per-tenant-database

作成者: rivet-dev

Multi-tenant data isolation with one Rivet Actor per tenant: the actor key is the tenant id, so each tenant gets its own isolated dataset and migrations.

npx skills add https://github.com/rivet-dev/skills --skill per-tenant-database

Database per Tenant

IMPORTANT: Before doing anything, you MUST read BASE_SKILL.md in this skill's directory. It contains essential guidance on debugging, error handling, state management, deployment, and project setup. Those rules and patterns apply to all RivetKit work. Everything below assumes you have already read and understood it.

Working Examples

If you need a reference implementation, read the raw working example code in these templates:

Patterns for database-per-tenant architectures with RivetKit. Instead of one shared database with a tenant_id column on every table, each tenant gets its own Rivet Actor, and that actor owns the tenant's entire dataset.

Starter Code

Start with the working example on GitHub and adapt it. The example stores each tenant's dataset in JSON actor state and serves a React dashboard with live event updates.

TopicSummary
IsolationOne companyDatabase actor per tenant, keyed by company name. Switching tenants swaps the entire dataset.
StateJSON actor state holding employees and projects arrays plus timestamps. No SQLite, no queues, no scheduling.
RealtimeEvery write action mutates state, then broadcasts a typed event (employeeAdded, projectAdded) to all connected clients of that tenant.
AuthNone. The sign-in screen is cosmetic. Production guidance is in the security checklist.

The Isolation Model

The actor key is the tenant id. The client connects with useActor({ name: "companyDatabase", key: [companyName] }) and the actor reads c.key[0] in createState to seed that tenant's dataset. This gives you:

  • One actor per tenant: companyDatabase[tenantId] addresses exactly one actor instance. Two tenants can never share an actor.
  • One dataset per tenant: All reads and writes go through that actor's state, so there is no shared table with a tenant_id column to filter incorrectly. Cross-tenant leaks require constructing the wrong key, not forgetting a WHERE clause.
  • No key injection: Keys are arrays, not interpolated strings. key: [tenantId] cannot be escaped the way "tenant:" + tenantId string concatenation can. See Keys.

The example's test (tests/per-tenant-database.test.ts) proves the isolation: data written to companyDatabase["Alpha Co"] never appears in companyDatabase["Beta Co"].

Choosing a State Backend

The example uses plain JSON actor state. The same key-equals-tenant model works with any actor state backend.

BackendUse WhenDocsWorking Code
JSON actor stateSmall datasets, simple reads, whole dataset fits comfortably in memory. What the example uses.StateGitHub
Actor SQLite (rivetkit/db)Tables, indexes, SQL queries, larger-than-memory data, per-tenant relational schema.SQLiteGitHub
SQLite + DrizzleTyped schema, query builder, and generated migration files on top of actor SQLite.SQLite + DrizzleGitHub

With either SQLite option, every tenant gets its own embedded SQLite database, since the database is scoped to the actor and the actor is scoped to the tenant.

Migrations

The per-tenant example has no migrations because JSON state has no schema. When you adopt SQLite, migrations run per tenant database:

  • Raw SQL: db({ onMigrate }) runs your migration SQL inside a SQLite savepoint before the actor serves traffic. If onMigrate throws, all migration SQL rolls back atomically and the actor does not start. See SQLite.
  • Drizzle: drizzle-kit generates migration files from your typed schema, and db({ schema, migrations }) applies them when the actor wakes. See SQLite + Drizzle.

Because each tenant has its own database, migrations roll out per actor as each tenant's actor wakes, rather than as one large migration against a shared database.

Tenant Id Must Come From Auth

The example's sign-in is cosmetic: the client picks any company string and that string becomes the actor key, so any visitor can read and write any tenant's data. Do not ship this. As a required production extension (not implemented by the example):

  • Derive the tenant id from a verified credential, such as a JWT claim, never from user input.
  • Validate the credential against c.key in onBeforeConnect (pass/fail) or createConnState (store the verified user on connection state). See Authentication and Connections.
  • Add per-action permission checks on top of connection-level auth. See Access Control.

Actors

  • Key: companyDatabase[companyName] (single-element array key; c.key[0] is the company name)
  • Responsibility: One actor per tenant. Holds that company's employees and projects in persistent state, serves reads and writes via actions, and broadcasts mutations to connected clients.
  • Actions
    • addEmployee
    • listEmployees
    • addProject
    • listProjects
    • getStats
  • Queues
    • None
  • Events
    • employeeAdded
    • projectAdded
  • State
    • JSON
    • company_name
    • employees
    • projects
    • created_at
    • updated_at

Every write action follows the same mutate-then-broadcast shape: push the record into c.state, bump updated_at, broadcast the typed event, return the record. See Actions and Events.

Lifecycle

sequenceDiagram
	participant A as Tenant A client
	participant DA as companyDatabase A
	participant B as Tenant B client
	participant DB as companyDatabase B

	Note over A: authenticate and derive tenant id
	A->>DA: connect with key [tenantA]
	Note over DA: createState seeds company_name, employees, projects
	A->>DA: listEmployees() + listProjects() + getStats()
	A->>DA: addEmployee(name, role)
	DA-->>A: employeeAdded event
	B->>DB: connect with key [tenantB]
	Note over DB: separate actor, separate dataset
	B->>DB: listEmployees()
	DB-->>B: tenant B data only

In the example, the "authenticate" step is a free-text company picker. The rest of the flow matches the diagram: createState seeds the dataset on first creation, the dashboard loads with listEmployees, listProjects, and getStats, and every connected client of the same tenant receives employeeAdded and projectAdded events.

Security Checklist

The example ships with none of these. Apply all of them before production.

  • Tenant identity: Derive the tenant id from a verified JWT claim, never from a client-supplied string.
  • Connection validation: In onBeforeConnect or createConnState, verify the credential's tenant claim matches c.key and reject mismatches.
  • Per-action authorization: Check the caller's role before mutating actions (addEmployee, addProject), not just at connect time. See Access Control.
  • Input validation: Clamp name and role lengths and validate enums. The example only trims input and substitutes fallback defaults.
  • Key construction: Always pass the tenant id as an array element (key: [tenantId]). Never interpolate tenant ids into key strings, and never build keys from one tenant's input to address another tenant's actor.
  • Growth limits: As a recommended extension, cap or paginate the employees and projects arrays. The example lets them grow unboundedly in JSON state; move to SQLite when the dataset outgrows memory.

Reference Map

Actors

Cli

Clients

Cookbook

Deploy

General

Self Hosting

rivet-devのその他のスキル

ai-agent
rivet-dev
永続メモリを備えたAIエージェントバックエンドを構築する:会話ごとに1つのRivet Actor、キューによるメッセージ処理、ストリーミングLLM応答をリアルタイムイベントとして。
official
ai-agent-workspace
rivet-dev
Give every AI agent its own computer: a persistent workspace with a filesystem, processes, shells, networking, and agent sessions on a lightweight in-process…
official
chat-room
rivet-dev
Build a realtime chat room backend with Rivet Actors: one actor per room, SQLite-backed message history, and WebSocket broadcast to every connected client.
official
collaborative-text-editor
rivet-dev
Yjs CRDTとRivet Actorsを使用して、共同テキストエディタのバックエンドを構築します。ドキュメントごとのアクターが同期とアウェアネス更新を中継し、スナップショットを永続化します。
official
cron-jobs
rivet-dev
Rivet Actorsによる耐久性のあるcronジョブ:schedule.afterおよびschedule.atタイマーは再起動やクラッシュ後も持続し、さらに定期的なジョブの再設定や冪等性のあるハンドラを備えています。
official
live-cursors
rivet-dev
Rivet Actorsを使用したライブカーソルとマルチプレイヤープレゼンス:接続ごとのカーソル状態、イベントまたは生のWebSocketを介したリアルタイム更新、およびスロットリング。
official
rivetkit-client-javascript
rivet-dev
JavaScriptクライアント。ステートレスまたはステートフル接続でRivet Actorsに接続するためのもの。ブラウザ、Node.js、Bun環境をサポートし、環境変数または明示的な設定による自動エンドポイント検出を備える。独立したリクエストのためのステートレスアクション呼び出しと、リアルタイムイベントサブスクリプションを伴うステートフル接続の2つの相互作用モードを提供。onRequestまたはonWebSocketハンドラを実装するアクター向けの低レベルHTTPおよびWebSocketアクセスを含む。複合配列ベースの...
official
rivetkit-client-react
rivet-dev
Reactクライアント。フックとリアルタイム状態管理を使用してRivet Actorsに接続するためのもの。createRivetKit()で型付きフックを作成し、useActor()でキーとオプションパラメータを使用してアクターインスタンスに接続。useEvent()でアクターイベントを購読し、connStatusとerror状態を通じて接続ライフサイクルを監視。createClient()を使用してステートレスな単発呼び出し、アクター検出メソッド(get、getOrCreate、create、getForId)、および低レベルHTTP/WebSocketアクセスを実行。複合配列キーをサポート...
official