Multi-tenancy

3 min read·Updated May 7, 2026

Most B2B SaaS is multi-tenant: each customer (a tenant) gets their own workspace, users, and permissions. Authaz handles the isolation — you don't write the filters.

curl -X POST https://your-app.authaz.io/api/v1/applications \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Customer Portal",
    "tenancyType": "multi_tenant",
    "tenancyMode": "shared"
  }'

Pick a model#

Three options. Decide at application-creation time — the model can't be migrated in place.

Single-tenant#

application
└── users   (one pool, all peers)

One pool. No tenants. Roles apply application-wide.

For B2C, internal tools, anything where "customer workspace" doesn't apply.

Shared pool

Previous: Access Explorer
Next: Tenancy Customization

application
└── users   (one pool)
    └── memberships → tenant A · tenant B · tenant C

application
├── tenant A → users pool A
├── tenant B → users pool B
└── tenant C → users pool C

curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/tenants \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp", "metadata": {"plan": "pro"}}'

Operation	Application-scoped	Tenant-scoped
List users	`GET /v1/users`	`GET /v1/applications/{appId}/tenants/{tenantId}/users`
Send invitation	`POST /v1/invitations`	`POST /v1/applications/{appId}/tenants/{tenantId}/invitations`
Assign a role	`POST /v1/role-assignments`	`POST /v1/applications/{appId}/tenants/{tenantId}/role-assignments`
Provider config	`PUT /v1/applications/{appId}/auth/...`	`PUT /v1/applications/{appId}/tenants/{tenantId}/auth/...`

https://your-app.authaz.io/oauth2/authorize
  ?client_id=...
  &tenant_id=tenant_acme
  &response_type=code
  &...

curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/tenants/{tenantId}/role-assignments \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "userId": "user_01h...", "roleId": "role_admin" }'

curl -X POST https://your-app.authaz.io/api/v1/authorization/check \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "user_01h...",
    "resource": "invoices",
    "action": "create",
    "tenantId": "tenant_acme"
  }'


API key without a tenant claim	Hits app-scoped paths, sees everything.
JWT without a `tenant_id` claim	Same effect — Authaz won't auto-scope.

Multi-tenancy

Pick a model#

Single-tenant#

Shared pool

Isolated pools#

Create a tenant#

Tenant-scoped Management API#

Tokens carry the tenant#

Tenant-scoped permissions#

Cross-tenant access#

Next#