Authentication¶
Authentication and authorization are inherited from the Base Template. Billing adds SaaS tenant resolution on top.
Tenant context¶
Every request and message is tenant-scoped. The tenant id is resolved using TenantResolutionStrategy (ConfigurationFirstThenJwtThenHeaders by default):
- JWT claim:
tid(JwtTenantClaimType) - HTTP header:
X-Tenant-Id(HttpTenantHeaderName) - Messaging header:
tenant-id(MessagingTenantHeaderName)
The resolved tenant flows into the NHibernate SaasTenantFilter so queries are automatically scoped, and into outbound MassTransit messages via the ConnectSoft.Extensions.Saas.Messaging.MassTransit filters.
gRPC¶
Tenant metadata propagates over gRPC per ADR-0100 (tenant-id metadata). The base template's gRPC auth pipeline applies; Billing contributes the GrpcRichErrorInterceptor.