Protecting multi-tenant APIs

Learn how to protect multi-tenant APIs using multi-tenant authorizers, how to configure your multi-tenant authorizer and set global authorization policies, and how to add your tenant-specific authorization policies.

About multi-tenant APIs

Multi-tenant APIs are APIs that are shared between different tenants, for example, APIs that you deliver to different customers.

Using multi-tenant authorizers in the system tenant lets you protect your multi-tenant APIs. Such authorizers allow you to have two distinct levels of authorization policies:

  • Policies that are defined in the system tenant

  • Policies that are defined for specific tenants by their administrators

Protecting APIs using multi-tenant authorizers lets you keep control over the security of your APIs while giving your customers the freedom to add their own authorization policies, which may differ between tenants.

To learn more about this feature and how it works, see the multi-tenant authorizers documentation.

You can use multiple authorizers that use different types of API gateways.

Prerequisites

  • You have access to the system tenant’s workspace.

Procedure

  1. Log in to your system tenant workspace.

    Hint

    You can access your system tenant workspace under {YOUR_TENANT_URL}/app/system/admin.

    By default, the password to your system tenant workspace admin account is the client secret of your system tenant. Cloudentity recommends changing the password to a new one.

  2. Navigate to APIs > Gateways.

  3. Add a gateway of your choice.

    Read more

    To learn how to add a gateway and how to configure it, see the following documentation:

    Result

    Your APIs are bound and are visible in Gateway Management > APIs.

    System tenant APIs

  4. Log in to your tenant’s workspace.

  5. Navigate to APIs.

    Result

    The APIs that you have bound in your system tenant are also visible in your tenant’s workspace. A System label is displayed for the APIs that come from the system tenant.

    System tenant APIs

What’s next

You can now proceed to add your authorization policies to protect your APIs. For example, you can create a new policy in the system tenant, and it is also applied to the APIs and services for your tenants. You can also add an authorization policy to a specific tenant, which allows you to tailor your authorization policies according to your needs. When a policy is applied to an API both in the system tenant and in a specific tenant, both policies must pass for the request to be successful.
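
The combined decision described above can be modeled as follows. This is an added conceptual example, not Cloudentity code or configuration: the names Request, SYSTEM_POLICIES, TENANT_POLICIES and authorize, the sample tenants, and the fail-closed handling of an API without a system policy are all assumptions of the model. It shows that a tenant-level policy can tighten the system-level baseline but cannot loosen it.

```python
# Conceptual model of two-level authorization (added example, hypothetical names).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    tenant: str
    api: str                                   # e.g. "GET /accounts"
    scopes: List[str] = field(default_factory=list)
    mfa: bool = False


Policy = Callable[[Request], bool]

# System-tenant level: baseline set by the API owner, applied for every tenant.
SYSTEM_POLICIES: Dict[str, Policy] = {
    "GET /accounts": lambda r: "accounts.read" in r.scopes,
}

# Tenant level: rules added by each tenant's administrator (constructed samples).
TENANT_POLICIES: Dict[Tuple[str, str], Policy] = {
    ("bank-a", "GET /accounts"): lambda r: r.mfa,   # bank-a additionally demands MFA
    ("bank-b", "GET /accounts"): lambda r: True,    # bank-b's policy allows everything
}


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); every policy that applies must pass."""
    system = SYSTEM_POLICIES.get(req.api)
    if system is None:
        # Assumption of this model only: no system policy means deny (fail closed).
        return False, "no system policy"
    if not system(req):
        # Checked first, so a permissive tenant policy cannot override it.
        return False, "denied by system policy"
    tenant = TENANT_POLICIES.get((req.tenant, req.api))
    # A tenant without its own policy is still governed by the system policy.
    if tenant is not None and not tenant(req):
        return False, "denied by tenant policy"
    return True, "allowed"


if __name__ == "__main__":
    for r in (
        Request("bank-a", "GET /accounts", ["accounts.read"], mfa=True),
        Request("bank-a", "GET /accounts", ["accounts.read"], mfa=False),
        Request("bank-b", "GET /accounts", [], mfa=True),
        Request("bank-c", "GET /accounts", ["accounts.read"]),
    ):
        print(r.tenant, authorize(r))
```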

To learn how to add policies, see the creating a policy documentation.
