Enable Organizations in your Auth0 tenant and create an organization per customer using the Auth0 Management API POST /api/v2/organizations with a unique name and display_name.
Associate one or more connections to each organization using POST /api/v2/organizations/{orgId}/enabled_connections; this controls which identity sources members of that organization can authenticate with.
Invite or directly add members to the organization using the members or invitations endpoints; assign organization-level roles using POST /api/v2/organizations/{orgId}/members/{userId}/roles.
Configure your application's universal login to accept an organization parameter (or use organization discovery from email domain) so users are routed to the correct org at login time.
In the ID token, the org_id and org_name claims identify the organization the user authenticated through; validate these claims in your application to enforce tenant isolation.
Use Auth0 Actions on the post-login trigger to add additional organization-specific claims or to enforce organization-level policies such as MFA requirements.
Known gotchas
A user can be a member of multiple organizations; the org_id claim reflects the organization chosen at login time, not all memberships — your app must not infer all memberships from a single token.
Connections enabled at the organization level must also be explicitly enabled on the application; mismatches result in login errors that are difficult to diagnose.
Organization-level roles are separate from tenant-level roles; permissions granted through org roles are scoped to that organization and do not apply tenant-wide.
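The org_id check from the steps above, together with the multiple-membership gotcha, as an added example (not code from the original page or from Auth0). It assumes the ID token's signature, iss, aud and exp were already verified by a JWT library; the tenant slugs, organization IDs, invoice rows and function names are constructed for illustration.

```javascript
// Constructed sample data: tenant slug taken from the request -> Auth0
// organization ID, plus per-organization rows in a shared store.
const TENANT_TO_ORG = new Map([
  ["acme", "org_EXAMPLEacme0001"],
  ["globex", "org_EXAMPLEglobex02"],
]);
const INVOICES = [
  { org_id: "org_EXAMPLEacme0001", number: "A-1" },
  { org_id: "org_EXAMPLEacme0001", number: "A-2" },
  { org_id: "org_EXAMPLEglobex02", number: "G-1" },
];

// Decide whether already-verified token claims may act on the requested tenant.
function checkOrgClaim(claims, tenantSlug) {
  const expectedOrg = TENANT_TO_ORG.get(tenantSlug);
  if (!expectedOrg) return { ok: false, reason: "unknown_tenant" };
  // No org_id claim: the login did not go through an organization.
  if (typeof claims.org_id !== "string" || claims.org_id === "") {
    return { ok: false, reason: "missing_org_id" };
  }
  // The token names the one organization chosen at login. Membership in
  // other organizations is not visible here and must not be assumed.
  if (claims.org_id !== expectedOrg) {
    return { ok: false, reason: "org_mismatch" };
  }
  return { ok: true, orgId: expectedOrg };
}

// Data access is filtered by the org the check returned, never by an
// organization identifier supplied in the request.
function listInvoices(claims, tenantSlug) {
  const decision = checkOrgClaim(claims, tenantSlug);
  if (!decision.ok) return { status: 403, error: decision.reason, rows: [] };
  const rows = INVOICES.filter((r) => r.org_id === decision.orgId);
  return { status: 200, rows: rows.map((r) => r.number) };
}
```

A user who belongs to both organizations but logged in through the first is still refused on the second tenant's route until they authenticate through that organization.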