Request hits Azure Front Door
The browser request lands at Front Door with the customer-facing
hostname (e.g., billing.partner-x.app).
Capability · Tenancy
One application, six brands, physical isolation.
The active brand follows the URL. The active tenant follows the URL. The browser experience is fully branded; the database is fully isolated; the integration model is federated by default.
6
Brands shipping today
MedSuite, Millin, Electrobills, Brittco, Accumedic, EMR-Bear
1 day
New brand onboarding
Theme TS file + favicon + logo; CI smoke; production
0
Per-tenant brand setting
Brand selection is fully automatic based on hostname
How it works
Brand selection is fully automatic, based on hostname.
No per-tenant brand setting. No login-time choice. The browser request lands at the platform's edge, the host header is inspected against the brand registry, and the resolved brand drives the entire UI before any application code runs.
Hostname resolved to brand
resolveBrand() matches the hostname against each
brand's domainRoots array. The first match wins;
localhost falls back to a localStorage override.
Theme applied pre-paint
An inline script in the document head rewrites
--color-* CSS custom properties before the first
paint, so there is no flash-of-wrong-brand.
Application boots branded
React's BrandProvider reads the resolved brand from
the document; the entire SPA — login, sidebar, surfaces — is
branded from the very first frame.
Try it
Switch brands live.
The header dropdown on every page of this site swaps the active brand in real time across the entire experience. Every component reads from the same CSS-variable contract; the swap is a single set of writes to the document root.
Multi-tenancy
Physical isolation. One PostgreSQL database per customer.
There is no row-level security. Tenant resolution happens at the API edge before any business code runs; the connection string is fetched from Azure Key Vault per request, decrypted, and used to open a tenant-scoped pool. The master DB never holds tenant credentials.
Subdomain-routed tenancy
tenant.medsuite.app resolves to a tenant id in the
master DB; the rest of the stack reads only from that tenant's
database.
Key Vault-sealed credentials
Connection strings live exclusively in Azure Key Vault. The master DB stores only the tenant directory and the Key Vault reference — not the secret itself.
Cross-app handoff
Federation between the RCM app and partner EMRs uses a 30-second TTL handoff token, replay-protected by jti uniqueness.
Brand selection is fully automatic based on hostname. There is no per-tenant brand setting; the brand follows the URL.
Keep going