Multi-tenant JWT tokens

As a SaaS or consumer app developer, securing your multi-tenant data application is one of your main tasks. Propel offers a simple, yet powerful, solution using Access Policies and JWT tokens.

Key concepts

Access Policies: Rules that determine which data each tenant can access.
JWT Tokens: Secure tokens that carry tenant-specific information.
Dynamic row-level filtering: Allows one policy to serve multiple tenants.

Here’s how to implement multi-tenant access control for your app:

Implementing multi-tenant security

Create a single, dynamic access policy

Instead of creating a separate policy for each tenant, define one policy with dynamic filtering:

Console
API
Terraform

Creating an Access Policy for multi-tenant access control

mutation {
  createDataPoolAccessPolicy(input: {
    uniqueName: "My multi-tenant Access Policy",
    description: "Multi-tenant policy with dynamic filtering",
    dataPool: "DPO00000000000000000000000000",
    columns: ["*"],
    filterSql: "tenant_id = ${{ tenant_id }}"
  }) {
    dataPoolAccessPolicy {
      dataPool {
        id
      }
      id
      uniqueName
    }
  }
}

resource "propel_data_pool_access_policy" "multi-tenant-policy" {
  unique_name = "My multi-tenant Access Policy"
  description = "Multi-tenant policy with dynamic filtering"
  data_pool = "DPO00000000000000000000000000"

  columns = ["*"]

  row {
    column   = "tenant_id"
    operator = "EQUALS"
    value    = "${{ tenant_id }}"
  }

  applications = ["APP00000000000000000000000000"]
}

—This policy uses ${{ tenant_id }} as a placeholder, which will be filled with the actual tenant ID at runtime.

Generate tenant-specific JWT tokens

When a user logs in, mint a JWT token that includes their tenant ID:

curl https://auth.propeldata.com/oauth2/token \
  -d grant_type=client_credentials \
  -d client_id=$YOUR_APP_ID \
  -d client_secret=$YOUR_APP_SECRET \
  -d 'policy_values={"tenant_id":"123"}'

Use the token for data queries

When querying Propel’s API, include this token in the Authorization header. Propel will automatically apply the correct tenant filter.

Benefits

Scalability: One policy serves all tenants.
Security: Each tenant is strictly limited to their own data.
Flexibility: Easily adapt to changes in your data model.
Multiple levels of tenancy: This models supports multiple levels of tenancy (e.g. Organizations, customers, workspaces and users).

Important Notes

Always create tokens server-side for security.
The resulting token is safe to use in frontend code.
You can include multiple tenant-specific values in the token if needed.

By following this approach, you can efficiently secure your multi-tenant application, ensuring that each customer only accesses their own data while minimizing the overhead of policy management.

Get Started

Manage

Identity & Access

Resources

Enterprise

Multi-tenant JWT tokens

Key concepts

Implementing multi-tenant security

Benefits

Important Notes

Get Started

Manage

Identity & Access

Resources

Enterprise

​Key concepts

​Implementing multi-tenant security

​Benefits

​Important Notes

Key concepts

Implementing multi-tenant security

Benefits

Important Notes