Management/Tenants

Sub-tenants

Sub-tenants allow you to create multi-level hierarchical structures within your tenant organization. This guide explains how sub-tenants work and how to manage them effectively:

  • A tenant can have multiple sub-tenants
  • Sub-tenants can have their own sub-tenants (nested hierarchy)
  • Each sub-tenant has exactly one parent (either a tenant or another sub-tenant)
  • Sub-tenants inherit certain configurations while maintaining independent control over others

Creating Sub-tenants

Currently, the creation of sub-tenants is only supported through the Tenants page of the Descope Console or through our API.

To create a sub-tenant in the Console:

  1. Toggle on Create as sub-tenant when creating a new tenant
  2. Select an existing tenant or sub-tenant as the parent

creating sub-tenant

You can also manage sub-tenants from the Sub Tenants tab in the parent tenant's Settings. Use Show all descendants to view the complete hierarchy, including nested sub-tenants.

Sub-tenant list

Sub-tenant Configurable Features

Sub-tenants support independent configuration of many features. See the relevant documentation for details:

Authentication and Session Settings

Authentication settings follow specific inheritance rules:

  • SSO Configuration: Can either be
    • Inherited from the parent tenant (only group mapping and SSO domain are editable)
    • Created independently for the sub-tenant
  • Password Settings: Always inherited from the parent tenant
  • Session Management: Always inherited from the parent tenant

Tenant and Role Inheritance

The hierarchy follows these inheritance rules:

  • Role Inheritance: Users with roles in a parent tenant automatically receive the same roles in all sub-tenants
  • Bottom-Up Association: Sub-tenant assignments don't automatically grant parent tenant access
  • Independent Role Management: Sub-tenants can manage user roles independently of parent tenant assignments

JWT Structure

Sub-tenants appear as a flattened list in the JWT.

Example:

A user only has the explicit Partner role in Tenant 1, which has one associated sub-tenant Tenant 1 Subtenant:

Parent tenant assignment Subtenant assignment

JWT representation:

{
...
  "tenants": {
    "<Tenant 1 ID>": {
      "permissions": [],
      "roles": [
        "Partner"
      ]
    },
    "<Tenant 1 Subtenant ID>": {
      "permissions": null,
      "roles": [
        "Partner"
      ]
    }
  }
}
Was this helpful?

Tenant Settings

Learn how to customize the settings of your tenants within Descope.

SDK Management

Learn how to create and update tenants for your B2B app using the Descope backend SDKs.

On this page