Multi-tenant agents: one key, many users
Serve many organizations and end users from a single agent using a delegated access key with the X-Org-Id and X-User-Id headers.
A delegated access key lets one agent serve many organizations and end users without minting a key per customer. The key carries no fixed org or user; you bind those per request with headers.
The headers
- Authorization: Bearer ucl_<key> - your delegated agent key.
- X-Org-Id: <org> - which workspace/tenant the call is for. Required for delegated keys.
- X-User-Id: <end-user> - the end user to act as on per-user connectors.
One client per end user
Construct one MCP client per end user and bind the headers at connect time. The same key serves every tenant: org-level connectors use the org credential, while per-user connectors act as the user named in X-User-Id.
from langchain_mcp_adapters.client import MultiServerMCPClient

client = MultiServerMCPClient({
    "ucl": {
        "transport": "streamable_http",
        "url": "https://your-company.ucl.dev/mcp",
        "headers": {
            "Authorization": "Bearer ucl_<delegated-key>",
            "X-Org-Id": "acme",
            "X-User-Id": "user@acme.com",
        },
    }
})

FAQ
Do I need a separate key per customer?
No. One delegated key serves all your tenants; you pass X-Org-Id (and X-User-Id) per request. Admin-connected keys, by contrast, are pinned to a single org and ignore those headers.
How is a tenant isolated from another?
Each call is scoped to the X-Org-Id you pass; the gateway resolves connectors, policies, and per-user tokens within that org only.
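Because each call is scoped to the X-Org-Id you pass, the values bound in "One client per end user" should come from your own authenticated session and be checked before they reach the headers. The sketch below is an added example, not UCL's own code; `ucl_connection`, `TenantBindingError`, the `MEMBERSHIP` table, the `UCL_DELEGATED_KEY` variable and the ID allow-list are assumptions made for illustration.

```python
import os
import re

UCL_URL = "https://your-company.ucl.dev/mcp"  # URL from the page's example

# Conservative allow-list for header values (an assumption, not a UCL rule):
# rejects CR/LF and other characters that could smuggle extra headers.
SAFE_ID = re.compile(r"[A-Za-z0-9._@+-]{1,128}")

# Constructed sample data: which end users belong to which org. In a real
# service this comes from your own authenticated session or directory.
MEMBERSHIP = {
    "acme": {"user@acme.com", "ops@acme.com"},
    "globex": {"user@globex.com"},
}


class TenantBindingError(ValueError):
    """Raised when an org/user pair must not be bound to the delegated key."""


def ucl_connection(org_id, user_id, key=None):
    """Return the connection config for exactly one (org, user) pair."""
    # Hypothetical environment variable; keep the key out of source code.
    key = key or os.environ.get("UCL_DELEGATED_KEY", "")
    if not key.startswith("ucl_"):
        raise TenantBindingError("delegated key missing or malformed")
    for name, value in (("X-Org-Id", org_id), ("X-User-Id", user_id)):
        if not isinstance(value, str) or not SAFE_ID.fullmatch(value):
            raise TenantBindingError(f"unsafe value for {name}")
    # Refuse to bind a user to an org they do not belong to.
    if user_id not in MEMBERSHIP.get(org_id, set()):
        raise TenantBindingError("user is not a member of the requested org")
    return {
        "ucl": {
            "transport": "streamable_http",
            "url": UCL_URL,
            "headers": {
                "Authorization": f"Bearer {key}",
                "X-Org-Id": org_id,
                "X-User-Id": user_id,
            },
        }
    }
```

Pass the returned dict to `MultiServerMCPClient(...)` as in the example above, building a fresh config for each end user rather than reusing one across tenants.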
Last updated 2026-06-09
