Hello Auth0 team,
We’re integrating Auth0 as the central identity provider in a multi-tenant SaaS platform for business management. Our platform supports B2B, B2C, and partner APIs that talk to our backend.
Our backend is built on a microservices architecture, with services like Booking, Customer Management, Inventory, and Payments — each with its own API surface and access rules.
We are looking for Auth0’s official recommendation on:
1. How should each microservice validate that a request has permission to perform an operation?
   - Should permissions or roles be embedded into the access token?
   - Or should authorization be handled by a centralized service or token introspection?
2. What token structure does Auth0 recommend for this model?
   - Should we include scopes only?
   - Or also embed roles, tenant ID, and fine-grained permissions via custom claims?
3. What is the preferred approach for tenant isolation and per-tenant role mapping in this case?
   - Should we use Organizations?
   - Or model tenants via custom claims and metadata?
4. How should feature access (based on subscription plans) be modeled and validated in a scalable way?
   - Should plan-level feature flags be included in tokens?
   - Or resolved externally per request?
We’re not looking for general guidance — we’d like to understand what Auth0 officially recommends for secure, scalable authorization in this architecture, particularly when access control needs to be enforced at the microservice level.
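Added worked example, not part of the original post and not Auth0's code or official guidance: the token-side checks one microservice (say, Inventory) would run locally if permissions and a tenant identifier are carried in the access token, so that no per-request call back to the identity provider is needed. Everything in it is an assumption for the sake of a runnable, offline example: the token is an HS256 JWT signed with a shared secret (a real Auth0 API access token is RS256-signed and the service verifies it against the tenant's JWKS endpoint instead of a shared key), the claim names `permissions` and `org_id`, the issuer URL, the API audience string, and the sample token contents are all constructed. The point it demonstrates is the order of checks a service must not skip: pin the algorithm, verify the signature, check issuer, audience and expiry, and only then read permissions and compare the token's tenant with the tenant the request targets.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real service takes these from config.
SECRET = b"example-shared-secret-do-not-use"   # assumed HS256 key (Auth0 uses RS256 + JWKS)
ISSUER = "https://example-tenant.auth0.com/"   # assumed issuer URL
API_AUDIENCE = "https://api.example.com"       # assumed API identifier


class AuthError(Exception):
    """The token itself is unacceptable (maps to HTTP 401)."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a JWT. alg='none' yields an unsigned token, used only to show it is rejected."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: float = None) -> dict:
    """Validate algorithm, signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the service expects; never trust the header's alg.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in audiences:
        raise AuthError("token not issued for this API")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("token expired")
    return claims


def authorize(claims: dict, tenant_in_path: str, required_permission: str) -> bool:
    """Local decision: the token's tenant must match the request's tenant, and the
    operation's permission must be present in the token."""
    if claims.get("org_id") != tenant_in_path:
        return False  # tenant isolation: never serve another tenant's data
    return required_permission in claims.get("permissions", [])


def handle_request(token: str, tenant_in_path: str, required_permission: str, now: float = None):
    """What an endpoint does with the bearer token: 401 for a bad token,
    403 for a valid token that lacks the right, 200 otherwise."""
    try:
        claims = verify_token(token, now)
    except AuthError as err:
        return 401, str(err)
    if not authorize(claims, tenant_in_path, required_permission):
        return 403, "forbidden"
    return 200, "ok"


def demo_token(now: float, alg: str = "HS256") -> str:
    """Constructed sample token; the claim names are assumptions."""
    return mint_token({
        "iss": ISSUER, "sub": "auth0|user123", "aud": [API_AUDIENCE],
        "exp": int(now) + 3600, "org_id": "org_acme",
        "permissions": ["booking:read", "inventory:read"],
    }, alg)


def tamper_permissions(token: str, permissions: list) -> str:
    """Rewrite the payload but keep the original signature, as an attacker who
    can read but not sign tokens would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["permissions"] = permissions
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    tok = demo_token(time.time())
    print(handle_request(tok, "org_acme", "inventory:read"))    # (200, 'ok')
    print(handle_request(tok, "org_acme", "inventory:write"))   # (403, 'forbidden')
    print(handle_request(tok, "org_other", "inventory:read"))   # (403, 'forbidden')
    forged = tamper_permissions(tok, ["inventory:write"])
    print(handle_request(forged, "org_acme", "inventory:write"))  # (401, 'bad signature')
    print(handle_request(demo_token(time.time(), "none"), "org_acme", "inventory:read"))  # (401, 'unexpected alg')
```

The 401/403 split matters operationally: a 401 means the token could not be trusted at all (tampered, expired, wrong audience), while a 403 means a genuine caller asked for something outside its permissions or another tenant's resource, which is the signal a detection pipeline wants to alert on. Whatever claim names and tenant model are ultimately chosen, the audience check is what stops a token minted for one API from being replayed against another service in the mesh.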