> But when I authenticate my common support agents instead of the customers themselves, I do want them to have access to everything.

> I don’t think anyone has yet managed to make this easy.

We have a few recommendations for this (I work for FusionAuth, a different auth server). From our doc[0]:

    Have users reset their password every time they need access to a different tenant.
    Use a passwordless login option like a magic link or passkey.
    Set up or use an administrative identity server, such as a second instance of FusionAuth, Google GSuite, or Azure AD/Microsoft Entra, and have these users log in using that.
    Put all admin users in one FusionAuth tenant, create an application in that tenant, and set up an OIDC Identity Provider for applications in other tenants to delegate to that application.

0: https://fusionauth.io/docs/get-started/core-concepts/users

> You don’t want org1 to have access to the data that user x has access to in org2

Of course not—I'm not sure why you'd think I mean that?

I'm just saying that if I open a link to `https://datadog.com/alert/12389` and `https://datadog.com/alert/12500` and the alerts are for different orgs, my auth cookies should be able to tell that I, as user X, have access to both orgs without having to "switch contexts" or re-auth.