What is a multi-tenant identity server?
A multi-tenant identity server is a single authentication and authorization system that serves many separate applications or organizations, called tenants, while keeping each tenant's users, settings, and data fully isolated from the others. One deployment, many independent identity boundaries.
The terms, briefly
- Identity server: the system that authenticates users (verifies who they are) and authorizes them (decides what they can access), typically using the OAuth 2.0 and OpenID Connect standards. It issues the tokens your apps trust.
- Tenant: a self-contained boundary: one customer, organization, or product. Each tenant has its own users, connections, and configuration.
- Multi-tenant: the same identity server hosts many tenants at once, isolating them from each other instead of running a separate server per tenant.
Single-tenant vs multi-tenant
| | Single-tenant | Multi-tenant |
|---|---|---|
| Tenants per deployment | One | Many, isolated |
| New customer/org | Stand up new infrastructure | Create a tenant (instant) |
| Operational cost | Grows with each tenant | Shared, scales centrally |
| Typical use | One internal app | SaaS, B2B, many products |
Multi-tenancy is what lets a SaaS business onboard a new customer organization without provisioning new infrastructure, and lets a team run several products from one identity system.
How Faable Auth implements multi-tenancy
Faable Auth is multi-tenant by design. Four concepts model the whole product:
- Account: your tenant, hosted at https://<account>.auth.faable.link or your own custom domain.
- Connections: the sources of users for that tenant: database (email + password), social, passwordless, or generic OIDC.
- Clients β the applications that run OAuth flows against the tenant.
- Users & Teams β identities grouped into teams with role-based access control (RBAC).
Tenants are isolated by host, so orgs, teams, and users stay separate without extra plumbing. On top of this you get social login, passwordless, enterprise SSO/SAML, MFA, machine-to-machine tokens, Actions, and Webhooks, all hosted 100% in Europe under GDPR.
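Host-based isolation only holds if the host is parsed strictly and a token is accepted only for the tenant that issued it. The sketch below is an added example, not Faable Auth code: it resolves a tenant from a request host using the URL pattern above and checks the `iss` claim of an already signature-verified token. The custom-domain table, the function names, and the assumption that the issuer equals the tenant's base URL are hypothetical.

```python
import re

BASE_SUFFIX = ".auth.faable.link"  # host pattern taken from the page
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label

# Constructed sample data (assumption): custom domain -> account name.
CUSTOM_DOMAINS = {"login.example.com": "acme"}


def resolve_tenant(host_header):
    """Map a Host header value to an account name, or None if no tenant matches."""
    host, _, port = host_header.strip().lower().partition(":")
    if port and not port.isdigit():
        return None  # malformed port or IPv6 literal: never a tenant host
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    if host in CUSTOM_DOMAINS:
        return CUSTOM_DOMAINS[host]
    if not host.endswith(BASE_SUFFIX):
        return None  # rejects lookalikes such as acme.auth.faable.link.evil.example
    account = host[: -len(BASE_SUFFIX)]
    # Exactly one label: rejects "" and nested names such as a.b.auth.faable.link
    return account if LABEL.fullmatch(account) else None


def allowed_issuers(account):
    """Issuer URLs accepted for an account (assumed to be its base URLs)."""
    urls = {f"https://{account}{BASE_SUFFIX}"}
    urls.update(f"https://{d}" for d, a in CUSTOM_DOMAINS.items() if a == account)
    return urls


def token_belongs_to_request(claims, host_header):
    """True only if verified token claims come from the tenant the host resolves to."""
    account = resolve_tenant(host_header)
    iss = claims.get("iss")
    if account is None or not isinstance(iss, str):
        return False
    return iss.rstrip("/") in allowed_issuers(account)
```

Signature, expiry, and audience validation are out of scope here and must happen before this check; the issuer comparison only stops a valid token from one tenant being accepted by another.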