Back to Resources

PostgreSQL RLS with JWTs for Bulletproof Multi-Tenant SaaS Data

17 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Fragility of Application-Layer Tenancy Checks

In any multi-tenant SaaS application, data isolation is not a feature—it's the bedrock of trust. The most common pattern for achieving this is meticulously adding a WHERE tenant_id = :current_tenant_id clause to every single database query. While simple in theory, this application-layer approach is notoriously fragile and scales poorly from a security perspective.

Consider the failure modes:

  • Human Error: A junior developer, a late-night bug fix, or a complex reporting query can easily omit the tenant_id filter, instantly creating a catastrophic data leak across your entire customer base.
  • ORM Complexity: Modern ORMs can abstract away the raw SQL, making it non-obvious when a query is missing the necessary tenancy predicate, especially with complex joins or pre-loading (eager loading) scenarios.
  • Code Bloat and Repetition: The tenancy check becomes boilerplate, scattered across every data access function in your codebase. This violates the DRY (Don't Repeat Yourself) principle and makes the security logic difficult to audit or update.
  • Inconsistent Enforcement: The security model is only as strong as the most forgetful developer on your team. It's not a systemic guarantee; it's a convention that's hoped to be followed.

    • This approach places the entire burden of security on the application developer's vigilance. A single slip-up can be fatal. We need a more robust, systemic solution that enforces data boundaries at the last possible moment: within the database itself. This is where PostgreSQL's Row-Level Security (RLS) becomes a game-changer.

    This article assumes you understand the basics of multi-tenancy and what RLS is. We will not cover introductory concepts. Instead, we will construct a production-ready architecture that couples RLS with JWT-based authentication, addressing the complex edge cases and performance considerations encountered in real-world systems.

    The Database-Layer Security Paradigm: An RLS and JWT Blueprint

    Row-Level Security moves the access control logic from the application into the database as a set of policies attached directly to tables. When RLS is enabled on a table, the database transparently appends security-filter predicates to any query accessing it, regardless of what the application code sends. The application can query SELECT FROM projects;, but the database will execute it as if it were SELECT FROM projects WHERE tenant_id = 'the-correct-tenant-id';.

    The challenge, then, is securely communicating the application context—specifically, the identity of the current user and their tenant—to the database for each request. Our architecture will use JSON Web Tokens (JWTs) for this purpose.

    Here is the end-to-end data flow:

  • Authentication: A user authenticates and receives a JWT containing custom claims like user_id, tenant_id, and role.
  • API Request: The client sends this JWT in the Authorization header of every subsequent API request.
  • Middleware Validation: A middleware layer on the API server validates the JWT signature and expiry.
  • Database Context Setting: This is the critical step. For each incoming request, before executing any business logic, the application sets a session-local configuration parameter within its database transaction. This parameter contains the JWT claims as a JSON string.
  • Query Execution: The application code executes its queries as usual, without any explicit tenant_id filters.
  • RLS Policy Enforcement: PostgreSQL invokes the RLS policies defined on the target tables. These policies read the claims from the session-local parameter to determine which rows the current session is permitted to see or modify.

    • This can be visualized with the following sequence:

    mermaid
    sequenceDiagram
    participant Client
    participant API Server
    participant Database

    Client->>API Server: POST /login {email, password}
    API Server->>Database: Verify credentials
    Database-->>API Server: User OK
    API Server-->>Client: Response (JWT in body/cookie)

    Client->>API Server: GET /api/projects (Authorization: Bearer <JWT>)
    API Server->>API Server: Middleware: Validate JWT, extract claims {tenant_id, user_id, role}
    API Server->>Database: BEGIN;
    API Server->>Database: SET LOCAL request.jwt.claims = '{"tenant_id": "...", ...}';
    API Server->>Database: SELECT * FROM projects;
    Note right of Database: RLS Policy on 'projects' is triggered.
    Note right of Database: Policy reads 'request.jwt.claims'.
    Note right of Database: Filters rows where tenant_id matches claim.
    Database-->>API Server: Returns filtered rows
    API Server->>Database: COMMIT;
    API Server-->>Client: Response (JSON with projects for that tenant only)

    This architecture centralizes the multi-tenancy logic within the database, making it impossible for application code to bypass. Let's build it.

    Production Implementation: A Step-by-Step Guide

    We'll use a standard SaaS schema with tenants, users, and projects.

    1. Schema and RLS Enablement

    First, define the tables. Note the ubiquitous tenant_id column, which will be the key for our RLS policies.

    sql
    -- Use pgcrypto for UUID generation
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE tenants (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  name TEXT NOT NULL,
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE TABLE users (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
  email TEXT NOT NULL UNIQUE,
  hashed_password TEXT NOT NULL,
  role TEXT NOT NULL DEFAULT 'member', -- e.g., 'member', 'admin'
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE TABLE projects (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
  name TEXT NOT NULL,
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Create indexes that lead with tenant_id for performance
CREATE INDEX idx_users_tenant_id ON users(tenant_id);
CREATE INDEX idx_projects_tenant_id ON projects(tenant_id);

    Now, enable RLS on the tables that contain tenant-specific data. We typically don't enable it on the tenants table itself, as it often contains public or cross-tenant information (like subscription status, checked by a backend service).

    sql
    ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

-- Force RLS for table owners as well, a crucial security hardening step
ALTER TABLE users FORCE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

    FORCE ROW LEVEL SECURITY is vital. By default, table owners (typically the role your application connects as) bypass RLS. This command closes that potential backdoor.

    2. Creating Secure RLS Policies

    Hardcoding values in policies is not feasible. We need a way to access the request-specific context. We'll use a custom PostgreSQL function that safely reads from the session configuration parameter we plan to set.

    sql
    -- This function safely retrieves the tenant_id from the JWT claims.
-- It's defined as STABLE because its result is consistent within a single query.
CREATE OR REPLACE FUNCTION auth.get_current_tenant_id() RETURNS UUID AS $$
DECLARE
  claims JSONB;
  tenant_id_text TEXT;
BEGIN
  -- `true` as the second argument makes it return NULL if the setting is not found
  -- instead of throwing an error.
  claims := current_setting('request.jwt.claims', true)::jsonb;
  
  -- Use the jsonb ->> operator to extract the text value of the key
  tenant_id_text := claims ->> 'tenant_id';

  IF tenant_id_text IS NULL THEN
    RAISE EXCEPTION 'Missing tenant_id in request.jwt.claims';
  END IF;

  -- Attempt to cast to UUID. This will raise an error for malformed UUIDs.
  RETURN tenant_id_text::UUID;

EXCEPTION
  -- Catch any exception (missing setting, invalid JSON, invalid UUID) and raise a generic error.
  WHEN OTHERS THEN
    RAISE EXCEPTION 'Invalid or missing JWT claims for tenancy';
END;
$$ LANGUAGE plpgsql STABLE;

    This helper function is superior to using current_setting() directly in the policy because it provides:

    * Type Safety: It ensures the returned value is a valid UUID.

    * Error Handling: It provides clear error messages if the claim is missing or malformed.

    * Reusability: It can be used across multiple policies.

    Now, we create the actual policy for the projects table.

    sql
    CREATE POLICY tenant_isolation_policy ON projects
  FOR ALL -- Applies to SELECT, INSERT, UPDATE, DELETE
  USING (tenant_id = auth.get_current_tenant_id())
  WITH CHECK (tenant_id = auth.get_current_tenant_id());

    Let's break down the USING and WITH CHECK clauses:

    * USING (expression): This clause applies to existing rows. It's used for SELECT, UPDATE, and DELETE. A query will only be able to see or act upon rows for which this expression evaluates to true.

    * WITH CHECK (expression): This clause applies to new or modified rows. It's used for INSERT and UPDATE. It prevents a user from inserting a new row or updating an existing row to a state that would violate the policy (e.g., trying to move a project to another tenant).

    By using the same expression for both, we create a comprehensive isolation boundary.

    3. Backend Implementation: Transactional Context

    This is where we connect the application logic to the database policies. In a web application using a connection pool, it's absolutely critical that the JWT context is scoped to a single transaction and is cleaned up afterward. If you set a global session variable on a pooled connection, the next request that receives that same connection from the pool will incorrectly inherit the previous user's identity.

    The solution is SET LOCAL.

    Here’s an example using Node.js and the node-postgres (pg) library, which is a common pattern in many languages.

    javascript
    // A higher-order function to create a tenant-aware database client
// for the duration of a single request.

const { Pool } = require('pg');
const pool = new Pool(/* connection config */);

/**
 * Executes a callback with a database client that is securely scoped
 * to the provided JWT claims for the duration of a transaction.
 * @param {object} jwtClaims - The decoded JWT claims, e.g., { tenant_id, user_id, role }
 * @param {(client: import('pg').PoolClient) => Promise<T>} callback
 * @returns {Promise<T>}
 */
async function runInTenantContext(jwtClaims, callback) {
  const client = await pool.connect();
  try {
    // Start a transaction. All subsequent commands run within it.
    await client.query('BEGIN');

    // SET LOCAL is the key. The setting 'request.jwt.claims' will only exist
    // for this transaction. It's automatically cleared on COMMIT or ROLLBACK.
    const claimsJson = JSON.stringify(jwtClaims);
    // Use pg's parameterization to prevent SQL injection on the claims string.
    await client.query('SET LOCAL request.jwt.claims = $1', [claimsJson]);

    // Execute the actual business logic using the provided client.
    // Any query here will now be subject to RLS.
    const result = await callback(client);

    // If the callback succeeds, commit the transaction.
    await client.query('COMMIT');

    return result;
  } catch (error) {
    // If any error occurs, roll back the entire transaction.
    await client.query('ROLLBACK');
    throw error;
  } finally {
    // Always release the client back to the pool.
    client.release();
  }
}

// --- Example Usage in an Express.js route handler ---

// Assume `authMiddleware` has already validated the JWT and attached it to `req.user`
app.get('/api/projects', authMiddleware, async (req, res) => {
  try {
    const projects = await runInTenantContext(req.user.claims, async (client) => {
      // Notice: No `WHERE tenant_id = ...` clause here!
      // RLS handles it automatically.
      const { rows } = await client.query('SELECT id, name FROM projects ORDER BY created_at DESC');
      return rows;
    });
    res.json(projects);
  } catch (error) {
    console.error(error);
    res.status(500).json({ error: 'Internal server error' });
  }
});

    This pattern is the cornerstone of a secure RLS implementation. The use of BEGIN, SET LOCAL, and COMMIT/ROLLBACK within a try...catch...finally block ensures that the contextual identity is applied atomically and is never leaked between requests, even with aggressive connection pooling.

    Advanced Scenarios and Edge Cases

    Basic tenant isolation is just the start. Real-world applications require more granular control.

    1. Role-Based Access Control (RBAC) within a Tenant

    What if a tenant has 'admins' who can delete projects and 'members' who can only view them? We can extend our RLS policies to handle this. First, ensure the role is in the JWT. Then, create more specific policies.

    sql
    -- A helper to get the current user's role
CREATE OR REPLACE FUNCTION auth.get_current_role() RETURNS TEXT AS $$
  SELECT current_setting('request.jwt.claims', true)::jsonb ->> 'role';
$$ LANGUAGE plpgsql STABLE;

-- First, let's modify the existing policy to be for SELECT and UPDATE only.
DROP POLICY tenant_isolation_policy ON projects;

CREATE POLICY tenant_select_update_policy ON projects
  FOR SELECT, UPDATE
  USING (tenant_id = auth.get_current_tenant_id());

-- The WITH CHECK for INSERT can be a separate, simpler policy.
CREATE POLICY tenant_insert_policy ON projects
  FOR INSERT
  WITH CHECK (tenant_id = auth.get_current_tenant_id());

-- Now, add a highly specific policy for DELETE operations.
CREATE POLICY admin_delete_policy ON projects
  FOR DELETE
  USING (tenant_id = auth.get_current_tenant_id() AND auth.get_current_role() = 'admin');

    PostgreSQL combines multiple policies for the same command using OR. A user with the 'member' role will match the tenant_select_update_policy for a SELECT query and be granted access. However, for a DELETE query, they will fail the admin_delete_policy, and since there are no other permissive DELETE policies, the operation will be denied.

    2. The Super-Admin / Support Staff Impersonation Pattern

    Your support team needs to access customer data to resolve issues. They are not members of any tenant. How do you grant them access without disabling RLS?

    A common but poor solution is to create a BYPASSRLS role. This is a sledgehammer that completely disables security for that user. A much safer and more auditable approach is impersonation.

    We can design our system so a support admin's JWT contains their own identity and the tenant_id they wish to impersonate.

    json
    // Support Admin's JWT Payload
{
  "user_id": "support-user-123",
  "role": "support_admin",
  "impersonating_tenant_id": "customer-tenant-abc"
}

    We then create a more sophisticated helper function that understands this structure.

    sql
    CREATE OR REPLACE FUNCTION auth.get_effective_tenant_id() RETURNS UUID AS $$
DECLARE
  claims JSONB;
  current_role TEXT;
  impersonated_tenant_id_text TEXT;
  own_tenant_id_text TEXT;
BEGIN
  claims := current_setting('request.jwt.claims', true)::jsonb;
  current_role := claims ->> 'role';
  impersonated_tenant_id_text := claims ->> 'impersonating_tenant_id';
  own_tenant_id_text := claims ->> 'tenant_id';

  IF current_role = 'support_admin' AND impersonated_tenant_id_text IS NOT NULL THEN
    -- If the user is a support admin and is impersonating, use that tenant ID.
    RETURN impersonated_tenant_id_text::UUID;
  ELSIF own_tenant_id_text IS NOT NULL THEN
    -- Otherwise, for regular users, use their own tenant ID.
    RETURN own_tenant_id_text::UUID;
  ELSE
    -- If neither condition is met, deny access.
    RAISE EXCEPTION 'Cannot determine effective tenant ID';
  END IF;

EXCEPTION
  WHEN OTHERS THEN
    RAISE EXCEPTION 'Invalid claims for effective tenant ID resolution';
END;
$$ LANGUAGE plpgsql STABLE;

    Now, you simply update your policies to use this new function instead of auth.get_current_tenant_id().

    sql
    -- Example update for the projects table
DROP POLICY tenant_select_update_policy ON projects;
CREATE POLICY tenant_select_update_policy ON projects
  FOR SELECT, UPDATE
  USING (tenant_id = auth.get_effective_tenant_id());
-- ... and so on for other policies ...

    This approach is vastly superior: access is still governed by RLS, it's temporary (tied to the JWT), and it's auditable (your application can log when an impersonation session is created).

    Performance Considerations and Benchmarking

    RLS is not free. Every query on a protected table invokes the policy functions, adding overhead. Senior engineers must be proactive in mitigating this.

  • Function Overhead: Each call to current_setting() and your helper functions adds a small but non-zero cost. This cost is multiplied by the number of rows the database engine must evaluate. For a SELECT on a large table, the policy function can be called thousands or millions of time. This is why keeping the functions STABLE and simple is critical.
  • Indexing is Non-Negotiable: The predicates generated by your RLS policies must be highly efficient. In our case, the policy is tenant_id = .... This means that tenant_id should be the leading column in most of your indexes. For example, an index on (created_at, tenant_id) is far less effective for RLS than an index on (tenant_id, created_at).
  • Query Planner Visibility: The PostgreSQL query planner is aware of RLS policies, but it can sometimes struggle to accurately estimate the number of rows that will be returned after the policy is applied. This can lead to suboptimal query plans (e.g., choosing a full table scan instead of an index scan).

    • Let's use EXPLAIN ANALYZE to see the impact. Consider this query:

    EXPLAIN ANALYZE SELECT * FROM projects WHERE name LIKE 'Feature%';

    Without RLS (or for a superuser):

    text
    Seq Scan on projects  (cost=0.00..35.50 rows=1 width=52) (actual time=0.015..0.025 rows=10 loops=1)
  Filter: (name ~~ 'Feature%'::text)
  Rows Removed by Filter: 990
Planning Time: 0.075 ms
Execution Time: 0.035 ms

    With RLS Enabled for a Tenant:

    text
    Seq Scan on projects  (cost=0.00..35.50 rows=1 width=52) (actual time=0.020..0.031 rows=2 loops=1)
  Filter: ((name ~~ 'Feature%'::text) AND (tenant_id = auth.get_current_tenant_id()))
  Rows Removed by Filter: 998
Planning Time: 0.115 ms
Execution Time: 0.045 ms

    Notice the new predicate (tenant_id = auth.get_current_tenant_id()) automatically added to the Filter. In this sequential scan, the performance difference is negligible. But for a large table where an index on (tenant_id, name) exists, the planner's ability to use that index efficiently is paramount. Always check your query plans.

    Testing and Auditing Strategies

    Testing RLS is a classic example of where integration testing shines. Your test suite must be able to prove that data cannot leak between tenants.

    A typical test case structure using a framework like Jest would be:

  • Setup:

    • * Create Tenant A and Tenant B in the database.

    * Create User A in Tenant A and User B in Tenant B.

    * Create Project A1 and A2 in Tenant A.

    * Create Project B1 in Tenant B.

  • Test Case: User A can only see their own projects.

    • * Generate a JWT for User A.

    * Make an API call to GET /api/projects using User A's JWT.

    * Assert that the response contains Project A1 and A2.

    * Assert that the response does not contain Project B1.

  • Test Case: User A cannot create a project in Tenant B's name.

    • * Generate a JWT for User A.

    * Make an API call to POST /api/projects with a payload attempting to set tenant_id to Tenant B's ID.

    * Assert that the database throws an error (due to the WITH CHECK policy) and the API returns a 4xx or 5xx status code.

  • Test Case: Support Admin can impersonate Tenant B.

    • * Generate a support_admin JWT with impersonating_tenant_id set to Tenant B's ID.

    * Make an API call to GET /api/projects.

    * Assert that the response contains Project B1 and not A1 or A2.

    These tests provide a high degree of confidence that your security boundaries are being correctly enforced at the database level.

    Conclusion: Beyond the `WHERE` Clause

    Implementing Row-Level Security with JWTs is a significant architectural decision. It trades the apparent simplicity of application-layer filters for the systemic robustness of database-enforced security. While the initial setup is more complex, the long-term benefits are immense:

    * Security by Default: It becomes impossible for a developer to accidentally introduce a cross-tenant data leak.

    * Centralized Logic: Your tenancy and access control rules are defined in one place—your database schema—making them easy to audit and reason about.

    * Cleaner Application Code: Your data access layer is freed from the repetitive and error-prone task of adding WHERE clauses.

    This pattern isn't a silver bullet. It requires a deep understanding of your database, careful performance tuning, and a disciplined approach to testing. But for any senior engineer building a serious multi-tenant SaaS application, moving security logic from a fragile convention into a core, enforced database primitive is a powerful and necessary evolution.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles