Most AI demos are single-player.
Production SaaS is not.
The moment companies start using an AI product, the hard problems become less about the model and more about isolation, permissions, costs, billing, observability, and operational control. The model call is only one part of the system. The SaaS around it decides whether the product can scale safely.
This is how I think about multi-tenant AI SaaS architecture.
Resolve the Tenant Early
Every request should know which tenant it belongs to before it touches product logic.
Common patterns:
- subdomain:
acme.product.com - custom domain:
interviews.acme.com - path-based:
/acme/dashboard - token-based: API key maps to tenant
In a Next.js app, middleware is a natural place to resolve the tenant and attach it to request headers.
export async function middleware(request: NextRequest) {
const hostname = request.headers.get("host") ?? "";
const tenant = await resolveTenant(hostname);
if (!tenant) {
return NextResponse.redirect(new URL("/not-found", request.url));
}
const headers = new Headers(request.headers);
headers.set("x-tenant-id", tenant.id);
return NextResponse.next({ request: { headers } });
}
The important part is consistency. If some routes resolve tenant by domain and others resolve tenant by session user, bugs will appear in the gaps.
Tenant Isolation Is a Backend Feature
For most early-stage SaaS products, shared tables with a tenant_id column are a practical starting point. They are cheaper and easier to operate than database-per-tenant.
But application-level filtering is not enough. One missing WHERE tenant_id = ... can become a data leak.
I prefer defense in depth:
- tenant ID in every tenant-owned table
- database indexes that include tenant ID
- request-scoped tenant context
- authorization helpers that require tenant ID
- tests that attempt cross-tenant reads
- admin routes with explicit tenant switching
If using Postgres, Row Level Security can add another layer:
ALTER TABLE interviews ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON interviews
USING (tenant_id = current_setting('app.tenant_id')::uuid);
RLS does not remove the need for good application code, but it makes the database participate in the safety model.
AI Costs Need Tenant Boundaries
AI features are expensive in a way normal CRUD features are not. One tenant can accidentally or intentionally create a cost spike.
That means usage limits should be designed as product primitives:
- requests per minute
- tokens per day
- interviews per billing cycle
- concurrent sessions
- max audio duration
- model tier access
- retry budgets
Rate limiting should be tenant-aware. A global limiter protects infrastructure, but a tenant limiter protects the business.
type LimitDecision = {
allowed: boolean;
remaining: number;
resetAt: Date;
reason?: "plan_limit" | "burst_limit" | "abuse_guard";
};
The response should be understandable enough for the product to show a useful message, not just a generic 429.
Billing and Usage Should Share a Language
If the product sells "AI interviews", the system should track AI interviews as first-class usage events. If it sells "evaluation credits", the backend should emit evaluation-credit events.
Do not make billing infer business meaning from raw infrastructure logs.
A clean usage event might look like:
{
"tenantId": "tenant_123",
"eventType": "ai_interview_completed",
"quantity": 1,
"sourceId": "interview_456",
"occurredAt": "2026-04-05T10:30:00.000Z"
}
Events should be idempotent. Billing systems fail, webhooks retry, workers crash, and users refresh pages. A usage event needs a stable identity so it cannot be counted twice.
Feature Flags Are Safety Valves
AI products need runtime control.
Useful flags:
- enable voice interviews
- enable LLM evaluation
- switch model provider
- lower max answer duration
- require human review for low-confidence scores
- disable expensive follow-up generation
- route a tenant to a safer prompt version
Flags are not only for product experiments. They are operational controls.
When an AI system misbehaves, you do not want the only rollback path to be a full redeploy.
Observability Should Be Tenant-Aware
Generic logs are not enough. You need to answer:
- Which tenant is driving cost?
- Which plan tier has the highest latency?
- Which prompt version increased retries?
- Which tenant is hitting rate limits?
- Which model provider is failing for which feature?
Every AI call should include structured metadata:
- tenant ID
- user ID if safe
- feature name
- model
- prompt version
- token usage
- latency
- cache hit or miss
- safety outcome
This is how you debug AI systems without guessing.
What I Would Not Overbuild
I would not start with database-per-tenant unless the product has strict enterprise or regulatory requirements from day one.
I would not build a complex internal admin panel before the core tenant model is stable.
I would not let every feature invent its own usage tracking.
The early architecture should be boring in the right places: one tenant model, one usage event system, one rate limit layer, one place to resolve tenant context.
The Engineering Lesson
AI SaaS is still SaaS.
The model adds new cost and safety constraints, but the foundation is familiar: isolation, authorization, billing, observability, limits, and operational control.
The best AI product engineers can move between both worlds. They know how to make the model useful, and they know how to wrap it in systems that keep working when real customers arrive.