Availability varies by Auth0 plan
This feature is available for B2B Professional, Enterprise, and Enterprise premium plans. To learn more, read Pricing.
To scope each request to a given organization, include the corresponding
org_id claim to machine-to-machine tokens. API servers must consider and enforce this claim when authorizing access to API resources and data. To learn more, read Work with Tokens and Organizations.
Let’s consider our fictitious Travel0 company to show two relevant example use cases.
Open up APIs to third-party applications
Using Auth0 Organizations and the , Travel0 offers a self-service portal where customers can create and manage their own organization. Travel0 wants to make it easy for customers to build bots to help end users find and purchase adventures. Therefore, as part of this portal, Travel0 allows customers to register their applications (e.g. the bots) to consume the Travel0 API on their own behalf using machine-to-machine access. In this use case, cross-organization access must be correctly controlled so that applications belonging to one organization can only access that organization’s data via the Travel0 API. Machine-to-Machine Access for Organizations allows you to configure Client Credentials access for each API by associating it with a specific organization. In the following diagram, the applications of our example organization, org_X, can only access the Travel0 API within the scope of org_X. You can also configure access from a single application to several organizations in cases where aggregators are used. With M2M Access for Organizations, you control which applications can access a specific organization using machine-to-machine access on a per API basis.
Isolation of organizations for internal applications
Travel0 also has some internal processes and CLI tools that need to access the Travel0 API using the Client Credentials Flow. To apply a unified access control strategy on the API, Travel0 wants requests from its own applications to be scoped to a specific organization to ensure only the right data is accessed in each case.