Tenant Setup Guide
This guide provides step-by-step instructions for configuring tenants in the Inference API platform. The platform supports multi-tenancy with complete data isolation, where each tenant has its own MongoDB database and Redis instance.
Table of Contents
- Prerequisites
- Understanding Tenant Configuration
- Configuration Parameters
- Setup Steps
- Configuration Examples
- Database Setup
- Testing the Configuration
- Troubleshooting
- Security Best Practices
Prerequisites
Before setting up a tenant, ensure you have:
- Database Access: Access to MongoDB and Redis instances for the tenant
- Network Access: The platform must be able to reach tenant database instances
- Platform Access: Access to configure environment variables or tenant settings
- Unique Tenant ID: A unique identifier for the tenant (alphanumeric, underscores, hyphens)
- Frontend URL: The URL of your frontend application (for OIDC redirects if using SSO)
Understanding Tenant Configuration
The Inference API platform uses a multi-tenant architecture where each tenant has:
- Isolated MongoDB Database: Each tenant has its own MongoDB database
- Isolated Redis Instance: Each tenant has its own Redis database number
- Independent Configuration: Each tenant can have its own OIDC settings, frontend URL, etc.
- Complete Data Isolation: Tenants cannot access each other's data
Tenant Context Resolution
The platform resolves tenant context from requests in the following order:
- JWT Token: Contains
tenant_idclaim in the token payload - API Key: Tenant ID is embedded in the API key format (
{tenant_id}_sk_...) - Request Header: Fallback via
x-tenant-idheader (if supported)
Connection Management
- MongoDB: Connection pool per tenant, established at application startup
- Redis: Client instance per tenant, established at application startup
- Startup: All tenant connections are initialized during application initialization
- Health Checks: Per-tenant connection monitoring
Configuration Parameters
The tenant configuration includes the following parameters:
| Parameter | Description | Required | Example |
|---|---|---|---|
| tenant_id | Unique identifier for the tenant | Yes | acme_corp |
| name | Human-readable tenant name | Yes | Acme Corporation |
| mongo_uri | MongoDB connection string | Yes | mongodb://localhost:27017 |
| mongo_database | MongoDB database name for this tenant | Yes | acme_corp_db |
| redis_addr | Redis server address (host:port) | Yes | localhost:6379 |
| redis_db | Redis database number (0-15) | Yes | 0 |
| frontend_url | Frontend application URL | No | https://app.acme.com |
| oidc_issuer | OIDC provider issuer URL | No* | https://login.microsoftonline.com/{tenant}/v2.0 |
| oidc_client_id | OIDC client ID | No* | 00001111-aaaa-2222-bbbb-3333cccc4444 |
| oidc_client_secret | OIDC client secret | No* | your-secret-value |
| oidc_redirect_url | OIDC callback URL | No* | https://api.yourplatform.com/v1/auth/oidc/callback |
| oidc_scopes | OIDC scopes (space-separated) | No | openid profile email |
* Required if oidc_issuer is provided. See OIDC Setup Guide for OIDC configuration details.
Parameter Validation
The platform validates tenant configuration as follows:
- Required Fields:
tenant_id,name,mongo_uri,mongo_database, andredis_addrmust be provided - OIDC Configuration: If
oidc_issueris provided,oidc_client_id,oidc_client_secret, andoidc_redirect_urlare required - Default OIDC Scopes: If
oidc_scopesis not provided but OIDC is configured, defaults to"openid profile email" - Unique Tenant IDs: Each tenant must have a unique
tenant_id
Setup Steps
Step 1: Prepare Database Infrastructure
-
MongoDB Setup:
- Create or identify a MongoDB instance for the tenant
- Ensure the database is accessible from the platform
- Note the connection string (e.g.,
mongodb://host:portormongodb://user:password@host:port/database) - Choose a unique database name for the tenant
-
Redis Setup:
- Create or identify a Redis instance for the tenant
- Ensure Redis is accessible from the platform
- Choose a unique Redis database number (0-15) for the tenant
- Note the Redis address (host:port)
Step 2: Create Tenant Configuration
Create a JSON configuration object for your tenant:
{
"tenant_id": "acme_corp",
"name": "Acme Corporation",
"mongo_uri": "mongodb://acme-mongo:27017",
"mongo_database": "acme_corp_db",
"redis_addr": "acme-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.acme.com"
}
Step 3: Configure Environment Variables
The platform reads tenant configurations from the TENANT_CONFIGS environment variable, which should contain a JSON array of tenant configurations.
Single Tenant Example
export TENANT_CONFIGS='[
{
"tenant_id": "acme_corp",
"name": "Acme Corporation",
"mongo_uri": "mongodb://acme-mongo:27017",
"mongo_database": "acme_corp_db",
"redis_addr": "acme-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.acme.com"
}
]'
Multiple Tenants Example
export TENANT_CONFIGS='[
{
"tenant_id": "acme_corp",
"name": "Acme Corporation",
"mongo_uri": "mongodb://acme-mongo:27017",
"mongo_database": "acme_corp_db",
"redis_addr": "acme-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.acme.com"
},
{
"tenant_id": "globex_inc",
"name": "Globex Inc",
"mongo_uri": "mongodb://globex-mongo:27017",
"mongo_database": "globex_inc_db",
"redis_addr": "globex-redis:6379",
"redis_db": 1,
"frontend_url": "https://app.globex.com"
}
]'
Step 4: Set Default Tenant (Optional)
If you have multiple tenants, you can specify a default tenant:
export DEFAULT_TENANT_ID="acme_corp"
If DEFAULT_TENANT_ID is not set and you have multiple tenants, the platform will use the first tenant in the configuration array as the default.
Step 5: Configure OIDC (Optional)
If you want to enable OIDC authentication for the tenant, add OIDC configuration parameters:
{
"tenant_id": "acme_corp",
"name": "Acme Corporation",
"mongo_uri": "mongodb://acme-mongo:27017",
"mongo_database": "acme_corp_db",
"redis_addr": "acme-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.acme.com",
"oidc_issuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
"oidc_client_id": "00001111-aaaa-2222-bbbb-3333cccc4444",
"oidc_client_secret": "your-client-secret",
"oidc_redirect_url": "https://api.yourplatform.com/v1/auth/oidc/callback",
"oidc_scopes": "openid profile email"
}
See the OIDC Setup Guide for detailed OIDC configuration instructions.
Step 6: Start the Platform
- Verify Configuration: Ensure all environment variables are set correctly
- Start the Service: Start the Inference API service
- Check Logs: Verify that tenant connections are established successfully
- Verify Health: Check that all tenant databases are accessible
Configuration Examples
Example 1: Basic Tenant (No OIDC)
{
"tenant_id": "demo_tenant",
"name": "Demo Tenant",
"mongo_uri": "mongodb://localhost:27017",
"mongo_database": "demo_db",
"redis_addr": "localhost:6379",
"redis_db": 0,
"frontend_url": "https://demo.example.com"
}
Example 2: Tenant with OIDC (Microsoft Entra ID)
{
"tenant_id": "enterprise_tenant",
"name": "Enterprise Tenant",
"mongo_uri": "mongodb://enterprise-mongo:27017",
"mongo_database": "enterprise_db",
"redis_addr": "enterprise-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.enterprise.com",
"oidc_issuer": "https://login.microsoftonline.com/abc123/v2.0",
"oidc_client_id": "00001111-aaaa-2222-bbbb-3333cccc4444",
"oidc_client_secret": "enterprise-secret-value",
"oidc_redirect_url": "https://api.platform.com/v1/auth/oidc/callback",
"oidc_scopes": "openid profile email"
}
Example 3: Tenant with OIDC (Keycloak)
{
"tenant_id": "keycloak_tenant",
"name": "Keycloak Tenant",
"mongo_uri": "mongodb://keycloak-mongo:27017",
"mongo_database": "keycloak_db",
"redis_addr": "keycloak-redis:6379",
"redis_db": 0,
"frontend_url": "https://app.keycloak.com",
"oidc_issuer": "https://keycloak.example.com/realms/my-realm",
"oidc_client_id": "inference-api-client",
"oidc_client_secret": "keycloak-secret",
"oidc_redirect_url": "https://api.platform.com/v1/auth/oidc/callback",
"oidc_scopes": "openid profile email"
}
Example 4: Docker Compose Environment
services:
inference-api:
environment:
TENANT_CONFIGS: |
[
{
"tenant_id": "acme_corp",
"name": "Acme Corporation",
"mongo_uri": "mongodb://mongodb:27017",
"mongo_database": "acme_corp_db",
"redis_addr": "redis:6379",
"redis_db": 0,
"frontend_url": "https://app.acme.com"
}
]
DEFAULT_TENANT_ID: "acme_corp"
Database Setup
MongoDB Setup
- Create Database: The platform will automatically create the database if it doesn't exist
- Indexes: The platform automatically creates required indexes on startup
- Connection String Formats:
- Basic:
mongodb://host:port - With Authentication:
mongodb://username:password@host:port - With Database:
mongodb://host:port/database - Replica Set:
mongodb://host1:port1,host2:port2/?replicaSet=rs0 - SSL:
mongodb://host:port/?ssl=true
- Basic:
Redis Setup
- Database Number: Choose a unique Redis database number (0-15) for each tenant
- Connection: Ensure Redis is accessible from the platform
- Persistence: Configure Redis persistence based on your requirements
- Memory: Allocate appropriate memory for each tenant's Redis instance
Testing the Configuration
Step 1: Verify Configuration Loading
-
Check Startup Logs: Look for tenant initialization messages:
Initializing tenant: acme_corp
MongoDB client created for tenant: acme_corp
Redis client created for tenant: acme_corp -
Verify Connections: Check that all tenant connections are established without errors
Step 2: Test Database Access
-
MongoDB Connection: Verify MongoDB connection:
# Test MongoDB connection from platform host
mongosh "mongodb://acme-mongo:27017" -
Redis Connection: Verify Redis connection:
# Test Redis connection from platform host
redis-cli -h acme-redis -p 6379 -n 0 PING
Step 3: Test API Access
-
Create API Key: Create an API key for the tenant (tenant ID will be embedded in the key)
-
Test Request: Make a test API request:
curl -X GET https://api.yourplatform.com/v1/some-endpoint \
-H "x-api-key: {tenant_id}_sk_..." -
Verify Tenant Context: Check that the request is routed to the correct tenant's database
Step 4: Test OIDC (If Configured)
-
Initiate Login: Test OIDC login flow:
curl -X POST https://api.yourplatform.com/v1/auth/oidc/login \
-H "Content-Type: application/json" \
-d '{"tenant_id": "acme_corp"}' -
Verify Redirect: Ensure you're redirected to the correct OIDC provider
-
Complete Flow: Complete authentication and verify token delivery
Security Best Practices
Tenant Isolation
- Separate Databases: Use completely separate MongoDB databases for each tenant
- Separate Redis Instances: Use different Redis database numbers or separate instances
- Network Isolation: Consider network-level isolation for sensitive tenants
- Access Control: Implement proper access controls at the database level
Configuration Security
- Secrets Management: Store sensitive values (OIDC secrets, database passwords) in secure secret management systems
- Environment Variables: Use environment variables or secret management tools, not hardcoded values
- Encryption: Encrypt sensitive configuration data at rest
- Access Control: Limit access to tenant configuration to authorized personnel only
API Key Security
- Tenant-Scoped Keys: API keys are automatically scoped to tenants and cannot cross tenant boundaries
- Key Rotation: Implement regular API key rotation policies
- Key Storage: Store API keys securely and never expose them in logs or error messages
Database Security
- Authentication: Use MongoDB authentication for all connections
- Encryption: Enable TLS/SSL for MongoDB and Redis connections
- Network Security: Use firewalls and network policies to restrict database access
- Backup: Implement regular backups for each tenant's database
Monitoring and Auditing
- Tenant-Aware Logging: Ensure all logs include tenant context
- Audit Trails: Track tenant data access and modifications
- Monitoring: Monitor per-tenant resource usage and performance
- Alerting: Set up alerts for tenant-specific issues
Additional Resources
- OIDC Setup Guide - Detailed OIDC configuration