Multi-Tenant & Teams

LAST EDIT Jul 21 2021

Many apps that add chat have customers of their own. If you're building something like Slack, or a SaaS application like Invision you want to make sure that one customer can't read the messages of another customer. Stream Chat can be configured in multi-tenant mode so that users are organized in separated teams that cannot interact with each other.

Teams

Copied!

Stream Chat has the concept of teams for users and channels. The purpose of teams is to provide a simple way to separate different groups of users and channels within a single application.

If a user belongs to a team, the API will ensure that such user will only be able to connect to channels from the same team. Features such as user search can be configured so that a user can only search for users from the same team.

User teams and channel team can only be changed using server-side auth. This ensures users can't change their own team membership.

When enabling multi-tenant mode all user requests will always ensure that the request applies to a team the user belongs to. For instance, if a user from team "blue" tries to delete a message that was created on a channel from team "red" the API will return an error.

Enable Teams for your application

Copied!

In order to use Teams, your application must have multi-tenant mode enabled. You can ensure your app is in multi-tenant mode by calling the Application Settings endpoint.

You only need to activate multi-tenant once per application. Make sure to do this before using teams.

User teams

Copied!

When using teams, users must be created from your back-end and specify which teams they are a member of. (Note this is only allowed server side)

A user can be a member of a maximum of 25 teams.

Channel team

Copied!

Channels can be associated with a team. Users can create channels client-side but if their user is part of a team, they will have to specify a team or the request will be rejected with an error.

Channel teams allows you to ensure proper permission checking for a multi tenant application. Keep in mind that you will still need to enforce that channel IDs are unique. A very effective approach is to include the team name as a prefix to avoid collisions. (ie. "red-general" and "blue-general" instead of just "general")

User Search

Copied!

By default the user search endpoint allows users to search for any other user, applications in multi-tenant mode are required to specify a team filter when performing user searches client-side.

Because users can belong to multiple teams, you need to use the $contains operator for this match.

If a user tries to search for users from other teams it will receive an error from the Chat API endpoint.

Query Channels

Copied!

When using multi-tenant, the query channels endpoint will only return channels that match the query and are on the same team as the user. This happens automatically on Stream Chat side and cannot be circumvented by users.

Server-side you can use query channels to get channels from any team and you can filter them using the team field as well.