Hi, we are planning to implement a multi-tenant architecture for our web app hosted in AKS. We are already using Auth0 as an IdP; now we want more granularity for user management. The core idea is to implement an architecture so that users from different organizations can log in to our web app and access the resources that are meant for them, using the same web app and its APIs. These organizations will have different storages and databases. We will have a single URL where the users should log in; I'm not sure about how the organization will be chosen from there. Overall, can anyone please give me a walkthrough of the entire process? An example article would also be fine.
Hi @datamatica.in,
Welcome back to the Auth0 Community!
I can provide a step-by-step walkthrough for achieving this with Auth0.
1. Create Database Connections.
2. Create Organizations and link each organization to its respective database.
   - In your organization settings, go to the Connections tab and enable its database connection.
3. Set up your Auth0 application.
   - In your application settings, go to the Connections tab and enable the organization database connection.
   - In the Login Experience tab, select the type of users to be Business Users; in the Login Flow, select Prompt for Organization. Now, when you go to log in, you will first be asked what organization you're part of, and depending on the organization name that you input, you will be presented with its respective database connection and be able to log in.
If you have any other questions, feel free to reach out.
Have a good one,
Vlad
Thanks @vlad.murarasu for the reply. But I think you have misunderstood my query. My backend will handle the connections, storage accounts, etc. Suppose I created 2 organizations and added users to them, and I have db1 and storage 1 for org 1 and db2 and storage 2 for org 2. When a user from org 1 logs in, can we pass a header or something to include org1, so that Auth0 knows a user from org 1 has logged in and responds with a token with the org claim? My backend would then extract that claim and process it accordingly, so that the org 1 user gets served only the content from db1 and storage 1. Is this possible? If so, do I need a paid plan, and what are the steps to be initialized from Auth0?
Thanks
Hi @datamatica.in,
Yes, this is absolutely possible and is the recommended way to handle multi-tenancy with Auth0. When a user authenticates through an Organization, Auth0 automatically adds an `org_id` claim to the Access Token and ID Token. This `org_id` is the secure and reliable identifier your backend can use to retrieve the correct resources for that tenant.
Here are the steps to achieve the architecture you’ve described:
1. Use Auth0 Organizations: This is the foundational feature for your multi-tenant application.
   - First, you'll need to create your organizations (e.g., "Org 1", "Org 2") in the Auth0 Dashboard under Organizations.
   - You can then add or invite users to their respective organizations.
2. Receive the Organization Claim: When a user logs in as part of an organization, the issued Access Token will contain an `org_id` claim by default.
   - Example claim in the token payload:

     ```json
     {
       "iss": "https://YOUR_DOMAIN/",
       "sub": "auth0|xxxxxxxxxx",
       "aud": [ "https://your-api-identifier/" ],
       "iat": 1663000000,
       "exp": 1663086400,
       "azp": "YOUR_CLIENT_ID",
       "scope": "openid profile email",
       "org_id": "org_xxxxxxxxxx"
     }
     ```

   - Your backend API should validate the Access Token and then extract the `org_id` value. This value can be used as a key to look up the correct database connection string, storage account details, and other tenant-specific configurations.
3. Add Custom Claims with Actions (Optional): If you want to pass more information than just the `org_id`, such as the database name or storage tier, you can store this in the organization's metadata and use an Auth0 Action to add it to the token.
   - In your Auth0 Dashboard, navigate to Organizations, select an organization, and go to Metadata. Add your key-value pairs:
     - `database_name`: `db1`
     - `storage_account`: `storage1`
   - Create a Login Flow Action to add this metadata to the token:

     ```javascript
     exports.onExecutePostLogin = async (event, api) => {
       // Only runs when the login went through an Organization
       if (event.organization) {
         const namespace = 'https://your-app.com/'; // Use a unique namespace
         const orgMetadata = event.organization.metadata;
         // Set claims for the Access Token
         api.accessToken.setCustomClaim(`${namespace}database_name`, orgMetadata.database_name);
         api.accessToken.setCustomClaim(`${namespace}storage_account`, orgMetadata.storage_account);
         // You can also set them for the ID Token if needed
         api.idToken.setCustomClaim(`${namespace}database_name`, orgMetadata.database_name);
       }
     };
     ```

   - Now your backend can extract these custom claims directly from the token, simplifying your lookup logic.
4. Pricing Plan: To answer your other question, you can create up to 5 Organizations using the free plan. You can check all the benefits over at https://auth0.com/pricing.
Have a good one,
Vlad