Service account / tenant token

Hello :wave:

I’m building a multi-tenant SaaS application storing tenant details in the user’s app_metadata field as suggested here. I want to distribute a CLI that customers can use on shared hosts (such as their CI infrastructures) with access to the API.

  • I understand how the Device Authorization Flow can help me protect this CLI with end-user authentication. But that would mean having an end-user’s token on a shared host. (This is what I have implemented so far as I’m failing to figure out a better solution).
  • I understand how the Client Authorization Flow can help me protect this CLI with client-based authentication. But that would mean that the access token wouldn’t hold any tenant information (unless I’m missing a way to somehow customize the issued token?).
  • I believe what I really need is a “tenant access token”, bound to no particular user, yet holding the tenant information (which the API uses to restrict access).

One thing I considered is to create a “service account” user per tenant, but I don’t see any way (for example through the Management API) to generate an access token for a user outside of the authorization flow. I guess I could initiate a Resource Owner Password Flow from my backend and generate an access token for that service account but it feels… wrong.

Am I missing something obvious? Is none of this making sense? I’m pretty new to all this so feel free to challenge my entire reasoning here, it won’t hurt my feelings :slight_smile:


Hi @arnaudp,

Based on the Authorization Flow guide (Which OAuth 2.0 Flow Should I Use?), it sounds like the Client Credentials flow is right for your situation since the client is the resource owner.

With Client Credentials flow, you can add tenant-specific data to tokens in custom claims by using a Client Credentials Exchange hook:
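
Added example, not part of the reply above and not Auth0's own code: one way a Client Credentials Exchange hook can put the tenant into the access token, together with the matching check on the API side. It assumes one machine-to-machine application per customer; the `tenant_id` application-metadata key, the `https://api.example.com/` claim namespace and the helper names are hypothetical.

```javascript
// Hook body, using the Auth0 Hooks signature (client, scope, audience, context, cb).
// Assumption: your backend sets a `tenant_id` key in the metadata of each
// customer's machine-to-machine application when the tenant is provisioned.
const NAMESPACE = 'https://api.example.com/'; // hypothetical claim namespace

function clientCredentialsExchange(client, scope, audience, context, cb) {
  const tenantId = client.metadata && client.metadata.tenant_id;
  // Fail closed: an application with no valid tenant binding gets an error,
  // never a token that the API might treat as tenant-less or global.
  if (typeof tenantId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(tenantId)) {
    return cb(new Error('client is not bound to a tenant'));
  }
  const access_token = { scope: scope };
  // The tenant comes from server-side metadata only, never from the request,
  // so the CLI cannot choose its own tenant.
  access_token[NAMESPACE + 'tenant_id'] = tenantId;
  cb(null, access_token);
}

// API side. `claims` is the payload of a token whose signature, issuer,
// audience and expiry have already been verified by your JWT library.
function tenantFromVerifiedClaims(claims) {
  const tenantId = claims[NAMESPACE + 'tenant_id'];
  if (typeof tenantId !== 'string' || tenantId === '') {
    throw new Error('token carries no tenant claim');
  }
  return tenantId;
}

// Every data access compares the token's tenant with the resource's tenant.
function canAccess(claims, resource) {
  return tenantFromVerifiedClaims(claims) === resource.tenantId;
}

// When deployed as a hook, the function is the module's export.
if (typeof module !== 'undefined') module.exports = clientCredentialsExchange;
```

Because the client secret on the shared host only ever yields tokens for its own tenant, revoking or rotating that one application's secret cuts off the CI host without touching any end-user account.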
