I’ve been thinking about multi-tenant architecture a lot lately because it’s where modern SaaS applications live or die. When you’re building software that serves multiple customers from a single codebase, every decision around data isolation and security becomes critical. Let me walk you through what I’ve learned about creating robust multi-tenant systems.
Why does this matter right now? Because SaaS isn’t just about features anymore—it’s about delivering secure, isolated experiences at scale. I’ve seen too many projects struggle with data leakage between tenants or performance bottlenecks that could have been avoided with proper architecture from day one.
The approach I prefer uses PostgreSQL’s Row-Level Security combined with NestJS’s modular architecture. This combination gives you the security of database-level isolation while maintaining the developer experience of a modern TypeScript framework.
Let me show you how we set up the database schema. Notice how every tenant-related table includes a tenantId field? This becomes our anchor point for isolation.
model Tenant {
id String @id @default(cuid())
name String
subdomain String @unique
users User[]
projects Project[]
}
model User {
id String @id @default(cuid())
email String @unique
tenantId String
tenant Tenant @relation(fields: [tenantId], references: [id])
}But here’s where it gets interesting: how do we ensure that a user from one tenant can never access another tenant’s data? That’s where Row-Level Security policies come into play.
CREATE POLICY tenant_isolation ON users
USING (tenant_id = current_setting('app.current_tenant_id')::text);This policy ensures that every query against the users table automatically filters by the current tenant context. But wait—how does PostgreSQL know which tenant we’re talking about? That’s where our application logic comes in.
In NestJS, we create a middleware that extracts the tenant context from incoming requests. This could come from JWT tokens, subdomains, or custom headers. Here’s a simplified version:
@Injectable()
export class TenantMiddleware implements NestMiddleware {
constructor(private prisma: PrismaService) {}
async use(req: Request, res: Response, next: NextFunction) {
const tenantId = this.extractTenantId(req);
if (tenantId) {
await this.prisma.$executeRaw`SELECT set_config('app.current_tenant_id', ${tenantId}, false)`;
}
next();
}
}See what we’re doing here? Before any request handler runs, we’re setting a PostgreSQL session variable that our RLS policies can reference. This creates a watertight separation between tenants without cluttering our application code with tenant checks.
But here’s a question I often get: what about performance? Won’t all these policies slow things down? Actually, PostgreSQL’s RLS is remarkably efficient. The real performance consideration comes from proper indexing.
model User {
id String @id @default(cuid())
email String @unique
tenantId String
@@index([tenantId, email])
}Composite indexes like this ensure that tenant-scoped queries remain fast even as your data grows. I’ve seen applications handle millions of records across thousands of tenants with response times under 100ms.
Now, let’s talk about authentication. How do we ensure users only authenticate within their own tenant? Our JWT strategy needs to be tenant-aware:
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor(private prisma: PrismaService) {
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
secretOrKey: process.env.JWT_SECRET,
});
}
async validate(payload: any) {
const user = await this.prisma.user.findFirst({
where: {
id: payload.sub,
tenantId: payload.tenantId
},
});
if (!user) throw new UnauthorizedException();
return user;
}
}Notice how we’re validating both the user ID and tenant ID from the JWT payload? This prevents a user from one tenant using their token to access another tenant’s resources.
What about creating new resources? Our services need to automatically attach the tenant context:
@Injectable()
export class ProjectsService {
constructor(private prisma: PrismaService) {}
async create(createProjectDto: CreateProjectDto, tenantId: string) {
return this.prisma.project.create({
data: {
...createProjectDto,
tenantId, // Injected from request context
},
});
}
}The beauty of this approach is that once you set up the middleware and RLS policies, your business logic remains clean and focused. You don’t need to remember to add tenant checks everywhere—the database handles it for you.
But what happens when you need to query across tenants? For administrative purposes, you might need to disable RLS temporarily. Here’s how we handle that safely:
async getTenantStatistics(adminUserId: string) {
// Verify admin privileges first
await this.verifyAdminUser(adminUserId);
return this.prisma.$transaction(async (tx) => {
await tx.$executeRaw`SET LOCAL row_level_security = false`;
return tx.tenant.findMany({
include: { _count: { select: { users: true, projects: true } } },
});
});
}The key here is using transactions and LOCAL setting changes, which revert automatically when the transaction ends. This prevents any accidental data exposure.
Migration strategy is another area where multi-tenant applications differ. When you need to modify your schema, you’re affecting all tenants simultaneously. Prisma makes this straightforward:
npx prisma migrate dev --name add_project_descriptionBut have you considered what happens when a migration fails halfway through? That’s why we always wrap schema changes in transactions and test them thoroughly in staging environments first.
Testing multi-tenant applications requires special consideration too. We need to verify that data isolation works correctly:
it('should not leak data between tenants', async () => {
const [tenant1, tenant2] = await createTestTenants();
const project1 = await createProject(tenant1.id);
const project2 = await createProject(tenant2.id);
// Simulate request from tenant1
setTenantContext(tenant1.id);
const projects = await projectsService.findAll();
expect(projects).toHaveLength(1);
expect(projects[0].id).toBe(project1.id);
});This type of test gives me confidence that our isolation layers are working as intended.
As we think about deployment, monitoring becomes crucial. We need metrics that show performance per tenant, not just overall application health. This helps identify problematic tenants before they affect others.
@Injectable()
export class MetricsMiddleware implements NestMiddleware {
use(req: Request, res: Response, next: NextFunction) {
const start = Date.now();
const tenantId = extractTenantId(req);
res.on('finish', () => {
const duration = Date.now() - start;
metrics.recordRequest(tenantId, req.path, res.statusCode, duration);
});
next();
}
}What I love about this architecture is how it scales with your business. You can start with a single database and later move to read replicas or even tenant-based sharding without changing your application logic.
The most common pitfall I see? Developers trying to handle tenant isolation entirely in application code. This might seem simpler initially, but it’s incredibly error-prone. One missed tenant check can lead to data leakage.
Another challenge is tenant onboarding. How do you efficiently seed initial data for new tenants? We use template-based seeding:
async onboardNewTenant(tenantId: string, template: string) {
const templates = await this.loadSeedTemplates(template);
return this.prisma.$transaction([
this.prisma.project.createMany({ data: templates.projects }),
this.prisma.user.createMany({ data: templates.users }),
]);
}This approach lets new tenants hit the ground running with pre-configured projects and user roles.
Building multi-tenant applications requires thinking about security, performance, and scalability from the very beginning. But with the right patterns and tools, you can create systems that serve thousands of customers reliably and securely.
What challenges have you faced with multi-tenant architectures? I’d love to hear your experiences and solutions. If this guide helped you, please share it with other developers who might be facing similar challenges. Your comments and feedback help me create better content for our community.
