Multi-Tenant Isolation & Workspace RBAC

[Cedarich]

Labels: backend, security, product, wave4
Complexity: 200 points
Branch: feat/be-multi-tenant

Summary
Introduce logical isolation between different organizations or workspaces so that users can belong to multiple teams without data leakage.
Tasks

• Implement organization_id on all core entities (links, transactions, keys, webhooks).
• Add workspace context to all API requests and middleware.
• Implement Role-Based Access Control (Admin, Member, Read-Only) per organization.
• Add organization switching and invite management endpoints.
  Acceptance Criteria
• Users cannot access data from organizations they don't belong to.
• API keys are scoped to a specific organization.
• Invites and role changes are reflected immediately in access checks.

---

[BigMick03]

@BigMick03 has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hi there Maintainer, I will like to work on this please assign this to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @BigMick03 to this issue.

[drips-wave]

Congratulations, @BigMick03! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on April 29, 2026.

🧑‍💻 @BigMick03: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊