Organizations and Accounts

When signing up for Border0, the following are automatically created:

  1. An Account
  2. An Admin User
  3. An Organization

Thinks of the Account as a root account. This account is the owner of one or more Organizations.
In Border all Sockets and Policies are part of an organization.


Organizations allow administrators to group resources and administrative users. Each organization can have multiple administrators.
There are several organization settings that can be configured.

In the Border0 portal, users can see all organizations they belong to under settings > My organizations..
To switch organizational contexts, just click "Switch to this Org"


change organizations

Using border0 you can see all organizations you have access to:

$ border0 account list-orgs
│ ID                                   │ NAME                      │ CURRENT │
│ 35efeb24-0578-4a64-87ea-54769a8aa207 │ Andree Toonk-org          │ Yes     │
│ 145c9ac8-7b27-4ea3-bf68-462dda88c26f │ Border0                   │ No      │
│ f7df5857-806d-4fc5-8a41-aaa7dfeb5822 │ Andree zerotrust demo-org │ No      │
│ 24d4e858-a954-4459-88ec-3c4f5201d086 │ API Prod Connector-org    │ No      │
│ 1a14df54-cc56-4f08-98b3-6540895162d8 │ Border1                   │ No      │

To switch organization context use:

$ border0 account switch-org --org-name MyORG
Switching to organization: MyORG

Default Organization

Since a Border0 administrator may have access to more than one organization, you must ensure you're in the right organization context. The section above describes how an admin can change between organizations. An admin may also set a default Organization. This means we'll set the organization context to the Default organization each time the Admin logs in.

Setting the default organization can be achieved by clicking on the three dots in the Actions column for the organization. From there, you can set the organization as the Default org.


setting the default organization


each organization receives its own subdomain. This is the unique name for your organization and is also the domain used to provide DNS names for your Sockets.
For example, an organization with the name awesome-org, will have the subdomain: All Sockets under this organization will get a DNS name under that subdomain, i.e.


An organization can have one or more administrators. A Border0 admin user can invite new admin users via the portal or using the CLI:

border0 org invite [--org_id <orgid>] [email protected]

Remove a user from an organization.

border0 org remove [--org_id <orgid>] [email protected]

Users can have one of two roles in an organization:

  1. Administrator
  2. Member

Only administrators can add and remove users from an organization.

Service Accounts

Service accounts are intended enable programmatic and automated use of the platform and resources. Once created a service account can be issued tokens or be included in policies giving access to sockets.

Creation of the service account can be done via admin portal Team > Service Accounts.

or via CLI tool

border0 organization service-account create \
  --description "Example service account" \
  --name my-first-sc \
  --role client

| Name        | my-first-sc             |
| Role        | client                  |
| Active      | true                    |
| Description | Example service account |
| Created At  | 2024-04-18T03:18:18Z    |
| Updated At  | 2024-04-18T03:18:18Z    |

API keys

Not all actions require actual human accounts. We all like to automate "all the things".
For automation or machine tokens, Border0 provides API tokens. One great way to use these is for the Border0 Connector or systemd like scripts.

A token can be created in the portal in the Organization page. From there, click the "API Tokens" tab.
Note that tokens have either admin or member privileges. We recommend using member privileges for your Token. Note that the Token is only shown once, so make sure to copy the Token.

You can always generate a new token and revoke old tokens.


An organization has limits that are based on the type of plan the account is on.
A Border0 admin user can see the organization limits in the portal at this location

These are the standard limits

PlanLimit typeLimit
FreeAdmin users
End Users (users accessing your Sockets)
EnterpriseAdmin users
End Users
Contact Sales