In the first four chapters of this series I've talked about what the Auth Gateway decides. This chapter is about who it decides for.

We run a multi-tenant platform. Every request, on every endpoint, belongs to one tenant. Get tenant resolution wrong and you don't have a security incident — you have a cross-tenant data leak incident, which is a category of bad you don't recover from.

This chapter is the boring, careful, paranoid story of how NGINX and the Auth Service cooperate to never let a request through without a clear tenant identity.

The two questions

Every multi-tenant request raises two questions:

1. Which tenant is this for? (resolution)
2. Where does the request go for that tenant? (routing)

We answer #1 at the NGINX layer, before auth. We answer #2 partly at NGINX (path-based routing) and partly inside the upstream service (tenant-scoped queries). The Auth Service sits between them: it makes sure the token's tenant matches the request's tenant before either service sees the request.…
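The tenant match the Auth Service performs, as an added example that is not the author's code: it assumes NGINX forwards the resolved tenant in a hypothetical `X-Resolved-Tenant` header and that the already-verified token carries a hypothetical `tenant` claim. It rejects whenever either side is missing, duplicated, malformed, or different from the other.

```python
import re

# Assumed tenant-id format (constructed for this example): a lowercase DNS-style label.
TENANT_ID = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


class TenantRejected(Exception):
    """Request must not reach the upstream; carries the HTTP status to return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def _exactly_one(values, status, source):
    # Zero values means resolution never happened; several means ambiguity.
    # Either way there is no clear tenant identity, so fail closed.
    if len(values) != 1:
        raise TenantRejected(status, f"{source}: expected one tenant, got {len(values)}")
    value = values[0]
    if not isinstance(value, str) or not TENANT_ID.fullmatch(value):
        raise TenantRejected(status, f"{source}: malformed tenant id")
    return value


def check_tenant(resolved_header_values, token_claims):
    """Return the tenant id only if the request's and the token's tenant agree.

    resolved_header_values: every value of the (hypothetical) X-Resolved-Tenant
        header on the request, as set by NGINX after resolution.
    token_claims: claims of a token whose signature was already verified.
    """
    request_tenant = _exactly_one(list(resolved_header_values), 400, "request")

    claim = token_claims.get("tenant")  # hypothetical claim name
    if claim is None:
        claim_values = []
    else:
        claim_values = claim if isinstance(claim, list) else [claim]
    token_tenant = _exactly_one(claim_values, 401, "token")

    # Exact comparison: no case folding or trimming that could merge two tenants.
    if request_tenant != token_tenant:
        raise TenantRejected(403, "token tenant does not match request tenant")
    return request_tenant
```
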