Tenant Context Propagation
How to propagate tenant identity across middleware, services, database queries, caches, and background workers in multi-tenant SaaS.
Written by Luka MarkovicTenant Context Propagation
Multi-tenant SaaS platforms isolate data by tenant while still operating inside a shared runtime. Every request must execute with a clearly defined tenant context. That context determines which database rows are visible, which authorization rules apply, and which background jobs operate on specific data.
The difficulty is not resolving the tenant at the edge of the system. The difficulty is preserving that tenant identity as execution flows through middleware, controllers, services, database queries, caches, and asynchronous workloads.
Tenant context propagation is therefore an architectural responsibility. If it fails at any point, the application can silently cross tenant boundaries.
If you’re building a SaaS product, this is exactly the kind of issue that appears when tenant boundaries are not designed properly. Teams that need to design a SaaS system properly usually treat tenant context as part of the platform architecture, not a middleware detail.
Use this with the complete multi-tenant architecture guide when designing end-to-end enforcement.
Pair this with Organization-Level Data Isolation in Multi-Tenant SaaS, Designing Tenant-Aware Background Jobs in SaaS Platforms, and Handling Tenant-Aware Caching in SaaS Platforms.
Problem Definition and System Boundary
Multi-tenancy introduces an additional identity dimension beyond the user.
A typical SaaS request contains three identity scopes:
- application identity (service handling the request)
- user identity (authenticated user)
- tenant identity (organization account)
Tenant context defines the data boundary of the request.
Typical request lifecycle:
Browser
→ CDN
→ Reverse proxy
→ ASP.NET Core middleware
→ Tenant resolution
→ Authentication
→ Authorization
→ Controller
→ Service layer
→ EF Core query execution
→ Database
Tenant context must remain available throughout this chain.
If tenant identity disappears anywhere, the system may unintentionally access global data.
Propagation boundaries include:
- HTTP middleware
- dependency injection scopes
- EF Core database queries
- caching layers
- background jobs
- event pipelines
The architectural rule is simple:
Every operation touching tenant data must carry tenant identity.
Tenant Resolution Strategy
Tenant context begins with tenant resolution.
Resolution determines which tenant owns the request before business logic executes.
Common strategies include:
Subdomain-based tenancy
https://acme.example.com https://globex.example.com
Extraction example:
var host = context.Request.Host.Host;
var tenantSlug = host.Split('.')[0];Advantages:
- clean URL structure
- strong conceptual separation
Disadvantages:
- DNS management complexity
- wildcard certificates required
Header-based tenancy
Example request header:
X-Tenant-Id: tenant_123
Extraction example:
var tenantId = context.Request.Headers["X-Tenant-Id"];Advantages:
- simple for APIs
- gateway friendly
Disadvantages:
- requires strong validation
- easier to spoof if poorly secured
Path-based tenancy
/t/acme/dashboard
Extraction example:
var segments = context.Request.Path.Value.Split('/');
var tenantSlug = segments[2];Most production SaaS systems use subdomain or header strategies.
Resolution must occur early in the request pipeline.
Establishing Tenant Context in Middleware
Tenant context should be created inside middleware immediately after request entry.
Example model:
public class TenantContext
{
public Guid TenantId { get; }
public string Slug { get; }
public TenantContext(Guid tenantId, string slug)
{
TenantId = tenantId;
Slug = slug;
}
}Middleware example:
public class TenantResolutionMiddleware
{
private readonly RequestDelegate _next;
public TenantResolutionMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task Invoke(HttpContext context, ITenantStore tenantStore)
{
var host = context.Request.Host.Host;
var slug = host.Split('.')[0];
var tenant = await tenantStore.FindBySlug(slug);
if (tenant == null)
{
context.Response.StatusCode = 404;
return;
}
context.Items["TenantContext"] =
new TenantContext(tenant.Id, slug);
await _next(context);
}
}Tenant context must then be exposed through dependency injection.
Tenant provider example:
public interface ITenantProvider
{
TenantContext GetTenant();
}Implementation:
public class HttpTenantProvider : ITenantProvider
{
private readonly IHttpContextAccessor _httpContext;
public HttpTenantProvider(IHttpContextAccessor httpContext)
{
_httpContext = httpContext;
}
public TenantContext GetTenant()
{
return (TenantContext)_httpContext
.HttpContext
.Items["TenantContext"];
}
}Tenant Context Inside the Service Layer
Application services should retrieve tenant identity through the tenant provider rather than accepting raw identifiers.
Example service:
public class ActivityService
{
private readonly AppDbContext _db;
private readonly ITenantProvider _tenant;
public ActivityService(AppDbContext db, ITenantProvider tenant)
{
_db = db;
_tenant = tenant;
}
public async Task<List<Activity>> GetActivities()
{
var tenantId = _tenant.GetTenant().TenantId;
return await _db.Activities
.Where(a => a.TenantId == tenantId)
.ToListAsync();
}
}Centralizing tenant access reduces duplication and prevents missing filters.
Database Enforcement with EF Core
Tenant boundaries must also exist inside the data layer.
EF Core global query filters automatically enforce tenant constraints.
Example:
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
modelBuilder.Entity<Activity>()
.HasQueryFilter(a =>
a.TenantId == _tenantProvider.GetTenant().TenantId);
}Generated SQL:
SELECT *
FROM Activities
WHERE TenantId = @TenantIdGlobal query filters act as guardrails preventing accidental cross-tenant queries.
Failure Scenario: Tenant Context Loss
A SaaS analytics platform introduced an in-memory cache for dashboard results.
Cache key implementation:
var cacheKey = $"dashboard_{userId}";Tenant identifier was missing.
Two tenants with identical user IDs caused cache collisions.
Tenant A generated dashboard data first.
Tenant B retrieved the cached result.
The result contained Tenant A’s analytics data.
Correct cache key:
var cacheKey = $"tenant_{tenantId}_dashboard_{userId}";Tenant context must propagate beyond the database layer into caching systems.
Tenant Context in Background Jobs
Background jobs execute outside the HTTP pipeline.
Tenant context must therefore be passed explicitly.
Example job payload:
public class TenantJob
{
public Guid TenantId { get; set; }
public Guid ActivityId { get; set; }
}Worker example:
public async Task Execute(TenantJob job)
{
using var scope = _scopeFactory.CreateScope();
var tenantProvider = scope
.ServiceProvider
.GetRequiredService<BackgroundTenantProvider>();
tenantProvider.SetTenant(job.TenantId);
var service = scope
.ServiceProvider
.GetRequiredService<ActivityService>();
await service.ProcessActivity(job.ActivityId);
}Without explicit tenant propagation, background workers may query global datasets.
Operational Considerations
Tenant context propagation affects several operational systems.
Logging
Logs must include tenant identifiers.
Example:
TenantId=acme UserId=9321 Action=CreateActivity
Observability
Metrics should include tenant labels.
Example:
request_latency{tenant="acme"}
Caching
All cache keys must include tenant identity.
Applies to:
- in-memory caches
- Redis
- CDN edge caching
- response caching
Testing
Integration tests must simulate multiple tenants to detect isolation failures.
Example test:
- Tenant A creates data\
- Tenant B attempts retrieval\
- Verify isolation
Architectural Tradeoffs
Several propagation strategies exist.
HttpContext-based propagation
Advantages:
- simple implementation
- natural ASP.NET integration
Disadvantages:
- fails in background jobs
Scoped tenant services
Advantages:
- DI friendly
- consistent access across services
Disadvantages:
- requires explicit initialization
Database row-level security
PostgreSQL can enforce tenant filtering directly.
Advantages:
- strongest isolation guarantee
Disadvantages:
- operational complexity
Most SaaS systems combine:
- scoped tenant services
- EF Core global filters
- database constraints
Layered enforcement minimizes catastrophic mistakes.
A tenant isolation audit is useful when propagation depends on multiple layers, because the gap is usually silent until the full execution path is tested.
Conclusion
Tenant context propagation defines whether a multi-tenant SaaS platform can guarantee data isolation.
Resolution must occur early in the request pipeline. The tenant identity must then propagate through middleware, services, database queries, caches, and background jobs.
When tenant identity disappears anywhere in the system, cross-tenant data exposure becomes possible.
That is exactly the kind of failure a tenant isolation audit can surface when context falls out of middleware, queues, or background work.
If you need to validate that propagation chain under real actors and object changes, API access control testing helps confirm whether responses still hold when the tenant context shifts.
Engineering teams building multi-tenant systems should treat tenant context as a first-class architectural concern.
Check where tenant context breaks down
We trace tenant identity through middleware, services, caches, and workers to find the paths where isolation disappears. The goal is to verify the full propagation chain, not just the request entry point.
Need implementation support? Review the Agnite Scan case study or explore our services.
Related Articles
Continue reading in Multi Tenant SaaS Architecture
Building SaaS with complex authorization?
Move from theory to request-level validation and architecture decisions that hold under scale.
SaaS Security Cluster
This article is part of our SaaS Security Architecture series.
Start with the pillar article: SaaS Security Architecture: A Practical Engineering Guide