Multi-tenancy
Tenant isolation by tenant_id, per-tenant configuration, branding & email templates, and IP allow/deny rules.
Qeet ID is multi-tenant by design. Every resource is scoped by tenant_id, and
that scoping is enforced on every query. A personal tenant is auto-created on
signup, and a user can belong to multiple tenants.
Tenants
/v1/tenantsCreate a tenant/v1/tenantsList tenants/v1/tenants/{id}Update a tenantconst tenant = await qeetid.tenants.create({ name: "Acme, Inc." });Switch the active tenant
A user with multiple memberships can switch — Qeet ID re-mints an access token scoped to the target tenant.
/v1/auth/switch-tenantRe-mint a scoped tokenPer-tenant configuration
Almost everything is configurable per tenant:
| Area | Endpoint |
|---|---|
| Auth policy (password rules, login methods, breach checks) | /v1/tenants/{tenantID}/auth-policy |
| ABAC policy | /v1/tenants/{tenantID}/policy |
| Branding | /v1/tenants/{tenantID}/branding |
| Email templates | /v1/tenants/{tenantID}/email-templates |
| IP allow/deny rules | /v1/tenants/{tenantID}/ip-rules |
| SSO connections (SAML/LDAP/social) | see Enterprise |
| Retention | /v1/tenants/{tenantID}/retention |
| Analytics overview | /v1/tenants/{tenantID}/analytics/overview |
Branding & email templates
Each tenant has its own branding and can override transactional email templates (with a preview endpoint to check rendering before going live).
/v1/tenants/{tenantID}/brandingUpdate branding/v1/tenants/{tenantID}/email-templates/{key}Override a template/v1/tenants/{tenantID}/email-templates/{key}/previewPreview a templateIP allow/deny rules
Restrict access by CIDR per tenant — allow lists, deny lists, and a check endpoint.
/v1/tenants/{tenantID}/ip-rulesList IP rules/v1/tenants/{tenantID}/ip-rulesAdd an IP rule (CIDR)/v1/tenants/{tenantID}/ip-rules/checkCheck an IPAnalytics
Per-tenant KPIs — MAU/DAU, login / MFA / failed-login counts, and method mix.
/v1/tenants/{tenantID}/analytics/overviewTenant KPIsData residency + BYOK is a deployment concern: self-host in the region you need, and source the secrets-vault key from a regional KeyProvider (AWS KMS drops in). It isn't a per-tenant toggle in the API today.
Platform
The operational surface — multi-tenancy, API keys & service principals, webhooks, tamper-evident audit, GDPR, secrets vault, rate limits, and observability.
API keys & service principals
Scoped, expirable, hashed API keys for backend access, and service principals for OAuth client_credentials.