Multitenant Application approach validation


I’d like to validate our approach to a multitenant application.

For our use case, we have setup a REST api as well as a SPA application in our Auth0 Tenant. Each user in the tenant can possibly have access to more than one tenant with different permissions for each tenant.

To do this we have added a list of permissions for each tenants in the user “app_metadata” that we then add to the token. This allows our API to just have to look at the token to know what tenants a user can access and what it permission it has for those tenants without having to query our backend service to check what permission the user has. The downside is that it makes it somewhat harder to change a users permission.

I have a few questions regarding this.

  1. Is it a correct approach? if not, what would be a recommended approach?

  2. What would be a recommended way to let my tenant create their own application to access the API?