Multi-tenancy is one of those things that sounds simple until you're three hours deep into middleware, wildcard DNS, and Row Level Security policies wondering where it all went wrong.

I built it for Pronto — an open-source POS, CRM, and booking system for service businesses. Every business that signs up gets their own subdomain: salon-maya.trypronto.app. Fully isolated. One codebase.

Here's exactly how I did it, what broke, and what I'd do differently.

The architecture in one diagram

    Client request: salon-maya.trypronto.app
            ↓
    Cloudflare (wildcard *.trypronto.app → DigitalOcean)
            ↓
    Next.js Middleware (extract slug from hostname)
            ↓
    Supabase RLS (row-level isolation per business_id)
            ↓
    Tenant data

Three layers. Each one solves a different problem.

Layer 1: Cloudflare wildcard DNS

This is the easiest part.…
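The middleware step from the diagram above (extract slug from hostname), as an added JavaScript sketch that is not Pronto's code. Only the base domain and the salon-maya slug come from the post; the reserved-name list, the slug rules, and the tenant table with its business_id values are assumptions made for illustration.

```javascript
// Added example, not Pronto's code. BASE_DOMAIN is from the post;
// RESERVED, SLUG_RE and TENANTS are assumptions for illustration.
const BASE_DOMAIN = "trypronto.app";
const RESERVED = new Set(["www", "api", "app", "admin"]); // assumed list
// Exactly one DNS label: lowercase letters, digits, inner hyphens, <= 63 chars.
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the tenant slug for a Host header value, or null unless the host
// is exactly <slug>.<baseDomain>. The Host header is client-supplied, so
// anything unexpected is rejected rather than normalised into shape.
function tenantSlugFromHost(hostHeader, baseDomain = BASE_DOMAIN) {
  if (typeof hostHeader !== "string" || hostHeader.length > 255) return null;
  // Accept "name" or "name:port"; extra colons or brackets fail the match.
  const m = /^([^:]+)(?::\d{1,5})?$/.exec(hostHeader.trim().toLowerCase());
  if (!m) return null;
  const host = m[1].replace(/\.$/, ""); // tolerate a trailing FQDN dot
  const suffix = "." + baseDomain;
  // Anchoring on ".<baseDomain>" rejects the apex, look-alike domains and
  // hosts that merely contain the base domain somewhere in the middle.
  if (!host.endsWith(suffix)) return null;
  const slug = host.slice(0, -suffix.length);
  if (!SLUG_RE.test(slug)) return null; // nested labels, "_", leading "-"
  if (RESERVED.has(slug)) return null;  // platform names are not tenants
  return slug;
}

// Constructed sample tenant table: slug -> business_id.
const TENANTS = new Map([["salon-maya", "b_001"], ["barber-joe", "b_002"]]);

// Middleware-style decision. The business_id used downstream comes only
// from this server-side lookup, never from a value the client sends.
function routeRequest(hostHeader, tenants = TENANTS) {
  const slug = tenantSlugFromHost(hostHeader);
  if (slug === null) return { status: 400, businessId: null };
  const businessId = tenants.get(slug);
  if (!businessId) return { status: 404, businessId: null };
  return { status: 200, businessId };
}
```

The slug only selects a tenant; the Row Level Security layer in the diagram is what enforces isolation per business_id.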