbeadd8 100644 --- a/docs/guides/organizations/invitations.mdx +++ b/docs/guides/organizations/invitations.mdx @@ -163,4 +163,4 @@ Now that you know how to invite users to your organization, you can: - [Configure verified domains](/docs/guides/organizations/verified-domains) to automatically invite users based on their email domain - [Set up enterprise SSO](/docs/guides/organizations/sso) for centralized authentication through an Identity Provider - [Set up roles and permissions](/docs/guides/organizations/roles-and-permissions) to control what invited users can access -- [Add metadata to invitations](/docs/guides/organizations/set-metadata) for tracking or custom workflows +- [Add metadata to invitations](/docs/guides/organizations/metadata) for tracking or custom workflows diff --git a/docs/guides/organizations/metadata.mdx b/docs/guides/organizations/metadata.mdx index 4e35960ad0..1b5519e1b2 100644 --- a/docs/guides/organizations/metadata.mdx +++ b/docs/guides/organizations/metadata.mdx @@ -7,7 +7,7 @@ metadata: Organization metadata lets you store custom information about an organization that is not part of the standard fields, such as custom attributes that are specific to your application. This is useful for advanced user segmentation, analytics, or storing application-specific data like subscription tier, department, or region. -Metadata is stored on the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/organization-membership) objects. +Metadata is stored on the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/types/organization-membership) objects. ## Types of metadata 
@@ -18,7 +18,7 @@ There are two types of organization metadata: "public" and "private". | Public | Read access | Read & write access | | Private | No read or write access | Read & write access | -Both the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/organization-membership) objects have the metadata fields: `publicMetadata` and `privateMetadata`. +Both the [`Organization`](/docs/reference/javascript/organization) and [`OrganizationMembership`](/docs/reference/javascript/types/organization-membership) objects have the metadata fields: `publicMetadata` and `privateMetadata`. - Use the `publicMetadata` property if you need to set some metadata from your backend and have them displayed as read-only on the frontend. - Use the `privateMetadata` property if the custom attributes contain sensitive information that should not be displayed on the frontend. 
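Review bot: On the `privateMetadata` bullet kept as context in this hunk, "should not be displayed on the frontend" undersells the boundary the table just above it states: public metadata is readable through the Frontend API and private metadata is not readable there at all. Since this paragraph is being touched anyway, consider wording both bullets in terms of what the client can read, for example that any value the client must never be able to read belongs in `privateMetadata`.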
@@ -33,6 +33,19 @@ To access public metadata on the frontend, it's available on the [`Organization` To access public metadata on the backend, it's available on the [Backend `Organization`](/docs/reference/backend/types/backend-organization) object which can be accessed using the [`getOrganization()`](/docs/reference/backend/organization/get-organization) method. This method will return the `Organization` object which contains the public metadata. However, this method is subject to [rate limits](/docs/guides/how-clerk-works/system-limits#backend-api-requests), so _if you are accessing the metadata frequently_, it's recommended to [attach it to the user's session token](#metadata-in-the-session-token). +## Metadata in the session token + +Retrieving metadata from the `Organization` or `OrganizationMembership` objects on the server-side requires making an API request to Clerk's Backend API, which is slower and is subject to [rate limits](/docs/guides/how-clerk-works/system-limits#backend-api-requests). You can store it in the user's session token, which doesn't require making an API request as it's available on the user's authentication context. **However, there is a size limitation to keep in mind.** Clerk stores the session token in a cookie, and most browsers cap cookie size at [**4KB**](https://datatracker.ietf.org/doc/html/rfc2109#section-6.3). After accounting for the size of Clerk's default claims, the cookie can support **up to 1.2KB** of custom claims. **Exceeding this limit will cause the cookie to not be set, which will break your app as Clerk depends on cookies to work properly.** + +If you need to store more than 1.2KB of metadata, you should [store the extra data in your own database](/docs/guides/development/webhooks/syncing#storing-extra-user-data) instead. 
If this isn't an option, you can [move particularly large claims out of the token](/docs/guides/sessions/session-tokens#example) and fetch them using a separate API call from your backend, but this approach brings back the issue of making an API request to Clerk's Backend API, which is slower and is subject to rate limits. + +Another limitation of storing metadata in the session token is that when you modify metadata server-side, the changes won't appear in the session token until the next refresh. To avoid race conditions, either [force a JWT refresh](/docs/guides/sessions/force-token-refresh) after metadata changes or handle the delay in your application logic. + +If you've considered the limitations, and you still want to store metadata in the session token: + +1. In the Clerk Dashboard, navigate to the [**Sessions**](https://dashboard.clerk.com/~/sessions) page. +1. Under **Customize session token**, in the **Claims** editor, you can add any claim to your session token that you need and select **Save**. To avoid exceeding the session token's 1.2KB limit, it's not recommended to add the entire `organization.public_metadata` or `organization_membership.public_metadata` object. Instead, add individual fields as claims, like `organization.public_metadata.birthday`. When doing this, it's recommended to leave particularly large claims out of the token to avoid exceeding the session token's size limit. See the [example](/docs/guides/sessions/session-tokens#example) for more information. + ## Next steps Now that you understand organization metadata, you can: diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index 39c129fc0d..a0787d6a71 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
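Review bot: In the new "Metadata in the session token" section of metadata.mdx, the example claim `organization.public_metadata.birthday` and the link to `/docs/guides/development/webhooks/syncing#storing-extra-user-data` read as carried over from user metadata docs. Use an organization-level field, such as the subscription tier or region the page's introduction mentions, and check that the linked section applies to organization data. The stale-token paragraph would also benefit from saying that a claim used for an access decision keeps its old value until the token refreshes, so a server-side change is not enforced before then. The 4KB figure cites RFC 2109, which has been obsoleted; RFC 6265 is the current cookie specification.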
@@ -34,7 +34,7 @@ If personal accounts are enabled, when a user signs in, they will sign in to the The core workflow when working with organizations can follow something along the lines of: -1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and [metadata](/docs/guides/organizations/set-metadata). Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. Learn more about [creating and managing organizations](/docs/guides/organizations/create-and-manage). +1. **Create**: You can create organizations [in the Clerk Dashboard](https://dashboard.clerk.com/~/organizations), or end users can create them in your application through prebuilt components or APIs. Each organization has a profile, settings, and [metadata](/docs/guides/organizations/metadata). Users can belong to multiple organizations and switch between them with the [``](/docs/reference/components/organization/organization-switcher) component. Learn more about [creating and managing organizations](/docs/guides/organizations/create-and-manage). 1. **Add members**: You can add members to organizations in different ways depending on your needs: diff --git a/redirects/static/docs.json b/redirects/static/docs.json index 5ca2a6c8f0..5d87745b86 100644 --- a/redirects/static/docs.json +++ b/redirects/static/docs.json 
@@ -4178,40 +4178,5 @@ "source": "/docs/authentication/saml/google", "destination": "/docs/guides/configure/auth-strategies/enterprise-connections/saml/google", "permanent": true - }, - { - "source": "/docs/guides/organizations/invitations", - "destination": "/docs/guides/organizations/invitations", - "permanent": true - }, - { - "source": "/docs/guides/organizations/verified-domains", - "destination": "/docs/guides/organizations/verified-domains", - "permanent": true - }, - { - "source": "/docs/guides/organizations/sso", - "destination": "/docs/guides/organizations/sso", - "permanent": true - }, - { - "source": "/docs/guides/organizations/roles-and-permissions", - "destination": "/docs/guides/organizations/roles-and-permissions", - "permanent": true - }, - { - "source": "/docs/guides/organizations/metadata", - "destination": "/docs/guides/organizations/set-metadata", - "permanent": true - }, - { - "source": "/docs/guides/organizations/create-and-manage/metadata", - "destination": "/docs/guides/organizations/set-metadata", - "permanent": true - }, - { - "source": "/docs/guides/organizations/create-and-manage/org-slugs-in-urls", - "destination": "/docs/guides/organizations/org-slugs-in-urls", - "permanent": true } ] From ef57b7d14abbea5d0a5152750ed5d419369cfa68 Mon Sep 17 00:00:00 2001 
From: Sarah Soutoul Date: Tue, 11 Nov 2025 11:24:49 -0600 Subject: [PATCH 13/14] docs review pt2 --- docs/guides/organizations/check-access.mdx | 2 +- docs/guides/organizations/configure.mdx | 4 +--- docs/guides/organizations/create-and-manage.mdx | 2 +- docs/guides/organizations/invitations.mdx | 11 +++++------ docs/guides/organizations/metadata.mdx | 2 +- docs/guides/organizations/org-slugs-in-urls.mdx | 12 ++++++------ docs/guides/organizations/overview.mdx | 6 ++---- docs/guides/organizations/roles-and-permissions.mdx | 4 ++-- docs/guides/organizations/sso.mdx | 10 +++++----- docs/guides/organizations/verified-domains.mdx | 6 +++--- 10 files changed, 27 insertions(+), 32 deletions(-) diff --git a/docs/guides/organizations/check-access.mdx b/docs/guides/organizations/check-access.mdx index 093316630c..1c7c6ed941 100644 --- a/docs/guides/organizations/check-access.mdx +++ b/docs/guides/organizations/check-access.mdx @@ -2,7 +2,7 @@ title: Check roles and permissions with authorization checks description: Limit access to content or entire routes based on a user's organization role or permissions. metadata: - title: Check roles and permissions in Organizations + title: Check roles and permissions in organizations --- Authorization checks verify that users can only access resources and perform actions they have permission for within an organization. These checks are essential for protecting sensitive data, gating premium features, and ensuring users stay within their allowed scope of access. diff --git a/docs/guides/organizations/configure.mdx b/docs/guides/organizations/configure.mdx index dba873d06f..1f84d9d975 100644 --- a/docs/guides/organizations/configure.mdx +++ b/docs/guides/organizations/configure.mdx 
@@ -27,7 +27,7 @@ To enable organizations: 1. In the modal, toggle **Allow personal accounts** based on your decision above. 1. Select **Enable**. -Clerk measures Organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. +Clerk measures organizations by Monthly Active Organizations (MAOs). Refer to the [overview page](/docs/guides/organizations/overview#how-do-organizations-work) for pricing details and limits. ## Organization settings @@ -145,8 +145,6 @@ Learn more about the [Creator role and how to reassign it](/docs/guides/organiza This setting controls whether organization members can delete organizations. -### Allow new members to delete organizations - By default, any member with the [`org:sys_profile:delete` system permission](/docs/guides/organizations/roles-and-permissions#system-permissions) can delete an organization. You can disable this if you want to prevent accidental data loss or require your own approval process before organizations are removed. To change this setting: diff --git a/docs/guides/organizations/create-and-manage.mdx b/docs/guides/organizations/create-and-manage.mdx index 83d6c6d96e..74ae485efc 100644 --- a/docs/guides/organizations/create-and-manage.mdx +++ b/docs/guides/organizations/create-and-manage.mdx 
@@ -5,7 +5,7 @@ metadata: title: Create and manage Organizations with Clerk --- -Organizations can be created and managed either in the Clerk Dashboard or in your application. This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring memberships), refer to the [dedicated guide](/docs/guides/organizations/configure). +Organizations can be created and managed either **in the Clerk Dashboard** or **in your application**. This guide covers working with individual organizations. For global settings that affect all organizations in your application (like enabling organizations, setting default roles, or configuring memberships), refer to the [dedicated guide](/docs/guides/organizations/configure). ## Create an organization diff --git a/docs/guides/organizations/invitations.mdx b/docs/guides/organizations/invitations.mdx index a9afbeadd8..50e2d2cb50 100644 --- a/docs/guides/organizations/invitations.mdx +++ b/docs/guides/organizations/invitations.mdx 
@@ -17,9 +17,9 @@ To configure your application's **Email** settings, navigate to the [**User & au Invitations work well when you need precise control over who joins your organization and which role they receive. This approach fits scenarios where: -- Teams are small and members are known in advance -- Onboarding requires manual approval or review -- Specific roles need to be assigned during the invitation +- Teams are small and members are known in advance. +- Onboarding requires manual approval or review. +- Specific roles need to be assigned during the invitation. If you want to streamline enrollment for users with company email addresses, consider [verified domains](/docs/guides/organizations/verified-domains), which can automatically invite users based on their email domain. If customers require centralized authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/sso). 
@@ -93,12 +93,11 @@ Once the user visits the invitation link, they will be redirected to the page yo > [!TIP] > -> - To test redirect URLs in your development environment, pass your port. For example, `http://localhost:3000/accept-invitation`. +> To test redirect URLs in your development environment, pass your port. For example, `http://localhost:3000/accept-invitation`. ### Invitation metadata -You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, Clerk stores the **invitation** metadata (`OrganizationInvitation.publicMetadata`) in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). You can find more information about organization membership metadata in the [Organization -Membership](/docs/reference/javascript/types/organization-membership) docs. +You can also add metadata to an invitation when creating the invitation through the Backend API. Once the invited user signs up using the invitation link, Clerk stores the **invitation** metadata (`OrganizationInvitation.publicMetadata`) in the organization **membership's** metadata (`OrganizationMembership.publicMetadata`). For more details on organization membership metadata, see the [OrganizationMembership](/docs/reference/javascript/types/organization-membership) reference. To add metadata to an invitation, add the `public_metadata` parameter when creating the invitation. diff --git a/docs/guides/organizations/metadata.mdx b/docs/guides/organizations/metadata.mdx index 1b5519e1b2..120e8579e8 100644 --- a/docs/guides/organizations/metadata.mdx +++ b/docs/guides/organizations/metadata.mdx 
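Review bot: In the rewritten last sentence of the invitation metadata paragraph, the link text `[OrganizationMembership]` is plain, while metadata.mdx in this series writes the same reference with the name in backticks; match that. Since the paragraph says invitation `publicMetadata` is copied into `OrganizationMembership.publicMetadata`, and the table in metadata.mdx gives the Frontend API read access to public metadata, a short sentence here telling readers not to put sensitive values in an invitation's `public_metadata` would be useful.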
@@ -11,7 +11,7 @@ Metadata is stored on the [`Organization`](/docs/reference/javascript/organizati ## Types of metadata -There are two types of organization metadata: "public" and "private". +There are two types of organization metadata: **public** and **private**. | Metadata | Frontend API | Backend API | | - | - | - | diff --git a/docs/guides/organizations/org-slugs-in-urls.mdx b/docs/guides/organizations/org-slugs-in-urls.mdx index f71a8bba06..361c3d8263 100644 --- a/docs/guides/organizations/org-slugs-in-urls.mdx +++ b/docs/guides/organizations/org-slugs-in-urls.mdx @@ -49,15 +49,15 @@ This feature is intended for apps that **require** organization slugs in URLs. * Use organization slugs if: -- Users frequently share links for public-facing content (e.g., documentation, marketing materials, and third-party blogs) -- Users regularly switch between multiple organizations -- Organization-specific URLs provide meaningful context +- Users frequently share links for public-facing content (e.g., documentation, marketing materials, and third-party blogs). +- Users regularly switch between multiple organizations. +- Organization-specific URLs provide meaningful context. **Don't** use organization slugs if: -- Most users belong to only one organization -- You want to keep URLs simple and consistent -- You're primarily using the Clerk session for organization context +- Most users belong to only one organization. +- You want to keep URLs simple and consistent. +- You're primarily using the Clerk session for organization context. This guide shows you how to add organization slugs to your app's URLs, configure Clerk components to handle slug-based navigation, and access organization data based on the URL slug at runtime. diff --git a/docs/guides/organizations/overview.mdx b/docs/guides/organizations/overview.mdx index a0787d6a71..7ad9ab8ea0 100644 --- a/docs/guides/organizations/overview.mdx +++ b/docs/guides/organizations/overview.mdx 
@@ -10,8 +10,7 @@ Organizations let you group users with roles and permissions. This lets you buil Users can belong to multiple organizations, and Clerk provides the organization context (memberships, roles, and the active organization) in each session. You can then use this context to control what data to show and what actions to allow. > [!NOTE] -> To explore organizations in Clerk, check out the demo apps: -> [https://github.com/clerk/orgs](https://github.com/clerk/orgs) +> To explore organizations in Clerk, check out the [demo apps](https://github.com/clerk/orgs). ## How do organizations work? 
@@ -27,8 +26,7 @@ Clerk measures organization usage through **Monthly Active Organizations (MAOs)* By default, personal accounts are disabled and users are required to be a member of at least one organization, which will be set as the active organization. -If personal accounts are enabled, when a user signs in, they will sign in to their personal account and **no** active organization will be set. The easiest way to allow users to set an organization as active is to use the -[``](/docs/reference/components/organization/organization-switcher) component. If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can also use the [`setActive()`](/docs/reference/javascript/clerk#set-active) method, which is returned by the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook. If you aren't using hooks, you can access the [`setActive()`](/docs/reference/javascript/clerk#set-active) method from the [`Clerk`](/docs/reference/javascript/clerk) object. +If personal accounts are enabled, when a user signs in, they will sign in to their personal account and **no** active organization will be set. The easiest way to allow users to set an organization as active is to use the [``](/docs/reference/components/organization/organization-switcher) component. If the prebuilt components don't meet your specific needs or if you require more control over the logic, you can use the [`setActive()`](/docs/reference/javascript/clerk#set-active) method returned by the [`useOrganizationList()`](/docs/reference/hooks/use-organization-list) hook, or access it directly from the [`Clerk`](/docs/reference/javascript/clerk) object. ### Core workflow diff --git a/docs/guides/organizations/roles-and-permissions.mdx b/docs/guides/organizations/roles-and-permissions.mdx index b8cf345bee..4db37883af 100644 --- a/docs/guides/organizations/roles-and-permissions.mdx +++ b/docs/guides/organizations/roles-and-permissions.mdx 
@@ -7,7 +7,7 @@ metadata: -Roles and permissions let you control who can access specific resources and perform certain actions within each organization. Clerk provides default admin and member roles that cover common use cases. Clerk also supports modeling your own custom role and fine-grained permissions to that map to your application's features and team structure. +Roles and permissions let you control who can access specific resources and perform certain actions within each organization. Clerk provides two default roles - **admin** and **member** - that cover most common use cases. You can also create custom roles and fine-grained permissions that fit your application's specific features and team setup. ## Roles @@ -68,7 +68,7 @@ To create a new role: ### Change a user's role -You can change a user's role in the Clerk Dashboard, or in your application, such as in the [``](/docs/reference/components/organization/organization-switcher) component. +You can change a user's role in the Clerk Dashboard, or in your application using the [``](/docs/reference/components/organization/organization-switcher) component. To change a user's role in the Clerk Dashboard: diff --git a/docs/guides/organizations/sso.mdx b/docs/guides/organizations/sso.mdx index ca1e971a89..ad40d67356 100644 --- a/docs/guides/organizations/sso.mdx +++ b/docs/guides/organizations/sso.mdx 
@@ -13,9 +13,9 @@ When users sign up or sign in using an organization's enterprise connection, Cle Enterprise SSO works well when customers require centralized authentication through their Identity Provider. This approach fits scenarios where: -- Enterprise customers have security requirements that mandate IdP-based authentication -- IT teams need to manage user provisioning from a central location -- Organizations want to maintain existing identity management workflows +- Enterprise customers have security requirements that mandate IdP-based authentication. +- IT teams need to manage user provisioning from a central location. +- Organizations want to maintain existing identity management workflows. If you need manual control over who joins and their [roles](/docs/guides/organizations/roles-and-permissions), use [invitations](/docs/guides/organizations/invitations). If you want automatic enrollment without IdP requirements, use [verified domains](/docs/guides/organizations/verified-domains). 
@@ -60,7 +60,7 @@ Clerk enforces enterprise SSO connections on a per-domain basis in organizations ## Remove a member from your organization -Users who joined through an enterprise connection cannot leave the organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}), or by another member with the [manage members permission](/docs/guides/organizations/roles-and-permissions#system-permissions). +Users who joined through an enterprise connection cannot leave the organization on their own. You can remove them through the Clerk Dashboard, the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}){{ target: '_blank' }}, or by another member with the [manage members permission](/docs/guides/organizations/roles-and-permissions#system-permissions). Removed users will automatically rejoin the organization on their next sign-in unless you also remove them from the IdP or disconnect the enterprise connection. @@ -68,7 +68,7 @@ Removed users will automatically rejoin the organization on their next sign-in u When you reassign an enterprise connection to a new organization, existing members stay in the original organization. They will automatically join the new organization the next time they sign in. -To remove these users from the original organization, use either the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}) or the Clerk Dashboard. +To remove these users from the original organization, use either the [Backend API](/docs/reference/backend-api/tag/organization-memberships/delete/organizations/\{organization_id}/memberships/\{user_id}){{ target: '_blank' }} or the Clerk Dashboard. ## Next steps 
diff --git a/docs/guides/organizations/verified-domains.mdx b/docs/guides/organizations/verified-domains.mdx index 61ec733371..903ffa0745 100644 --- a/docs/guides/organizations/verified-domains.mdx +++ b/docs/guides/organizations/verified-domains.mdx @@ -18,9 +18,9 @@ The easiest way to add and verify domains, and manage all settings related to ve Verified domains work well when you want to streamline enrollment for users with company email addresses. This approach fits scenarios where: -- Company-wide rollouts need automatic or suggested membership -- Reducing onboarding friction for employees with approved email domains -- Enrollment can happen based on email domain without manual approval +- Company-wide rollouts need automatic or suggested membership. +- Reducing onboarding friction for employees with approved email domains. +- Enrollment can happen based on email domain without manual approval. If you need precise control over specific people and their roles, use [invitations](/docs/guides/organizations/invitations). If customers require authentication through their Identity Provider, use [enterprise SSO](/docs/guides/organizations/sso). From 71713d2cc4a937f12656f3efb0f411f0b23a2b7e Mon Sep 17 00:00:00 2001 From: Sarah Soutoul Date: Tue, 11 Nov 2025 11:32:30 -0600 Subject: [PATCH 14/14] Remove typedoc --- clerk-typedoc/shared/organization-resource.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clerk-typedoc/shared/organization-resource.mdx b/clerk-typedoc/shared/organization-resource.mdx index e44a9a35fd..b5128e2f6a 100644 --- a/clerk-typedoc/shared/organization-resource.mdx +++ b/clerk-typedoc/shared/organization-resource.mdx 
@@ -1,6 +1,6 @@ The `Organization` object holds information about an organization, as well as methods for managing it. -To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/configure#enable-organizations). +To use these methods, you must have the **Organizations** feature [enabled in your app's settings in the Clerk Dashboard](/docs/guides/organizations/overview#enable-organizations-in-your-application). ## Properties
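Review bot: In the invitations.mdx hunk at @@ -93,12, the rewritten "Invitation metadata" paragraph says the invitation's `publicMetadata` is copied into `OrganizationMembership.publicMetadata`, but it links only to the OrganizationMembership type reference. The metadata guide touched in this same patch distinguishes public from private metadata, so link to it here so readers know what visibility the copied values have before they put anything in `public_metadata`. The sentence also only covers a user who "signs up using the invitation link"; say whether the same copy happens when an existing user accepts the invitation.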
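Review bot: In the roles-and-permissions.mdx hunk at @@ -7,7, the new intro sets off the role names with spaced hyphens ("two default roles - **admin** and **member** - that cover"), which reads as a typo for a dash. Use commas or parentheses instead, for example "two default roles, **admin** and **member**, that cover". The rewrite also changes "common use cases" to "most common use cases", a stronger claim than the line it replaces; keep the original wording unless the stronger claim is intended.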
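Review bot: In the roles-and-permissions.mdx hunk at @@ -68,7, changing "such as in the ... component" to "using the ... component" turns an example into the stated method, while the link still targets /docs/reference/components/organization/organization-switcher. Confirm that this is the component where a member's role is actually edited. If role changes happen in a different component, link to that one, or keep "such as".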
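Review bot: In the sso.mdx hunk at @@ -60,7, the edited sentence is still not parallel: "You can remove them through the Clerk Dashboard, the Backend API, or by another member with the manage members permission." Suggest "They can be removed through the Clerk Dashboard, through the Backend API, or by another member who has the manage members permission." The unchanged line that follows (removed users rejoin on their next sign-in unless they are also removed from the IdP or the enterprise connection is disconnected) is what an admin offboarding someone most needs to see, so consider moving it into a callout like the `> [!NOTE]` blocks used elsewhere in these docs instead of leaving it as a trailing paragraph.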
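Review bot: In the verified-domains.mdx hunk at @@ -18,9, adding periods turns the second bullet into a punctuated fragment: "Reducing onboarding friction for employees with approved email domains." does not complete "This approach fits scenarios where:" the way the other two bullets do. Reword it as a clause, for example "You want to reduce onboarding friction for employees with approved email domains."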
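Review bot: In the organization-resource.mdx hunk at @@ -1,6, the link changes from /docs/guides/organizations/configure#enable-organizations to /docs/guides/organizations/overview#enable-organizations-in-your-application, but the subject "Remove typedoc" does not mention a link change, and the diffstat is a one-line edit to a clerk-typedoc file that is kept, not removed. Reword the subject to describe what the commit does, and confirm that the `#enable-organizations-in-your-application` anchor exists in overview.mdx at this commit, since overview.mdx is edited elsewhere in this series.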