Tenants
A tenant is the unit of isolation in cloudscode. Every API call, every runtime instance, every BYOK key, and every audit-log entry is scoped to exactly one tenant.
What lives inside a tenant
- Members — humans with roles (owner, admin, member).
- API keys — programmatic access to the tenant’s API surface.
- BYOK keystore — vendor keys (Anthropic, OpenAI, Gemini, …).
- Runtime instances — running agent containers.
- Conversations — message history across all instances.
- Audit log — append-only record of every state-changing call.
- Webhooks — outbound delivery targets.
Tenant header
Every request to the API must carry an x-tenant-id header (or be authenticated via a session that resolves to one). Requests without it return:
{ "error": "tenant required" }
with HTTP 401.
Isolation guarantees
| Surface | Guarantee |
|---|---|
| Database | Every row carries tenant_id; queries are filtered server-side. |
| BYOK keys | Encrypted at rest; only readable by the owning tenant’s runtimes. |
| Network | Per-tenant egress policy (optional allow-list). |
| Filesystem | Each runtime gets a fresh, isolated /workspace. |
| Audit log | Append-only; tenant-scoped retrieval. |
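
The tenant header check and the database guarantee above, combined in one handler. This is an added sketch, not cloudscode's own code. The conversations table, the function names, the sample rows and the 404 for a row owned by another tenant are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two tenants with one conversation each."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE conversations ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT)"
    )
    db.executemany(
        "INSERT INTO conversations VALUES (?, ?, ?)",
        [(1, "tenant-a", "hello from A"), (2, "tenant-b", "hello from B")],
    )
    return db

def resolve_tenant(headers, session=None):
    """Tenant id from the x-tenant-id header, else from the session, else None."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    tenant = lowered.get("x-tenant-id", "").strip()
    if not tenant and session:
        tenant = session.get("tenant_id", "")
    return tenant or None

def get_conversation(db, headers, conversation_id, session=None):
    """Hypothetical read handler; returns (http_status, json_body)."""
    tenant = resolve_tenant(headers, session)
    if tenant is None:
        return 401, {"error": "tenant required"}
    # The server adds the tenant filter to every query, so a caller-supplied
    # row id alone can never select a row.
    row = db.execute(
        "SELECT id, body FROM conversations WHERE id = ? AND tenant_id = ?",
        (conversation_id, tenant),
    ).fetchone()
    if row is None:
        # Assumption: a row owned by another tenant looks the same as a
        # row that does not exist.
        return 404, {"error": "not found"}
    return 200, {"id": row[0], "body": row[1]}
```

Because the tenant_id predicate sits in the query itself, a request scoped to tenant-b that asks for conversation 1 gets the same answer as a request for an id that was never created.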
Roles are coarse on purpose:
- owner — billing, member management, destructive ops.
- admin — runtime management, BYOK, webhooks.
- member — start runtimes, send messages, read history.
Custom roles are not currently supported. Submit a request if you need one.