Skip to main contentArrow Right
All storiesArrow Left

CARS24: Auth in Top Gear

CARS24 customer story thumbnail

CARS24, a multinational online car marketplace, was looking to move some of their applications away from their incumbent CIAM solution that was struggling to adapt to their evolving business needs. Learn why CARS24 chose Descope to help provide their users and other stakeholders a reliable, secure, and frictionless authentication experience across five applications and counting.


About CARS24

Founded in 2015, CARS24 is a leading AutoTech company whose mission is to simplify the buying, selling, and financing of pre-owned cars. The company is headquartered in India and also has presence in Australia, the UAE, and Thailand.

With hundreds of branches, over 6000 employees, and more than 10,000 channel partners, CARS24 operates at scale and requires a customer authentication system which matches that scale. The company serves a variety of stakeholders as end users on their various apps and digital properties:

  • Customers looking to buy or finance used cars.

  • Sellers looking to sell cars.

  • Loan officers looking to list, issue, and process car loans.

  • Channel partners looking to facilitate multiple parts of the car buying / selling process.

  • Employees making it all happen.

Each of the above stakeholders has unique expectations regarding security and user experience during onboarding and repeat app visits. Even more important is the need to provide proper access to different apps based on these stakeholders’ unique attributes.

The need for granular access control

For an organization with a sophisticated and multi-faceted user base like CARS24, relying solely on role-based access control (RBAC) was causing scalability issues, role explosion, and engineering and IT work to handle edge cases. 

Marut Singh, CTO of CARS24, said:

“The need to add fine-grained authorization to our identity management systems has grown as our business has grown. Having the same role-based models for different stakeholders like partners, employees, and loan officers restricts growth and traps our development resources in creating increasingly complex role matrices that are tough to scale. Among other capabilities, we were seeking a CIAM solution that could support our need to add granular access control for our app users.”

Seeking a flexible CIAM solution

CARS24 had several applications that interacted with each other and served multiple stakeholders – internal, external, and hybrid. Each of these applications had slightly different security, UX, and onboarding requirements, which would likely mean different authentication methods. But ultimately, they also wanted a unified view of their user bases across applications while providing them with consistent and reliable authentication.

Marut said:

“Our aim was to reduce both end user friction and developer / IT friction with all our applications. End users should get a consistent login experience as well as the right level of access based on their traits. We have applications accessed by internal users, partners, and customers – tiering these users and providing them a personalized view of the application was a priority. At the same time, we did not want our engineering team to manually stitch together user activity across these apps.” 

From a security perspective, protecting the sanctity of sessions was top of mind. Since some sets of employees were required to log in every day as a security policy, each application needed to have its own session management practices.

The CARS24 team was looking for a CIAM solution with:

  • Flexibility to support different auth methods and types of applications.

  • Consistency to provide a unified user experience across apps and form factors (desktop and mobile). 

  • The ability to easily interoperate with their existing authentication systems on other applications.

  • Minimal ongoing configuration and coding changes.

CARS24’s incumbent authentication provider was not scaling sustainably to meet the aforementioned needs. They were seeking an alternative that could work alongside the incumbent in the short term and be comprehensive enough to replace it in the long term. 

The Descope experience 

Fast forwarding to the present, CARS24 already has five applications integrated with Descope and is migrating more applications at the time of writing. 

Most of these applications are meant for internal users, with Descope being flexible enough to handle use cases outside the ambit of traditional CIAM. Some applications are also meant for partners and external dealers, with each of these user sets having their own intricacies.

Fig: CARS24 portal login screen with multiple authentication methods

Marut said:

“Descope has helped us be more agile and adaptable to different end users’ authentication needs across applications. For example, we are able to enforce Google Workspace policies for internal users and easily add SSO for dealers and partners, all while getting a unified view of our user tables across applications. This is all down to Descope Flows.” 

CARS24 has been a user of Descope Flows from the onset – all with the exception of one application (which uses Descope’s Kotlin SDK) are integrated with Descope’s no / low code workflows. Designing and implementing the user journey as a workflow enables CARS24 to route the right user to the right login experience, add checks and conditions, and easily switch out or modify auth methods without changing the codebase. 

On the security front, Descope provides per-application session management configuration options, allowing CARS24 to set different session times, activity timeouts, and other settings to cater to each app’s security requirements. They also utilize VPN enforcement for certain internal user logins and leverage the Descope Amazon S3 connector for audit streaming.  

Support par excellence 

As an early customer of Descope, CARS24 has had the chance to collaborate on product features as well as be the first adopters of several enhancements made to the Descope platform since they first onboarded seven months ago. They are currently trialing Descope FGA as part of their overall strategy to move to granular access control models.

Marut said:

“The speed with which Descope keeps adding new features that meet real developer needs is impressive. Our team also really appreciates the empathetic and ever-present support. Whether it’s regular check-ins, guidance and implementation help for unique use cases, or fast response and deployment for feature requests, we can see that Descope has our back.”


Descope is a flexible drag-and-drop CIAM platform that helps organizations easily add authentication, authorization, and identity management to their apps. Customers use us for initiatives such as passwordless authentication, SSO, identity federation, strong MFA, and fraud prevention.

To get started with Descope, sign up for a Free Forever account. If you have questions about our platform, book time with our auth experts.