On This Page
← Back to B2C Guide

Core Differences Between B2C and Multi-Tenant B2B Auth

The fundamental distinction comes down to who manages user identity and how users are grouped.

In B2C (Business-to-Consumer) authentication, users sign up individually. Your platform owns the user's identity. Users self-register, manage their own credentials, and may belong to no organisation at all.

In multi-tenant B2B authentication, users belong to an organisation (tenant). The organisation — not the individual — is your paying customer. The organisation's IT admin provisions users, may enforce their own identity provider via SSO, and controls access policies at the tenant level.

Dimension B2C Auth Multi-Tenant B2B Auth
Primary customer Individual end-user Organisation / company
User provisioning Self-registration Admin invite or SCIM auto-provisioning
Identity ownership Your platform owns the identity Org may bring their own IdP (federated)
Data isolation Per-user Per-tenant (organisational boundary)
MFA policy User-opted or platform-enforced globally Admin-enforced per tenant
SSO type Social login (Google, Apple, GitHub) Enterprise IdP (Azure AD, Okta, SAML 2.0)
RBAC scope Platform-wide roles Tenant-scoped roles per organisation
Audit & compliance Basic activity logs Enterprise audit trail (SOC 2, ISO 27001, GDPR DPA)

B2C Authentication Architecture

A B2C identity architecture is built around a single shared user pool. All users live in the same identity store. Authentication flows are consumer-oriented: self-service registration, social login, passwordless options, and email verification at sign-up.

Key B2C Design Decisions

  • Registration flow: Email/password, social OAuth (Google, Apple, GitHub), or passwordless (magic link, passkey). For B2C, lower friction wins — social login measurably improves sign-up conversion rates.
  • Email verification: Required before granting full access. Use a metered email verification API (Ailacs Identity's built-in service) to validate without building the infrastructure yourself.
  • Token claims: B2C tokens carry sub, email, name, email_verified, and platform-wide roles. No tenant context is included.
  • Bot protection: Public registration endpoints must be protected by CAPTCHA or rate limiting. B2C sign-up surfaces are a primary target for bot-driven account creation attacks.

Example B2C JWT Claims

// B2C access token payload (decoded)
{
    "sub":            "usr_01HXYZ3KM9FVWQ",
    "email":          "alice@example.com",
    "name":           "Alice Smith",
    "email_verified": true,
    "roles":          ["user"],
    "iss":            "https://auth.ailacs.com",
    "aud":            "your-b2c-app-client-id",
    "exp":            1751234567,
    "iat":            1751230967
}

Multi-Tenant B2B Authentication Architecture

Multi-tenant B2B auth introduces the concept of tenants — isolated organisational contexts. Every user belongs to a tenant, every resource belongs to a tenant, and every authorisation decision is made within a tenant scope.

Tenant Isolation Models

Shared Database

All tenants in one database, rows tagged with tenant_id. Simplest to operate. Isolation is enforced at the application layer. Suitable for most early-stage SaaS products.

Schema per Tenant

One database, separate schemas per tenant. Stronger isolation. Easier per-tenant backup and restore. Common in regulated industries with data residency requirements.

Database per Tenant

Highest isolation level. Each tenant gets a dedicated database. Most complex and expensive to operate. Required for high-security enterprise contracts with strict data isolation SLAs.

Multi-Tenant JWT Claims

// Multi-tenant B2B access token payload (decoded)
{
    "sub":           "usr_01HXYZ3KM9FVWQ",
    "email":         "bob@acmecorp.com",
    "name":          "Bob Jones",
    "tenant_id":     "ten_ACMECORP",
    "tenant_name":   "Acme Corporation",
    "org_roles":     ["admin", "billing_manager"],
    "platform_roles": ["tenant_user"],
    "idp":           "azure-ad",
    "iss":           "https://auth.ailacs.com",
    "aud":           "your-b2b-app-client-id",
    "exp":           1751234567
}

Note the additional tenant_id, org_roles, and idp claims that are absent in a B2C token. Your API must always scope data queries to the tenant_id in the token — never trust a tenant ID from the request body.

Hybrid Architecture: Supporting Both B2C and B2B

Many successful SaaS products start B2C (individual users self-sign-up) and later acquire enterprise B2B customers who require tenant isolation, SSO enforcement, and admin-controlled provisioning. A hybrid identity architecture supports both models from a single platform.

The key to hybrid architecture is designing your data model with optional tenant context from the start. This way, existing B2C users are completely unaffected when you add enterprise features later.

// Hybrid user model — TenantId is null for B2C users
public class ApplicationUser : IdentityUser
{
    // Null for individual B2C users; set for org members
    public string? TenantId { get; set; }
    public Tenant? Tenant   { get; set; }

    public UserType UserType { get; set; } = UserType.Consumer;
}

public enum UserType { Consumer, OrganizationMember }

// Tenant model — only relevant for B2B customers
public class Tenant
{
    public string  Id             { get; set; } = null!;
    public string  Name           { get; set; } = null!;
    public string? SsoMetadataUrl { get; set; }   // SAML/OIDC IdP federation config
    public bool    EnforceSso     { get; set; }
    public bool    EnforceMfa     { get; set; }
    public ICollection<ApplicationUser> Users { get; set; } = [];
}

With Ailacs Identity, the hybrid model is built-in. Users without a TenantId follow B2C authentication flows (social login, self-registration, magic links). Users with a TenantId are routed through their organisation's authentication policy — including SSO enforcement and TOTP MFA if configured by the org admin. No extra infrastructure required.

Decision Framework: Which Architecture Do You Need?

What is the right authentication architecture for a SaaS application? Use this framework to choose between B2C, multi-tenant B2B, and hybrid:

Choose B2C auth if: Your users are individual consumers or professionals signing up for themselves. User management is entirely self-service. You don't have enterprise customers with their own IT departments or SSO requirements.
Choose Multi-Tenant B2B if: Your customers are companies buying licences for their employees. You need per-organisation admin portals, SSO enforcement, SCIM auto-provisioning, or tenant-level audit logs. Your sales cycle involves enterprise procurement.
Choose Hybrid if: You have both individual sign-ups (PLG / product-led growth) and enterprise customers that require org-level control. Slack, Notion, and Figma are classic examples — anyone can sign up, but enterprises get admin consoles and SSO.
Business Signal B2C Multi-Tenant B2B Hybrid
ACV below $500
ACV above $5,000
Enterprise SSO required
Social login required
SCIM provisioning
Freemium / PLG model
Per-tenant data residency

The B2C → Hybrid → Multi-Tenant Migration Path

Most successful SaaS products follow the same progression. Building on top of Ailacs Identity means the transition at each stage is a configuration and data model change — not a re-architecture.

1
Start B2C: Self-registration, email/password or social login. Single user table with no tenant context. Focus on product-market fit before investing in enterprise identity infrastructure.
2
Add optional tenants (Hybrid): Introduce a Tenant model with a nullable TenantId on users. Existing B2C users are completely unaffected. New enterprise customers are given an org context. Unlock invite flows, admin console, and per-tenant settings.
3
Layer enterprise features: Add SSO federation (Azure AD, Okta, SAML 2.0), SCIM user provisioning, per-tenant RBAC, and audit logging as enterprise deals demand. Ailacs Identity provides all of these as configurable features on an existing tenant — no re-architecture required.
4
Full multi-tenant (if needed): If your product pivots to pure B2B, make tenant membership mandatory and remove B2C self-registration flows. The underlying identity infrastructure (Ailacs Identity) handles both models — the migration is a product policy change, not a platform rebuild.
← Auth for JS Frameworks Back to Main Guide →