Tenant isolation
Tenant isolation is a product feature of Constellation OS, not an implementation detail. The design goal is that cross-tenant access has no code path, and this page walks the chain that enforces it.
From key to data plane
Every authenticated request resolves through the same chain:
- Key to tenant. The validated
x-api-keymaps to exactly one tenant. Hostname plays no part: calling a dedicated tenant's custom domain with another tenant's key yields that other tenant's scope, not the domain owner's data. - Tenant to registry entry. A registry (provided to the API as environment configuration, with no shared control-plane database to compromise) maps the tenant to its data plane: database instance, credentials secret, organization, bucket, and encryption key.
- Registry entry to data plane. The router holds one client per tenant, connected to that tenant's own store.
Dedicated resources per tenant
Each tenant's data plane is physically its own:
| Resource | Isolation |
|---|---|
| Time-series database | A dedicated Timestream-for-InfluxDB instance per tenant, not a shared cluster with row filters |
| Encryption | A dedicated KMS key per tenant |
| Access tokens | A scoped read/write token per tenant, held in Secrets Manager; admin credentials are used only by the provisioning tooling |
On top of the physical separation, the API enforces scope in both directions: every telemetry write is stamped with the authenticated tenant server-side (a request body cannot claim another tenant), and every read is filtered to the authenticated tenant.
Fail-closed behavior
The isolation chain fails closed at every step:
| Condition | Result |
|---|---|
| Key invalid | 401 auth_failed |
| Key valid, tenant disabled | 403 tenant_disabled; a disabled tenant's key stops working everywhere at once |
| Key valid, tenant not registered in this environment | 503 tenant_unavailable; authentication never falls through to another tenant's plane |
| Tenant's data plane unreachable | 503 telemetry_unavailable with a retry hint; degraded, never redirected |
The dedicated-stack tier
For programs that need isolation above the data-plane level, tenants run as dedicated stacks in their own AWS accounts: their own API deployment, their own hostname on the codename.api.constellation.space pattern, their own registry containing only themselves. This is shipped practice, not roadmap; see Enterprise for the model and the spin-up process.
GovCloud environments exist as a parallel deployment family (development is live at api.dev.gov.constellation.space), keeping government workloads on government infrastructure end to end.
What to verify as a customer
Isolation claims should be checkable. Reasonable probes:
- Your
tenant_keyechoes back on everyGET /topologyresponse; it should always be yours. - A key for one environment must fail with
401on every other environment. - Telemetry written with foreign tenant tags in the body must come back stamped with your tenant, not the claimed one.
If any of those ever fails, treat it as a critical incident and report it immediately.