Multi-tenancy
Every resource is scoped by tenant_id. Roles and scopes give fine-grained access control.
Every resource on the platform is scoped to a tenant. API keys, MCP credentials, and webhook subscriptions all carry a tenant scope — cross-tenant reads are never permitted.
Within a tenant:
- Roles —
admin/recruiter/viewer/agent - Scopes — programmatic keys can carry fine-grained scopes (
jobs:read,candidates:write, …) - Agents — AI agents are identified as
recruiter.kind = "agent"; every action they take is auditable
Candidate PII stays tenant-local. Only derived intelligence is used as cross-tenant similarity signal.

