Hi @hirocc , Thank you for reaching us.
Can you please provide a little more explanation about how you will be managing to create identities and access tokens? Are you going to generate that for them in your backend, or will they have your ACS key?
Also, are you looking to have Teams interop or ACS calls?
It is always recommended to protect your ACS resource key and to not share it with anyone or in your front-end (In case you are building a web application) or application (In case you are building a mobile application).
So, if you are managing to generate identities and access tokens on their behalf in your backend, you can keep track of each customer's identities, and if required you can revoke them as mentioned in the documentation here access-tokens, but please note that once the identity is revoked you can't revert that, and you need to generate them a new identity if required.