Sub-tenants

Sub-tenants allow you to create multi-level hierarchical structures within your tenant organization. This guide explains how sub-tenants work and how to manage them. The hierarchy follows these rules:

  • A tenant can have multiple sub-tenants
  • Sub-tenants can have their own sub-tenants (nested hierarchy)
  • Each sub-tenant has exactly one parent (either a tenant or another sub-tenant)
  • Sub-tenants inherit certain configurations while maintaining independent control over others

Creating Sub-tenants

Currently, the creation of sub-tenants is only supported through the Tenants page of the Descope Console or through our API.

To create a sub-tenant in the Console:

  1. Toggle on Create as sub-tenant when creating a new tenant
  2. Select an existing tenant or sub-tenant as the parent

You can also manage sub-tenants from the Sub Tenants tab in the parent tenant's Settings. Use Show all descendants to view the complete hierarchy, including nested sub-tenants.

Sub-tenant Configurable Features

Sub-tenants support independent configuration of many features. See the relevant documentation for details:

Authentication and Session Settings

Authentication settings follow specific inheritance rules:

  • SSO Configuration: Can either be
    • Inherited from the parent tenant (only group mapping and SSO domain are editable)
    • Created independently for the sub-tenant
  • Password Settings: Always inherited from the parent tenant
  • Session Management: Always inherited from the parent tenant

Tenant and Role Inheritance

The hierarchy follows these inheritance rules:

  • Role Inheritance: Users with roles in a parent tenant automatically receive the same roles in all sub-tenants
  • Bottom-Up Association: Sub-tenant assignments don't automatically grant parent tenant access
  • Independent Role Management: Sub-tenants can manage user roles independently of parent tenant assignments

JWT Structure

Sub-tenants appear as a flattened list in the JWT.

Example:

A user has the explicit Partner role only in Tenant 1, which has one associated sub-tenant, Tenant 1 Subtenant:

JWT representation:

{
...
  "tenants": {
    "<Tenant 1 ID>": {
      "permissions": [],
      "roles": [
        "Partner"
      ]
    },
    "<Tenant 1 Subtenant ID>": {
      "permissions": null,
      "roles": [
        "Partner"
      ]
    }
  }
}
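
As an added example (not Descope's own code), here is a per-tenant authorization check over the tenants claim shown above. It assumes the token's signature and expiry were already verified and that claims is the decoded payload; the function names, the tenant IDs T1 and T1-SUB, and the shape of the sub-tenant-only token are assumptions.

```python
# Added example: deny-by-default lookups on the flattened "tenants" claim.
# Assumes `claims` is the payload of a JWT that was ALREADY verified
# (signature, expiry, issuer). All names and IDs below are hypothetical.

def tenant_grants(claims, tenant_id):
    """Return (roles, permissions) as sets for exactly this tenant ID."""
    tenants = claims.get("tenants")
    if not isinstance(tenants, dict):
        return set(), set()
    # The claim is flat: look up the exact ID, never infer access to a
    # tenant from an entry for its parent or child.
    entry = tenants.get(tenant_id)
    if not isinstance(entry, dict):
        return set(), set()
    # "permissions" may be null (see the sub-tenant entry above), so
    # null or missing lists are treated as empty.
    roles = set(entry.get("roles") or [])
    permissions = set(entry.get("permissions") or [])
    return roles, permissions


def has_role(claims, tenant_id, role):
    """True only if the role is listed under this tenant's own entry."""
    roles, _ = tenant_grants(claims, tenant_id)
    return role in roles


# Constructed sample payloads. PARENT_USER mirrors the JWT above.
PARENT_USER = {
    "tenants": {
        "T1": {"permissions": [], "roles": ["Partner"]},
        "T1-SUB": {"permissions": None, "roles": ["Partner"]},
    }
}
# Assumed shape for a user assigned only to the sub-tenant: per the
# bottom-up rule there is no entry for the parent tenant.
SUB_ONLY_USER = {
    "tenants": {"T1-SUB": {"permissions": None, "roles": ["Partner"]}}
}

if __name__ == "__main__":
    print(has_role(PARENT_USER, "T1-SUB", "Partner"))  # inherited role
    print(has_role(SUB_ONLY_USER, "T1", "Partner"))    # no parent access
```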