Multi-Tenant Data Flow
How requests are scoped to tenants throughout the stack.
Request Flowβ
Layer-by-Layerβ
1. JWT Tokenβ
Every JWT contains the tenantId:
{
"id": "user-uuid",
"tenantId": "tenant-uuid",
"role": "ADMIN",
"exp": 1735689600
}
2. RequestContextβ
RequestContext stores the current tenant in async local storage:
RequestContext.currentTenantId(); // returns tenant UUID
3. Guard Layerβ
TenantPermissionGuard validates:
- Token contains valid
tenantId - Tenant exists and is active
4. Service Layerβ
All services extend TenantAwareCrudService which auto-filters by tenant:
// Automatically adds WHERE tenantId = :currentTenant
const tasks = await this.taskService.findAll();
5. Repository Layerβ
Query builders append tenant filter:
SELECT * FROM task
WHERE "tenantId" = 'tenant-uuid'
AND "organizationId" = 'org-uuid'
Cross-Tenant Accessβ
Only SUPER_ADMIN role can access data across tenants.
Related Pagesβ
- Tenant Isolation β security deep dive
- Multi-Tenancy β architecture overview
- Request Lifecycle β full request flow