Hi,
My team is working on a multi-tenant platform which is already built and in production, used by many clients. This platform is currently offered to the end users of our clients (B2B2C model) through a web portal which is powered by a set of backend APIs.
Recently our business team decided to offer the platform as a bunch of APIs to potential clients who will then build their own front end instead of using our web portal.
With this objective, we are developing a set of Apigee API proxies that are in turn powered by the same backend APIs that our own web portal is powered by.
The consumers of these backend APIs (exposed to the end consumers through Apigee proxies) are essentially tenants in our platform, and as such our backend APIs will require the ability to identify which consuming app (of a client, aka tenant) is making a particular API request.
One option I have is to make every API signature also take in the tenant name as a mandatory query string (or request body) parameter, but since almost every API will require it, making it part of the query string or request body feels redundant.
The other option I have is that, as each such client (wishing to build their own front end but using our backend APIs) will be registered as a developer app, I somehow identify the tenant based on the authorisation token that is included in the incoming API request.
Which, in your view, is the best strategy, and is there a better approach to solving this?
Thanks.
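An added example, not part of the question above, showing what the second option looks like on the backend side: the tenant is taken from a verified bearer token rather than from a parameter the caller can set. Everything here is assumed for the example, not taken from the poster's platform or from Apigee: the token is an HS256-signed JWT carrying a `tenant` claim, the backend shares the signing key with the authorization server, and the issuer, audience, key and sample tokens are constructed. It also includes the check a practitioner would want if a `tenant` parameter is kept around for compatibility: a parameter that disagrees with the token is refused, so one tenant's credential cannot be used to act on another tenant's data.

```python
"""Added example: resolve the tenant from a verified bearer token.

Assumptions (constructed for this example, not from the original post):
the authorization server issues HS256 JWTs with a ``tenant`` claim and the
backend shares the signing key. Key, issuer, audience and tokens are fake.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-shared-secret-not-for-production"  # assumed
EXPECTED_ISS = "https://auth.example.invalid"                  # assumed
EXPECTED_AUD = "platform-api"                                  # assumed


class TenantResolutionError(Exception):
    """Raised when the tenant cannot be established from the request."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=SIGNING_KEY):
    """Create an HS256 JWT; stands in for the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key=SIGNING_KEY, now=None):
    """Check algorithm, signature, expiry, issuer and audience; return claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TenantResolutionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never pick it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TenantResolutionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TenantResolutionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TenantResolutionError("token expired")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise TenantResolutionError("wrong issuer or audience")
    return claims


def resolve_tenant(headers, params, now=None):
    """Return the tenant for this request, taken from the verified token only.

    ``params`` holds the merged query-string/body parameters. A ``tenant``
    value there is tolerated for compatibility but must agree with the
    token; a mismatch is refused rather than silently trusting the caller.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise TenantResolutionError("missing bearer token")
    claims = verify_token(auth[len("Bearer "):], now=now)
    tenant = claims.get("tenant")
    if not tenant:
        raise TenantResolutionError("token carries no tenant claim")
    supplied = params.get("tenant")
    if supplied is not None and supplied != tenant:
        raise TenantResolutionError("tenant parameter does not match token")
    return tenant


if __name__ == "__main__":
    # Constructed request: a token for tenant "acme" issued for app-123.
    token = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                        "sub": "app-123", "tenant": "acme",
                        "exp": time.time() + 300})
    print(resolve_tenant({"Authorization": "Bearer " + token}, {}))
```

The point of the `alg` pin and the `compare_digest` call is that the tenant decision is only as trustworthy as the signature check in front of it; if the gateway already verifies the token and forwards the tenant in a header, the backend should still only trust that header on a channel the gateway alone can reach.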