I’m building a multi-tenant SaaS application storing tenant details in the users' app_metadata field as suggested here. I want to distribute a CLI that customers can use on shared hosts (such as their CI infrastructures) with access to the API.
- I understand how the Device Authorization Flow can help me protect this CLI with end-user authentication. But that would mean having an end-user’s token on a shared host. (This is what I have implemented so far as I’m failing to figure out a better solution).
- I understand how the Client Authorization Flow can help me protect this CLI with client-based authentication. But that would mean that the access token wouldn’t hold any tenant information (unless I’m missing a way to somehow customize the issued token?).
- I believe what I really need is a “tenant access token”, bound to no particular user, yet holding the tenant information (which the API uses to restrict access).
One thing I considered is to create a “service account” user per tenant, but I don’t see any way (for example through the Management API) to generate an access token for a user outside of the authorization flow. I guess I could initiate a Resource Owner Password Flow from my backend and generate an access token for that service account but it feels… wrong.
Am I missing something obvious? Is none of this making sense? I’m pretty new to all this, so feel free to challenge my entire reasoning here; it won’t hurt my feelings.
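Whichever flow ends up minting the token, the property the post is after (a token "bound to no particular user, yet holding the tenant information") only helps if the API enforces the tenant claim itself rather than trusting a tenant ID the CLI sends in the request. The following is an added example, not code from the original post or from any identity provider: a minimal API-side check in Python that verifies a JWT and authorizes on a tenant claim. It assumes a namespaced custom claim name (`https://example.com/tenant_id`), an HS256 shared secret that stands in for the provider's real signing key (Auth0 access tokens are RS256-signed in practice, so a real API would verify against the provider's JWKS), and constructed sample tokens: a user token, a client-credentials-style token that carries the tenant claim, and a bare client token without it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Union

# Assumptions for the demo: a constructed HS256 secret standing in for the
# provider's signing key, and a namespaced custom claim carrying the tenant.
SECRET = b"constructed-demo-secret-not-for-production"
TENANT_CLAIM = "https://example.com/tenant_id"
ISSUER = "https://example-tenant.example.com/"   # placeholder issuer
AUDIENCE = "https://api.example.com"              # placeholder API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict) -> str:
    """Toy HS256 signer that plays the role of the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature, expiry, issuer and audience.
    Raises ValueError on any failure; base64/JSON errors are ValueErrors too."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept 'none' or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    return claims


def authorize_tenant_access(token: str, requested_tenant: str) -> Tuple[bool, Union[str, dict]]:
    """The API-side decision: the tenant comes from the verified token, never
    from the request. Works the same for user-bound and client-bound tokens."""
    try:
        claims = verify(token)
    except ValueError as exc:
        return (False, str(exc))
    tenant = claims.get(TENANT_CLAIM)
    if not tenant:
        return (False, "no tenant claim")
    if tenant != requested_tenant:
        return (False, "tenant mismatch")
    return (True, claims)


def demo() -> dict:
    """Constructed tokens covering the cases discussed above."""
    exp = int(time.time()) + 3600
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": exp}
    # Device-flow style: a real end user whose app_metadata yielded the tenant.
    user_tok = mint({**base, "sub": "auth0|user123", TENANT_CLAIM: "acme"})
    # Client-credentials style with the tenant added as a custom claim.
    tenant_client_tok = mint({**base, "sub": "svc-client-id@clients",
                              "gty": "client-credentials", TENANT_CLAIM: "acme"})
    # Client-credentials style with no tenant information at all.
    bare_client_tok = mint({**base, "sub": "svc-client-id@clients",
                            "gty": "client-credentials"})
    return {
        "user_token": authorize_tenant_access(user_tok, "acme"),
        "tenant_client_token": authorize_tenant_access(tenant_client_tok, "acme"),
        "bare_client_token": authorize_tenant_access(bare_client_tok, "acme"),
        "cross_tenant": authorize_tenant_access(tenant_client_tok, "globex"),
        "tampered": authorize_tenant_access(tenant_client_tok[:-3] + "AAA", "acme"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: allowed={result[0]} ({result[1] if not result[0] else 'ok'})")
```

The point of the example is that a client-bound token and a user-bound token are interchangeable from the API's perspective as long as the tenant claim is present and verified; the bare client token is rejected for lack of a tenant, and a token for one tenant cannot reach another tenant's resources.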