What is OAuth for TenantsDB
OAuth 2.0 lets third-party apps access your TenantsDB account with your permission, without sharing your password or API keys.

When an app like Claude wants to query your tenant databases or manage your workspaces, it does not ask for your password. Instead, it sends you to a TenantsDB consent page where you choose which project to share and what permissions to grant. If you approve, the app receives a token scoped only to that project and those permissions.

You stay in control. Revoke access anytime from the Connected Apps page in your dashboard. Every token tracks when it was last used. No app ever sees your password or your API keys.

OAuth is the same standard used by "Sign in with Google" or "Connect to GitHub" flows. TenantsDB implements RFC 6749 (OAuth 2.0), RFC 7591 (Dynamic Client Registration), RFC 7636 (PKCE), and RFC 9728 (Protected Resource Metadata).

How It Works
TenantsDB uses the standard OAuth 2.0 authorization code flow, so there are no surprises for developers who have integrated with Google, GitHub, or Stripe.
Authorization flow
Step 1: You click "Connect to TenantsDB" in a third-party app like Claude.
Step 2: Your browser opens the TenantsDB consent page. You pick a project and approve.
Step 3: The app exchanges the authorization code for an access token and refresh token.
Step 4: The app calls TenantsDB APIs on your behalf, scoped to the project and permissions you approved.

Access tokens expire in 1 hour. Refresh tokens last 30 days and rotate on every use.

TenantsDB supports Dynamic Client Registration. Apps do not need to pre-register. They can register themselves on the fly by calling POST /oauth/register. This is what Claude Desktop, Cursor, and other MCP clients use to connect automatically. See Build an Integration for details.

Scopes
Scopes define what an app can do. Users see the requested scopes on the consent page before approving.
| Scope | What it allows |
| --- | --- |
| project:read | Read-only access. List workspaces, read tenant data, search across tenants, inspect schemas. Cannot modify anything. |
| project:write | Create and modify resources. Create workspaces, deploy blueprints, create tenants, run write queries. Includes everything in project:read. |
| project:admin | Destructive operations. Delete workspaces and tenants, suspend or resume tenants, rollback data. Includes everything in project:write. |

Scopes are bound to a single project. If an app needs access to multiple projects, it must complete the OAuth flow once per project. Tokens are never cross-project.
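
The scope rules above, written out as a resource-side authorization check. This is an added example, not TenantsDB's own code: the operation names, the AccessToken record and the one-scope-per-token assumption are hypothetical, while the scope hierarchy, project binding and 1-hour access token lifetime come from this page.

```python
from dataclasses import dataclass

# Higher rank includes everything below it (project:admin > write > read).
SCOPE_RANK = {"project:read": 1, "project:write": 2, "project:admin": 3}
ACCESS_TOKEN_TTL = 3600  # seconds; access tokens expire in 1 hour

# Hypothetical operation names, mapped to the minimum scope the table implies.
REQUIRED_SCOPE = {
    "list_workspaces": "project:read",
    "search_tenants": "project:read",
    "create_tenant": "project:write",
    "run_write_query": "project:write",
    "delete_workspace": "project:admin",
    "rollback_data": "project:admin",
}


@dataclass(frozen=True)
class AccessToken:  # hypothetical record; assumes one scope per token
    project_id: str
    scope: str
    issued_at: int  # Unix seconds


def authorize(token: AccessToken, project_id: str, operation: str, now: int) -> tuple[bool, str]:
    """Return (allowed, reason) for a single API call, failing closed."""
    required = REQUIRED_SCOPE.get(operation)
    if required is None:
        return False, "unknown_operation"
    if token.scope not in SCOPE_RANK:
        return False, "unknown_scope"
    age = now - token.issued_at
    if not 0 <= age < ACCESS_TOKEN_TTL:
        return False, "expired"
    if token.project_id != project_id:
        return False, "wrong_project"  # tokens are never cross-project
    if SCOPE_RANK[token.scope] < SCOPE_RANK[required]:
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    tok = AccessToken("proj_a", "project:write", issued_at=1_000)  # constructed sample
    for op in ("list_workspaces", "create_tenant", "delete_workspace"):
        print(op, authorize(tok, "proj_a", op, now=1_500))
```
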

What do you want to do?
Pick your path. Each page has everything you need for that specific goal.