Multi-tenancy - OpenBunny

The cloud is fully multi-tenant. Each user can belong to multiple teams, and all data is scoped to a team.

Teams

Teams are the top-level organizational unit. Every task, contact, and API token belongs to exactly one team.

Roles

Role	Permissions
Owner	Full access, can delete the team
Admin	Manage members, create tokens, full data access
Member	Read and write tasks and contacts

Active team

Users can belong to multiple teams. The active team is tracked via the ob_team_id cookie and can be switched in the navigation sidebar.

Data isolation

All data queries include a team_id filter enforced at two levels:

Application level — API routes resolve the active team from the session or PAK token and scope all queries
Database level — RLS policies on every table ensure users can only access data for their teams

This means even a bug in the application code can’t leak data across teams — the database enforces isolation independently.

Inviting members

Team admins and owners can invite new members from Settings > Team Members. New members receive a magic link email and are added to the team upon first sign-in.

Cloud

​Teams

​Roles

​Active team

​Data isolation

​Inviting members

Teams

Roles

Active team

Data isolation

Inviting members