Which UI do you use?

Custom UI

Pre built UI

Paid Feature

This is a paid feature. Email us to get a license key to start a SuperTokens subscription.

If you want to try this feature without contacting us, you can sign up for our managed service, and use this feature in our development environment for free.

Users and tenants

When a user is created, they assigned to the tenantId using which they signed up. This means that that user can only login into that tenant. SuperTokens allows you to assign a user ID to multiple tenants as long as that user's email / phone number is unique for that login method, for each of the new tenants. Once associated with multiple tenants, that user can login to each of the tenants they have been assigned to.

For example, if a user signs up with email password login in the public tenant with email user@example.com, they can be assigned to another tenant (t1 for example), as long as t1 doesn't already have an email password user with the same email (i.e. user@example.com).

In order to associate a user with a tenant, you can call the following API:

NodeJS

Important

For other backend frameworks, you can follow our guide on how to spin up a separate server configured with the SuperTokens backend SDK to authenticate requests and issue session tokens.

GoLang

import Multitenancy from "supertokens-node/recipe/multitenancy";

async function addUserToTenant(userId: string, tenantId: string) {
    let resp = await Multitenancy.associateUserToTenant(tenantId, userId);

    if (resp.status === "OK") {
        // User is now associated with tenant
    } else if (resp.status === "UNKNOWN_USER_ID_ERROR") {
        // The provided user ID was not one that signed up using one of SuperTokens' auth recipes.
    } else if (resp.status === "EMAIL_ALREADY_EXISTS_ERROR") {
        // This means that the input user is one of  passwordless or email password logins, and the new tenant already has a user with the same email for that login method. 
    } else if (resp.status === "PHONE_NUMBER_ALREADY_EXISTS_ERROR") {
        // This means that the input user is a passwordless user and the new tenant already has a user with the same phone number, for passwordless login.
    } else {
        // status is THIRD_PARTY_USER_ALREADY_EXISTS_ERROR
        // This means that the input user had already previously signed in with the same third party provider (e.g. Google) for the new tenant.
    }
}

Python

note

Coming Soon

cURL

Asyncio

note

Coming Soon

Syncio

note

Coming Soon

Single app setup

curl --location --request POST '/<TENANT_ID>/recipe/multitenancy/tenant/user \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "userId": "..."
}'

Multi app setup

curl --location --request POST '/<TENANT_ID>/recipe/multitenancy/tenant/user \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "userId": "..."
}'

In the above code, we are associating userId with the tenant with ID TENANT_ID. The output of the above API will have the following status response:

• "OK": User association with tenant was successful
• "UNKNOWN_USER_ID_ERROR": The provided user ID was not one that signed up using one of SuperTokens' auth recipes.
• "EMAIL_ALREADY_EXISTS_ERROR": This means that the input user is one of passwordless or email password logins, and the new tenant already has a user with the same email for that login method.
• "PHONE_NUMBER_ALREADY_EXISTS_ERROR": This means that the input user is a passwordless user and the new tenant already has a user with the same phone number, for passwordless login.
• "THIRD_PARTY_USER_ALREADY_EXISTS_ERROR": This means that the input user had already previously signed in with the same third party provider (e.g. Google) for the new tenant.

You can even remove a user's access from a tenant using the API call shown below. In fact, you can remove a user from all tenants that they have access to, and the user and their metadata will still be in the system, however they will not be able to login into any tenant. To remove a user from a tenant, call the following API:

NodeJS

Important

For other backend frameworks, you can follow our guide on how to spin up a separate server configured with the SuperTokens backend SDK to authenticate requests and issue session tokens.

GoLang

import Multitenancy from "supertokens-node/recipe/multitenancy";

async function removeUserFromTeannt(userId: string, tenantId: string) {
    let resp = await Multitenancy.disassociateUserFromTenant(tenantId, userId);

    if (resp.wasAssociated) {
        // User was removed from tenant
    } else {
        // User was never a part of the tenant anyway
    }
}

Python

note

Coming Soon

cURL

Asyncio

note

Coming Soon

Syncio

note

Coming Soon

Single app setup

curl --location --request POST '/<TENANT_ID>/recipe/multitenancy/tenant/user/remove \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "userId": "..."
}'

Multi app setup

curl --location --request POST '/<TENANT_ID>/recipe/multitenancy/tenant/user/remove \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "userId": "..."
}'

important

• Users can only be shared across tenants and not across apps.
• If your app has two tenants, that are in different database locations, then you cannot share users between them.