Using 2 different tenants for user signup and login for 3rd party applications

Hi,

We’re starting to use Auth0 as the main identity provider for all our users (signup and login using user/password, Google, Facebook, etc.) within our product.

We also want to enable 3rd party applications to build on top of our APIs and, for that, to use the OAuth2 user consent flow, where our users give consent to use our APIs on their behalf.

We were thinking about separating these functionalities into 2 different tenants: 1 tenant is responsible only for all the internal workflows (where we will have our 1st party applications) and the other tenant only to create 3rd party applications (with custom actions and whatnot).

I have 2 questions here:

  1. Is that something that is considered best practice and is being done?
  2. Will we have the same identifier across the 2 tenants for the same user?

Thanks

Hi @gregra

Thank you for contacting the Auth0 community.

The same user in two different tenants will get different IDs because tenants will have two different user db sources.

What is the reason behind maintaining two different tenants?

Thanks
Jeff


Thank you for the quick reply @jeff0. The reason is to have a full decoupling between the authentication and authorization data/flows between our private tenant and the 3rd party applications, to decrease the chance of data leak (like actions that act upon one tenant but shouldn’t act on the other).

Does that make sense?
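The two points raised in this thread, that the same person gets unrelated IDs in each tenant and that a backend for one tenant should not act on tokens from the other, illustrated as an added example (not code from the thread or from Auth0). The tenant hostnames, subjects, e-mail and the `AccountDirectory` class are constructed placeholders; signature verification of the tokens is assumed to have happened upstream.

```python
from typing import Dict, Optional, Tuple

# Constructed ID-token claim sets (signature already verified upstream is assumed).
# Tenant hostnames, subjects and e-mail are placeholders, not real Auth0 data.
INTERNAL_ISSUER = "https://example-internal.us.auth0.com/"
THIRD_PARTY_ISSUER = "https://example-3rdparty.us.auth0.com/"

INTERNAL_CLAIMS = {"iss": INTERNAL_ISSUER, "sub": "auth0|internal-11111",
                   "email": "alice@example.com", "email_verified": True}
THIRD_PARTY_CLAIMS = {"iss": THIRD_PARTY_ISSUER, "sub": "auth0|thirdparty-99999",
                      "email": "alice@example.com", "email_verified": True}

Subject = Tuple[str, str]  # (issuer, sub): the only stable identity key


def canonical_subject(claims: Dict) -> Subject:
    """The same person gets an unrelated `sub` in each tenant, so the identity
    key is the pair (iss, sub), never `sub` alone."""
    return (claims["iss"], claims["sub"])


def accept_for_tenant(claims: Dict, expected_issuer: str) -> Optional[Subject]:
    """Issuer pinning: a backend that serves one tenant rejects tokens minted by
    the other, which is the isolation the two-tenant split is meant to provide."""
    if claims.get("iss") != expected_issuer:
        return None
    return canonical_subject(claims)


class AccountDirectory:
    """Hypothetical mapping of external subjects to one internal account id.
    Linking across tenants is done here only via a verified e-mail match."""

    def __init__(self) -> None:
        self._by_subject: Dict[Subject, str] = {}
        self._by_email: Dict[str, str] = {}
        self._next = 1

    def resolve(self, claims: Dict) -> str:
        subject = canonical_subject(claims)
        if subject in self._by_subject:
            return self._by_subject[subject]
        # Only a verified e-mail may link a new subject to an existing account.
        email = claims.get("email") if claims.get("email_verified") else None
        account = self._by_email.get(email) if email else None
        if account is None:
            account = f"acct-{self._next}"
            self._next += 1
            if email:
                self._by_email[email] = account
        self._by_subject[subject] = account
        return account
```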