# Tenants & Data Boundaries

> How Alforse separates customer organizations, operational data, and system metadata.

Alforse is built around a hard split between customer operational data and system metadata. The
API keeps tenant data isolated so that one customer organization cannot read another
organization's contracts, payments, files, or audit events.

<CardGroup cols={2}>
  <Card title="System metadata" icon="building">
    Tenant registry, plan entitlements, subscription state, license state, and system health
    information. This metadata is separate from contract content.
  </Card>

  <Card title="Tenant data" icon="briefcase">
    A tenant's operational data: contracts, payments, dynamic fields, workflow, files, and
    tenant-scoped audit. Every tenant-scoped row carries a tenant boundary.
  </Card>
</CardGroup>

A **tenant** is a customer organization — what you log into with a `tenantSlug`.

## How this shows up in the API

A tenant access token (`scope: "tenant"`) carries `tenantId`, `roleCode`, and `subjectScope` as
claims and can only call tenant-scoped endpoints. There is no separate tenant header to set,
and tokens are not interchangeable across tenants — see [Authentication](/api-reference/authentication).
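
The rule above, sketched as an added example (not Alforse's own code): the server derives the tenant boundary only from the token's claims and ignores any tenant hint the client sends. It assumes the claims object comes from a token whose signature and expiry were already verified upstream; the row shape, the `x-tenant-id` header, and all function names are hypothetical.

```javascript
// Added illustration; not Alforse source code.
// Constructed sample rows: every tenant-scoped row carries its tenant boundary.
const rows = [
  { id: "c-1", tenantId: "t-acme", title: "Acme MSA" },
  { id: "c-2", tenantId: "t-globex", title: "Globex NDA" },
];

class TenantBoundaryError extends Error {}

// Build the request's tenant context from verified claims only.
// Client-supplied tenant hints (headers, query, body) are never consulted.
function tenantContext(claims) {
  if (!claims || claims.scope !== "tenant") {
    throw new TenantBoundaryError("token is not tenant-scoped");
  }
  if (typeof claims.tenantId !== "string" || claims.tenantId === "") {
    throw new TenantBoundaryError("token carries no tenantId claim");
  }
  return Object.freeze({
    tenantId: claims.tenantId,
    roleCode: claims.roleCode,
    subjectScope: claims.subjectScope,
  });
}

// Reads go through a tenant-bound accessor, so a handler cannot forget the filter.
function contractsFor(ctx, store = rows) {
  const own = store.filter((r) => r.tenantId === ctx.tenantId);
  return {
    list: () => own.map((r) => ({ ...r })),
    // A foreign id resolves to "not found", which avoids confirming it exists.
    get: (id) => own.find((r) => r.id === id) ?? null,
  };
}

// Hypothetical handler: request.headers exists only to show that it is ignored.
function getContract(request, id) {
  const ctx = tenantContext(request.claims);
  return contractsFor(ctx).get(id);
}
```

Binding the filter into the accessor, instead of passing `tenantId` to each query by hand, is what makes a missing tenant check a structural impossibility and not a code-review finding.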

## Administration layers

| Layer     | Role examples                         | Responsibility                                                         | Data boundary                             |
| --------- | ------------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------- |
| Tenant    | tenant `admin` and other tenant roles | Members, subjects, fields, workflow, saved views, files, export policy | Limited to the current tenant             |
| Workspace | tenant `member` / `viewer` roles      | Day-to-day contract work                                               | Governed by role and workflow permissions |

See [Roles & Permissions](/concepts/roles-and-permissions) for how tenant roles and modules work
in practice.

## Applications map to this split

| Application    | Plane                      | Audience                                                          |
| -------------- | -------------------------- | ----------------------------------------------------------------- |
| `apps/deals`   | Tenant                     | Business users doing daily contract work                          |
| `apps/console` | Tenant                     | Tenant admins managing their own organization                     |
| `apps/api`     | Tenant and system services | The shared backend behind the product and direct API integrations |

## Tenant creation

Tenants are created through an Alforse onboarding process or by redeeming a code
(`POST /auth/redeem`). There is no public "sign up with just an email" path in production.
See [Plans & Editions](/concepts/plans-and-editions) for how codes and plans relate, and
[Quickstart](/quickstart) to get started.
