Configure multi-tenancy

Orchestrate uses the OpenID Connect (OIDC) authentication protocol. JSON Web Tokens (JWTs) with custom claims control access to tenant resources.


Orchestrate is not an identity provider and does not generate JWTs in production. In production, use an identity provider such as Auth0 to generate JWTs.

Set the environment variables

| Environment Variable | Description |
|---|---|
| MULTI_TENANCY_ENABLED | Set to 1 to enable multi-tenancy. The default is 0. |
| AUTH_JWT_CLAIMS_NAMESPACE | The namespace for the custom JWT claim. For example, orchestrate.namespace. |
| AUTH_JWT_CERTIFICATE | The public key of the identity provider (Auth0, for example). |
| AUTH_API_KEY | The secret that lets internal microservice-to-microservice communication bypass JWT authentication. |

Orchestrate JWT

An example JWT for Orchestrate multi-tenancy is displayed below.


The custom part of the claim is the namespace defined by the AUTH_JWT_CLAIMS_NAMESPACE environment variable and the tenant_id.

The tenant ID is specified only in the JWT. That is, it is not configured in Orchestrate. When you enable multi-tenancy, all requests require an authorization token so resources (for example, accounts) are associated with a tenant ID on creation. Authenticated requests return only resources linked to the tenant ID.

Specify the JWT to authorize Orchestrate API requests.
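
The check described in this section, as an added Go example (not Orchestrate's own code): verify the token against the identity provider's public key, then read tenant_id from the namespaced claim and fail closed if it is absent. The payload layout `{"orchestrate.namespace": {"tenant_id": ...}}`, the RS256 algorithm, the function names and the generated demo key are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding                     // JWT segments are unpadded base64url
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the identity provider's key pair

// TenantFromJWT verifies an RS256 token and returns tenant_id from the namespaced claim.
func TenantFromJWT(token, namespace string, pub *rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	hb, _ := b64.DecodeString(parts[0])
	if len(parts) != 3 || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("malformed token or unexpected alg") // pinned: rejects "none", HS256
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not match AUTH_JWT_CERTIFICATE key")
	}
	var claims map[string]json.RawMessage
	var custom struct{ TenantID string `json:"tenant_id"` } // assumed layout: {"<namespace>": {"tenant_id": ...}}
	pb, _ := b64.DecodeString(parts[1])
	if json.Unmarshal(pb, &claims) != nil || json.Unmarshal(claims[namespace], &custom) != nil || custom.TenantID == "" {
		return "", fmt.Errorf("no tenant_id under %q", namespace) // fail closed: no tenant, no access
	}
	return custom.TenantID, nil
}

// SignTestJWT builds a constructed RS256 token; in production only the identity provider signs.
func SignTestJWT(payload string, key *rsa.PrivateKey) string {
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig)
}

func main() {
	tok := SignTestJWT(`{"orchestrate.namespace":{"tenant_id":"tenant-a"}}`, demoKey)
	fmt.Println(TenantFromJWT(tok, "orchestrate.namespace", &demoKey.PublicKey))
}
```

Only the signature and the tenant claim are checked here; exp, iss and aud validation is left to the JWT library you deploy.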

Testing and demonstration

For testing and demonstration purposes only, use the AUTH_JWT_PRIVATE_KEY environment variable to specify the private key associated with the public key specified by AUTH_JWT_CERTIFICATE.