API credentials for clients in a multi-tenant setup


I am designing a multi-tenant authentication/authorization setup, in which different client applications (tenants) will require access to an API that I manage. Just to clarify, each tenant will run several NodeJS/Go applications on separate servers, all of which require scopes/permissions that set them apart from the other tenants.

I’ve gone over the Auth0 pricing page, and I’m trying to understand if Auth0 would be a good fit for my case, because it seems that I would have no way of avoiding the “Enterprise” plan if I understand the different application types correctly.

After going over the documentation, it seems that the most fitting implementation would be to create an M2M App (client ID + client secret pair) for each of my clients (tenants). Each client would generate an access token using the id+secret and use that to access the API. On the server side, I would verify the validity of each token and make sure it contained the required scopes, and grant access accordingly. Clients would use this token until it expires, then generate a new token using the same id+secret pair.

If I were to use this design, it seems that I would reach a large number of M2M Apps as my tenant list grows, and if I understand correctly, at ~100 tenants I would require the “Enterprise” plan, which surely exceeds my budget at this point in time.

Is there a better way of implementing the requirements I’ve described, which doesn’t lead to “endless” M2M Apps? It doesn’t seem very scalable, so I guess I must be missing something.

Thank you for any input.

Hi @subtlestag,

Thanks for reaching out.

If I understand your requirements correctly (dynamically issuing client credentials to third-party applications), you are going to run into application entity limits and you will need an enterprise subscription to proceed beyond the Self-Service limits.

You can take a look at our startup plan, which is meant for early-stage companies that are preparing to scale.

Hi @dan.woda, thank you for the response.

Is there a way I can achieve a similar result without reaching the application entity limits? Are M2M Applications the only way to get unique credentials per tenant (app running on a user’s server)? Is there a way that Users can generate tokens that have qualities similar to M2M Apps?

Thank you

Hi @subtlestag,

Issuing client credentials would be the OAuth2 way to handle this scenario. Returning a token would require a set of credentials.

I see. Looking at this from another angle, if an M2M App is authorized to access a specific API (http://myapi/v1), with a certain list of Permissions (e.g. read:contacts, write:calendar), would it be possible to request an access token that only grants a subset of the Permissions? In other words, request a token (https://me.auth0.com/oauth/token) using a client ID and client secret, but only for read:contacts?