返回资源列表

PostgreSQL RLS with JWTs for Secure Multi-Tenant Architectures

17 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Achilles' Heel of Multi-Tenant Applications: Data Isolation

In a multi-tenant SaaS architecture, ensuring that one tenant cannot access another's data is the paramount security requirement. The conventional approach involves meticulously adding a WHERE tenant_id = :current_tenant_id clause to every single database query. While functional, this pattern is fragile. A single forgotten clause in a complex query, a new endpoint added by a junior developer, or a subtle bug in a data access layer can lead to a catastrophic data breach. The application layer becomes a minefield of security-critical code that is difficult to audit and maintain.

This is where a defense-in-depth strategy becomes critical. We can, and should, enforce data isolation at the database layer itself. For applications leveraging PostgreSQL, Row-Level Security (RLS) is the definitive tool for this job. RLS allows us to define policies directly on tables, which PostgreSQL then automatically and transparently applies to every query executed against them.

However, RLS alone is not enough. The database needs a secure and reliable way to know the context of the current request—specifically, which user and which tenant is making the query. This is where JSON Web Tokens (JWTs) enter the picture. By passing verified JWT claims into the database session, we can create a powerful, centralized, and non-bypassable security model. This article provides a comprehensive, production-focused guide to architecting this system, from schema design to advanced performance tuning.

Architectural Foundation: Shared Schema and JWT Context

We'll operate under a common multi-tenancy model: a shared database with a shared schema. All tenants' data resides in the same set of tables, distinguished by a tenant_id column. This model is cost-effective and generally easier to manage than a database-per-tenant or schema-per-tenant approach, but it places the entire burden of data isolation on the application and database logic.

1. Schema Imperatives

Every table containing tenant-specific data must have a non-nullable tenant_id column. This is the cornerstone of our RLS strategy. Let's define a couple of sample tables:

sql
-- A universally unique identifier for tenants
CREATE TABLE tenants (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    name TEXT NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Users belong to a tenant
CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    email TEXT NOT NULL UNIQUE,
    role TEXT NOT NULL DEFAULT 'member', -- e.g., 'member', 'admin'
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- A sample resource table
CREATE TABLE projects (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
    owner_id UUID NOT NULL REFERENCES users(id),
    name TEXT NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Create indexes on the tenant_id for performance
CREATE INDEX idx_users_tenant_id ON users(tenant_id);
CREATE INDEX idx_projects_tenant_id ON projects(tenant_id);

2. The JWT Structure

Upon successful authentication, your application will generate a JWT containing the necessary claims for our RLS policies. The payload should be minimal but sufficient:

json
{
  "sub": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", // User ID
  "tenant_id": "z9y8x7w6-v5u4-4t3s-2r1q-p0o9n8m7l6k5",
  "role": "admin",
  "exp": 1678886400
}

Crucially, this token must be signed with a secret key (e.g., using HS256 or RS256) that is known only to your application server. The database will not validate the JWT signature. The application layer is responsible for validating the token's authenticity and integrity before ever establishing a database connection for that request. The database will simply trust the claims provided by the application within a given session.

Implementing the RLS Framework in PostgreSQL

With our schema in place, let's configure PostgreSQL to enforce RLS. This involves enabling RLS on our tables and creating a mechanism to pass the JWT context.

1. Enabling RLS

By default, RLS is disabled. You must explicitly enable it on each table you wish to protect. A superuser or the table owner can do this.

sql
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

-- Force RLS for the table owner as well. This is a crucial security step!
-- Without this, queries run by the table owner would bypass RLS.
ALTER TABLE users FORCE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

Once enabled, the default behavior is DENY. If no policies are defined for a table, no rows can be accessed or modified.

2. The Bridge: Passing Claims via Session Variables

The core challenge is making the stateless database connection aware of the JWT claims for the duration of a single request. We cannot pass them as query parameters, as that would defeat the purpose of RLS. The correct and most secure pattern is to use transaction-scoped session variables.

We'll use SET LOCAL to set a custom configuration parameter. The LOCAL keyword is critical: it ensures the setting only lasts for the current transaction. This is vital in environments using connection pooling, as it prevents one user's claims from leaking into another user's request that might reuse the same database connection.

sql
-- In your application's database logic, for each request:
BEGIN;
SET LOCAL myapp.jwt.claims = '{"sub":"...","tenant_id":"...","role":"..."}';
-- ... your application queries go here ...
COMMIT;

3. A Helper Function to Access Claims

To avoid littering our RLS policies with verbose JSON parsing logic, we'll create a helper function to extract specific claims from this session variable.

sql
CREATE OR REPLACE FUNCTION get_current_claim(claim TEXT) RETURNS TEXT AS $$
DECLARE
    claims_json JSONB;
BEGIN
    -- Use current_setting with 't' to not error if the setting is missing
    claims_json := current_setting('myapp.jwt.claims', 't')::JSONB;

    -- Check if the JSON is null or the specific claim is missing
    IF claims_json IS NULL OR NOT (claims_json ? claim) THEN
        RETURN NULL;
    END IF;

    RETURN claims_json ->> claim;
END;
$$ LANGUAGE plpgsql STABLE;

Critical Detail: Function Volatility (STABLE)

Notice the function is marked as STABLE. This is non-negotiable for correctness and performance.

* VOLATILE (the default): The function is re-evaluated for every row. This would be disastrous for performance.

* IMMUTABLE: The function's result is considered constant and depends only on its arguments. The planner might cache its result for the entire duration of a query plan. This would be incorrect for our use case, as the current_setting can change between statements.

* STABLE: The function's result is consistent within a single statement. It will be evaluated once per statement that uses it, which is exactly the behavior we need. It reads the myapp.jwt.claims value once when the query starts and uses that value for all row checks within that query.

Crafting Granular RLS Policies

Now we can combine our helper function with RLS policies to define our access rules.

Policy for projects table:

We need to ensure users can only interact with projects within their own tenant.

sql
-- Create a policy that applies to all commands (SELECT, INSERT, UPDATE, DELETE)
CREATE POLICY tenant_isolation_policy ON projects
AS PERMISSIVE
FOR ALL
TO public
USING ( tenant_id = (get_current_claim('tenant_id'))::UUID )
WITH CHECK ( tenant_id = (get_current_claim('tenant_id'))::UUID );

Let's break this down:

AS PERMISSIVE: Policies can be PERMISSIVE or RESTRICTIVE. With PERMISSIVE, a row is accessible if any policy grants access. With RESTRICTIVE, a row is blocked if any* policy denies access. For simple isolation, PERMISSIVE is sufficient.

* FOR ALL: The policy applies to SELECT, INSERT, UPDATE, and DELETE.

* TO public: The policy applies to all roles (unless more specific policies exist).

* USING (...): This clause is for read operations (SELECT) and for checking existing rows in UPDATE/DELETE. The query will only see rows where this condition is true.

* WITH CHECK (...): This clause is for write operations (INSERT, UPDATE). It ensures that any new or modified row must satisfy this condition. This prevents a user from inserting a project with a different tenant_id or updating a project to move it to another tenant.

Policy for users table:

Here, the rules are slightly different. A user should be able to see all other users within their own tenant, but should only be able to modify their own record.

sql
-- Policy 1: Allow users to see other users in the same tenant.
CREATE POLICY select_tenant_users ON users
AS PERMISSIVE
FOR SELECT
TO public
USING ( tenant_id = (get_current_claim('tenant_id'))::UUID );

-- Policy 2: Allow a user to update their own record.
CREATE POLICY update_own_user_record ON users
AS PERMISSIVE
FOR UPDATE
TO public
USING ( id = (get_current_claim('sub'))::UUID )
WITH CHECK ( id = (get_current_claim('sub'))::UUID );

This demonstrates how multiple PERMISSIVE policies can be combined. For a SELECT on users, only the first policy applies. For an UPDATE, both are checked. The USING clause ensures they can only target their own user record for the update operation.

Application Layer Integration: A Production-Grade Node.js Example

Integrating this pattern into your application requires careful management of database connections and transactions. Here is a complete example using Node.js and the pg (node-postgres) library.

javascript
const { Pool } = require('pg');
const jwt = require('jsonwebtoken'); // e.g., jsonwebtoken library

const pool = new Pool({
    // ... your database connection config
    // Use a specific, non-superuser role for the application
    user: 'app_user',
    password: 'app_password',
});

// This function encapsulates the core logic for a single request.
// It acquires a client, sets the RLS context, executes the business logic,
// and ensures the client is released.
async function runInTenantContext(authToken, callback) {
    let decoded;
    try {
        // 1. Verify the JWT. This MUST happen before any DB interaction.
        decoded = jwt.verify(authToken, 'YOUR_SUPER_SECRET_KEY');
    } catch (err) {
        throw new Error('Invalid authentication token');
    }

    const { sub, tenant_id, role } = decoded;

    if (!sub || !tenant_id) {
        throw new Error('Token is missing required claims');
    }

    // 2. Acquire a client from the pool.
    const client = await pool.connect();

    try {
        // 3. Start a transaction.
        await client.query('BEGIN');

        // 4. Set the transaction-scoped RLS claims.
        // We serialize the entire decoded token payload as a JSON string.
        const claims = JSON.stringify(decoded);
        await client.query(`SET LOCAL myapp.jwt.claims = '${claims}'`);

        // 5. Execute the application's business logic using the provided callback.
        // The callback receives the configured client.
        const result = await callback(client);

        // 6. Commit the transaction.
        await client.query('COMMIT');

        return result;
    } catch (e) {
        // 7. If anything goes wrong, roll back the transaction.
        await client.query('ROLLBACK');
        throw e; // Re-throw the error to be handled by the caller
    } finally {
        // 8. CRITICAL: Always release the client back to the pool.
        client.release();
    }
}

// --- Example Usage in an Express.js route handler ---

app.get('/projects', async (req, res, next) => {
    try {
        const token = req.headers.authorization.split(' ')[1];

        const projects = await runInTenantContext(token, async (client) => {
            // Inside this callback, all queries on `client` are automatically
            // protected by RLS. We don't need any `WHERE tenant_id = ...` clauses.
            const { rows } = await client.query('SELECT id, name FROM projects ORDER BY created_at DESC');
            return rows;
        });

        res.json(projects);
    } catch (err) {
        next(err); // Pass to error handling middleware
    }
});

This pattern is robust because:

  • Atomicity: The BEGIN/COMMIT/ROLLBACK block ensures that setting the claims and executing queries are an atomic operation.
  • Isolation: SET LOCAL guarantees that claims do not leak across different requests sharing the same physical connection from the pool.
  • Centralization: The runInTenantContext function provides a single, auditable entry point for all tenant-aware database operations.

    • Advanced Scenarios and Edge Cases

    Real-world applications often have more complex requirements than simple tenant isolation.

    1. Super-Admin / Support Staff Access

    How can your internal support team or a super-admin view data across all tenants for debugging or administrative purposes? There are two primary patterns.

    * Pattern A: The BYPASSRLS Role (Recommended for Internal Tools)

    Create a separate, highly privileged PostgreSQL role that is only used by internal applications, never by the main public-facing API.

    sql
        CREATE ROLE internal_support WITH LOGIN PASSWORD '...';
    ALTER ROLE internal_support BYPASSRLS;

    When your internal tool connects to the database, it authenticates as internal_support. This role will completely ignore all RLS policies. This is the cleanest separation of concerns but requires a separate connection pool and application logic for these tools.

    * Pattern B: RLS Policy with a Super-Admin Check

    You can build a backdoor into your RLS policies that checks for a specific claim in the JWT.

    First, modify your JWT generation to include an is_superuser: true claim for these users. Then, update your policies:

    sql
        -- Drop the old policy first
    DROP POLICY tenant_isolation_policy ON projects;

    -- Recreate with superuser logic
    CREATE POLICY tenant_isolation_policy ON projects
    FOR ALL
    TO public
    USING (
        (get_current_claim('is_superuser') = 'true') OR
        (tenant_id = (get_current_claim('tenant_id'))::UUID)
    )
    WITH CHECK (
        -- Superusers might need to insert/update across tenants, but be careful.
        -- For safety, we can restrict their writes to their 'current' tenant context.
        tenant_id = (get_current_claim('tenant_id'))::UUID
    );

    This approach is more flexible as it uses the same application role, but it also increases the complexity of your RLS policies and widens the potential attack surface if a super-user JWT is ever compromised.

    2. Users Belonging to Multiple Tenants

    In some B2B SaaS applications, a single user account might have access to multiple organizations (tenants). Our current JWT structure is insufficient for this.

    * Solution: Modify the JWT to include an array of accessible tenant IDs and a single active_tenant_id.

    json
        {
      "sub": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
      "active_tenant_id": "z9y8x7w6-v5u4-4t3s-2r1q-p0o9n8m7l6k5",
      "tenants": [
        "z9y8x7w6-v5u4-4t3s-2r1q-p0o9n8m7l6k5",
        "f1e2d3c4-b5a6-4988-7766-554433221100"
      ],
      "role": "member",
      "exp": 1678886400
    }

    Your RLS policies must now be adapted to check for membership in an array.

    sql
        -- New helper function to get the active tenant
    CREATE OR REPLACE FUNCTION get_active_tenant_id() RETURNS UUID AS $$
    BEGIN
        RETURN (get_current_claim('active_tenant_id'))::UUID;
    END;
    $$ LANGUAGE plpgsql STABLE;

    -- New helper to check if a tenant is in the allowed list
    CREATE OR REPLACE FUNCTION is_tenant_member(check_tenant_id UUID) RETURNS BOOLEAN AS $$
    DECLARE
        claims_json JSONB;
    BEGIN
        claims_json := current_setting('myapp.jwt.claims', 't')::JSONB;
        IF claims_json IS NULL OR NOT (claims_json ? 'tenants') THEN
            RETURN FALSE;
        END IF;
        -- Use the JSONB containment operator @> to check if the array contains the tenant ID
        RETURN claims_json -> 'tenants' @> to_jsonb(check_tenant_id);
    END;
    $$ LANGUAGE plpgsql STABLE;

    -- Updated policy
    CREATE POLICY multi_tenant_isolation_policy ON projects
    FOR ALL
    TO public
    USING ( is_tenant_member(tenant_id) )
    WITH CHECK ( tenant_id = get_active_tenant_id() );

    Here, the USING clause allows a user to read data from any tenant they are a member of, while the WITH CHECK clause ensures they can only write data into the context of their currently active tenant. This prevents accidental cross-tenant data creation.

    Performance Analysis and Optimization

    A common concern with RLS is performance overhead. If implemented correctly, the impact is minimal and often negligible.

    1. RLS vs. WHERE Clause

    PostgreSQL's query planner is intelligent. An RLS policy like USING (tenant_id = (get_current_claim('tenant_id'))::UUID) is effectively rewritten into the query's WHERE clause before execution. Compare the EXPLAIN output of these two queries:

    sql
    -- Query A: Implicit RLS
EXPLAIN ANALYZE SELECT * FROM projects WHERE name LIKE 'Q4 Report%';

-- Query B: Explicit WHERE clause (with RLS disabled for this test)
EXPLAIN ANALYZE SELECT * FROM projects WHERE name LIKE 'Q4 Report%' AND tenant_id = '...';

    In most cases, the execution plans will be identical. The planner will see the RLS policy as just another predicate and will use the index on tenant_id to narrow down the search space immediately. The primary benefit of RLS is not performance, but correctness and security.

    2. Indexing is Non-Negotiable

    The most significant performance factor is proper indexing. The tenant_id column will be part of almost every query's filter, so it must be indexed. For queries that filter by tenant_id and other columns, a compound index is essential.

    sql
    -- Bad: Two separate indexes
CREATE INDEX idx_projects_tenant_id ON projects(tenant_id);
CREATE INDEX idx_projects_created_at ON projects(created_at);

-- Good: A compound index
-- The tenant_id must come first as it's the most selective filter.
CREATE INDEX idx_projects_tenant_id_created_at ON projects(tenant_id, created_at DESC);

    With the compound index, a query like SELECT * FROM projects WHERE tenant_id = $1 ORDER BY created_at DESC LIMIT 10 can be satisfied extremely efficiently, often with an Index-Only Scan.

    3. Function Costing

    While we marked our helper functions as STABLE, we can give the planner more hints by setting a COST. For a simple function like get_current_claim, the execution cost is trivial. We can tell the planner this to encourage it to inline the function and evaluate it early.

    sql
    CREATE OR REPLACE FUNCTION get_current_claim(claim TEXT) RETURNS TEXT AS $$
-- ... function body ...
$$ LANGUAGE plpgsql STABLE COST 1;

    This is a micro-optimization but can be beneficial in highly complex query plans.

    Conclusion: Defense-in-Depth Realized

    Implementing Row-Level Security with JWTs in PostgreSQL is a powerful architectural pattern that moves security from a fragile, application-level convention to a robust, database-enforced reality. It centralizes data access logic, simplifies application code by removing the need for repetitive WHERE clauses, and provides a formidable defense against common developer errors that could lead to data leakage.

    While the initial setup is more involved than traditional application-level filtering, the long-term benefits in security, maintainability, and developer peace of mind are immeasurable. By understanding the interplay between JWTs, session context, transaction management, RLS policies, and performance tuning, senior engineers can build truly secure and scalable multi-tenant systems.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles