Organizing customers into tenant(s)

Hi all,

I would like to learn more about the proper way of organizing resources.
We develop a PaaS product, where each of our customers owns a non-shared set of resources (a cluster with an API and an SPA web app).

Our design is to create a single Auth0 tenant and for each customer define:

  • Connection (Azure LDAP, SAML, etc.)
  • SPA Application
  • API

This way, each customer manages their own users in their IdP, we just allow them to log into the infrastructure via Auth0.

Now we are facing a problem - it seems that the SPA can send whatever “Audience” it wants and Auth0 will grant an access token.
So customer1 could potentially ask for a token with “audience” “api.customer2.paas.com”.

I have read the previous messages and it seems that the “Public-facing applications” cannot have any restrictions of this kind, because they are public.

What would be the best way to tie together a connection, application, and an API?
Should every customer have its own Auth0 tenant? Or should we write Auth0 Actions that verify that a user coming from connection_1 cannot try to access api_2?

Thank you!
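One way to implement the per-customer check the question proposes is a post-login Action that looks up the connection the user came from and denies the login when the requesting client or the requested audience belongs to another customer; this is an added example, not code from the original post or from Auth0. The connection names, client IDs and API identifiers in the map are hypothetical placeholders; `event.connection.name`, `event.client.client_id`, `event.resource_server.identifier` and `api.access.deny()` are the Auth0 Actions fields and API used.

```javascript
// Added example: tie connection, SPA client and API audience together per customer.
// All names/IDs below are hypothetical placeholders; replace with your own values.
const TENANT_MAP = {
  "customer1-saml": {
    clientIds: ["CLIENT_ID_CUSTOMER1_SPA"],
    audiences: ["https://api.customer1.paas.example"],
  },
  "customer2-azuread": {
    clientIds: ["CLIENT_ID_CUSTOMER2_SPA"],
    audiences: ["https://api.customer2.paas.example"],
  },
};

// Pure decision function so the policy can be unit-tested outside Auth0.
// Allows only when connection, client and (if requested) audience all belong
// to the same customer entry. A missing audience means no API access token was
// requested, so only the connection/client pairing is checked.
function decide(connectionName, clientId, audience, map = TENANT_MAP) {
  const entry = map[connectionName];
  if (!entry) {
    return { allow: false, reason: "unknown connection" };
  }
  if (!entry.clientIds.includes(clientId)) {
    return { allow: false, reason: "client not registered for this customer" };
  }
  if (audience !== undefined && !entry.audiences.includes(audience)) {
    return { allow: false, reason: "audience belongs to another customer" };
  }
  return { allow: true, reason: "ok" };
}

// Auth0 post-login Action entry point. event.resource_server is undefined when
// the client did not request an API audience.
async function onExecutePostLogin(event, api) {
  const audience = event.resource_server ? event.resource_server.identifier : undefined;
  const verdict = decide(event.connection.name, event.client.client_id, audience);
  if (!verdict.allow) {
    // Denial ends the transaction; no access token is issued for the wrong API.
    api.access.deny(`Access denied: ${verdict.reason}`);
  }
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```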