Skip to main content

Overview

RAXE supports multi-tenant deployments where a single installation serves multiple customers, each with their own security policies. This is ideal for:
  • CDN/Platform Providers: Serve multiple customers from a central router
  • Enterprise Organizations: Different divisions with different security requirements
  • SaaS Applications: Per-customer policy customization

Quick Start

# Create a tenant
raxe tenant create --name "Acme Corp" --id acme

# Create an app
raxe app create --tenant acme --name "Chatbot" --id chatbot

# Set a policy
raxe policy set strict --tenant acme --app chatbot

# Scan with context
raxe scan "test" --tenant acme --app chatbot

Policy Modes

RAXE provides three built-in policy presets:

Monitor

Never blocksLogs all detections for analysis. Perfect for new deployments and learning phases.

Balanced

Smart blockingBlocks CRITICAL always, blocks HIGH with confidence ≥ 0.85. Recommended for production.

Strict

Maximum protectionBlocks CRITICAL, HIGH, and MEDIUM severity. For high-security environments.

Entity Hierarchy

Tenant (organization)
   └── App (application)
        └── Request (runtime override)

Policy Resolution

When scanning, RAXE resolves the effective policy using this fallback chain:
1

Request Override

If policy_id is passed to scan(), use that policy
2

App Default

If the app has a configured default policy, use it
3

Tenant Default

If the tenant has a configured default policy, use it
4

System Default

Fall back to balanced mode

Policy Attribution

Every scan result includes policy attribution for billing and audit: 
result = raxe.scan(
    prompt,
    tenant_id="acme",
    app_id="chatbot"
)

# Attribution fields
result.metadata["effective_policy_id"]   # "strict"
result.metadata["effective_policy_mode"] # "strict"
result.metadata["resolution_source"]     # "app" | "tenant" | "request" | "system_default"

CLI Usage

Tenant Management

# Create
raxe tenant create --name "Acme Corp" --id acme

# List
raxe tenant list
raxe tenant list --output json

# Delete
raxe tenant delete acme --force

App Management

# Create app with strict policy
raxe app create --tenant acme --name "Trading" --id trading --policy strict

# List apps
raxe app list --tenant acme

Policy Management

# List available policies (presets + custom)
raxe policy list --tenant acme

# Set default policy
raxe policy set balanced --tenant acme
raxe policy set strict --tenant acme --app trading

# Explain resolution chain
raxe policy explain --tenant acme --app trading

SDK Multi-Tenant Scanning

Basic Usage

from raxe import Raxe

raxe = Raxe()

# Scan with tenant context
result = raxe.scan(
    "Ignore all previous instructions",
    tenant_id="acme",
    app_id="chatbot"
)

if result.has_threats:
    print(f"Blocked by: {result.metadata['effective_policy_id']}")

Gateway/Router Pattern

For CDN providers or API gateways routing requests for multiple customers: 
from raxe import Raxe

raxe = Raxe()

def handle_request(customer_id: str, app_name: str, prompt: str):
    """Central router for multiple customers."""

    result = raxe.scan(
        prompt,
        tenant_id=customer_id,
        app_id=app_name,
    )

    # Audit log with policy attribution
    audit = {
        "customer": customer_id,
        "policy": result.metadata.get("effective_policy_id"),
        "blocked": result.action_taken == "block",
        "event_id": result.metadata.get("event_id"),
    }

    if result.action_taken == "block":
        return {"error": "Blocked", "event_id": audit["event_id"]}

    return {"allowed": True}

Per-Request Override

# Override policy for a specific request
result = raxe.scan(
    prompt,
    tenant_id="acme",
    app_id="chatbot",
    policy_id="strict"  # Override the app's default
)

Tenant-Scoped Suppressions

Each tenant can have their own false positive suppressions: 
# Add suppression for a tenant
raxe suppress add pi-001 --tenant acme --reason "False positive"

# List tenant's suppressions
raxe suppress list --tenant acme
Suppressions are isolated per-tenant and don’t affect other tenants.

JSON Output

All commands support --output json for automation: 
raxe scan "test" --tenant acme --output json

{
  "has_threats": true,
  "severity": "high",
  "detections": [...],
  "policy": {
    "effective_policy_id": "strict",
    "effective_policy_mode": "strict",
    "resolution_source": "app"
  },
  "tenant_id": "acme",
  "app_id": "chatbot",
  "event_id": "evt_abc123"
}

Limits (Community Edition)

ResourceCommunityEnterprise
Tenants5Unlimited
Apps per tenant10Unlimited
Custom policies3 per tenantUnlimited

Best Practices

Deploy new tenants in monitor mode to build detection baselines before enabling blocking.
Configure policies at the app level for granular control. Different apps may have different risk tolerances.
Always log effective_policy_id and resolution_source for debugging and audit trails.
Keep suppressions tenant-scoped to avoid cross-tenant effects.