Tenants

Overview

FusionAuth is fundamentally a single tenant solution, so you may be surprised to learn that we support multiple tenants.

FusionAuth will always be a single tenant solution, this means that your instance of FusionAuth is your own and even when FusionAuth is hosting, we do not co-mingle your data with other clients. FusionAuth was built as a single tenant solution, and we have no plans to change anytime soon.

It is entirely likely that our clients may wish to be multi-tenant or offer their services to more than one client. In these scenarios it may be useful to separate Users, Applications and Groups for each of your clients.

For example, let’s assume you are building a payroll offering using a SaaS model. In this case it is possible that monica@piedpiper.com works for two of your clients, Acme Corp and The Umbrella Company. Because Monica is not aware that Acme Corp and The Umbrella Company both are buying their Payroll software from the same vendor it would be surprising for Monica to share the same password and account details between these two companies. In this scenario you would likely want to utilize the FusionAuth Tenant to ensure that monica@piedpiper.com exists once for each instance of your Payroll offering.

See Tenant API Authentication for more details about making API requests in a multi-tenant configuration.

Create a Tenant

To create a new tenant, navigate to Settings Tenants.

Create a Tenant

Tenant Configuration

A majority of your FusionAuth configuration is managed at the Tenant-level. Some of these configuration options act as defaults and can be overridden by the Application.

General

Tenant Configuration - General
Table 1. Form Fields

Issuer

The named issuer used to sign tokens. Typically a fully-qualified domain name.

Login Theme

The Theme associated with this Tenant; determines which templates to render for interactive work-flows.

Email

Tenant Configuration - SMTP settings
Table 2. SMTP settings

Host Required

The IP address of the outgoing SMTP mail server.

Port Required

The port of the outgoing SMTP mail server.

Username Optional

The username of the outgoing SMTP mail server authentication.

Change password Optional

When enabled, you may modify the SMTP password, when the Password field is not displayed the current password will not be modified.

Password Required

The new password to use for the outgoing SMTP mail server authentication.

Security Optional

The preferred encryption protocol used by your SMTP server, this is generally documented by your SMTP service provider.

Tenant Configuration - Email verification settings
Table 3. Email verification settings

Verify email Optional

When enabled, users will be required to verify their email address.

Verify email when changed Optional

When enabled, users will be required to verify their email address upon update.

Verification template Required

The email template to use when accounts are created to verify the User’s email address. This field is required when the Verify email toggle is enabled.

Delete unverified users Optional

When enabled, users who have not verified their email address after a configurable duration since being created will be permanently deleted.

Delete after Required

The duration since creation that a user must exist before being deleted for having an unverified email address. This field is required when the Delete unverified users toggle is enabled.

Tenant Configuration - Email template settings
Table 4. Template settings

Setup password Optional

The email template to use when accounts are created and the user needs to setup their password.

Forgot password Optional

The template to use for the forgot password workflow that uses emails.

Passwordless login Optional

The template to use to send the link for passwordless login requests.

OAuth

Tenant Configuration - OAuth
Table 5. Form Fields

Session timeout

The length of time an SSO session can be inactive before it is closed.

Logout URL

The URL the user is redirected to upon logout.

JWT

Tenant Configuration - JWT
Table 6. Form Fields

Refresh token duration

The length of time the refresh token is valid. Refresh tokens are typically long lived.

JWT Duration

The length of time the issued token (access token and Id token) is valid. JWT tokens are typically short lived.

Access token signing key

The key used to sign the access token JWT.

Id token signing key

The key used to sign the Id token JWT.

Advanced

Tenant Configuration - External Identifier Durations
Table 7. External identifier durations Form Fields

Authorization Code

The number of seconds before the OAuth2 Authorization Code is no longer valid to be used to complete a Token request.

Change Password

The number of seconds before the Change Password identifier is no longer valid to complete the Change Password request.

Email Verification

The number of seconds before the Email Verification identifier is no longer valid to complete the Email Verification request.

One Time Password

The number of seconds before the One Time Password identifier is no longer valid to complete a Login request.

Passwordless Login

The number of seconds before the Passwordless Login identifier is no longer valid to complete a Login request.

Registration Verification

The number of seconds before the Registration Verification identifier is no longer valid to complete the Registration Verification request.

Setup Password

The number of seconds before the Setup Password identifier is no longer valid to complete the Change Password request.

Two Factor Login

The number of seconds before the Two Factor identifier is no longer valid to complete a Two Factor login request.

Two Factor Trust

The number of seconds before the Two Factor Trust is no longer valid and the user will be prompted for Two Factor during login.

Device Grant Codes

The number of seconds before the device_code and user_code are no longer valid to be used to complete the Device Code grant.

Tenant Configuration - External Identifier Generation
Table 8. External identifier generation Form Fields

Change Password

The length and type of characters of the generated code used in the Change Password flow.

Email Verification

The length and type of characters of the generated code used in the Email Verification flow.

Passwordless Login

The length and type of characters of the generated code used in the Passwordless Login flow.

Registration Verification

The length and type of characters of the generated code used in the Registration Verification flow.

Setup Password

The length and type of characters of the generated code used in the Setup Password flow.

Device Grant User Code

The length and type of characters of the generated user code used in the Device Authorization Grant flow.

Table 9. SMTP Settings Form Fields

Additional properties

The custom SMTP configuration properties that may be necessary in some cases.