We are building a B2B multi-tenant SaaS platform where each customer (organization) has its own workspace with multiple members and roles (owner, admin, editor, viewer). Currently we have ~50 users across 3 organizations, with expected growth.
We are evaluating two approaches:
Approach A: Auth0 as Source of Truth
Auth0 manages users, roles, and organization membership. PostgreSQL stores only product data. Backend relies on JWT + Management API.
Approach B: Auth0 for Authentication Only
Auth0 handles login only. After login, users are stored in PostgreSQL, and all reads (profiles, roles, org membership, permissions) come from DB. No sync with Auth0 after login.
Questions:
Which approach is commonly used in B2B SaaS?
Will Auth0 Management API rate limits be an issue in Approach A?
Is Approach B a recommended pattern in real-world usage?
Any better hybrid approach?
Would really appreciate guidance from people who have built similar systems.
Before I tackle your 4 main points, allow me to say that you are on the right track using Auth0 Organizations, as this feature is designed specifically for B2B customers and also, having your architecture on a single tenant can greatly reduce cost and potential management difficulties.
When it comes to the questions presented:
Having Auth0 as the source of truth (Option A) is a very common approach which simplifies your architecture by centralizing user management within Auth0, which works great when also using our Organizations feature. Having everything in one place usually requires the least amount of general implementation and maintenance steps.
This will depend heavily on how many calls to the Management API your application will need to make for every user action before hitting the Rate Limit. In addition, these limits depend on your tenant’s subscription level and you can consult our Rate Limit Configurations for the specific limits imposed for each subscription tier.
As you scale, you will be more likely to hit the rate limits, in which case a couple of common ways to mitigate this would be:
Upgrading your subscription to accommodate a larger influx of Management API calls. I warmly recommend getting in contact with our Sales team who can provide more insight as to the most suited subscription model for your use-case and expected growth;
Handling rate-limiting errors in your application: you can implement logic in your code to handle rate limiting by checking the X-RateLimit-Remaining header and responding as the returned number approaches 0. Please check the following GitHub repo.
It is indeed a common pattern to use Auth0 only for authentication and is applicable for scenarios like:
complex user schemas, where the profiles require larger amounts of information or heavily nested attributes, it might be a better fit to use a database like PostgreSQL instead of storing the information on Auth0’s user metadata;
if your application needs to read data at very low latency, it would likely be faster than making API calls to the Auth0 API;
in case you are integrating with legacy data systems, it could be better to keep the user data in the already existing database instead of migrating.
I warmly recommend our blog post on Building Single-Tenant vs. Multi-Tenant Apps with Auth0 for this topic, as it outlines key factors such as benefits and drawbacks of isolation for B2B Applications and presents additional points about choosing the right model for B2B. A great case for using a hybrid approach:
take full advantage of Auth0’s core functions to secure user authentication with basic user information (email, name, etc.);
store user data in your PostgreSQL database when they need to be frequently accessed, or if the database has a complex structure;
implement logic using Auth0 Actions to keep your PostgreSQL database in sync with Auth0.
I hope this helped paint a clearer picture as to the right approach for your use-case and once again, please do not hesitate to reach out to our Sales team to further understand the best choices for the subscription tier that would reliably support both your infrastructure and your growth forecast.
For any other issues or concerns, we are here to help!
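The answer's second point (handling Management API rate limits by watching X-RateLimit-Remaining) in working form. This is an added example, not code from the thread or from Auth0: a pure decision function that inspects the X-RateLimit-Remaining / X-RateLimit-Reset headers (reset is documented as UTC epoch seconds) and Retry-After on a 429, plus a thin client that applies the decision. The `fetchImpl`, `sleep` and `now` parameters, the low-water mark of 5 and the 1 s minimum backoff are assumptions chosen so the logic can be exercised without a network.

```javascript
// Added example (not from the original thread or Auth0's own code).
const LOW_WATER_MARK = 5;    // assumption: start pausing when this few calls remain in the window
const MIN_BACKOFF_MS = 1000; // assumption: never retry a 429 faster than this

// Read the documented X-RateLimit-* headers from any object with a .get(name) method
// (a fetch Headers instance in production, a plain stub in tests).
function parseRateLimitHeaders(headers) {
  const num = (name) => {
    const v = headers.get(name);
    return v === null || v === undefined ? null : Number(v);
  };
  return {
    limit: num('x-ratelimit-limit'),
    remaining: num('x-ratelimit-remaining'),
    resetAt: num('x-ratelimit-reset'), // UTC epoch seconds
  };
}

// Decide what to do after one response. Returns one of:
//   { action: 'proceed', pauseUntilMs } -> usable response; maybe pause before the next call
//   { action: 'retry',   waitMs }       -> 429: wait, then resend the same request
//   { action: 'fail' }                  -> 429 and retries are exhausted
function decide({ status, headers }, attempt, nowMs, maxRetries = 3) {
  const info = parseRateLimitHeaders(headers);
  const resetMs = info.resetAt === null ? null : info.resetAt * 1000;
  if (status === 429) {
    if (attempt >= maxRetries) return { action: 'fail' };
    const retryAfter = headers.get('retry-after'); // seconds, takes precedence when present
    const waitMs = retryAfter
      ? Number(retryAfter) * 1000
      : Math.max(MIN_BACKOFF_MS, resetMs === null ? MIN_BACKOFF_MS : resetMs - nowMs);
    return { action: 'retry', waitMs };
  }
  // Proactive throttling: when the quota is nearly spent, hold the next call until the window resets.
  const nearlyExhausted = info.remaining !== null && info.remaining <= LOW_WATER_MARK;
  return { action: 'proceed', pauseUntilMs: nearlyExhausted && resetMs !== null ? resetMs : 0 };
}

class ThrottledManagementClient {
  constructor({ token, fetchImpl = globalThis.fetch,
                sleep = (ms) => new Promise((r) => setTimeout(r, ms)),
                now = Date.now, maxRetries = 3 }) {
    Object.assign(this, { token, fetchImpl, sleep, now, maxRetries });
    this.pauseUntilMs = 0; // earliest time the next request may be sent
  }

  async request(url, init = {}) {
    const headers = { ...(init.headers || {}), authorization: `Bearer ${this.token}` };
    for (let attempt = 0; ; attempt++) {
      const wait = this.pauseUntilMs - this.now();
      if (wait > 0) await this.sleep(wait);
      const res = await this.fetchImpl(url, { ...init, headers });
      const d = decide(res, attempt, this.now(), this.maxRetries);
      if (d.action === 'proceed') { this.pauseUntilMs = d.pauseUntilMs; return res; }
      if (d.action === 'fail') throw new Error(`Management API still rate limited after ${this.maxRetries} retries`);
      await this.sleep(d.waitMs);
    }
  }
}
```

In production you would construct the client with a Management API token and the global `fetch`; the decision logic is kept separate from I/O so the backoff rules can be unit-tested and tuned per subscription tier without touching the request path.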
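The hybrid approach from the answer (Auth0 for authentication and basic profile, PostgreSQL for frequently read data, an Auth0 Action keeping the two in sync) as an added example; this is not code from the thread or from Auth0. It is a post-login Action that upserts the user and their Organization membership into PostgreSQL. The table and column names, the `DATABASE_URL` secret name and the injected `query(sql, params)` function are assumptions; in a deployed Action that function would wrap a `pg` client built from `event.secrets`.

```javascript
// Added example (not from the original thread or Auth0's own code).

// Map the post-login event to the columns persisted in PostgreSQL. Only the basics
// are copied; richer profile data lives in PostgreSQL and is never written back to Auth0.
function userRowFromEvent(event) {
  const u = event.user;
  return {
    auth0_user_id: u.user_id,
    email: u.email ?? null,
    email_verified: Boolean(u.email_verified),
    display_name: u.name ?? null,
    last_login_at: new Date().toISOString(),
  };
}

// Organization context and the roles Auth0 resolved for this login, or null when the
// user logged in outside any Organization.
function membershipFromEvent(event) {
  if (!event.organization) return null;
  return { auth0_org_id: event.organization.id, roles: event.authorization?.roles ?? [] };
}

// Parameterised upserts (assumed schema: app_users, org_memberships). Roles are
// replaced wholesale so a role removed in Auth0 disappears on the next login.
// `query(sql, params)` is injected so the mapping can be checked without a database.
async function syncUserToPostgres(event, query) {
  const row = userRowFromEvent(event);
  await query(
    `INSERT INTO app_users (auth0_user_id, email, email_verified, display_name, last_login_at)
     VALUES ($1, $2, $3, $4, $5)
     ON CONFLICT (auth0_user_id) DO UPDATE
       SET email = EXCLUDED.email, email_verified = EXCLUDED.email_verified,
           display_name = EXCLUDED.display_name, last_login_at = EXCLUDED.last_login_at`,
    [row.auth0_user_id, row.email, row.email_verified, row.display_name, row.last_login_at]);
  const m = membershipFromEvent(event);
  if (m) {
    await query(
      `INSERT INTO org_memberships (auth0_user_id, auth0_org_id, roles)
       VALUES ($1, $2, $3)
       ON CONFLICT (auth0_user_id, auth0_org_id) DO UPDATE SET roles = EXCLUDED.roles`,
      [row.auth0_user_id, m.auth0_org_id, m.roles]); // node-postgres serialises the array to text[]
  }
  return { user: row, membership: m };
}

// Action entry point. A sync failure is logged rather than blocking login: this favours
// login availability over strict consistency, which is a design choice to revisit if
// your authorization reads must never see a stale row.
const onExecutePostLogin = async (event, api) => {
  const { Client } = require('pg'); // assumption: pg added as an Action dependency
  const client = new Client({ connectionString: event.secrets.DATABASE_URL }); // assumed secret name
  try {
    await client.connect();
    await syncUserToPostgres(event, (sql, params) => client.query(sql, params));
  } catch (err) {
    console.log('postgres sync failed:', err.message);
  } finally {
    await client.end().catch(() => {});
  }
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Because the Action runs on every login, the PostgreSQL copy converges to Auth0's view without any Management API calls on the read path, which is what keeps Approach B's low-latency reads while leaving Auth0 as the place where membership and roles are administered.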