v2026.1

Multi-Tenancy

Tenancy Model

StackFlow uses a shared-infrastructure, data-isolated multi-tenancy model. All tenants share the same Aurora PostgreSQL clusters, Neptune graph, and Lambda functions. However, every record in the database includes a tenant_id column, and PostgreSQL Row-Level Security (RLS) policies on that column, driven by the tenant context that the application layer sets on each request, ensure that one tenant's data is never accessible by another.

⚙️ Minimum Requirements
  • DynamoDB: StackFlow_Tenant table with at least one active tenant record; PK = tenantId
  • KMS: Per-tenant CMK aliases in the format alias/stackflow-tenant-{tenantId} (optional, for tenant-level key isolation)
  • Cognito Custom Attribute: custom:tenant_id defined on pool us-east-1_WKK1AVJ2m
  • Lambda Env Var: MULTI_TENANT_MODE=true set in StackFlowAPI
  • S3 Bucket Policy: stackflow-tenant-assets-373544523367 scoped to tenant-prefixed paths

Each tenant has its own Cognito attribute namespace, AI provider configuration, and customization settings. Tenant IDs are UUIDs assigned at provisioning time and are immutable.

RLS Enforcement: Row-Level Security is enforced in PostgreSQL via the app.current_tenant_id session variable, which the StackFlowAPI Lambda sets at the beginning of each request from the custom:tenant_id JWT claim. Never bypass this by connecting directly to Aurora without setting this variable.
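
The session-variable pattern described above, as an added PostgreSQL example that is not StackFlow's own schema: the table work_items, the role app_rw and the UUIDs are assumptions constructed for illustration. It shows a policy keyed on app.current_tenant_id that fails closed when the variable is unset, and a transaction-scoped way to set it.

```sql
-- Added example: table and role names are hypothetical, UUIDs are constructed.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE work_items (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);
GRANT SELECT, INSERT ON work_items TO app_rw;
GRANT USAGE ON SEQUENCE work_items_id_seq TO app_rw;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip every policy.
ALTER TABLE work_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_items FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL if the variable was never set; once a
-- transaction-local value has expired it yields ''. NULLIF folds both into NULL,
-- so the comparison is never true and the policy fails closed instead of erroring.
CREATE POLICY tenant_isolation ON work_items
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant_id', true), '')::uuid);

SET ROLE app_rw;

-- One request: the third argument (is_local = true) scopes the value to this
-- transaction, so a pooled connection cannot carry it into the next request.
BEGIN;
SELECT set_config('app.current_tenant_id', '11111111-1111-4111-8111-111111111111', true);
INSERT INTO work_items (tenant_id, title)
VALUES ('11111111-1111-4111-8111-111111111111', 'tenant A item');
SELECT id, title FROM work_items;      -- tenant A sees its own row
COMMIT;

-- A different tenant context: USING filters out tenant A's row, and WITH CHECK
-- would reject an INSERT that names tenant A's tenant_id.
BEGIN;
SELECT set_config('app.current_tenant_id', '22222222-2222-4222-8222-222222222222', true);
SELECT id, title FROM work_items;
COMMIT;

-- No tenant context at all (a session that never set the variable): no rows match.
SELECT id, title FROM work_items;

RESET ROLE;
```

The fail-closed behaviour holds only for roles that are subject to RLS; a session connected as a superuser or a BYPASSRLS role sees every tenant's rows regardless of the variable.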

Tenant Isolation

Beyond database RLS, tenant isolation is enforced at multiple layers:

| Layer | Isolation Mechanism |
|---|---|
| Authentication | Cognito custom:tenant_id claim in JWT |
| Database | PostgreSQL RLS on all tables, tenant_id column |
| Knowledge Graph | Neptune named graphs per tenant (g:tenant_{id}) |
| S3 | Tenant-prefixed key paths (tenants/{id}/attachments/...) |
| AI Knowledge Base | Bedrock KB filtered retrieval using tenant metadata |
| Redis Cache | Key namespace prefixing (t:{tenant_id}:...) |

Provisioning a New Tenant

New tenants are provisioned via the StackFlow super-admin console at Admin → Multi-Tenancy → Provision Tenant. The provisioning process creates the tenant record, configures default settings, and seeds the initial admin user account.

curl -X POST https://your-instance.stackflow-tech.com/prod/api/super-admin/tenants \
  -H "Authorization: Bearer $SUPER_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corporation",
    "slug": "acme",
    "admin_email": "admin@acme.com",
    "plan": "enterprise",
    "aws_region": "us-east-1",
    "data_residency": "us"
  }'

Tenant Settings

Each tenant can configure its own branding, default AI models, notification settings, and feature flag overrides. Tenant-level settings override platform defaults but cannot exceed the permissions granted by the tenant's subscription plan.

Cross-Tenant Reporting

Super-admin users can run cross-tenant reports from the Executive Dashboard by selecting All Tenants in the tenant selector. These reports aggregate data across all tenants and are only available to super-admin roles. Cross-tenant queries bypass tenant RLS using a dedicated database role with elevated privileges, and all such queries are logged to the audit trail.