Next.js Multi-tenant web app - auth0 rules vs application

Hi all,

I have a multi-tenant web application (Next.js) with domains expressed like this:

What is the recommended way of authenticating users based on the path?

i.e., how do I handle a user that is logged in as tenant1 but navigates to tenant2’s secured page?

Do you do that at the Auth0 level, with a rule that would detect the context and match it with a permission or an app_metadata setting, for example?

Or do you deal with this situation at the app level?

What’s best practice? Thank you.

After a bit of research I’ve decided to go the Auth extension route and give my tenants permissions/role that I will parse inside my app through app_metadata using a rule attaching the app_metadata to the user object.

Next step is to create some logic at the app level.
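As an added example (not the poster's code), one way to wire the approach described above: an Auth0 rule that copies app_metadata into a namespaced ID-token claim, and an app-side check that compares the tenant in the requested path against that claim. The claim namespace and the path scheme (tenant as the first path segment) are assumptions, since the post does not show its domain format.

```javascript
// Added example, not from the original post. Assumptions: (1) an Auth0 rule
// copies user.app_metadata.tenants into a namespaced ID-token claim; (2) the
// tenant is the first path segment, e.g. /tenant1/dashboard (assumed scheme).
const CLAIM_NS = 'https://example.com/app_metadata'; // hypothetical namespace

// Auth0 rule (same (user, context, callback) signature real rules use):
// attach the user's tenant list from app_metadata as a custom claim.
function attachAppMetadataRule(user, context, callback) {
  const meta = user.app_metadata || {};
  context.idToken[CLAIM_NS] = { tenants: meta.tenants || [] };
  return callback(null, user, context);
}

// App side: extract the tenant slug from the path; null if there is none
// or if the segment is not a plain slug (no path tricks, no empty segment).
function tenantFromPath(pathname) {
  const seg = pathname.split('/').filter(Boolean)[0];
  return seg && /^[a-z0-9-]+$/i.test(seg) ? seg.toLowerCase() : null;
}

// App side: allow only if the verified claim lists this tenant. Deny by
// default on a missing claim, an unlisted tenant, or a path without one.
function isAllowed(claims, pathname) {
  const tenant = tenantFromPath(pathname);
  const allowed = (claims && claims[CLAIM_NS] && claims[CLAIM_NS].tenants) || [];
  return tenant !== null &&
    allowed.map((t) => String(t).toLowerCase()).includes(tenant);
}

// Constructed sample: a user granted tenant1 only, run through the rule,
// then checked against their own tenant, another tenant, and the root path.
function demo() {
  const user = { app_metadata: { tenants: ['tenant1'] } };
  const context = { idToken: {} };
  attachAppMetadataRule(user, context, () => {});
  return {
    own: isAllowed(context.idToken, '/tenant1/settings'),   // true
    other: isAllowed(context.idToken, '/tenant2/settings'), // false
    noTenant: isAllowed(context.idToken, '/'),               // false
  };
}
```

The claims object passed to isAllowed must come from a verified ID token or a server-side session, never from anything the client can edit.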