boyswan
ZITADEL • 9mo ago • 3 replies

Scope Zitadel API by Org

I'm struggling to identify the best way to interact with the Zitadel API scoped by a single org/tenant.

In this scenario, a human is granted an auth_token after logging in, it is validated on the backend, and now the Zitadel API needs to be used to search users that are in the same org as the

The general approach I'm taking is along the lines of:

import (
	"context"
	"github.com/zitadel/oidc/v3/pkg/oidc"
	"github.com/zitadel/zitadel-go/v3/pkg/client"
	"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/object/v2"
	"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/user/v2"
	"github.com/zitadel/zitadel-go/v3/pkg/zitadel"
)

// listUsers authenticates as the service user whose JWT key lives at jsonkeyPath
// and lists up to 10 users that this service user is allowed to see.
func listUsers(ctx context.Context, conf *zitadel.Zitadel, jsonkeyPath string) ([]*user.User, error) {
	auth := client.DefaultServiceUserAuthentication(jsonkeyPath,
		oidc.ScopeOpenID,
		client.ScopeZitadelAPI(),
	)
	// The instance is named c rather than client so it does not shadow the SDK package.
	c, err := client.New(ctx, conf, client.WithAuth(auth))
	if err != nil {
		return nil, err
	}

	users, err := c.UserServiceV2().ListUsers(ctx, &user.ListUsersRequest{
		Query: &object.ListQuery{
			Limit: 10,
			Asc:   false,
		},
	})
	if err != nil {
		return nil, err
	}
	return users.GetResult(), nil
}

Now AFAIK there are two approaches here in terms of authenticating the client:
- One SU per org/tenant, each a manager on their respective orgs
- One SU for the project, is a manager on all orgs/tenant

If I have an SU per tenant, this suggests that I need to create a new client for every request (as each SU will need its own client jwt key). At best you could do some caching across users in the same org, but this feels a little messy. The benefit though is better isolation between orgs.

Alternatively, a single project SU means the client only uses one key, and I can have a single client instance in my app. However, I can't figure out how to then scope requests to a single org. I've seen references to `x-zitadel-orgid`, but this doesn't seem to work (or is it intended for v1?).

I guess my question is - what is the idiomatic way to approach this? SU per org and then manage the clients, or one SU and scope requests to an org on the fly?
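Whichever of the two service user setups is chosen, the tenant boundary only holds if the org an API call is scoped to comes from the verified token and not from anything the caller sends. The following is an added example, not the poster's code and not the ZITADEL SDK; it assumes the org ID is read from ZITADEL's reserved resource owner claim (present only when the matching reserved scope was requested) and treats the `x-zitadel-orgid` header from the post purely as the carrier for that value.

```go
package main

import (
	"errors"
	"fmt"
)

// ResourceOwnerClaim is the ZITADEL reserved claim holding the user's org (resource owner) ID.
// Assumption: the token was requested with the matching reserved scope, so the claim is present.
const ResourceOwnerClaim = "urn:zitadel:iam:user:resourceowner:id"

// OrgScope is the tenant context for a ZITADEL API call. It is derived only from verified
// token claims, never from a query parameter or request body, so a caller cannot pick an org.
type OrgScope struct{ OrgID string }

// ScopeFromClaims extracts the org scope from already-verified claims and refuses tokens
// without one, so a missing scope cannot silently widen a search to every org the
// service user manages.
func ScopeFromClaims(claims map[string]any) (OrgScope, error) {
	id, ok := claims[ResourceOwnerClaim].(string)
	if !ok || id == "" {
		return OrgScope{}, errors.New("token carries no resource owner org id")
	}
	return OrgScope{OrgID: id}, nil
}

// Authorize rejects a caller-supplied org that differs from the token's org: the cross-tenant
// request a single project-wide service user would otherwise execute with its full rights.
func (s OrgScope) Authorize(requestedOrgID string) error {
	if requestedOrgID != "" && requestedOrgID != s.OrgID {
		return fmt.Errorf("org %q is outside the caller's tenant %q", requestedOrgID, s.OrgID)
	}
	return nil
}

// Metadata is the per-request org context for the single service user approach, using the
// x-zitadel-orgid header named in the post (whether the v2 endpoints honour it is the open
// question there); the point is that its value is always taken from the verified scope.
func (s OrgScope) Metadata() map[string]string {
	return map[string]string{"x-zitadel-orgid": s.OrgID}
}

func main() {
	// Constructed claims standing in for a verified token whose user belongs to org-a.
	scope, err := ScopeFromClaims(map[string]any{"sub": "123", ResourceOwnerClaim: "org-a"})
	if err != nil {
		panic(err)
	}
	fmt.Println(scope.Metadata(), scope.Authorize("org-b"))
}
```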