Multi tenant architecture

I’m confused as to how best use auth0 to implement the following multi tenant scenario

  • User logs in with Native App (WPF application) and is logged into specific tenant (or given a list if more than one available)
  • Native App can call api to make requests. Api verifies that the user should have access to this tenant.

The api must of course be able to tell what tenants the user can interact with (the current tenant could be called using a host such as but then the api needs to know that the current token is valid for tenant1)

Using the OIDC client and not explicitly specifying an audience, I can log in to the native client and look at the groups claim to determine what tenants the user is allowed to access, but the access token returned isn’t valid for the api. If I specify the api as the audience, I get a valid access token, and call the api but no claim information as to what tenants the user is allowed to access, and what permissions they have.

This article has some information but doesn’t describe a multi tenant scenario: mobile api

I’m really not even sure if an api is what I want for this scenario, the documentation is a little confusing. Essentially I want to create a multi tenant ASP.Net api with a WPF frontend

I hope that makes sense… feel free to ask if I haven’t clarified something.

I’ve figured out passing the tenants as claims. This article (OpenID Connect Scopes) explains that you have to namespace the claims when passing an audience. I created a rule to put the “groups” claim in as a tenant and can now access that from the client.

I can then use the access token from the api to call the /userinfo endpoint to get the tenants and validate that the selected tenant is valid. I’m not sure yet how one would have different scopes per tenant though.

I’m having the same difficulty understanding how to authorize a user’s tenant for a backend API in my app. Can you elaborate more on your solution? Thanks…