Logo / Docs

Use Cases Overview

As a flexible developer tool, FusionAuth can be used in many different ways. We’ve even heard of customers using us for localized email template management.

But there are a few key use cases that FusionAuth particularly shines at, and this section outlines them.

Decision Flowchart

By answering a few questions, you can narrow down how FusionAuth fits into your application or applications.

Machines
People
Mine
Yes
No
No
Yes
My customers
No
Yes
Yes
No
Authenticating people or machines/software?
Machine to machine
Does the end user identity belong to you or to your customers?
Do you have a suite of multiple applications?
Application suite
Creating a platform w/APIs for other apps to use?
Auth as a service
API user consents and delegated access
Do your customers own their users' identities via a directory?
B2B2C
Are you deploying software into customer environments?
Identity broker
B2B2E

You can also combine options, using FusionAuth to provide more than one core application service.

Use Case Table

Here’s a table of the common use cases. If you have questions, feel free to contact our technical sales team or post in our community forum.

I Want ToUse Case NameDescription
Log in to my application using FusionAuth to enable authentication features, such as MFA, to be configured rather than coded.Auth as a service

Easily offload authentication and add features with configuration rather than coding. The user who logs in could be a consumer (b2c) or a business user (b2b). Features include:

  • adding a “Log in with Google” or “Log in with SAML” button
  • multi-factor authentication (MFA) via SMS, time based one time passwords (TOTP) or email
  • login with a one-time password (OTP) or magic links
  • passkeys
  • self-service registration and profile management
  • verification of user account ownership using email messages
Enable SSO between my applications.App suite

Transparently allow users to log in once and switch between your different applications. As you add more applications, they’ll be able to move between them, similar to the GSuite of products, where you can transparently access Google Calendar, Google Drive, and Gmail even though they are on different domains.

This works with both mobile and web applications. You can limit users to a subset of applications and assign different roles per application.

Allow my customers to offer access to my software to their customers, who are consumers.Business to business to consumer (b2b2c)

Offer a SaaS software package, where your customers have consumers as customers or users. The end users of the software control their own identity and typically self-register to gain access to your system.

With this case, users typically access your SaaS software using hostnames tied to customers: customerA.example.com and customerB.example.com, or yoursaas.customerA.com or yoursaas.customerB.com.

You can have each customer’s users isolated, so that customer A’s users are distinct from customer B’s users. The users belonging to customer A will be logically isolated and separate from the users of customer B. You can customize the login screens, password rules, allowed login methods (including social login), and security settings for each of your customers. This is common practice when private labeling software.

Or you can allow end users to switch between customers, like a user can do with GitHub organizations. Each user can have different permissions for each customer. This is useful if there are cross cutting users like contractors, who might work with more than one customer account.

Allow my customers to offer access to my software to their customers, who are businesses, and their employees.Business to business to employee (b2b2e)

Offer a SaaS software package, where your customers have business employees as customers or users.

With this case, users typically access your SaaS solution using hostnames tied to customers: customerA.yoursaas.com and customerB.yoursaas.com, or yoursaas.customerA.com or yoursaas.customerB.com. They may also use an Org Id input form, like the AWS console, which then directs the user to the correct location.

Businesses typically have their own employee directory using tools like Okta, Azure AD, and Google Workspace. They want to control access to your application automatically using tools like SCIM or SAML/OIDC just-in-time provisioning.

You can have each customer’s users isolated, so that customer A’s users are distinct from customer B’s users. The users belonging to customer A will be logically isolated and separate from the users of customer B. You can customize the login screens and identity provider settings of each of your customers. You can translate between the roles at the customer and within your application using our reconcile lambdas. This is common if you are private labeling your software.

Use standards based authentication for my APIs or other software systems.Machine to machine communication (m2m)

Manage authentication and permissions for software programs using the client credentials grant and access tokens. More secure than static API keys, with fine grained permissions and service identity built in.

Self-host FusionAuth and embed it into your Kubernetes cluster, on-prem data center or other environment.

FusionAuth can scale to hundreds of millions of entities (APIs, devices) and you can manage the entire solution via language specific SDKs.

Embed FusionAuth in my deployable application to provide a single interface for my engineering team, while allowing my customers to bring their own identity providers.Identity broker

If you ship software to install in private clouds or data centers, FusionAuth can be a lightweight identity broker allowing you to easily add support for your customer’s identity providers. This lets your software easily integrate into your customer’s environment.

Leverage FusionAuth’s documentation on how to configure connections to Azure AD, Okta and more. Your engineering team uses the FusionAuth APIs and SDKs to get user and role data.

Easily add ‘authorize’ buttons for third party platforms, and manage the tokens used to access third party APIs.Authorization hub

Safely manage your users’ third party API tokens in one place. Add new social or enterprise providers as needed. Secure the refresh tokens and other credentials for social providers like Google, Instagram, YouTube, Facebook, Microsoft, and more.

FusionAuth handles the integrations and your engineering team uses one API to retrieve tokens across all social providers.

Build a platform for others to access my APIs on behalf of my users using OAuth grants.API user consents and delegated access

If you have APIs that others are building on top of, use FusionAuth to manage user data, and want to allow your users to delegate access to their data accessible via your APIs, FusionAuth can handle the full OAuth grant, including custom scopes and customization of access tokens.

In this case, FusionAuth is part of your API strategy, handling user consents and access token generation.

Control all the UX and use FusionAuth only for the backend of my auth system.Data store

Use FusionAuth as a rock solid user data store, but take control of the login workflows, the user experience, and other aspects of the authentication experience. You have complete control over the location of the data and how your users log in. This can be helpful if you have stringent UX or unique workflow requirements.

Use the Login API and other APIs to create your own user interfaces. Build your own workflows that meet your precise needs. FusionAuth can be the foundation as a simple, secure datastore with unlimited profile data, search capabilities, and security built in.