From mblode-agent-skills
Guides multi-tenant SaaS architecture on Cloudflare or Vercel: domain strategy, tenant identification, subdomain routing, custom domains, white-label, and plan/limit mapping.
How this skill is triggered — by the user, by Claude, or both
Slash command
/mblode-agent-skills:multi-tenant-architectureThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- **IS:** domain strategy, tenant identification and isolation, subdomain routing, custom domains, white-label setup, and plan/limit mapping on Cloudflare or Vercel.
define-architecture), or scaffolding a new repo (use scaffold-nextjs).| Signals | Platform | Load |
|---|---|---|
| Tenants run untrusted or per-tenant code; need code-level isolation; edge-first compute on D1/KV/Durable Objects | Cloudflare (Workers for Platforms, dispatch namespaces) | cloudflare-platform.md |
| All tenants share one Next.js codebase; need ISR, React Server Components, managed deploys | Vercel (App Router + Middleware) | vercel-platform.md, then vercel-domains.md for domains |
agents/openai.yaml is launcher metadata for external runners only; do not load it in normal use.random.acme.com damages the whole domain.acme.app for tenants, acme.com for brand).No PSL with the cookie-isolation reason. See psl.md.tenant.yourdomain.com. Requires wildcard DNS. Simplest at scale.yourdomain.com/tenant-slug. No per-tenant DNS/SSL, but limits branding and complicates cookie isolation.tenant_id scoping. Middleware resolves tenant from hostname; every query includes tenant context. Postgres RLS for defence-in-depth./domains/[domain] segment; Edge Config for sub-millisecond lookups. 404 when no mapping.x-tenant-id, x-tenant-slug, x-tenant-plan on forwarded request headers (not the response). Server Components read via headers(); API routes read from request headers:
// middleware.ts
import { NextRequest, NextResponse } from "next/server";
export function middleware(request: NextRequest) {
const hostname = request.headers.get("host") ?? "";
const tenant = hostname.split(".")[0]; // resolve from Edge Config/DB in production
const requestHeaders = new Headers(request.headers);
requestHeaders.set("x-tenant-id", tenant);
return NextResponse.next({ request: { headers: requestHeaders } });
}
@vercel/sdk for domain management. DB connections scoped by tenant_id, or database-per-tenant (Neon).@vercel/sdk for domain CRUD plus automatic Let's Encrypt SSL; wildcard subdomains require Vercel nameservers. See vercel-domains.md.robots.txt, sitemap.xml, llms.txt must vary by tenant; never serve from /public. Cloudflare: generate in the tenant Worker. Vercel: route handlers under the domain segment (see vercel-platform.md).headers() in Server Components reads forwarded request headers, so use NextResponse.next({ request: { headers } }) or the tenant id never arrives.tenant_id scoping: one missing WHERE clause leaks another tenant's data./.well-known/acme-challenge/* with Middleware or redirects: Let's Encrypt HTTP-01 validation fails and custom-domain SSL never issues.# Multi-tenant architecture
## Platform decision
- Platform: Cloudflare | Vercel
- Why this platform:
- Rejected platform and reason:
## Domain map
- Brand domain:
- Tenant domain:
- Tenant subdomains:
- Custom domains:
- PSL decision: Submit | No PSL
- PSL owner/timeline or No PSL reason:
## Routing matrix
| Host pattern | Resolver | Destination | Unknown tenant behavior |
|---|---|---|---|
## Tenant context flow
- Authority: Middleware | platform Worker
- Propagation:
- Server read path:
- Database/API scoping:
## Isolation model
- Compute isolation:
- Data isolation:
- Config/binding isolation:
## Custom-domain lifecycle
1. DNS target:
2. Ownership verification:
3. Certificate provisioning:
4. Routing activation:
5. Removal/failure path:
## Limits-to-plan table
| Limit | Source URL/date | Free | Pro | Enterprise | Enforcement point |
|---|---|---:|---:|---:|---|
## Validation evidence
| Check | Command/source | Expected result | Result |
|---|---|---|---|
Evidence commands (run or mark N/A):
| Check | Evidence |
|---|---|
| Tenant context exists at the boundary | `rg "x-tenant-id |
| Tenant routing works | curl -sI -H "Host: tenant.example.com" <local-or-preview-url> |
| Per-tenant static files are dynamic | curl -s -H "Host: tenant.example.com" <url>/robots.txt and curl -s -H "Host: tenant.example.com" <url>/sitemap.xml |
| Custom-domain verification path exists | API route, SDK call, or platform config path in the plan |
| Platform limits are up to date | official Cloudflare/Vercel URLs with access date in the Limits-to-plan table |
define-architecture: folder structure, module contracts, and middleware pipelines for the application itself.scaffold-nextjs: bootstrap the Next.js turborepo before applying these tenancy patterns.optimise-seo: per-tenant sitemaps, canonical URLs, and structured data once routing works.npx claudepluginhub mblode/agent-skillsDesigns multi-tenant SaaS architectures with tenant isolation, data partitioning strategies, and billing/metering systems covering pooled, siloed, and hybrid models.
Builds production-ready multi-tenant SaaS apps with AWS serverless (Lambda, DynamoDB), Stripe billing, JWT auth/RBAC, React+TypeScript+Tailwind frontend. Activate on SaaS/multi-tenant/billing mentions.
Provides Vercel architecture blueprints for static sites, full-stack Next.js apps, API backends, and multi-project setups with structures and configs.