DEV Community: Gad Ishimwe The latest articles on DEV Community by Gad Ishimwe (@gad_ishimwe). https://dev.to/gad_ishimwe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3496978%2Fe4d327d9-3c96-4bfb-bf8f-112689f9afc7.png DEV Community: Gad Ishimwe https://dev.to/gad_ishimwe en Integrating Auth0 Authentication with NestJS Using Organizations (Multi-Tenant Setup) Gad Ishimwe Fri, 12 Sep 2025 22:57:14 +0000 https://dev.to/gad_ishimwe/integrating-auth0-authentication-with-nestjs-using-organizations-multi-tenant-setup-1567 https://dev.to/gad_ishimwe/integrating-auth0-authentication-with-nestjs-using-organizations-multi-tenant-setup-1567 <p>Recently, I was asked to architect and implement a multi-tenant SaaS application in NestJS with the requirement to use Auth0 for authentication.</p> <p>This was my first time working with Auth0, and at first I was confused by its multi-tenant features. After some digging, I realized an important distinction: my application’s tenants were not the same as Auth0 tenants.</p> <p>Auth0 tenants are intended to separate environments (like development, staging, and production), while organizations within a single Auth0 tenant are what you use to represent your app’s actual tenants.</p> <h2> Here’s how I integrated it step by step </h2> <h3> 1. Set Up Your NestJS App </h3> <p>If you haven’t already, set up a basic NestJS app. I’ll use starter code for this example.</p> <h3> 2. Create an Auth0 Account </h3> <p>Log into Auth0 (or create an account). If it’s a new account, you’ll be asked if it’s for a company or personal use. In my case, I chose a personal.</p> <h3> 3. Create an Application </h3> <p>Next, you’ll be prompted to create your first app, or you can navigate to <strong>Applications</strong> on the left menu and create it from there.<br> If you already have a frontend/client, pick it. For this example, I’ll use <strong>Regular Web Application</strong>.</p> <h3> 4. Configure Application Settings </h3> <p>Navigate straight to <strong>Settings</strong> tab, note down your <strong>Domain</strong>, <strong>Client ID</strong> and <strong>Client Secret</strong> as you'll need them to authenticate your client to your backend API. Next, navigate to <strong>Login Experience</strong> tab, select <strong>Business Users</strong>, leave <strong>No prompt</strong> selected and save.</p> <p>Scroll down to Application URIs and configure:</p> <ul> <li> <strong>Application Login URI</strong>: <code>https://127.0.0.1:3000/login</code> </li> <li> <strong>Allowed Callback URLs</strong>: <code>https://127.0.0.1:3000/callback</code> </li> <li> <strong>Allowed Logout URLs</strong>: <code>https://127.0.0.1:3000/logout</code> </li> </ul> <p>Use <strong>https</strong> and <strong>127.0.0.1</strong> instead of localhost to avoid errors. And then save.</p> <h3> 5. Create an API in Auth0 </h3> <p>Navigate to <strong>APIs</strong> in the left menu. Click <strong>Create API</strong>, give it a name and identifier (this <strong>identifier</strong> becomes the <strong>audience</strong> parameter in authorization calls).<br> I called mine <code>https://api.myapp.com</code>. You can name it whatever you want because it won't ever be called.</p> <h3> 6. Create an Organization </h3> <p>Navigate to <strong>Organizations</strong>, then click <strong>Create Organization</strong>. Name it (I named mine org1). Next, navigate to <strong>Connections</strong> tab, enable your desired login methods (I used <strong>Username-Password-Authentication</strong>).</p> <h3> 7. Invite Users to your organization </h3> <p>Navigate to <strong>Invitations</strong> tab and click <strong>Invite Members</strong>. Select our client app we created in step 3, enter email of a user you want to invite, select the connection you created in previous step, optionally you can also select the role if you've created them, I'll leave mine empty for now. Then click <strong>Send Invites</strong>.<br> Auth0 will send an email with an invitation link like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://127.0.0.1:3000/login?invitation=INVITATION_CODE&amp;organization=org_YOUR_ORGANIZATION_ID&amp;organization_name=YOUR_ORGANIZATION_NAME </code></pre> </div> <h3> 8. Accepting the Invite </h3> <p>To accept the invite, grab the INVITATION_CODE from above link and navigate to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://YOUR_DOMAIN/authorize?client_id=YOUR_CLIENT_ID&amp;response_type=code&amp;redirect_uri=https://127.0.0.1:3000/callback&amp;organization=org_YOUR_ORGANIZATION_ID&amp;invitation=INVITATION_CODE </code></pre> </div> <p>You’ll land on the Auth0 authorization page, create your password, and authorize the client app.<br> You’ll then be redirected to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://127.0.0.1:3000/callback?code=AUTHORIZATION_CODE </code></pre> </div> <h2> Exchange the Authorization Code for an Access Token </h2> <p>We’ll configure NestJS to accept Auth0 tokens and validate them. Our starter code has one endpoint <code>/</code> that returns <code>Hello World!</code>. Let’s protect it.</p> <h3> 9. Install Required Packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i passport @nestjs/passport passport-jwt jwks-rsa npm i <span class="nt">--save-dev</span> @types/passport-jwt </code></pre> </div> <h3> 10. Create JWT Strategy </h3> <p><code>auth/jwt.strategy.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PassportStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ExtractJwt</span><span class="p">,</span> <span class="nx">Strategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">passport-jwt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">passportJwtSecret</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jwks-rsa</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">JwtStrategy</span> <span class="kd">extends</span> <span class="nc">PassportStrategy</span><span class="p">(</span><span class="nx">Strategy</span><span class="p">)</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">({</span> <span class="na">secretOrKeyProvider</span><span class="p">:</span> <span class="nf">passportJwtSecret</span><span class="p">({</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rateLimit</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">jwksRequestsPerMinute</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_ISSUER_URL.well-known/jwks.json</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="na">jwtFromRequest</span><span class="p">:</span> <span class="nx">ExtractJwt</span><span class="p">.</span><span class="nf">fromAuthHeaderAsBearerToken</span><span class="p">(),</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_AUDIENCE</span><span class="dl">'</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_ISSUER_URL</span><span class="dl">'</span><span class="p">,</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">RS256</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="nx">unknown</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li><code>YOUR_ISSUER_URL=https://YOUR_DOMAIN/</code></li> <li><code>YOUR_AUDIENCE=YOUR_IDENTIFIER</code></li> </ul> <h3> 11. Create Auth Module and import our JWT Strategy </h3> <p><code>auth/auth.module.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PassportModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./jwt.strategy</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">PassportModule</span><span class="p">.</span><span class="nf">register</span><span class="p">({</span> <span class="na">defaultStrategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span> <span class="p">})],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nx">JwtStrategy</span><span class="p">],</span> <span class="na">exports</span><span class="p">:</span> <span class="p">[</span><span class="nx">PassportModule</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthModule</span> <span class="p">{}</span> </code></pre> </div> <h3> 12. Import Auth Module in app.module.ts </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppController</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.controller</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/auth.module</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">AuthModule</span><span class="p">],</span> <span class="na">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppController</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppService</span><span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <h3> 13. Protect the Endpoint in app.controller.ts </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Get</span><span class="p">,</span> <span class="nx">UseGuards</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">appService</span><span class="p">:</span> <span class="nx">AppService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">UseGuards</span><span class="p">(</span><span class="nc">AuthGuard</span><span class="p">(</span><span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span><span class="p">))</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="nf">getHello</span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">appService</span><span class="p">.</span><span class="nf">getHello</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 14. Getting an Access Token </h3> <p>Use curl to exchange the authorization code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--request</span> POST <span class="se">\</span> <span class="nt">--url</span> <span class="s1">'https://YOUR_DOMAIN/oauth/token'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'content-type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="nv">grant_type</span><span class="o">=</span>authorization_code <span class="se">\</span> <span class="nt">--data</span> <span class="nv">code</span><span class="o">=</span>AUTHORIZATION_CODE <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_id</span><span class="o">=</span>YOUR_CLIENT_ID <span class="se">\</span> <span class="nt">--data</span> <span class="nv">client_secret</span><span class="o">=</span>YOUR_CLIENT_SECRET <span class="se">\</span> <span class="nt">--data</span> <span class="nv">redirect_uri</span><span class="o">=</span>https%3A%2F%2F127.0.0.1%3A3000%2Fcallback </code></pre> </div> <p>You should receive a token like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span><span class="s2">"access_token"</span>:<span class="s2">"eyJhb...THE_TOKEN...nA"</span>,<span class="s2">"expires_in"</span>:86400,<span class="s2">"token_type"</span>:<span class="s2">"Bearer"</span><span class="o">}</span>% </code></pre> </div> <h3> 15. Accessing User Info in NestJS </h3> <p>The user payload will be added to the <code>ExecutionContext</code>, which you can access inside a controller or guard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">().</span><span class="nx">getRequest</span><span class="o">&lt;</span><span class="nx">Request</span> <span class="o">&amp;</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">org_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> </code></pre> </div> <p>If you want more user data, append <code>&amp;scope=openid profile email</code> to your login url.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://YOUR_DOMAIN/authorize?client_id=YOUR_CLIENT_ID&amp;response_type=code&amp;redirect_uri=https://127.0.0.1:3000/callback&amp;organization=org_YOUR_ORGANIZATION_ID&amp;scope=openid profile email </code></pre> </div> <p>With these steps, you now have a working multi-tenant authentication setup in NestJS using Auth0 Organizations, complete with org_id in the token payload for tenant-aware logic.</p> <p>That’s it! I hope this guide helps someone. If you have any questions, feel free to drop a comment. I’ll be happy to help.</p> nestjs authentication auth0 jwt