Serve per-tenant configuration to millions of users with cryptographic namespace binding.
Multi-tenant SaaS applications need strict tenant isolation. Traditional authorization-based checks can have bugs; we need cryptographic guarantees that make cross-tenant access impossible at the protocol level.
ResolveDB uses Cryptographic Namespace Binding (CNB) - queries include a cryptographic signature that binds the request to a specific tenant namespace. Even with a stolen token, cross-tenant queries fail cryptographically.
`sig-`: Namespace-Bound Authentication (NBA). An HMAC-SHA256 signature cryptographically binds queries to the tenant namespace. Combined with JWT for defense-in-depth.
```sh
# Signed query (signature cryptographically bound to namespace)
dig TXT get.sig-a3f2e8c1d4b5a678-t-1704067200.config.acme-corp.v1.resolvedb.net +short
# Response:
# "v=rdb1;s=ok;t=data;f=json;ttl=3600;d={\"logo\":\"https://cdn.example/acme.png\"}"

# Cross-tenant attack FAILS cryptographically:
dig TXT get.sig-a3f2e8c1d4b5a678-t-1704067200.config.evil-corp.v1.resolvedb.net +short
# Response (signature doesn't match evil-corp namespace):
# "v=rdb1;s=secviol;err=E018;d=Namespace binding validation failed"
```

```python
from resolvedb import ResolveDB

# Initialize with tenant query key
db = ResolveDB(
    namespace="acme-corp",
    tenant_key="your-tenant-query-key",
)

# SDK auto-signs queries with NBA pattern
# Signature cryptographically binds to "acme-corp" namespace
config = db.config.get("branding")
print(f"Logo: {config['logo']}")
print(f"Color: {config['primary_color']}")

# Cross-tenant attempt would fail cryptographically
# Even if attacker has valid JWT but wrong tenant_key
```

```javascript
import { ResolveDB } from '@resolvedb/client';

const db = new ResolveDB({
  namespace: 'acme-corp',
  tenantKey: 'your-tenant-query-key'
});

// SDK auto-signs with NBA pattern
// Queries cryptographically bound to namespace
const config = await db.config.get('branding');
console.log('Logo:', config.logo);

// Combined with JWT for defense-in-depth
// (jwtToken is the user's JWT, obtained from your own auth flow)
const license = await db.config.get('license', {
  auth: jwtToken // JWT tenant must match namespace
});
```

```go
package main

import (
	"fmt"
	"log"

	resolvedb "github.com/resolvedb/go-client"
)

func main() {
	db := resolvedb.New(resolvedb.Config{
		Namespace: "acme-corp",
		TenantKey: "your-tenant-query-key",
	})
	// SDK auto-signs with NBA pattern
	config, err := db.Config.Get("branding")
	if err != nil {
		log.Fatalf("config lookup failed: %v", err)
	}
	fmt.Println("Logo:", config["logo"])
	// Cross-tenant access cryptographically impossible
	// Signature only valid for "acme-corp" namespace
}
```

| Feature | ResolveDB | Alternative |
|---|---|---|
| Tenant isolation | Cryptographic (NBA) | Policy-based |
| Bug immunity | Yes (math, not code) | No |
| Token theft impact | Limited (need query_key) | Full access |
| Global distribution | DNS caching (free) | CDN ($$$) |
| Audit trail | Signature forensics | Varies |
During tenant onboarding, call POST /api/v1/tenants/<tenant>/keys. This generates a 256-bit tenant_query_key. Store it securely - it's required for all authenticated queries.
You can rotate keys via the API. The old key remains valid for 24 hours during the transition period to allow client updates.
For maximum security, yes. JWT provides user identity and permissions. NBA signature provides cryptographic namespace binding. Together they provide defense-in-depth.
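The namespace binding described on this page, sketched as an added example (not ResolveDB's own code). The HMAC input layout, the 16-hex-character truncation, the 300-second freshness window and the names `sign_label`, `verify_query` and `keys_by_namespace` are assumptions, since the page shows only the `sig-<tag>-t-<timestamp>` label shape; the verifier also accepts the previous key next to the current one, as the rotation window allows.

```python
import hashlib
import hmac

SIG_HEX_LEN = 16        # assumption: tag truncated to 16 hex chars, as in the sample label
MAX_SKEW_SECONDS = 300  # assumption: freshness window; the page does not state one


def sign_label(key: bytes, op: str, resource: str, namespace: str,
               version: str, ts: int) -> str:
    """Build the 'sig-<tag>-t-<ts>' label for one query."""
    # Assumed canonical message: every bound field, NUL-separated so that
    # field boundaries cannot be shifted between resource and namespace.
    msg = "\x00".join([op, resource, namespace, version, str(ts)]).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:SIG_HEX_LEN]
    return f"sig-{tag}-t-{ts}"


def verify_query(qname: str, keys_by_namespace: dict, now: int) -> bool:
    """Server-side check of '<op>.<sig label>.<resource>.<namespace>.<version>...'."""
    labels = qname.rstrip(".").split(".")
    if not qname.isascii() or len(labels) < 5:
        return False
    op, sig_label, resource, namespace, version = labels[:5]
    parts = sig_label.split("-")
    if len(parts) != 4 or parts[0] != "sig" or parts[2] != "t" or not parts[3].isdigit():
        return False
    ts = int(parts[3])
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated query
    # The key is selected by the namespace in the name being queried, so a tag
    # made with another tenant's key (or for another namespace) cannot verify.
    # The list holds the current key plus the old one during rotation.
    return any(
        hmac.compare_digest(sign_label(k, op, resource, namespace, version, ts), sig_label)
        for k in keys_by_namespace.get(namespace, [])
    )


# Constructed 256-bit keys and names, for illustration only.
NOW = 1704067200
KEYS = {"acme-corp": [b"\x02" * 32, b"\x01" * 32], "evil-corp": [b"\x03" * 32]}
SUFFIX = "v1.resolvedb.net"
LABEL = sign_label(KEYS["acme-corp"][0], "get", "config", "acme-corp", "v1", NOW)

if __name__ == "__main__":
    print(verify_query(f"get.{LABEL}.config.acme-corp.{SUFFIX}", KEYS, NOW))  # own namespace
    print(verify_query(f"get.{LABEL}.config.evil-corp.{SUFFIX}", KEYS, NOW))  # replayed elsewhere
```

In this sketch the tag authenticates the query name, not the requester: anyone who observes a signed name can replay it against the same namespace until the timestamp falls outside the freshness window.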