Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.lasscyber.com/llms.txt

Use this file to discover all available pages before exploring further.

A tenant in Agnes is the unit of isolation. Every customer-owned record — policies, YARA rules, SDP configurations, safety policies, analysis logs, API keys, billing — is tenant-scoped. Two tenants cannot see each other’s data, period. In product copy we often call a tenant an organization, especially when it represents a real-world company. The terms are interchangeable.

When you need a new tenant

Most customers operate one tenant — their company. You may want multiple tenants when:
  • You sell Agnes-as-a-feature to your end-customers and want strict isolation between them. (One tenant per end-customer.)
  • You operate distinct products that should not share policies or threat intel. (One tenant per product.)
  • You want a long-lived sandbox tenant for experiments without cluttering your production tenant’s analysis logs.
There is no per-tenant fee on most plans, but each tenant has its own billing relationship if you put it on a paid plan. See Billing.

Personal vs organizational tenants

Two flavours of tenant exist:
TypeCreated whenBacked by
PersonalA user signs in for the first time and does not have an existing tenant.The user’s Auth0 identity.
OrganizationAn owner explicitly creates one.An Auth0 Organization (created automatically if you do not provide one).
Personal tenants are useful for individual hacking; organizational tenants are the right shape for any team larger than one person because they support invitations, role-based access, and Auth0 organization branding.

Creating an organization

  1. Sign in to agnes.lasscyber.com.
  2. Use the tenant switcher in the top-left of the dashboard to choose Create organization.
  3. Pick a display name. Agnes provisions an Auth0 Organization behind the scenes (or accepts an existing auth0_organization_id if you already have one).
  4. Once created, you become the owner.
Programmatically, POST /api/v1/tenants/ with a JWT (not an API key — tenant creation is a JWT-only operation): 
curl -X POST https://api.lasscyber.com/api/v1/tenants/ \
  -H "Authorization: Bearer <auth0_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "Acme Corp",
    "tenant_type": "ORGANIZATION"
  }'
If you already have an Auth0 Organization you want to bind, pass auth0_organization_id. Otherwise Agnes will create one for you.

Switching tenants

Users with access to multiple tenants pick the active one in the tenant switcher in the top-left of the dashboard. The selection is stored in localStorage and travels with you across reloads. For programmatic clients, an API key already implies a single tenant — you cannot switch. To act on a different tenant, use a key from that tenant.

Inviting members

Organizations have first-class invitations. See Inviting team members for the flow.

Deleting a tenant

Owners can delete their tenant from agnes.lasscyber.com/agnes-info. Deletion is permanent and cascades to:
  • All API keys (immediate revocation).
  • All policies, YARA rules, SDP / safety policies.
  • All threat-intel embeddings.
  • All analysis logs and audit history.
  • The Stripe customer (subscription is canceled and downgraded to unpaid; final invoice is generated for any unbilled usage).
The Auth0 Organization is not deleted — you may want to keep it for SSO continuity. Delete it manually in Auth0 if needed.

Tenant isolation in practice

  • API key → exactly one tenant. The X-Tenant-ID header is inferred from the key; a mismatched value is rejected.
  • Auth0 JWT → bound to whichever tenant the user has currently selected in the tenant switcher.
  • Database queries → always include tenant_id. Cross-tenant reads are not possible from the public API surface.
  • Threat intel → tenant-scoped by default; the public threat-intel set is opt-in via the Semantic Threat Intelligence analyzer’s include_public_threat_intel parameter.

Personal tenants in trial

A new personal tenant lands on the trial plan with 100,000 included tokens / month. Once the trial expires, the API responds with billing_required until the user picks a paid plan or the tenant is converted to an organization on a paid plan.

Next