search

Multi-Tenancy Architecture

hashtag
Overview

The Refresh App Web implements a comprehensive multi-tenancy architecture that provides complete data isolation while maintaining excellent performance. Tenant isolation is enforced at both the application level (user identity resolution, permission checking) and the database level (Row-Level Security using JWT claims).

hashtag
Multi-Tenancy Model

hashtag
Tenant Hierarchy

Organization (Tenant)
├── Tenant Settings
├── Tenant Users (with roles: owner, admin, manager, member, viewer)
├── Groups
│   ├── Group Settings
│   └── Group Users (with roles: admin, manager, member)
└── Tenant Data
    ├── Integrations
    ├── Employees (HRIS)
    ├── Survey Responses
    ├── Reports
    └── Resources

hashtag
Key Concepts

Tenant:

  • Primary isolation boundary

  • Represents an organization/company (your customers)

  • Has its own branding, settings, and data

  • Users can belong to multiple tenants via linked accounts

Group:

  • Sub-organization within a tenant

  • Represents a team, department, or division

  • Inherits tenant context

  • Users can belong to multiple groups

Active Tenant:

  • Currently selected tenant for the request

  • Specified via URL path parameter (:tenantId in route)

  • Determines which work user_id to use for data operations

  • Encoded in Neon JWT for RLS enforcement

hashtag
User-Tenant Relationship

hashtag
Multiple User Records Per Person

A single person can have multiple users records, one per tenant they've worked with:

See User Management for complete details on user identity lifecycle.

hashtag
Tenant Context Resolution

When a request arrives for a tenant route (e.g., /api/v1/tenants/newco/...):

hashtag
Application-Level Isolation

hashtag
Request Flow

hashtag
Tenant and Group Context: URL Path Parameters

Tenant and group context are passed via URL path parameters (not headers):

Why URL path, not headers?

Benefit
URL Path

Self-documenting URLs

Standard REST convention

Easier to audit/log

Works with browser history/bookmarks

Shareable URLs

No hidden state

Validated by middleware

Headers are reserved for:

  • Cross-cutting concerns (Authorization, Request-Id, tracing)

  • Internal validation (bypass users may send X-Tenant-Id to validate against URL)

hashtag
Example Route Structure

hashtag
Middleware Implementation

Middleware validates tenant access from URL path parameters:

hashtag
Group Context

Groups are always scoped within a tenant. The :groupId URL path parameter is used when an operation is group-specific:

hashtag
Personal vs Tenant Routes

Route Type
Tenant Context
User ID Used
Data Access

Personal

Not in URL

Primary user_id

Personal resources only

Tenant

:tenantId in URL

Work user_id

Tenant-owned data

Personal Routes: /personal/*, /settings/account, /settings/linked-accounts

Tenant Routes: /tenants/{tenant_id}/dashboard, /tenants/{tenant_id}/surveys, etc.

hashtag
Cookie for UI Convenience

For the SvelteKit frontend, activeTenantId cookie stores the last-selected tenant:

The frontend uses this cookie for navigation (e.g., redirecting to /tenants/{activeTenantId}/dashboard after login).

hashtag
Database-Level Isolation

hashtag
Row-Level Security (RLS)

RLS policies automatically filter database queries based on JWT claims:

hashtag
Neon JWT Generation

After resolving the work user_id for a tenant, generate a Neon JWT:

hashtag
Database Connection with JWT

hashtag
Role-Based Access Control

hashtag
Tenant Roles

Stored in tenant_users.role, mapped to permissions:

Role
Description
Example Permissions

tenant:owner

Full control

tenant:delete, billing:manage

tenant:admin

Manage tenant

member:invite, survey:delete

tenant:manager

Create content

survey:create, report:export

tenant:member

Basic access

survey:respond, survey:view:own

tenant:viewer

Read-only

survey:view, report:view

hashtag
Group Roles

Stored in group_users.role:

Role
Description

group:admin

Manage group settings and members

group:manager

Add members, create content

group:member

Participate in group activities

hashtag
Permission Resolution

See Authorization for complete details.

hashtag
Data Model

hashtag
Tenant Table

hashtag
Tenant Users Table

hashtag
Groups Tables

hashtag
Security Considerations

hashtag
Tenant Isolation Guarantees

  1. Application Level:

    • :tenantId URL path parameter required for tenant routes

    • Work user_id resolved for requested tenant (via tenant_users membership)

    • tenant_users.status = 'active' check (bypass_rls users skip this)

  2. Database Level:

    • RLS policies enforce WHERE tenant_id = jwt_claim

    • Cross-tenant queries blocked by Postgres

    • Cannot bypass RLS from application code

  3. JWT Security:

    • Neon JWT contains tenant_id (not user-controllable)

    • RS256 signing prevents tampering

    • 8-hour expiration with refresh

hashtag
Attack Prevention

Attack
Prevention

Tenant ID tampering

JWT signed with private key, verified by Neon

Cross-tenant access

RLS policies enforce isolation at DB level

Unauthorized tenant access

tenant_users membership check

JWT forgery

RS256 requires private key to sign

hashtag
Performance Optimizations

hashtag
1. Permission Caching

hashtag
2. JWT Reuse

Only regenerate Neon JWT when:

  • Token expired

  • Tenant context changes

  • User permissions change

hashtag
3. Database Indexes

hashtag
Best Practices

hashtag
1. Always Use Work User ID for Tenant Data

hashtag
2. Validate Tenant Access

hashtag
3. Use Neon JWT for All Tenant Queries

hashtag
Related Documentation

Last updated: December 2025

PreviousAuthorizationNextSecurity Architecture

Last updated