Description
What problem did you meet?
I am building a custom multi-tenant invitation flow using the Management API (POST /api/one-time-tokens). While I can successfully use jitOrganizationIds in the context to add a user to an organization upon authentication, I cannot specify which role they should receive. They are always assigned the organization's configured "Default Role."
This makes it impossible to create specific "Magic Links" for different access levels (e.g., inviting an "Admin" vs. a "Viewer") in a single step. To achieve this today, I have to rely on complex Webhooks or race-prone post-registration API calls to update the user's role immediately after they join, which adds unnecessary complexity to the onboarding infrastructure.
Describe what you'd like Logto to have
I would like the context object in the One-Time Token creation API to support a jitRoleIds array, functioning similarly to how jitOrganizationIds currently works.
When a user authenticates using a token generated with this context, Logto should automatically assign the specified Role IDs to the user within the organization.
Proposed Payload Example:

```json
{
  "email": "string",
  "context": {
    "jitOrganizationIds": [
      "string"
    ],
    "jitRoleIds": [
      "string"
    ] // <-- New requested property
  },
  "expiresIn": 42.0
}
```

This feature would allow developers to programmatically control permissions and roles atomically during the invitation process, significantly simplifying custom B2B onboarding flows.