Per-App User Isolation Without Shared Identity
Keep the same email address isolated across separate apps so users, roles, providers, and tokens never merge by accident.
A lot of auth systems assume one global directory and then add tenants on top. 1Auth starts from the opposite direction: each app owns its own users, and the infrastructure is what gets shared.
What teams need from this feature
These are the operational constraints that usually turn a simple auth flow into infrastructure work.
- One email address can represent different products, contracts, and permissions across the same company portfolio.
- Support and admin actions become risky when disabling or editing one account can affect another product.
- Cross-app token reuse becomes a silent vulnerability if tenant scope is only implied, not enforced.
How 1Auth handles it
1Auth ships the primitive as part of one backend instead of forcing each product to rebuild the same boundary.
Unique identity boundary per app
The database model treats app_id plus email as the identity boundary, which keeps same-email accounts independent by design.
Audience and app checks in JWTs
The token model reinforces the same boundary so backend consumers can reject tokens that belong to another app.
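The check a backend consumer would run, as an added example (not 1Auth's own code). The `aud` and `app_id` claim names, the HS256 key shared by all apps, and every function name here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(key: bytes, claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the auth backend in this demo."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(key, head + '.' + body))}"

def verify_for_app(token: str, key: bytes, app_id: str, now=None) -> dict:
    """Return the claims only if the token is valid AND scoped to app_id."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(_sign(key, f"{head}.{body}"), given):
        raise PermissionError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("expired or missing exp")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # A valid signature is not enough: both app markers must name this app.
    if app_id not in audiences or claims.get("app_id") != app_id:
        raise PermissionError("token belongs to another app")
    return claims

KEY = b"constructed-demo-key"  # constructed; one shared signer is an assumption

def token_for(app: str) -> str:
    """Constructed sample: the same email holding an account in `app`."""
    return issue(KEY, {"sub": f"{app}:42", "email": "ana@example.com",
                       "aud": app, "app_id": app, "exp": time.time() + 300})
```

Because the signer is shared in this sketch, a token minted for another app still carries a valid signature, so the explicit app comparison is the only thing that rejects it.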
Scoped roles, orgs, and providers
Roles, OAuth account links, organizations, and teams stay local to the app instead of attaching to a shared global principal.
Good fit when
The product gets stronger when the auth model matches the boundary of the app, not the convenience of the provider.
- Your products should never imply a shared account system or accidental SSO.
- You support multiple brands, portals, or client-facing apps with different access rules.
- You need a hard separation model that developers and support teams can reason about quickly.
FAQ
Questions teams ask before they ship
Can the same person register the same email in multiple apps?
Yes. That is a core design goal. The same human can hold separate accounts in different apps without those accounts being linked.
Do organizations replace per-app isolation?
No. Organizations add structure inside an app. They do not collapse separate apps into one shared identity system.