Existing Multi-Tenant Website w/ Proprietary Auth calling new Web API and want to filter all DB calls by Tenant

Hello all,
I want to thank you for your time. I have reviewed the docs but am not sure of the best practice for this specific scenario. I currently have a website that does its own Authentication/Authorization, storing credentials in a DB. I can't migrate the existing site to Auth0 as there are a bunch of other ramifications. I also have a brand new API which I want to secure using Auth0.

  1. Basically I want to be able to filter all Application DB calls within the API based on the current caller's Tenant, but I do not want to have them authenticate twice, once against the existing DB and a second time for API access.

  2. Here is the flow. User logs into website > username/pass in DB authenticates > associates TenantID for that user > web site code calls tenant-specific DB based on tenant Claim. We are adding a new REST API but do not want to use the same auth mechanism, hence Auth0. There will be a subset of pages in the site calling the new API, and we want the API to be aware of the Tenant but authenticate using Auth0. There is a single backend, but we want to filter all DB calls based on a Tenant Identifier.

Any advice would be greatly appreciated.

You are asking for best practice but you are using a homebrew identity system? In any case, the OAuth grant type of client credentials would be used as best practice. Callers of your API would be given a Client ID and Secret to request access tokens. Almost all identity systems include the client ID in the minted JWT access token. So your API (resource server) would validate the token with a JWT verifier, extract the Client ID and map it to a tenant. For simplicity you could make your tenant ID the same as the Client ID. Even without OAuth you can accomplish the same by having your API accept simple web tokens given to each customer that map to a tenant. This is a very weak security model should your customers ever expose their web API key inadvertently.
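The flow the answer describes (client-credentials access token, JWT verification in the API, client ID extracted from the token, client ID mapped to a tenant, every DB query filtered by that tenant), as an added example that is not part of the original thread and not Auth0's code. It uses a minimal HS256 verifier written with the Python standard library in place of a real JWT library; Auth0 signs access tokens with RS256, so a production API would verify against the tenant's JWKS with a proper JWT library instead. The signing secret, issuer, audience, client IDs, the client-to-tenant map and the `orders` rows are all constructed values, and the client ID is assumed to travel in the `azp` claim, which is where Auth0 places it for client-credentials grants.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed values for the demo; none of them come from the original thread.
SIGNING_SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://example.auth0.com/"     # assumed issuer URL
API_AUDIENCE = "https://api.example.com"  # assumed API identifier (aud)

# Hypothetical client ID -> tenant map owned by the API. The tenant is always
# derived from a verified token, never from anything the caller sends directly.
CLIENT_TO_TENANT = {
    "client_abc123": "tenant-1",
    "client_def456": "tenant-2",
}


class TokenError(Exception):
    """Any reason the API refuses a bearer token."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id: str, ttl: int = 300, aud: str = API_AUDIENCE) -> str:
    """Stand-in for the issuer: mint an HS256 JWT for a client-credentials grant."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": f"{client_id}@clients", "aud": aud,
              "azp": client_id, "gty": "client-credentials", "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def retarget_token(token: str, other_client_id: str) -> str:
    """What a caller might try: rewrite azp to another client without re-signing."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["azp"] = other_client_id
    claims["sub"] = f"{other_client_id}@clients"
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def verify_token(token: str, now=None) -> dict:
    """Resource-server side: check alg, signature, exp, iss and aud; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only trust the claims once the signature is known to be good.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token") from None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != API_AUDIENCE and not (isinstance(aud, list) and API_AUDIENCE in aud):
        raise TokenError("wrong audience")
    return claims


def tenant_for_token(token: str, now=None) -> str:
    """Map the verified token's client ID (azp) to a tenant the API knows about."""
    client_id = verify_token(token, now).get("azp")
    if client_id not in CLIENT_TO_TENANT:
        raise TokenError("unknown client")
    return CLIENT_TO_TENANT[client_id]


def build_db() -> sqlite3.Connection:
    """Constructed single-backend table holding rows for two tenants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, tenant_id TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "tenant-1", "widget"), (2, "tenant-1", "gadget"), (3, "tenant-2", "gizmo")])
    return db


def handle_request(db: sqlite3.Connection, bearer_token: str, now=None):
    """Simulated GET /orders: returns (200, rows) or (401, reason).

    The WHERE clause uses the tenant derived from the token, so a caller can
    only ever see its own tenant's rows regardless of what else it sends.
    """
    try:
        tenant = tenant_for_token(bearer_token, now)
    except TokenError as err:
        return 401, str(err)
    rows = db.execute("SELECT id, item FROM orders WHERE tenant_id = ? ORDER BY id",
                      (tenant,)).fetchall()
    return 200, [{"id": r[0], "item": r[1]} for r in rows]
```

Two points carry over to a real deployment. First, the tenant comes out of `CLIENT_TO_TENANT` after the signature, `exp`, `iss` and `aud` checks pass; a token that has been edited to name another client fails on the signature, so filtering by tenant is only as strong as the verifier in front of it. Second, the answer's "simple web token" fallback amounts to replacing `verify_token` with a lookup of a static key in a table: it still maps a caller to a tenant, but a leaked key is then a permanent credential with no expiry, audience or issuer binding, which is the weakness the answer warns about.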