How can my backend know which company a user belongs to?

Hi All,

I am building an SPA with a backend API that will be used by multiple companies, with each company having several users.

The problem I am facing is that if I have 2 users, one from company X and one from company Y, how can my backend know which company that user belongs to so that it can return the correct data to the user?

Do I add permissions to the users e.g. company:companyX & company:companyY so that my backend can distinguish between the users?

Or is there another (better) method for doing this?

Thanks!

Hi @jk.chauhan,

Welcome to the Auth0 Community Forum!

I think using metadata could be a reasonable solution for this.

You can add the users metadata to the access token as a custom claim.

Hope this helps!

Thanks,
Dan

Hi Dan

Thanks for your message.

I have successfully managed to write the rule, and I am able to get the company that the user belongs to in the id token after setting it in the app_metadata.

My next question is how can my backend get this information as well?
The app_metadata is only set in the id token which doesn’t get sent to the api so it still has no knowledge of which company the user belongs to.

I’ve read about the /userinfo api endpoint for getting user information so should my backend make a call to the endpoint and get the app_metadata that way? And should it use the access token that the client sent to it to access this api?

Thanks

Jay
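Putting Dan's suggestion and Jay's follow-up together, as an added example that is not code from the thread: an Auth0 rule that copies the `app_metadata` company into a namespaced custom claim on the access token as well as the ID token, and the API-side helper that reads that claim from an already-verified access token and scopes every query by it. The namespace URL, audience, field names and the `listInvoices` data store are assumptions.

```javascript
// Part 1: an Auth0 Rule with the classic (user, context, callback) signature.
// It copies app_metadata.company into a namespaced custom claim on BOTH the
// access token and the ID token, so the API sees it without calling /userinfo.
// Namespace and field names are assumptions (rule-added claims must be namespaced).
const CLAIM_NS = 'https://example.com/';
const COMPANY_CLAIM = CLAIM_NS + 'company';

// UnauthorizedError is a global inside the Auth0 rule sandbox; the fallback
// only exists so this example also runs outside it.
const DenyError = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class extends Error {};

function addCompanyClaim(user, context, callback) {
  const company = user.app_metadata && user.app_metadata.company;
  if (typeof company !== 'string' || company === '') {
    // No tenant assignment: deny login instead of minting a token the API
    // could not scope (a missing claim must never mean "all companies").
    return callback(new DenyError('User is not assigned to a company'));
  }
  context.accessToken[COMPANY_CLAIM] = company;
  context.idToken[COMPANY_CLAIM] = company;
  return callback(null, user, context);
}

// Part 2: the API side. `claims` is the payload of an access token whose
// signature, expiry and issuer have ALREADY been verified by the JWT middleware
// in front of the route (e.g. express-jwt against the tenant's JWKS).
function companyFromClaims(claims, expectedAudience) {
  // Re-check aud so a token minted for a different API cannot be replayed here.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) {
    throw new Error('token was not issued for this API');
  }
  const company = claims[COMPANY_CLAIM];
  if (typeof company !== 'string' || company === '') {
    throw new Error('access token carries no company claim');
  }
  return company;
}

// Tenant scoping comes from the verified token, never from a request parameter
// the caller controls. `db` stands in for a real data store (constructed input).
function listInvoices(claims, db) {
  const company = companyFromClaims(claims, 'https://api.example.com');
  return db.filter((row) => row.company === company);
}
```

With the claim in the access token the API does not need a `/userinfo` round trip per request; it validates the token it received and reads the claim. A `/userinfo` call would also be rate limited and only confirms what the signed token already says.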
