From Prototype to Production on Auth0: Tenants, Actions & Org-Aware B2B

11/10/2025 · 2 min read · Provyra Solutions

If your demo tenant works but you hesitate to onboard the first customer, this is the missing checklist.

1) Split environments early

Use separate Dev / Test / Prod tenants. Promote config with Terraform so every change is code-reviewed and reproducible. Back up clients, keys, and custom domains in the repo (never in chat).

What to automate

  • Clients, connections, hooks/actions, email templates
  • Organization settings and roles
  • Log Streams and custom domains

2) Model B2B with Organizations

Auth0 Organizations give you customer-scoped login, roles, and SSO connections.

Practical setup

  • One org per customer
  • Org-specific connections (their IdP) + your database fallback
  • Org roles that map to your app’s RBAC

3) Use Actions (small and testable)

Prefer Actions over legacy Rules. Keep each one tiny:

  • Claims shaping (tenant_id, org_id, license flags)
  • JIT enrichment from your Profile API
  • Routing logic (which app / connection)

Tip: write unit tests for each Action in Node and ship via CI.
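As an added example (not Provyra's or Auth0's own code), here is a claims-shaping post-login Action split into a pure function and a thin adapter, so the logic can be tested in plain Node with a recording stand-in for `api`. The claim namespace, the org metadata keys `tenant_id` and `license_flags`, the deny reasons, and the sample events are assumptions.

```javascript
// Added example. NS, the metadata keys and the sample events are assumptions.
const NS = 'https://example.com/claims/'; // hypothetical claim namespace

// Pure decision function: testable without any Auth0 objects.
function shapeClaims(event) {
  const org = event.organization;
  // B2B app: refuse logins that carry no organization context.
  if (!org || !org.id) return { deny: 'organization_required', claims: {} };
  const meta = org.metadata || {};
  // tenant_id is read from org metadata, never from user-editable user_metadata.
  if (!meta.tenant_id) return { deny: 'org_not_provisioned', claims: {} };
  const flags = (meta.license_flags || '')
    .split(',').map((f) => f.trim()).filter(Boolean).sort();
  return {
    deny: null,
    claims: { [NS + 'org_id']: org.id, [NS + 'tenant_id']: meta.tenant_id,
      [NS + 'license_flags']: flags },
  };
}

// Thin adapter; in the Auth0 editor assign it to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const { deny, claims } = shapeClaims(event);
  if (deny) return api.access.deny(deny);
  for (const [name, value] of Object.entries(claims)) {
    api.idToken.setCustomClaim(name, value);
    api.accessToken.setCustomClaim(name, value);
  }
};

// Test double that records what the Action asked Auth0 to do.
function fakeApi() {
  const rec = { denied: null, idToken: {}, accessToken: {} };
  return { rec,
    access: { deny: (reason) => { rec.denied = reason; } },
    idToken: { setCustomClaim: (k, v) => { rec.idToken[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { rec.accessToken[k] = v; } } };
}

// Constructed sample events (not real tenant data).
const orgLogin = { user: { user_metadata: { tenant_id: 'spoofed' } },
  organization: { id: 'org_abc123',
    metadata: { tenant_id: 't-42', license_flags: 'sso, audit' } } };
const noOrgLogin = { user: { user_metadata: { tenant_id: 'spoofed' } } };

for (const ev of [orgLogin, noOrgLogin]) {
  const api = fakeApi();
  onExecutePostLogin(ev, api).then(() => console.log(JSON.stringify(api.rec)));
}
```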

4) Keys, domains, and auth UX

  • Custom domain on every tenant
  • Rotate signing keys on a schedule
  • Align session lifetimes with your product (SPAs ≠ APIs)
  • Universal Login with passkeys + TOTP fallback

5) Observability you’ll actually use

Export logs via Log Streams → SIEM. Track:

  • signup & login conversion
  • factor mix (WebAuthn vs SMS)
  • error rates (rule/action failures, token exchange failures)
  • consent & email bounce rates

6) Enterprise-ready checklist

  • Break-glass admins listed and tested ✅
  • Backup of tenant settings & Action code ✅
  • Per-customer SSO mapped to the right org ✅
  • Runbooks for key rotation, incident, tenant restore ✅

When these boxes are green, onboarding customer #1 is straightforward—not a gamble.
