Multi-Tenancy
LumoAuth is a multi-organization identity platform. Every resource — users, applications, roles, configurations — is scoped to an organization, so data is fully isolated between organizations while they share a single deployment.
What is Multi-Tenancy?
An organization in LumoAuth represents an isolated identity domain. Each organization has its own:
- Users and user profiles
- OAuth applications and API clients
- Roles, permissions, and access policies
- Authentication settings (MFA, social login, SSO)
- Branding and custom domains
- Audit logs and compliance data
Organizations are completely isolated from each other. A user in one organization cannot access resources in another organization.
URL Structure
Every organization is accessed through its unique slug in the URL:
https://your-domain.com/orgs/{orgId}/...
| Path | Purpose |
|---|---|
| /orgs/{orgId}/portal/ | Organization admin portal dashboard |
| /orgs/{orgId}/portal/applications | Manage OAuth applications |
| /orgs/{orgId}/portal/access-management/ | Users, roles, groups, permissions |
| /orgs/{orgId}/portal/configuration/ | Auth settings, social login, SAML, LDAP |
| /orgs/{orgId}/api/v1/ | Organization API endpoints |
| /orgs/{orgId}/api/v1/oauth/authorize | OAuth authorization endpoint |
| /orgs/{orgId}/api/v1/oauth/token | Token endpoint |
| /orgs/{orgId}/.well-known/openid-configuration | OIDC discovery |
With custom domains, you can map auth.yourdomain.com to your organization, removing the /orgs/{orgId} prefix entirely.
Use Cases
| Scenario | How Multi-Tenancy Helps |
|---|---|
| SaaS Platform | Each customer gets their own organization with separate users and settings |
| Enterprise Departments | Each department maintains independent identity configurations |
| Environments | Separate organizations for dev, staging, and production |
| White-Label Products | Each brand operates under its own custom domain |
Organization Isolation
LumoAuth enforces organization isolation at every layer:
| Layer | Isolation Mechanism |
|---|---|
| Data | All database queries are scoped to the current organization |
| Authentication | Login sessions are organization-specific |
| API | All API requests require organization context |
| Configuration | Auth settings, MFA policies, social providers are per-organization |
| Audit Logs | Logs are organization-scoped and cannot be accessed cross-organization |
| Tokens | Access tokens include organization claims and are validated per-organization |
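The Tokens and API rows above, sketched as the check a resource server could run itself. This is an added example, not LumoAuth code: it binds an already signature-verified token to the organization addressed by the request, covering both the /orgs/{orgId} path form and a custom domain. Assumptions: the claim name `org_id`, the issuer being the discovery URL without its /.well-known suffix, and the constructed custom-domain mapping.

```python
import re

BASE_HOST = "your-domain.com"                   # shared deployment host, as on this page
CUSTOM_DOMAINS = {"auth.acme.example": "acme"}  # constructed custom-domain mapping
ORG_PATH = re.compile(r"^/orgs/([A-Za-z0-9_-]+)(/.*)?$")  # assumed orgId character set


class TenantMismatch(Exception):
    """The request and the token do not belong to the same organization."""


def resolve_org(host, path):
    """Return the organization a request addresses (path expected to be normalized)."""
    host = host.lower().rstrip(".")
    if host in CUSTOM_DOMAINS:
        # Custom domain: no /orgs/{orgId} prefix, the host alone selects the org.
        return CUSTOM_DOMAINS[host]
    m = ORG_PATH.match(path)
    if host != BASE_HOST or not m:
        raise TenantMismatch("request carries no organization context")
    return m.group(1)


def issuers_for(org_id):
    """Issuer URLs assumed valid for one org: path form plus its custom domains."""
    out = {f"https://{BASE_HOST}/orgs/{org_id}"}
    out |= {f"https://{d}" for d, o in CUSTOM_DOMAINS.items() if o == org_id}
    return out


def check_tenant_binding(claims, host, path):
    """Reject a signature-verified token presented to a different organization."""
    org_id = resolve_org(host, path)
    if claims.get("iss") not in issuers_for(org_id):
        raise TenantMismatch(f"issuer {claims.get('iss')!r} not valid for {org_id!r}")
    if claims.get("org_id") != org_id:  # "org_id" is a hypothetical claim name
        raise TenantMismatch(f"token org {claims.get('org_id')!r} is not {org_id!r}")
    return org_id


# Constructed claims, as they would look after signature and expiry checks passed.
ACME_TOKEN = {"iss": "https://your-domain.com/orgs/acme", "org_id": "acme", "sub": "u1"}
```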
In This Section
| Guide | Description |
|---|---|
| Organization Setup | Create, configure, and manage organizations |
| Organization Portal | Navigate the organization admin portal |
| Custom Domains | Map your own domain to an organization |