← Back to reference

Multi Tenant Architecture

Tenant Identity

Every tenant has:

  • A UUID tenant_id.
  • An isolation boundary: API path prefix, data partition prefix, RBAC principal set.
  • Optional data-residency constraint (US, EU, AP, CUSTOMER_VPC).

API Surface

/v1/<tenant_id>/incidents
/v1/<tenant_id>/diagnostics/<id>
/v1/<tenant_id>/remediation/<id>/approve
/v1/<tenant_id>/audit
/v1/<tenant_id>/export

The first segment is extracted by middleware before the request reaches the handler. Missing or unparseable tenant id returns 400.

Data Partitioning

data/
├── tenant_<id_a>/
│   ├── metrics/
│   ├── logs/
│   ├── traces/
│   └── graph.ron
├── tenant_<id_b>/
│   └── ...

Per-tenant storage keys: &lt;bucket&gt;/&lt;tenant_id&gt;/&lt;type&gt;/....

Row-level filtering for cross-tenant analytics tables:

SELECT * FROM time_series
WHERE tenant_id = :tenant_id
  AND time_unix_nano >= :since

Indexes: idx_ts_tenant and idx_ts_entity_tenant per table.

Rate Limits + Quotas

TierRPSQuota (events/day)
Team5010,000,000
Scale200100,000,000
Growth1,0001,000,000,000

Enforcement: token-bucket per tenant in limits.rs. 429 + Retry-After on overflow.

Per-Tenant RBAC

Roles are mapped to principals per tenant. A user is "tenant_admin on tenant A" but may only be "researcher on tenant B" via separate auth tokens.

Audit Export

Each tenant can stream their audit log out to:

  • A managed SIEM (Splunk HEC, Elastic ECS) with per-tenant index.
  • S3 bucket with a tenant-prefixed key path.

Cross-Tenant Operations

Platform Admins have a separate auth context (platform_admin scope) and operate against /v1/platform/.... Every platform-admin operation emits an audit record tagged cross_tenant=true.