Level: Medium

Napkin-math based on lines added — not a strict rule. Tests, guides, and lockfiles are omitted for better accuracy (closer to SLOC than raw diff).

Jump to file

∟ lib/my_app/accounts/user_notifier.ex
∟ lib/my_app/organizations.ex
∟ lib/my_app/organizations/invitation.ex
∟ lib/my_app_web/controllers/organization/invitation_controller.ex
∟ lib/my_app_web/controllers/organization/invitation_html.ex
∟ lib/my_app_web/controllers/organization/invitation_html/accept.html.heex
∟ lib/my_app_web/live/member_live/components.ex
∟ lib/my_app_web/live/member_live/index.ex
∟ lib/my_app_web/live/member_live/invite.ex
∟ lib/my_app_web/router.ex
∟ priv/repo/migrations/0002_add_organizations_invitations.exs

Email notifications

A new deliver_organization_invitation/2 function sends invitation emails. The email includes the organization name and a link to accept the invitation.

lib/my_app/accounts/user_notifier.ex Reveal

	`-101,4 +101,24 @@ defmodule MyApp.Accounts.UserNotifier do`
	`==============================`
	`""")`
	`end`
+
+	`@doc """`
+	`Deliver an invitation to join an organization to an email.`
+	`"""`
+	`def deliver_organization_invitation(invitation, url) do`
+	`deliver(invitation.email, "You've been invited to join #{invitation.organization.name}", """`
+
+	`==============================`
+
+	`Hi #{invitation.email},`
+
+	`You have been invited to join #{invitation.organization.name}'s organization.`
+
+	`You can join by visiting the URL below:`
+
+	`#{url}`
+
+	`==============================`
+	`""")`
+	`end`
	`end`

Organizations context additions

The Organizations context is extended with invitation management functions:

The send_invitation/3 function uses a transaction to build the invitation, insert it, and send the email atomically. If any step fails, the entire operation is rolled back.

The accept_invitation/3 function deletes the invitation and adds the user as a member in a single transaction. It accepts a URL function to generate the organization URL for the welcome notification email.

lib/my_app/organizations.ex Reveal

	`-3,10 +3,13 @@ defmodule MyApp.Organizations do`
	`The Organizations context.`
	`"""`

+	`import Ecto.Query`
+
	`alias MyApp.Repo`
	`alias MyApp.Accounts.Scope`
	`alias MyApp.Accounts.User`
	`alias MyApp.Accounts.UserNotifier`
+	`alias MyApp.Organizations.Invitation`
	`alias MyApp.Organizations.Organization`
	`alias MyApp.Organizations.OrganizationUser`

	`-174,4 +177,76 @@ defmodule MyApp.Organizations do`
	`\|> OrganizationUser.role_query(not_in: [:owner])`
	`\|> Repo.delete_all()`
	`end`
+
+	`## Invitations`
+
+	`def get_invitation!(%Scope{} = scope, invitation_id) do`
+	`Invitation`
+	`\|> Invitation.organization_query(scope.organization)`
+	`\|> Repo.get!(invitation_id)`
+	`end`
+
+	`def get_invitation_by_token(token) do`
+	`{:ok, query} = Invitation.verify_token_query(token)`
+	`Repo.one(query)`
+	`end`
+
+	`def get_invitation_by_token!(token) do`
+	`{:ok, query} = Invitation.verify_token_query(token)`
+	`Repo.one!(query)`
+	`end`
+
+	`def list_invitations(%Scope{} = scope) do`
+	`Invitation`
+	`\|> Invitation.organization_query(scope.organization)`
+	`\|> order_by(desc: :inserted_at)`
+	`\|> Repo.all()`
+	`end`
+
+	`def delete_invitation(invitation) do`
+	`Repo.delete(invitation)`
+	`end`
+
+	`def accept_invitation(%Scope{} = scope, token, organization_url_fun)`
+	`when is_function(organization_url_fun, 1) do`
+	`Repo.transaction(fn ->`
+	`invitation = get_invitation_by_token!(token)`
+	`invitation_scope = %Scope{organization: invitation.organization}`
+
+	`opts = [organization_url: organization_url_fun.(invitation.organization)]`
+
+	`with {:ok, invitation} <- delete_invitation(invitation),`
+	`{:ok, multi} <- add_user(invitation_scope, scope.user, [role: :member], opts) do`
+	`multi`
+	`else`
+	`{:error, reason} -> Repo.rollback(reason)`
+	`end`
+	`end)`
+	`end`
+
+	`def send_invitations_to_all(%Scope{} = scope, emails, accept_invitation_url_fun) do`
+	`Enum.reduce_while(emails, :ok, fn email, :ok ->`
+	`case send_invitation(scope, email, accept_invitation_url_fun) do`
+	`{:ok, _invitation} -> {:cont, :ok}`
+	`{:error, _reason} = error -> {:halt, error}`
+	`end`
+	`end)`
+	`end`
+
+	`def send_invitation(%Scope{} = scope, email, accept_invitation_url_fun)`
+	`when is_function(accept_invitation_url_fun, 1) do`
+	`Repo.transaction(fn ->`
+	`with {:ok, encoded_token, invitation} <- Invitation.build(scope.organization, email: email),`
+	`{:ok, invitation} <- Repo.insert(invitation),`
+	`{:ok, _email} <-`
+	`UserNotifier.deliver_organization_invitation(`
+	`invitation,`
+	`accept_invitation_url_fun.(encoded_token)`
+	`) do`
+	`{:ok, invitation}`
+	`else`
+	`{:error, reason} -> Repo.rollback(reason)`
+	`end`
+	`end)`
+	`end`
	`end`

The Invitation schema

The Invitation schema stores pending invitations. Each invitation has an email , a hashed token , and belongs to an organization. We only store inserted_at (no updated_at ) since invitations are immutable once created.

The build/2 function generates a cryptographically secure random token, hashes it with SHA256, and returns both the URL-safe encoded token (for the invitation link) and the invitation struct (with the hashed token for storage). This pattern is similar to how password reset tokens work.

Invitations expire after a configurable number of days (default 3). The verify_token_query/1 function decodes and hashes the provided token, then builds a query that only matches non-expired invitations. The expired?/1 and expiration/1 helper functions support displaying expiration status in the UI.

lib/my_app/organizations/invitation.ex Reveal

	`-0,0 +1,87 @@`
+	`defmodule MyApp.Organizations.Invitation do`
+	`use Ecto.Schema`
+
+	`import Ecto.Changeset`
+	`import Ecto.Query`
+
+	`alias MyApp.Organizations`
+
+	`@hash_algorithm :sha256`
+	`@rand_size 32`
+
+	`@expiration_in_days 3`
+
+	`@primary_key {:id, :binary_id, autogenerate: true}`
+	`@foreign_key_type :binary_id`
+
+	`schema "organizations_invitations" do`
+	`field :email, :string`
+	`field :token, :binary`
+
+	`belongs_to :organization, Organizations.Organization`
+
+	`timestamps(updated_at: false)`
+	`end`
+
+	`def build(organization, attrs) do`
+	`token = :crypto.strong_rand_bytes(@rand_size)`
+	`hashed_token = :crypto.hash(@hash_algorithm, token)`
+
+	`changeset =`
+	`%__MODULE__{}`
+	`\|> Map.merge(%{organization: organization, token: hashed_token})`
+	`\|> email_changeset(Map.new(attrs))`
+
+	`with {:ok, invitation} <- apply_action(changeset, :validate) do`
+	`{:ok, Base.url_encode64(token, padding: false), invitation}`
+	`end`
+	`end`
+
+	`## Changesets`
+
+	`def email_changeset(invitation, attrs) do`
+	`invitation`
+	`\|> cast(attrs, [:email])`
+	`\|> validate_required([:email])`
+	`\|> validate_format(:email, ~r/@/)`
+	`end`
+
+	`## Queries`
+
+	`def verify_token_query(token) do`
+	`case Base.url_decode64(token, padding: false) do`
+	`{:ok, decoded_token} ->`
+	`hashed_token = :crypto.hash(@hash_algorithm, decoded_token)`
+
+	`query =`
+	`from invitation in __MODULE__,`
+	`where: invitation.token == ^hashed_token,`
+	`where: invitation.inserted_at > ago(^@expiration_in_days, "day"),`
+	`preload: :organization`
+
+	`{:ok, query}`
+
+	`:error ->`
+	`:error`
+	`end`
+	`end`
+
+	`def organization_query(query, organization) do`
+	`from invitation in query,`
+	`where: [organization_id: ^organization.id]`
+	`end`
+
+	`## View`
+
+	`def expired?(invitation) do`
+	`NaiveDateTime.before?(expiration_date_time(invitation), NaiveDateTime.utc_now())`
+	`end`
+
+	`def expiration(invitation) do`
+	`Calendar.strftime(expiration_date_time(invitation), "%B %-d, %Y")`
+	`end`
+
+	`def expiration_date_time(invitation) do`
+	`NaiveDateTime.shift(invitation.inserted_at, Duration.new!(day: @expiration_in_days))`
+	`end`
+	`end`

Invitation controller

The InvitationController handles the invitation acceptance flow with two actions.

The show/2 action displays the invitation acceptance page. It handles several cases:

The accept/2 action processes the form submission, accepting the invitation and redirecting to the organization.

lib/my_app_web/controllers/organization/invitation_controller.ex Reveal

	`-0,0 +1,41 @@`
+	`defmodule MyAppWeb.Organization.InvitationController do`
+	`use MyAppWeb, :controller`
+
+	`alias MyApp.Organizations`
+
+	`def show(conn, %{"token" => token}) do`
+	`current_scope = conn.assigns.current_scope`
+
+	`invitation = Organizations.get_invitation_by_token(token)`
+
+	`cond do`
+	`invitation == nil ->`
+	`conn`
+	`\|> put_flash(:error, "Invitation is invalid or has expired.")`
+	`\|> redirect(to: ~p"/users/register")`
+
+	`current_scope == nil ->`
+	`conn`
+	`\|> put_session(:user_return_to, ~p"/invitations/accept/#{token}")`
+	`\|> put_flash(:info, "Register to join #{invitation.organization.name}.")`
+	`\|> redirect(to: ~p"/users/register")`
+
+	`Organizations.get_organization(current_scope, invitation.organization.id) ->`
+	`conn`
+	`\|> put_flash(:info, "You are already a member of #{invitation.organization.name}.")`
+	`\|> redirect(to: ~p"/~/#{invitation.organization}")`
+
+	`true ->`
+	`render(conn, :accept, token: token, invitation: invitation)`
+	`end`
+	`end`
+
+	`def accept(conn, %{"token" => token}) do`
+	`{:ok, %{organization: organization}} =`
+	`Organizations.accept_invitation(conn.assigns.current_scope, token, &url(~p"/~/#{&1}"))`
+
+	`conn`
+	`\|> put_flash(:info, "You are now a member of #{organization.name}.")`
+	`\|> redirect(to: ~p"/~/#{organization}")`
+	`end`
+	`end`

lib/my_app_web/controllers/organization/invitation_html.ex Reveal

	`-0,0 +1,5 @@`
+	`defmodule MyAppWeb.Organization.InvitationHTML do`
+	`use MyAppWeb, :html`
+
+	`embed_templates "invitation_html/*"`
+	`end`

Invitation acceptance template

The acceptance page shows the organization name and a simple form with a hidden token field and an accept button.

lib/my_app_web/controllers/organization/invitation_html/accept.html.heex Reveal

	`-0,0 +1,15 @@`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`You're invited to join {@invitation.organization.name}`
+	`<:subtitle>`
+	`Click below to accept the invitation with your current user account.`
+	`</:subtitle>`
+	`</.header>`
+
+	`<.form for={%{}} class="mt-10" method="post" action={~p"/invitations/accept"}>`
+	`<input type="hidden" name="token" value={@token} />`
+	`<.button type="submit">`
+	`Accept invitation`
+	`</.button>`
+	`</.form>`
+	`</Layouts.app>`

Dynamic form components

Two components support the dynamic form fields:

drop_field_wrapper/1 wraps each email input with a remove button (hidden checkbox). When checked, the field is removed from the form on the next validation.

add_field_button/1 renders a button (hidden checkbox) that adds a new empty field when clicked.

These components use Ecto's sort_param and drop_param feature to manage dynamic embedded fields without writing JavaScript.

lib/my_app_web/live/member_live/components.ex Reveal

	`-0,0 +1,44 @@`
+	`defmodule MyAppWeb.MemberLive.Components do`
+	`use MyAppWeb, :html`
+
+	`attr :form, Phoenix.HTML.Form, required: true`
+	`attr :drop_param, :atom, required: true`
+	`attr :drop_index, :integer, required: true`
+	`slot :inner_block, required: true`
+
+	`def drop_field_wrapper(assigns) do`
+	`~H"""`
+	`<div class="flex gap-2">`
+	`<div class="flex-1">`
+	`{render_slot(@inner_block)}`
+	`</div>`
+	`<div class="w-16 py-1">`
+	`<label :if={@drop_index > 0} class="btn">`
+	`<input`
+	`type="checkbox"`
+	`class="hidden"`
+	`name={Phoenix.HTML.Form.input_name(@form, @drop_param) <> "[]"}`
+	`value={@drop_index}`
+	`/> <.icon name="hero-minus" />`
+	`</label>`
+	`</div>`
+	`</div>`
+	`"""`
+	`end`
+
+	`attr :form, Phoenix.HTML.Form, required: true`
+	`attr :sort_param, :atom, required: true`
+
+	`def add_field_button(assigns) do`
+	`~H"""`
+	`<label class="btn">`
+	`<input`
+	`type="checkbox"`
+	`class="hidden"`
+	`name={Phoenix.HTML.Form.input_name(@form, @sort_param) <> "[]"}`
+	`/>`
+	`<.icon name="hero-plus" />`
+	`</label>`
+	`"""`
+	`end`
+	`end`

Members index updates

The members index page is updated to show pending invitations alongside current members. A second table displays all invitations with their email and expiration status.

Expired invitations are highlighted in red. Owners can delete invitations directly from the list.

The "Add Member" button is replaced with "Invite Members" to reflect the new flow.

lib/my_app_web/live/member_live/index.ex Reveal

	`-12,9 +12,9 @@ defmodule MyAppWeb.MemberLive.Index do`
	`<:actions>`
	`<.button`
	`:if={@current_scope.organization.user_role == :owner}`
-	`phx-click={JS.patch(~p"/~/#{@current_scope.organization}/settings/members/add")}`
+	`phx-click={JS.patch(~p"/~/#{@current_scope.organization}/settings/members/invite")}`
	`>`
-	`Add Member`
+	`Invite Members`
	`</.button>`
	`</:actions>`
	`</.header>`
	`-48,6 +48,35 @@ defmodule MyAppWeb.MemberLive.Index do`
	`</.link>`
	`</:action>`
	`</.table>`
+
+	`<div class="divider" />`
+
+	`<.header>`
+	`Pending Invitations`
+	`</.header>`
+
+	`<.table id="organization_invitations_table" rows={@streams.invitations}>`
+	`<:col :let={{_id, invitation}} label="Email">`
+	`{invitation.email}`
+	`</:col>`
+	`<:col :let={{_id, invitation}} label="Expires">`
+	`<%= if Organizations.Invitation.expired?(invitation) do %>`
+	`<span class="text-red-500">`
+	`Expired on {Organizations.Invitation.expiration(invitation)}`
+	`</span>`
+	`<% else %>`
+	`<span>{Organizations.Invitation.expiration(invitation)}</span>`
+	`<% end %>`
+	`</:col>`
+	`<:action :let={{id, invitation}} :if={@current_scope.organization.user_role == :owner}>`
+	`<.link`
+	`phx-click={JS.hide(to: id) \|> JS.push("delete_invitation", value: %{id: invitation.id})}`
+	`data-confirm="Are you sure you want to delete this invitation?"`
+	`>`
+	`Delete`
+	`</.link>`
+	`</:action>`
+	`</.table>`
	`</Layouts.app>`
	`"""`
	`end`
	`-58,10 +87,12 @@ defmodule MyAppWeb.MemberLive.Index do`

	`def handle_params(params, _uri, socket) do`
	`users = Organizations.list_users(socket.assigns.current_scope)`
+	`invitations = Organizations.list_invitations(socket.assigns.current_scope)`

	`{:noreply,`
	`socket`
	`\|> stream(:users, users, reset: true)`
+	`\|> stream(:invitations, invitations, reset: true)`
	`\|> apply_action(params, socket.assigns.live_action)}`
	`end`

	`-106,4 +137,15 @@ defmodule MyAppWeb.MemberLive.Index do`
	`{:noreply, stream_delete(socket, :users, user)}`
	`end`
	`end`
+
+	`def handle_event("delete_invitation", %{"id" => invitation_id}, socket) do`
+	`:owner = socket.assigns.current_scope.organization.user_role`
+
+	`{:ok, invitation} =`
+	`socket.assigns.current_scope`
+	`\|> Organizations.get_invitation!(invitation_id)`
+	`\|> Organizations.delete_invitation()`
+
+	`{:noreply, stream_delete(socket, :invitations, invitation)}`
+	`end`
	`end`

Invite members LiveView

The Invite LiveView allows owners to send invitations to multiple email addresses at once. It uses an embedded schema form with dynamic fields that can be added or removed.

The inner Form module defines an embedded schema with a list of invitation embeds. It uses Ecto's sort_param and drop_param options to enable dynamic field management without JavaScript.

The form starts with 3 empty email fields. Users can add more fields or remove existing ones using the add/remove buttons. When submitted, the form collects all non-empty emails and sends invitations to each.

lib/my_app_web/live/member_live/invite.ex Reveal

	`-0,0 +1,122 @@`
+	`defmodule MyAppWeb.MemberLive.Invite do`
+	`use MyAppWeb, :live_view`
+
+	`import MyAppWeb.MemberLive.Components`
+
+	`alias MyApp.Organizations`
+	`alias __MODULE__.Form, as: InviteForm`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<.header>`
+	`Invite Members`
+	`</.header>`
+
+	`<.form for={@form} phx-change="validate" phx-submit="save">`
+	`<.inputs_for :let={f} field={@form[:invitations]}>`
+	`<.drop_field_wrapper form={@form} drop_param={:invitations_drop} drop_index={f.index}>`
+	`<.input field={f[:email]} type="email" autocomplete="off" placeholder="Enter an email..." />`
+	`</.drop_field_wrapper>`
+	`</.inputs_for>`
+
+	`<.add_field_button form={@form} sort_param={:invitations_sort} />`
+
+	`<.button type="submit" class="btn btn-primary">`
+	`Send invitations`
+	`</.button>`
+	`</.form>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def mount(_params, _session, socket) do`
+	`changeset = InviteForm.changeset(InviteForm.new(3), %{})`
+	`{:ok, assign(socket, :form, to_form(changeset, as: "invite_form"))}`
+	`end`
+
+	`def handle_event("validate", %{"invite_form" => params}, socket) do`
+	`changeset = InviteForm.validate(params)`
+	`{:noreply, assign(socket, :form, to_form(changeset, as: "invite_form"))}`
+	`end`
+
+	`def handle_event("save", %{"invite_form" => params}, socket) do`
+	`current_scope = socket.assigns.current_scope`
+
+	`url_fun = &url(~p"/invitations/accept/#{&1}")`
+
+	`with {:ok, emails} <- InviteForm.submit(params),`
+	`:ok <- Organizations.send_invitations_to_all(current_scope, emails, url_fun) do`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:info, "Sent invitations to #{length(emails)} email(s).")`
+	`\|> push_navigate(to: ~p"/~/#{current_scope.organization}/settings/members")}`
+	`else`
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`{:noreply, assign(socket, :form, to_form(changeset))}`
+
+	`{:error, _reason} ->`
+	`{:noreply,`
+	`socket`
+	`\|> put_flash(:error, "Failed to send invitation email(s).")`
+	`\|> push_patch(to: ~p"/~/#{current_scope.organization}/settings/members/invite")}`
+	`end`
+	`end`
+
+	`defmodule Form do`
+	`use Ecto.Schema`
+
+	`import Ecto.Changeset`
+
+	`embedded_schema do`
+	`embeds_many :invitations, Invitation do`
+	`field :email, :string`
+	`end`
+	`end`
+
+	`def new(count) do`
+	`%__MODULE__{`
+	`invitations: for(_ <- 1..count, do: %__MODULE__.Invitation{})`
+	`}`
+	`end`
+
+	`def validate(params) do`
+	`%__MODULE__{}`
+	`\|> changeset(params)`
+	`\|> Map.put(:action, :validate)`
+	`end`
+
+	`def submit(params) do`
+	`handle_result = fn form ->`
+	`form.invitations`
+	`\|> Enum.map(& &1.email)`
+	`\|> Enum.reject(&is_nil/1)`
+	`end`
+
+	`%__MODULE__{}`
+	`\|> changeset(params)`
+	`\|> apply_action(:insert)`
+	`\|> case do`
+	`{:ok, form} -> {:ok, handle_result.(form)}`
+	`{:error, _changeset} = reason -> reason`
+	`end`
+	`end`
+
+	`def changeset(form, attrs) do`
+	`form`
+	`\|> cast(attrs, [])`
+	`\|> cast_embed(:invitations,`
+	`required: true,`
+	`with: &invitation_changeset/2,`
+	`sort_param: :invitations_sort,`
+	`drop_param: :invitations_drop`
+	`)`
+	`end`
+
+	`def invitation_changeset(invitation, attrs) do`
+	`invitation`
+	`\|> cast(attrs, [:email])`
+	`\|> validate_format(:email, ~r/@/)`
+	`end`
+	`end`
+	`end`

Router changes

Three new routes are added:

The show route is public so that users who aren't logged in can be redirected to register first, with the invitation URL stored in their session.

lib/my_app_web/router.ex Reveal

	`-21,6 +21,8 @@ defmodule MyAppWeb.Router do`
	`pipe_through :browser`

	`get "/", PageController, :home`
+
+	`get "/invitations/accept/:token", Organization.InvitationController, :show`
	`end`

	`# Other scopes may use custom stacks.`
	`-60,6 +62,8 @@ defmodule MyAppWeb.Router do`
	`end`

	`post "/users/update-password", UserSessionController, :update_password`
+
+	`post "/invitations/accept", Organization.InvitationController, :accept`
	`end`

	`scope "/", MyAppWeb do`
	`-109,6 +113,7 @@ defmodule MyAppWeb.Router do`
	`live "/edit", OrganizationLive.Form, :edit`

	`live "/settings/members/add", MemberLive.Add, :add`
+	`live "/settings/members/invite", MemberLive.Invite, :invite`
	`live "/settings/members/:id/edit", MemberLive.Edit, :edit`
	`end`
	`end`

Database migration

The migration creates the organizations_invitations table with:

The token has a unique index to ensure fast lookups and prevent duplicate tokens.

priv/repo/migrations/0002_add_organizations_invitations.exs Reveal

	`-0,0 +1,19 @@`
+	`defmodule MyApp.Repo.Migrations.AddOrganizationsInvitations do`
+	`use Ecto.Migration`
+
+	`def change do`
+	`create table(:organizations_invitations, primary_key: false) do`
+	`add :id, :binary_id, primary_key: true`
+	`add :email, :string, null: false`
+	`add :token, :binary, null: false`
+
+	`add :organization_id, references(:organizations, type: :binary_id, on_delete: :delete_all),`
+	`primary_key: true`
+
+	`timestamps(updated_at: false)`
+	`end`
+
+	`create unique_index(:organizations_invitations, [:token])`
+	`create index(:organizations_invitations, [:organization_id])`
+	`end`
+	`end`

Install with Claude Code

Write instructions to implement this feature to your project directory in a LLM-friendly format, then have Claude take care of the rest! Requires Claude Code to be installed.

curl "https://elixir-saas.com/llms/p/organizations-invitations.md?v=1.8.3&f=impl" > organizations_invitations.md;

claude "Implement the feature that is documented in: organizations_invitations.md." --allowedTools "Write Edit Bash(mix:*) Bash(mkdir:*)";

Organizations with Invitations