@logto/schemas 1.12.0 → 1.13.0

package/lib/types/tenant-organization.js

@@ -0,0 +1,145 @@
+/**
+ * @fileoverview
+ * Tenant organizations are organizations in the admin tenant that represent tenants. They are
+ * created when a tenant is created, and are used to define the roles and scopes for the users in
+ * the tenant.
+ *
+ * This module provides utilities to manage tenant organizations.
+ */
+import { adminTenantId } from '../seeds/tenant.js';
+/** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
+export const getTenantOrganizationId = (tenantId) => `t-${tenantId}`;
+/**
+ * Given a tenant ID, return the organization create data for the admin tenant. It follows a
+ * convention to generate the organization ID and name which can be used across the system.
+ *
+ * @example
+ * ```ts
+ * const tenantId = 'test-tenant';
+ * const createData = getCreateData(tenantId);
+ *
+ * expect(createData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 't-test-tenant',
+ *   name: 'Tenant test-tenant',
+ * });
+ * ```
+ *
+ * @see {@link getId} for the convention of generating the organization ID.
+ */
+export const getTenantOrganizationCreateData = (tenantId) => Object.freeze({
+    tenantId: adminTenantId,
+    id: getTenantOrganizationId(tenantId),
+    name: `Tenant ${tenantId}`,
+});
+/**
+ * Scope names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantScopeDescriptions}.
+ */
+export var TenantScope;
+(function (TenantScope) {
+    /** Read the tenant data. */
+    TenantScope["ReadData"] = "read:data";
+    /** Write the tenant data, including creating and updating the tenant. */
+    TenantScope["WriteData"] = "write:data";
+    /** Delete data of the tenant. */
+    TenantScope["DeleteData"] = "delete:data";
+    /** Invite members to the tenant. */
+    TenantScope["InviteMember"] = "invite:member";
+    /** Remove members from the tenant. */
+    TenantScope["RemoveMember"] = "remove:member";
+    /** Update the role of a member in the tenant. */
+    TenantScope["UpdateMemberRole"] = "update:member:role";
+    /** Manage the tenant settings, including name, billing, etc. */
+    TenantScope["ManageTenant"] = "manage:tenant";
+})(TenantScope || (TenantScope = {}));
+const allTenantScopes = Object.freeze(Object.values(TenantScope));
+/**
+ * Given a tenant scope, return the corresponding organization scope data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const scope = TenantScope.ReadData; // 'read:data'
+ * const scopeData = getTenantScope(scope);
+ *
+ * expect(scopeData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'read-data',
+ *   name: 'read:data',
+ *   description: 'Read the tenant data.',
+ * });
+ * ```
+ *
+ * @see {@link tenantScopeDescriptions} for scope descriptions of each scope.
+ */
+export const getTenantScope = (scope) => Object.freeze({
+    tenantId: adminTenantId,
+    id: scope.replaceAll(':', '-'),
+    name: scope,
+    description: tenantScopeDescriptions[scope],
+});
+const tenantScopeDescriptions = Object.freeze({
+    [TenantScope.ReadData]: 'Read the tenant data.',
+    [TenantScope.WriteData]: 'Write the tenant data, including creating and updating the tenant.',
+    [TenantScope.DeleteData]: 'Delete data of the tenant.',
+    [TenantScope.InviteMember]: 'Invite members to the tenant.',
+    [TenantScope.RemoveMember]: 'Remove members from the tenant.',
+    [TenantScope.UpdateMemberRole]: 'Update the role of a member in the tenant.',
+    [TenantScope.ManageTenant]: 'Manage the tenant settings, including name, billing, etc.',
+});
+/**
+ * Role names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantRoleDescriptions}.
+ */
+export var TenantRole;
+(function (TenantRole) {
+    /** Admin of the tenant, who has all permissions. */
+    TenantRole["Admin"] = "admin";
+    /** Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
+    TenantRole["Member"] = "member";
+})(TenantRole || (TenantRole = {}));
+const tenantRoleDescriptions = Object.freeze({
+    [TenantRole.Admin]: 'Admin of the tenant, who has all permissions.',
+    [TenantRole.Member]: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+});
+/**
+ * Given a tenant role, return the corresponding organization role data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const role = TenantRole.Member; // 'member'
+ * const roleData = getTenantRole(role);
+ *
+ * expect(roleData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'member',
+ *   name: 'member',
+ *   description: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ * });
+ * ```
+ *
+ * @see {@link tenantRoleDescriptions} for scope descriptions of each role.
+ */
+export const getTenantRole = (role) => Object.freeze({
+    tenantId: adminTenantId,
+    id: role,
+    name: role,
+    description: tenantRoleDescriptions[role],
+});
+/**
+ * The dictionary of tenant roles and their corresponding scopes.
+ * @see {TenantRole} for scope descriptions of each role.
+ */
+export const tenantRoleScopes = Object.freeze({
+    [TenantRole.Admin]: allTenantScopes,
+    [TenantRole.Member]: [
+        TenantScope.ReadData,
+        TenantScope.WriteData,
+        TenantScope.DeleteData,
+        TenantScope.InviteMember,
+    ],
+});

package/lib/types/tenant.d.ts

@@ -1,5 +1,4 @@
 export declare enum TenantTag {
     Development = "development",
-    Staging = "staging",
     Production = "production"
 }

package/lib/types/tenant.js

@@ -1,9 +1,7 @@
 export var TenantTag;
 (function (TenantTag) {
-    /* Development tenants are free to use but are not meant to be used as production environment */
+    /* Development tenants are free to use but are not meant to be used as production environment. */
     TenantTag["Development"] = "development";
-    /* @deprecated */
-    TenantTag["Staging"] = "staging";
-    /* A production tenant must have an associated subscription plan, even if it's a free plan */
+    /* A production tenant must have an associated subscription plan, even if it's a free plan. */
     TenantTag["Production"] = "production";
 })(TenantTag || (TenantTag = {}));

package/lib/types/user-assets.d.ts

@@ -1,19 +1,19 @@
 import { z } from 'zod';
 export declare const maxUploadFileSize: number;
-export declare const allowUploadMimeTypes: readonly ["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"];
-declare const allowUploadMimeTypeGuard: z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>;
+export declare const allowUploadMimeTypes: readonly ["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"];
+declare const allowUploadMimeTypeGuard: z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>;
 export type AllowedUploadMimeType = z.infer<typeof allowUploadMimeTypeGuard>;
 export declare const userAssetsServiceStatusGuard: z.ZodObject<{
     status: z.ZodUnion<[z.ZodLiteral<"ready">, z.ZodLiteral<"not_configured">]>;
-    allowUploadMimeTypes: z.ZodOptional<z.ZodArray<z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>, "many">>;
+    allowUploadMimeTypes: z.ZodOptional<z.ZodArray<z.ZodEnum<["image/jpeg", "image/png", "image/gif", "image/vnd.microsoft.icon", "image/x-icon", "image/svg+xml", "image/tiff", "image/webp", "image/bmp"]>, "many">>;
     maxUploadFileSize: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
     status: "ready" | "not_configured";
-    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
+    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/x-icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
     maxUploadFileSize?: number | undefined;
 }, {
     status: "ready" | "not_configured";
-    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
+    allowUploadMimeTypes?: ("image/jpeg" | "image/png" | "image/gif" | "image/vnd.microsoft.icon" | "image/x-icon" | "image/svg+xml" | "image/tiff" | "image/webp" | "image/bmp")[] | undefined;
     maxUploadFileSize?: number | undefined;
 }>;
 export type UserAssetsServiceStatus = z.infer<typeof userAssetsServiceStatusGuard>;

package/lib/types/user-assets.js

@@ -6,6 +6,7 @@ export const allowUploadMimeTypes = [
     'image/png',
     'image/gif',
     'image/vnd.microsoft.icon',
+    'image/x-icon',
     'image/svg+xml',
     'image/tiff',
     'image/webp',

package/lib/types/user.d.ts

@@ -20,8 +20,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;
@@ -92,8 +92,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -138,8 +138,8 @@ export declare const userInfoGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -189,8 +189,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;
@@ -262,8 +262,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -310,8 +310,8 @@ export declare const userProfileResponseGuard: z.ZodObject<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>;
-    customData: import("../foundations/index.js").JsonObject;
-    logtoConfig: import("../foundations/index.js").JsonObject;
+    customData: import("@withtyped/server/lib/types.js").JsonObject;
+    logtoConfig: import("@withtyped/server/lib/types.js").JsonObject;
     mfaVerifications: ({
         type: MfaFactor.TOTP;
         id: string;
@@ -374,7 +374,6 @@ export declare enum InternalRole {
     Admin = "#internal:admin"
 }
 export declare enum AdminTenantRole {
-    Admin = "admin",
     /** Common user role in admin tenant. */
     User = "user",
     /** The role for machine to machine applications that represent a user tenant and send requests to Logto Cloud. */
@@ -407,8 +406,8 @@ export declare const featuredUserGuard: z.ZodObject<Pick<{
         userId: string;
         details?: Record<string, unknown> | undefined;
     }>>;
-    customData: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
-    logtoConfig: z.ZodType<import("../foundations/index.js").JsonObject, z.ZodTypeDef, import("../foundations/index.js").JsonObject>;
+    customData: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
+    logtoConfig: z.ZodType<import("@withtyped/server/lib/types.js").JsonObject, z.ZodTypeDef, import("@withtyped/server/lib/types.js").JsonObject>;
     mfaVerifications: z.ZodType<({
         type: MfaFactor.TOTP;
         id: string;

package/lib/types/user.js

@@ -41,7 +41,6 @@ export var InternalRole;
 })(InternalRole || (InternalRole = {}));
 export var AdminTenantRole;
 (function (AdminTenantRole) {
-    AdminTenantRole["Admin"] = "admin";
     /** Common user role in admin tenant. */
     AdminTenantRole["User"] = "user";
     /** The role for machine to machine applications that represent a user tenant and send requests to Logto Cloud. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -21,27 +21,27 @@
     "access": "public"
   },
   "engines": {
-    "node": "^18.12.0"
+    "node": "^20.9.0"
   },
   "devDependencies": {
-    "@silverhand/eslint-config": "4.0.1",
-    "@silverhand/essentials": "^2.8.4",
-    "@silverhand/ts-config": "4.0.0",
+    "@silverhand/eslint-config": "5.0.0",
+    "@silverhand/essentials": "^2.9.0",
+    "@silverhand/ts-config": "5.0.0",
     "@types/inquirer": "^9.0.0",
     "@types/jest": "^29.4.0",
-    "@types/node": "^18.11.18",
+    "@types/node": "^20.9.5",
     "@types/pluralize": "^0.0.33",
     "camelcase": "^8.0.0",
     "chalk": "^5.0.0",
     "eslint": "^8.44.0",
-    "jest": "^29.5.0",
+    "jest": "^29.7.0",
     "lint-staged": "^15.0.0",
     "pluralize": "^8.0.0",
     "prettier": "^3.0.0",
     "roarr": "^7.11.0",
     "slonik": "^30.0.0",
     "slonik-sql-tag-raw": "^1.1.4",
-    "typescript": "^5.0.0"
+    "typescript": "^5.3.3"
   },
   "eslintConfig": {
     "extends": "@silverhand",
@@ -64,12 +64,12 @@
   },
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
-    "@logto/connector-kit": "^2.0.0",
-    "@logto/core-kit": "^2.2.1",
-    "@logto/language-kit": "^1.0.0",
-    "@logto/phrases": "^1.8.0",
-    "@logto/phrases-experience": "^1.5.0",
-    "@logto/shared": "^3.0.0",
+    "@logto/connector-kit": "^2.1.0",
+    "@logto/core-kit": "^2.3.0",
+    "@logto/language-kit": "^1.1.0",
+    "@logto/phrases": "^1.9.0",
+    "@logto/phrases-experience": "^1.6.0",
+    "@logto/shared": "^3.1.0",
     "@withtyped/server": "^0.12.9"
   },
   "peerDependencies": {

package/tables/application_sign_in_experiences.sql

@@ -0,0 +1,15 @@
+/* init_order = 2 */
+
+/** Application level sign-in experience configuration. */
+create table application_sign_in_experiences (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  branding jsonb /* @use Branding */ not null default '{}'::jsonb,
+  terms_of_use_url varchar(2048),
+  privacy_policy_url varchar(2048),
+  display_name varchar(256),
+  
+  primary key (tenant_id, application_id)
+);

package/tables/application_user_consent_organization_scopes.sql

@@ -0,0 +1,14 @@
+/* init_order = 2 */
+
+/** The organization scopes (permissions) assigned to an application. */
+create table application_user_consent_organization_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the organization scope. */
+  organization_scope_id varchar(21) not null
+    references organization_scopes (id) on update cascade on delete cascade,
+  primary key (application_id, organization_scope_id)
+);

package/tables/application_user_consent_organizations.sql

@@ -0,0 +1,16 @@
+/* init_order = 3 */
+
+/** The relations between applications, users and organizations. A relation means that a user has consented to an application to access data in an organization. */
+create table application_user_consent_organizations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  organization_id varchar(21) not null,
+  user_id varchar(21) not null,
+  primary key (tenant_id, application_id, organization_id, user_id),
+  /** User's consent to an application should be synchronized with the user's membership in the organization. */
+  foreign key (tenant_id, organization_id, user_id)
+    references organization_user_relations (tenant_id, organization_id, user_id)
+    on update cascade on delete cascade
+)

package/tables/application_user_consent_resource_scopes.sql

@@ -0,0 +1,14 @@
+/* init_order = 3 */
+
+/** The resource scopes (permissions) assigned to an application's consent request. */
+create table application_user_consent_resource_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the resource scope. */
+  scope_id varchar(21) not null
+    references scopes (id) on update cascade on delete cascade,
+  primary key (application_id, scope_id)
+);

package/tables/application_user_consent_user_scopes.sql

@@ -0,0 +1,13 @@
+/* init_order = 2 */
+
+/** The user scopes (permissions) assigned to an application */
+create table application_user_consent_user_scopes (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the application. */
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The unique UserScope enum value @see (@logto/core-kit/open-id.js) for more details */
+  user_scope varchar(64) not null,
+  primary key (application_id, user_scope)
+);

package/tables/applications.sql

@@ -1,6 +1,6 @@
 /* init_order = 1 */
 
-create type application_type as enum ('Native', 'SPA', 'Traditional', 'MachineToMachine');
+create type application_type as enum ('Native', 'SPA', 'Traditional', 'MachineToMachine', 'Protected');
 
 create table applications (
   tenant_id varchar(21) not null
@@ -12,9 +12,24 @@ create table applications (
   type application_type not null,
   oidc_client_metadata jsonb /* @use OidcClientMetadata */ not null,
   custom_client_metadata jsonb /* @use CustomClientMetadata */ not null default '{}'::jsonb,
+  protected_app_metadata jsonb /* @use ProtectedAppMetadata */,
+  is_third_party boolean not null default false,
   created_at timestamptz not null default(now()),
   primary key (id)
 );
 
 create index applications__id
   on applications (tenant_id, id);
+
+create index applications__is_third_party
+  on applications (tenant_id, is_third_party);
+
+create unique index applications__protected_app_metadata_host
+  on applications (
+    (protected_app_metadata->>'host')
+  );
+
+create unique index applications__protected_app_metadata_custom_domain
+  on applications (
+    (protected_app_metadata->'customDomains'->0->>'domain')
+  );

package/tables/daily_token_usage.sql

@@ -0,0 +1,11 @@
+create table daily_token_usage (
+  id varchar(21) not null,
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  usage bigint not null default(0),
+  date timestamptz not null,
+  primary key (id)
+);
+
+create unique index daily_token_usage__date
+  on daily_token_usage (tenant_id, date);

package/tables/organization_invitation_role_relations.sql

@@ -0,0 +1,14 @@
+/* init_order = 4 */
+
+/** The organization roles that will be assigned to a user when they accept an invitation. */
+create table organization_invitation_role_relations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The ID of the invitation. */
+  organization_invitation_id varchar(21) not null
+    references organization_invitations (id) on update cascade on delete cascade,
+  /** The ID of the organization role. */
+  organization_role_id varchar(21) not null
+    references organization_roles (id) on update cascade on delete cascade,
+  primary key (tenant_id, organization_invitation_id, organization_role_id)
+);

package/tables/organization_invitations.sql

@@ -0,0 +1,36 @@
+/* init_order = 3 */
+
+create type organization_invitation_status as enum ('Pending', 'Accepted', 'Expired', 'Revoked');
+
+/** The invitation entry defined in RFC 0003. It stores the invitation information for a user to join an organization. */
+create table organization_invitations (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  /** The unique identifier of the invitation. */
+  id varchar(21) not null,
+  /** The user ID who sent the invitation. */
+  inviter_id varchar(21)
+    references users (id) on update cascade on delete cascade,
+  /** The email address or other identifier of the invitee. */
+  invitee varchar(256) not null,
+  /** The user ID of who accepted the invitation. */
+  accepted_user_id varchar(21)
+    references users (id) on update cascade on delete cascade,
+  /** The ID of the organization to which the invitee is invited. */
+  organization_id varchar(21) not null
+    references organizations (id) on update cascade on delete cascade,
+  /** The status of the invitation. */
+  status organization_invitation_status not null,
+  /** The time when the invitation was created. */
+  created_at timestamptz not null default (now()),
+  /** The time when the invitation status was last updated. */
+  updated_at timestamptz not null default (now()),
+  /** The time when the invitation expires. */
+  expires_at timestamptz not null,
+  primary key (id)
+);
+
+-- Ensure there is only one pending invitation for a given invitee and organization.
+create unique index organization_invitations__invitee_organization_id
+  on organization_invitations (tenant_id, invitee, organization_id)
+  where status = 'Pending';