Multi-Tenant Applications Best Practices

Multi-tenancy is when a single instance of software runs on a server that is accessible to multiple groups of users. Auth0's Public Cloud is an example of a multi-tenant application. Your applications, settings, and connections are a single tenant, which shares resources with other tenants in the Public Cloud. To learn more about tenants, read Create Tenants. To learn more about Auth0's Public Cloud, read Deployment Options.

Please note that this article is not about using multiple Auth0 tenants. It is about using Auth0 to secure your own multi-tenant application.

There are several ways you can secure multi-tenant applications with Auth0. You can handle your multi-tenancy needs with one of the following approaches:

  • Use multiple connections

  • Identify different tenants by application

  • Store tenant details in app_metadata

  • Use separate Auth0 tenants

Entity limits may apply. To learn more, read Entity Limit Policy. If you have an Enterprise subscription, you will not be constrained due to entity limits, but you may be constrained by a connection that already has thousands of enabled clients.

Multiple connections

You can use multiple connections to handle your tenants. Each connection represents and contains a different pool of users.

Using multiple connections introduces additional layers of complexity, but there are several scenarios where the upsides of this option outweigh the downsides:

  • You have different Connection-level requirements, such as varying password policies, for each of your Applications.

  • You have user pools from different Connections. For example, one app may have users providing username/password credentials, while another app handles Enterprise logins.

To implement this, you can call /authorize with a connection specified for the user, using the connection option in the Auth0 SPA SDK, or by passing a connection parameter to the authorize() method in Auth0.js.

If you use Lock in your applications, Lock supports a maximum of 50 database connections per application. Enterprise connections are not affected by this limit. If you use the New Universal Login Experience, Lock is not involved and this limitation therefore does not affect you.

Entity limits may apply. To learn more, read Entity Limit Policy. If you have an Enterprise subscription, you will not be constrained due to entity limits, but you may be constrained by a connection that already has thousands of enabled clients.

Identify tenants by application

You can represent each of your tenants with a separate application in Auth0.

Representing each of your tenants with an application allows you to configure each one differently. You can also enable/disable connections for individual applications if your tenants have varying requirements. Doing so, however, requires you to track the tenants to which your users belong within your application. Then, when they log in, you will need to specify the application they are to use.

Entity limits may apply. To learn more, read Entity Limit Policy. If you have an Enterprise subscription, you will not be constrained due to entity limits, but you may be constrained by a connection that already has thousands of enabled clients.

In the Management API, to enable a connection for all clients, you need to pass all the clients in that array when calling PATCH /api/v2/connections/:id. When the clients are in the hundreds of thousands, the payload exceeds our allowed payload size for an API request and makes it impossible to do this.

Store tenant details in app_metadata

Storing tenant details in the user metadata is the simplest of the implementation scenarios we cover in this article.

Using the identifier of your choice (e.g., "tenant": "customer_12345"), you can store tenant-related details in the app_metadata. Doing so allows all of your users, regardless of which tenant to which they belong, to log in using one uniform method.

You can check for this value in your application after users log in and are redirected. This will help you sort users.

Create separate Auth0 tenants for each customer

You can create a new Auth0 tenant for each of your application's tenants.

We recommend that you follow this approach only if you need to share access to the Auth0 Dashboard with individual customers. Otherwise, one of the above solutions is a more practical and easy to manage one than attempting to manage many Auth0 tenant dashboards, which is also not a scalable solution as your customer base grows.

This method requires you to use a different set of Auth0 credentials when calling Auth0 APIs to authenticate users belonging to each customer because you would be using different applications on different Auth0 tenants (with different Client IDs) for each of your customers.