Skip to main content

If you are using our backend SDK that is lesser than the following versions, please visit the older documentation link here.

Paid Feature

This is a paid feature.

For self hosted users, Sign up to get a license key and follow the instructions sent to you by email. Creation of tenants is free on the dev license key.

This feature is already enabled for managed service users. Creation of additional tenant is free on the provided development environment.

Multitenant and Enterprise SSO login

Multitenant login is a feature that lets you customize the login experience for each of your customers. For example, a customer customer1 hosted on can have login with Active Directory and Google, and another customer customer2 hosted on can have login with Okta, Facebook and magic link based login.

This is also the page that you should see if you want to implement sign in with:

  • Okta (thirdPartyId: "okta")
  • SAML (thirdPartyId: "boxy-saml")
  • Active Directory (thirdPartyId: "active-directory")
  • Google Workspaces (thirdPartyId: "google-workspaces")
  • GitLab (thirdPartyId: "gitlab")
  • Bitbucket (thirdPartyId: "bitbucket")
  • Or any other workforce IdP

Step 1: Create and configure a new tenant in SuperTokens core#

Each tenant can be configured with a unique tenantId, and the list of third party connections (Active Directory, Google etc..) that should be allowed for them.

You can create a new tenant using our backend SDKs or via a cURL command to the core.

import Multitenancy from "supertokens-node/recipe/multitenancy";

async function createNewTenant() {

let resp = await Multitenancy.createOrUpdateTenant("customer1", {
passwordlessEnabled: true,
thirdPartyEnabled: true

if (resp.createdNew) {
// new tenant was created
} else {
// existing tenant's config was modified.

Once a tenant is created, add their thirdparty providers as shown below.

import Multiteancy from "supertokens-node/recipe/multitenancy";

async function createTenant() {
let resp = await Multiteancy.createOrUpdateThirdPartyConfig("customer1", {
thirdPartyId: "active-directory",
name: "Active Directory",
clients: [{
clientId: "...",
clientSecret: "...",
oidcDiscoveryEndpoint: "<directoryId>/v2.0",

if (resp.createdNew) {
// Active Directory added to customer1
} else {
// Existing active directory config overwritten for customer1

The above shows how to add an Active Directory config for the customer1 tenant. You can see the config structure for all the in built providers on this page.

Step 2: Build your multi tenant a UX flow#

The most common multi tenant flows are:

  • Tenants use a common domain to login: All tenants login using the same page (for example, and are optionally redirected to their sub domain post login. At the start of the login flow, the customer will have to input their tenantId / workspace URL / identifier - as defined by you, and the login methods shown would be based on their tenantId.
  • Tenants use their sub domain to login: Here, each tenant has a sub domain assigned to them (for example,, ...), and they would visit their sub domain to login and access their app. Each sub domain's login experience may be different (as defined by you or the tenant).

SuperTokens is flexible enough to allow other forms of UX as well, but since the above two flow are most common, we provide dedicated docs for them (see the links above).

See also#

Looking for older versions of the documentation?
Which UI do you use?
Custom UI
Pre built UI