I’m seeking advice on how best to set up our application for B2B use. Right now, we have two use cases for our services:
- A single-page application where our customers can go and log in via Auth0.
- Customers can consume our backend API directly and use it within their offerings.
Right now what I’m thinking is the following:
- 1 SPA application for our web app. To separate customers, we could then create an Organization per customer.
- For direct API use, we'd then need to create an M2M application for each customer that needed access to the API directly, so they'd have different credentials.
Is this thinking correct? Would this be the recommended way of achieving this? I was reading "Different API access scenarios; own SPA, tenants, third-parties" and believe the use cases are quite similar, but I wasn't sure why we'd need to create multiple different applications for our customers if they all log in to our web application.
Your thinking is correct, and the approach you outlined is a recommended way to achieve your goals. By creating separate organizations per customer in your SPA application, you can ensure that each customer has their own isolated environment within your application. This separation can help manage customer-specific settings, configurations, and data.
For direct API use, creating an M2M application for each customer is indeed the recommended approach. This allows you to generate unique credentials (client ID and client secret) for each customer, ensuring secure and controlled access to your backend API. Each customer’s M2M application can then be configured with the appropriate scopes and permissions required for their specific use case.
Creating separate applications for customers logging into your web application is necessary because each customer’s application will have its own settings, configurations, and potentially different branding or customizations. This approach allows you to provide a tailored experience to each customer while maintaining separation and control over their data and settings.
- If all of our clients are going to use the same branding, settings and configurations, we only need to create one Auth0 Application that they will log into.
- If our clients need separate branding, settings and configurations, then we should create a separate Auth0 Application per client who requires different settings.
- For direct API usage, we need to create an M2M application per client.
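Whichever way the Auth0 side is set up, the backend API still has to tie each token to exactly one customer: SPA logins through an Organization carry an `org_id` claim, while client-credentials tokens from a per-customer M2M application carry no user and identify the caller by client ID. The following is an added example (not code from Auth0 or from this thread) of that tenant check; it assumes the claims have already passed signature, issuer, audience and expiry validation, assumes the Auth0 claim names `org_id`, `gty`, `azp` and `scope`, and uses a constructed client-to-customer registry with placeholder IDs.

```python
from dataclasses import dataclass

# Constructed registry: which M2M application (client_id) belongs to which
# customer. In practice this is your own table, filled in when the M2M app is
# created for that customer. Values are placeholders.
M2M_CLIENTS = {
    "m2m_acme_client_id": "org_acme",
    "m2m_globex_client_id": "org_globex",
}

@dataclass(frozen=True)
class Caller:
    customer: str        # Organization id the request is scoped to
    kind: str            # "user" (SPA login) or "machine" (client credentials)
    scopes: frozenset    # scopes granted in the token

class Unauthorized(Exception):
    pass

def resolve_caller(claims: dict) -> Caller:
    """Map already-verified access-token claims to one customer."""
    scopes = frozenset(claims.get("scope", "").split())
    if claims.get("gty") == "client-credentials":
        # M2M token: there is no end user; the calling application's
        # client_id is in `azp` (assumed Auth0 layout for these tokens).
        customer = M2M_CLIENTS.get(claims.get("azp"))
        if customer is None:
            raise Unauthorized("unknown M2M client")
        return Caller(customer, "machine", scopes)
    # SPA token: the user logged in through an Organization, so `org_id`
    # is present. A user token with no organization is rejected outright
    # rather than falling back to a default tenant.
    org = claims.get("org_id")
    if not org:
        raise Unauthorized("user token without organization")
    return Caller(org, "user", scopes)

def authorize(claims: dict, requested_customer: str, required_scope: str) -> Caller:
    """Reject cross-tenant access and missing scopes for either token kind."""
    caller = resolve_caller(claims)
    if caller.customer != requested_customer:
        raise Unauthorized("token not issued for this customer")
    if required_scope not in caller.scopes:
        raise Unauthorized(f"missing scope {required_scope}")
    return caller
```

The key property is that both token kinds resolve to a customer before any data is touched, so a valid token for one customer's M2M app or Organization cannot be replayed against another customer's resources.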