Tenant isolation
Retailer context is not a client hint.
Tenant identity comes from verified server-side claims and role checks.
Tenant rules
- Verified identity: Tenant context comes from server-side claims and role checks.
- Scoped reads: Dashboard data is fetched through protected APIs that know the retailer context.
- Direct access boundary: Sensitive workflows are backend-owned instead of trusting browser-provided retailer IDs.
- Operational writes: Unsupported writes to POS, catalog, orders, or account settings are blocked.
How requests are handled
A request should answer two questions before returning retailer data: who is this user, and which retailer account are they allowed to act inside? If either answer is missing or contradictory, the request should fail closed.
What should be tested
| Test | Expectation |
| --- | --- |
| Wrong tenant ID | The backend ignores or rejects client-provided tenant overrides. |
| Wrong role | The route returns a permission error instead of partial data. |
| Expired dashboard access | The dashboard requests a new verified session or asks the user to sign in. |
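The two-question check above, and the three tests in the table, as one added example in Python. This is not the page's own code: it assumes an HMAC-signed session token issued server-side (`issue_session`, a stand-in for whatever session mechanism the real backend uses), a hypothetical route table `ROUTES` mapping each supported operation to a required role, and a constructed `DASHBOARD` dataset keyed by retailer. The handler derives the retailer solely from the verified claims, ignores any retailer ID in query or body parameters, rejects a URL retailer that contradicts the claim, returns a permission error rather than partial data on a wrong role, blocks any write the route table does not list, and answers an expired or tampered session with 401 so the dashboard re-authenticates.

```python
"""Tenant-scoped request handling: tenant identity from verified claims only (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

SERVER_KEY = b"example-signing-key-not-for-production"  # hypothetical; load from a secret store

# Hypothetical route table: (method, route) -> required role. Anything not listed,
# including writes to POS, catalog, orders or settings, is unsupported and blocked.
ROUTES = {("GET", "dashboard"): "viewer", ("POST", "orders/refund"): "manager"}

# Constructed sample data keyed by retailer; reads are scoped by the resolved tenant.
DASHBOARD = {"r-100": {"open_orders": 12}, "r-200": {"open_orders": 3}}


class AuthError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status, self.message = status, message


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Server-side issuer: signs retailer_id, roles and exp so the browser cannot alter them."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def verify_session(token: str, now: float, key: bytes = SERVER_KEY) -> dict:
    """Return verified claims or raise AuthError; every defect fails closed."""
    if "." not in token:
        raise AuthError(401, "missing session; sign in")
    payload, sig = token.split(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise AuthError(401, "invalid session; sign in")
        claims = json.loads(_unb64(payload))  # only parsed after the signature checks out
    except ValueError:  # bad base64 or bad JSON
        raise AuthError(401, "invalid session; sign in")
    if not isinstance(claims, dict) or not isinstance(claims.get("retailer_id"), str):
        raise AuthError(401, "invalid session; sign in")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError(401, "session expired; sign in again")
    return claims


@dataclass
class Request:
    method: str
    route: str
    path_retailer_id: Optional[str] = None       # retailer ID in the URL, if the route has one
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query/body fields: never consulted for tenant


@dataclass
class TenantContext:
    user_id: str
    retailer_id: str
    roles: list


def authorize(req: Request, now: float, key: bytes = SERVER_KEY) -> TenantContext:
    """Answer both questions; fail closed if either answer is missing or contradictory."""
    # Who is this user? Only the signed session says.
    claims = verify_session(req.headers.get("authorization", "").removeprefix("Bearer "), now, key)
    retailer_id = claims["retailer_id"]
    roles = claims.get("roles")
    roles = roles if isinstance(roles, list) else []  # a malformed roles claim grants nothing
    # Which retailer may they act inside? Also only the claims: req.params is ignored,
    # and a URL retailer that contradicts the claim is rejected rather than honoured.
    if req.path_retailer_id is not None and req.path_retailer_id != retailer_id:
        raise AuthError(403, "retailer mismatch")
    required_role = ROUTES.get((req.method.upper(), req.route))
    if required_role is None:
        raise AuthError(405, "operation not supported")  # unsupported write: blocked outright
    if required_role not in roles:
        raise AuthError(403, "insufficient role")        # permission error, never partial data
    return TenantContext(str(claims.get("sub", "")), retailer_id, roles)


def handle(req: Request, now: float, key: bytes = SERVER_KEY) -> Tuple[int, dict]:
    """Route entry point: (status, body). Data is read with the resolved tenant, not req.params."""
    try:
        ctx = authorize(req, now, key)
    except AuthError as err:
        return err.status, {"error": err.message}
    if req.route == "dashboard":
        return 200, {"retailer_id": ctx.retailer_id, **DASHBOARD.get(ctx.retailer_id, {})}
    return 200, {"retailer_id": ctx.retailer_id, "accepted": True}


if __name__ == "__main__":
    now = 1_700_000_000
    hdr = {"authorization": "Bearer " + issue_session(
        {"sub": "u1", "retailer_id": "r-100", "roles": ["viewer"], "exp": now + 900})}
    print(handle(Request("GET", "dashboard", "r-100", hdr, {"retailer_id": "r-200"}), now))  # r-100 data
    print(handle(Request("GET", "dashboard", "r-200", hdr), now))        # 403 retailer mismatch
    print(handle(Request("POST", "orders/refund", "r-100", hdr), now))   # 403 insufficient role
    print(handle(Request("POST", "catalog/items", "r-100", hdr), now))   # 405 unsupported write
```

The signature check runs before the payload is even parsed, and `exp` is required rather than defaulted, so a token with a missing, malformed or stale expiry is treated the same as no session at all. The query-string `retailer_id=r-200` in the first call is deliberately present to show that the backend never reads it.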
