Organizations

The organizations module manages organization entities post-onboarding: organization listing (MORIA only), reference data (sizes and industries), per-organization detail, and organization profile updates. All endpoints require Bearer + the read-organization / update-organization permissions.

Property	Value
Base URL	{HOST}/v1
Auth	Bearer JWT (header Authorization) or cookie access_token
Content-Type	application/json
Error envelope	{ "message": string | string[], "statusCode": number, "error": string }
Validation	Global ValidationPipe · whitelist: true, forbidNonWhitelisted: true · unknown field → 400
Related modules	onboarding, users, acl, accounts
Document version	v1 · 2026-05-20
Audience	Internal FE devs (mobile + web)

Summary

The full organization list is visible only to the MORIA role. Reference endpoints (sizes, industries) are used by FE to populate dropdown pickers in organization create/edit forms. Per-organization detail is accessible to anyone with read-organization, while update is only allowed for one’s own organization (unless the user is moria_super_admin).

Method	Path	Auth	Summary
GET	/v1/organizations	bearer	List organizations (MORIA only)
GET	/v1/organizations/sizes	bearer	Reference data for organization sizes
GET	/v1/organizations/industries	bearer	Reference data for industry sectors
GET	/v1/organizations/:organization_id	bearer	Detail of one organization
PATCH	/v1/organizations/:organization_id	bearer	Update organization profile

Auth notes

• GET /organizations is only for UserType.MORIA. Other roles → 403.
• For PATCH /:organization_id, non-moria_super_admin users can only edit their own organization — if organization_id differs, the server returns 401.
• The organization signup endpoint (POST /organizations/signup) is documented in the Onboarding module.

---

GET /v1/organizations bearer

Fetch the organization list (paginated). For UserType.MORIA only, with the read-organization permission.

bearer MORIA read-organization RESOURCE_FETCHED

Query params

Param	Type	Default	Notes
page	number	1	Page number
limit	number	10	Records per page
order	'asc' | 'desc'	desc	Order by created_at

Response — 200 OK

{
  "status": "success",
  "statusCode": 200,
  "message": "Organizations retrieved successfully",
  "data": {
    "limit": 10,
    "count": 42,
    "currentPage": 1,
    "totalPages": 5,
    "organizations": [
      {
        "id": "660e8400-e29b-41d4-a716-446655440111",
        "name": "Moria Fund",
        "email": "ops@moriafund.com",
        "phone_number": "+628123456788",
        "logo_id": null,
        "status": "active",
        "industry": "finance",
        "official_registration_number": "0123456789",
        "created_at": "2026-05-20T08:30:00.000Z",
        "updated_at": "2026-05-20T08:30:00.000Z"
      }
    ]
  }
}

Errors

Status	When it occurs
401 Unauthorized	Invalid Bearer/cookie
403 Forbidden	Not MORIA or missing read-organization permission

---

GET /v1/organizations/sizes bearer

Reference data for organization sizes (e.g. tens, hundreds, thousands, millions). Used for FE dropdowns.

bearer MORIA, ORGANIZATION read-organization

Query params

Param	Type	Default	Notes
page	number	1	Page number
limit	number	10	Records per page
order	'asc' | 'desc'	desc	Order by created_at

Response — 200 OK

{
  "status": "success",
  "statusCode": 200,
  "message": "Organization sizes retrieved successfully",
  "data": {
    "limit": 10,
    "count": 4,
    "currentPage": 1,
    "totalPages": 1,
    "sizes": [
      { "id": "...", "label": "tens", "range": "1-10" }
    ]
  }
}

Errors

Status	When it occurs
401 Unauthorized	Invalid Bearer/cookie
403 Forbidden	Permission mismatch

---

GET /v1/organizations/industries bearer

Reference data for industry sectors (e.g. finance, health, technnology, government, ngo). Used for FE dropdowns.

bearer MORIA, ORGANIZATION read-organization

Query params

Param	Type	Default	Notes
page	number	1	Page number
limit	number	10	Records per page
order	'asc' | 'desc'	desc	Order by created_at

Response — 200 OK

{
  "status": "success",
  "statusCode": 200,
  "message": "Organization industries retrieved successfully",
  "data": {
    "limit": 10,
    "count": 11,
    "currentPage": 1,
    "totalPages": 2,
    "industries": [
      { "id": "...", "value": "finance", "label": "Finance" }
    ]
  }
}

The enum value INDUSTRY.TECHNOLOGY is recorded as "technnology" (typo retained for mobile client compatibility). See the enum reference below.

Errors

Status	When it occurs
401 Unauthorized	Invalid Bearer/cookie
403 Forbidden	Permission mismatch

---

GET /v1/organizations/:organization_id bearer

Detail of one organization by UUID. The server validates read permission + the caller’s organization scope.

bearer read-organization

Path params

Param	Type	Notes
organization_id	UUID	Organization ID (must be UUID, validated via ParseUUIDPipe)

Response — 200 OK

{
  "status": "success",
  "statusCode": 200,
  "message": "organization fetched successfully",
  "data": {
    "organization": {
      "id": "660e8400-e29b-41d4-a716-446655440111",
      "name": "Moria Fund",
      "email": "ops@moriafund.com",
      "phone_number": "+628123456788",
      "logo_id": null,
      "industry": "finance",
      "official_registration_number": "0123456789",
      "status": "active",
      "created_at": "2026-05-20T08:30:00.000Z",
      "updated_at": "2026-05-20T08:30:00.000Z"
    }
  }
}

Errors

Status	When it occurs
400 Bad Request	organization_id is not a UUID
401 Unauthorized	Invalid Bearer/cookie
403 Forbidden	Permission mismatch
404 Not Found	Organization not found

---

PATCH /v1/organizations/:organization_id bearer

Update an organization profile. Only moria_super_admin may edit other organizations; other organization users may only edit their own organization.

bearer update-organization

Path params

Param	Type	Notes
organization_id	UUID	Target organization ID

Request body — UpdateOrganizationDto

Field	Type	Required	Notes
name	string	optional	Organization name
logo_id	string	optional	Logo file UUID (see file-manager module)
email	string	optional	Organization contact email
phone_number	string	optional	Contact phone
official_registration_number	string	optional	Official registration number
status	enum ORGANIZATION_STATUS	optional	pending, active, inactive, suspended

Example request

{
  "name": "Moria Fund Pro",
  "email": "contact@moriafund.com",
  "status": "active"
}

Response — 200 OK

{
  "status": "success",
  "statusCode": 200,
  "message": "Organization updated successfully",
  "data": {
    "organization": {
      "id": "660e8400-e29b-41d4-a716-446655440111",
      "name": "Moria Fund Pro",
      "email": "contact@moriafund.com",
      "phone_number": "+628123456788",
      "status": "active",
      "updated_at": "2026-05-20T09:00:00.000Z"
    }
  }
}

Errors

Status	When it occurs
400 Bad Request	Validation failed (invalid enum, unknown field)
401 Unauthorized	Non-moria_super_admin user attempts to edit another organization
403 Forbidden	Missing update-organization permission
404 Not Found	Organization not found

---

Reference

Enum: ORGANIZATION_STATUS

• pending — just signed up, awaiting KYB verification
• active — fully operational
• inactive — temporarily deactivated
• suspended — suspended by Moria

Enum: INDUSTRY

• finance, health, agriculture, education
• technnology (typo retained)
• manufacturing, marine, aviation, security
• government, ngo

Enum: ORGANIZATION_SIZE

• tens, hundreds, thousands, millions

Standard error envelope

{
  "message": "you can't edit another organization",
  "statusCode": 401,
  "error": "Unauthorized"
}

message can be a string or an array of strings (multi-field validation errors).

Common HTTP codes

• 400 body/param validation
• 401 no cross-org access
• 403 role/permission mismatch
• 404 organization not found
• 500 internal — show a generic toast in FE