Multi-Tenant Setup
Build SaaS RAG products with isolated workspaces, team collaboration, role-based access control, and subscription management.
Production Ready
Quick Setup
1Configure Mode
npm run config
# Select "Multi-Tenant" in deployment mode2Environment Variables
NEXT_PUBLIC_CHATRAG_DEPLOYMENT_MODE=multi-tenant
ENABLE_ORGANIZATIONS=true
ENABLE_TEAM_INVITES=true3Setup Database
# Run in Supabase SQL Editor:
supabase/multi-tenant-setup.sql4Start App
npm run dev
# Sign up - personal workspace auto-created!How Multi-Tenant Mode Works
User signs up → Personal workspace auto-created → Ready to use!
↓
Create personal projects (optional)
↓
Enable collaboration → Invite team members
↓
Switch between workspaces seamlessly
Each workspace has isolated documents & chatsWhen a user signs up, they automatically receive a personal workspace. From there, they can create personal projects for organization, or enable collaboration to invite team members. Each workspace maintains complete data isolation.
Key Features
3-Tier Workspace Architecture
Personal Workspace (Flat)
Auto-created on signup, user_id isolation only
Personal Projects
User-created, owner only, organized workspace
Collaborative Projects
Multi-member collaboration with invitations
Role-Based Access Control
Owner
Full control
Admin
Team management
Member
Regular access
Viewer
Read-only
Email Invitations
- Token-based security with 7-day expiration
- Role selection at invite time
- Resend or revoke pending invitations
- Automatic workspace access on accept
Workspace AI Customization
- Per-workspace system prompt overrides
- Split mode (pre/post context) or full override
- Legal teams: formal responses
- Creative teams: exploratory AI behavior
Complete Data Isolation
Row Level Security (RLS)
Data isolation is enforced at the database level, not application level. Even if application code has bugs, the database prevents data leakage.
Documents
Isolated per workspace. Users only see documents from workspaces they belong to.
Chats
Private per user within workspace. Chat history stays in workspace context.
RAG Search
Vector search automatically filters by workspace. No cross-workspace data leakage.
Subscription Tiers
| Tier | Storage | Documents | Team Members | Monthly Messages |
|---|---|---|---|---|
| Free | 1 GB | 50 | 1 (solo) | 100 |
| Pro | 10 GB | 500 | 10 | 1,000 |
| Enterprise | 100 GB | 5,000 | 100 | 10,000 |
| Custom | Fully customizable limits | |||
Payment Integrations
Use Cases
NotebookLM-Style App
Every user gets isolated workspace on signup. Upload personal documents and chat with AI privately.
Enterprise RAG Deployment
500-person company with departments: Marketing, Legal, Engineering, HR - each with private workspaces.
Agency Platform
Marketing agency manages 20 clients, each with their own knowledge base and team access.
Educational Platform
Online school with 50 classes. Teachers (admins) upload materials, students (members) access them.
API Endpoints
Organizations (6 endpoints)
Members (4 endpoints)
Invitations (4 endpoints)
Database Schema
Multi-Tenant Tables
organizations
Workspaces/tenants with subscription info
organization_members
Team with roles (owner/admin/member/viewer)
team_invitations
Token-based invitation system
documents + organization_id
Documents isolated per workspace
document_chunks + organization_id
Vector embeddings isolated per workspace
chats + organization_id
Chats scoped to workspace
Internationalization
18 Languages Supported
All multi-tenant UI components are fully translated. Workspace management, invitations, and AI customization work in your user's preferred language.
Troubleshooting
"This feature requires multi-tenant mode"
Set the environment variable:
NEXT_PUBLIC_CHATRAG_DEPLOYMENT_MODE=multi-tenant"infinite recursion detected"
Run the RLS fix script:
supabase/fix-multi-tenant-rls.sql"organization_id is required"
Ensure a workspace is selected before uploading documents. The organization switcher in the sidebar lets users pick their active workspace.