Multi-tenant JWT tokens
Using JWT tokens to secure multi-tenant applications.
As a SaaS or consumer app developer, securing your multi-tenant data application is one of your main tasks. Propel offers a simple, yet powerful, solution using Access Policies and JWT tokens.
Key concepts
- Access Policies: Rules that determine which data each tenant can access.
- JWT Tokens: Secure tokens that carry tenant-specific information.
- Dynamic row-level filtering: Allows one policy to serve multiple tenants.
Here’s how to implement multi-tenant access control for your app:
Implementing multi-tenant security
Create a single, dynamic access policy
Instead of creating a separate policy for each tenant, define one policy with dynamic filtering:
Creating an Access Policy for multi-tenant access control
—
This policy uses ${{ tenant_id }} as a placeholder, which will be filled with the actual tenant ID at runtime.
Generate tenant-specific JWT tokens
When a user logs in, mint a JWT token that includes their tenant ID:
Use the token for data queries
When querying Propel’s API, include this token in the Authorization header. Propel will automatically apply the correct tenant filter.
Benefits
- Scalability: One policy serves all tenants.
- Security: Each tenant is strictly limited to their own data.
- Flexibility: Easily adapt to changes in your data model.
- Multiple levels of tenancy: This models supports multiple levels of tenancy (e.g. Organizations, customers, workspaces and users).
Important Notes
- Always create tokens server-side for security.
- The resulting token is safe to use in frontend code.
- You can include multiple tenant-specific values in the token if needed.
By following this approach, you can efficiently secure your multi-tenant application, ensuring that each customer only accesses their own data while minimizing the overhead of policy management.