Can two tenants share the same API?

We have two different sets of users.

End users that have our hardware installed in their homes, and also partners, who do the actual installation of the hardware. In my mind they should use different apps and I don’t see them ever logging in to the other app. So my thinking is that they should live in different tenants. I guess another option is to use roles, but not sure if that makes sense here.

I think they will use different APIs, but there might be some overlap where they call the same API. The installers can sort of be seen as the “parent” of the end user, where they might want to monitor some parts of the user data. Are there any recommendations on this type of setup? Can I simply pick the issuer out of the token and validate the token against the issuer domain?
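An added example, not part of the original post: one way an API shared by two tenants can select validation settings from the token's `iss` claim, treating that claim as an untrusted lookup key into a fixed allowlist. The issuer URLs, audience and secrets are constructed, and HS256 with a per-tenant secret is an assumption made to stay within the standard library; with asymmetric signing, each allowlist entry would hold that tenant's pinned public keys instead.

```python
import base64, hashlib, hmac, json, time

# Constructed allowlist: one entry per tenant this API accepts (hypothetical values).
API_AUDIENCE = "https://api.example.com"
TRUSTED_ISSUERS = {
    "https://endusers.example.com/": b"enduser-demo-secret",
    "https://partners.example.com/": b"partner-demo-secret",
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims, secret):
    """Build an HS256 token; used here only to construct sample input."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def validate(token, now=None):
    """Return the verified claims, or raise ValueError naming the failed check."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_b64d(head_b64)), json.loads(_b64d(body_b64))
        sig = _b64d(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # iss is unverified at this point: it only selects an allowlist entry and is
    # never used to build a key URL or to decide which host to contact.
    iss = claims.get("iss")
    secret = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if secret is None:
        raise ValueError("untrusted issuer")
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("expired")
    return claims
```

After validation, the verified `iss` tells the API which tenant the caller belongs to, so authorization rules for installers and end users can branch on it.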