Skip to main content
Paid Feature

This is a paid feature. For self hosted users, Sign up to get a license key and follow the instructions sent to you by email. This will start a SuperTokens subscription.

If you are using the development environment of our managed service you can use this feature for free. If you want to enable this feature for the production environment, please email us

Multitenant and Enterprise SSO login

Multitenant login is a feature that lets you customize the login experience for each of your customers. For example, a customer customer1 hosted on can have login with Active Directory and Google, and another customer customer2 hosted on can have login with Okta and Facebook.

This is also the page that you should see if you want to implement sign in with:

  • Okta (thirdPartyId: "okta")
  • SAML (thirdPartyId: "boxy-saml")
  • Active Directory (thirdPartyId: "active-directory")
  • Google Workspaces (thirdPartyId: "google-workspaces")
  • GitLab (thirdPartyId: "gitlab")
  • Bitbucket (thirdPartyId: "bitbucket")
  • Or any other workforce IdP

Step 1: Create and configure a new tenant in SuperTokens core#

Each tenant can be configured with a unique tenantId, and the list of third party connections (Active Directory, Google etc..) that should be allowed for them.

You can create a new tenant using our backend SDKs or via a cURL command to the core.

import Multiteancy from "supertokens-node/recipe/multitenancy";

async function createTenant() {
let resp = await Multiteancy.createOrUpdateTenant("customer1", {
thirdPartyEnabled: true,

if (resp.createdNew) {
// new tenant was created
} else {
// existing tenant's config was modified.

Once a tenant is created, add their thirdparty providers as shown below.

import Multiteancy from "supertokens-node/recipe/multitenancy";

async function createTenant() {
let resp = await Multiteancy.createOrUpdateThirdPartyConfig("customer1", {
thirdPartyId: "active-directory",
name: "Active Directory",
clients: [{
clientId: "...",
clientSecret: "...",
oidcDiscoveryEndpoint: "<directoryId>/v2.0",

if (resp.createdNew) {
// Active Directory added to customer1
} else {
// Existing active directory config overwritten for customer1

The above shows how to add an Active Directory config for the customer1 tenant. You can see the config structure for all the in built providers on this page.

Step 2: Build your multi tenant a UX flow#

The most common multi tenant flows are:

  • Tenants use a common domain to login: All tenants login using the same page (for example, and are optionally redirected to their sub domain post login. At the start of the login flow, the customer will have to input their tenantId / workspace URL / identifier - as defined by you, and the login methods shown would be based on their tenantId.
  • Tenants use their sub domain to login: Here, each tenant has a sub domain assigned to them (for example,, ...), and they would visit their sub domain to login and access their app. Each sub domain's login experience may be different (as defined by you or the tenant).

SuperTokens is flexible enough to allow other forms of UX as well, but since the above two flow are most common, we provide dedicated docs for them (see the links above).

See also#

Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI