How do I switch between tenants?
Short answer
Section titled “Short answer”Notory deliberately has no classic “tenant switcher”: a user account is fixed to exactly one tenant, and the tenant is permanently embedded in the sign-in token. Super admins work across tenants (they see all tenants in administration); everyone else uses a separate account with its own email address for each tenant.
Requirements
Section titled “Requirements”Working with multiple tenants
Section titled “Working with multiple tenants”-
As a super admin: sign in with the super admin account. In Administration (tenant management, user management, audit log), you see the data of all tenants and can, for example, create a user in a specific tenant on purpose.
-
As a regular administrator of several tenants: have a separate account created for you in each tenant (email addresses must be unique system-wide — for example via plus-addressing,
it+acme@company.com,it+beta@company.com). To “switch”, sign out and sign back in with the other tenant’s account — or use separate browser profiles in parallel. -
Use owner access: creating a tenant always creates an owner account — that’s your entry point into that particular tenant.
There’s no switch endpoint via the API either: the tenant is derived from the token. For automation across multiple tenants, create one API token per tenant (created by a user of that tenant) and select the tenant via the token you use:
curl -H "Authorization: Bearer inv_token_des_mandanten_a" \ https://demo.notory.io/api/v1/assetscurl -H "Authorization: Bearer inv_token_des_mandanten_b" \ https://demo.notory.io/api/v1/assetsA super admin token can additionally use the management endpoints across tenants —
for example, specifying a target tenant_id when creating a user:
curl -X POST https://demo.notory.io/api/v1/users \ -H "Authorization: Bearer inv_superadmin_token" \ -H "Content-Type: application/json" \ -d '{ "email": "lena.vogt@acme.example", "username": "lvogt-acme", "password": "Start-Kennwort-2026", "full_name": "Lena Vogt", "role": "admin", "tenant_id": "018f9c11-2b3c-7d44-8e5f-6a7b8c9d0e1f" }'Possible errors: 400 (“Token missing tenant information”), 403/404 (access to
objects of a different tenant without super admin rights).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- No switch mechanism = smaller attack surface. Because the tenant is fixed in the token (a JWT claim, or stored on the API token) and there’s neither a header nor an endpoint for switching, a compromised session can never “climb over” into a different tenant. This is a deliberate security decision — see Tenant isolation.
- Super admin view: for super admins, Notory sets the RLS bypass; management lists (users, tenants, audit log) then show all tenants. The super admin account’s “home” nonetheless remains its own tenant — creating objects without an explicit target always lands there.
- API tokens are tenant-fixed: every token carries its creator’s
tenant_id; requests made with that token always run within that tenant.