Enterprise agent deployments are multi-tenant by design. Workspace Domain APIs give platform teams programmatic control over which user email domains can access a given agent workspace — establishing the access boundary that enterprise customers require before allowing an AI agent to touch their systems and data.

A SaaS company runs an AI operations agent for multiple enterprise customers. Each customer gets their own workspace. Using the Workspace Domain APIs, the developer configures acme-corp.com for Acme's workspace and beta-industries.com for Beta's. Scalekit blocks any user outside those domains from authenticating into the wrong workspace. Misconfigured cross-tenant access fails at the auth layer — not at the application layer, and not silently.

What's included

• Full CRUD for domain allowlists per workspace — create, read, update, and delete via gRPC/REST.
• AllowedEmailDomain enforcement at onboarding ensures the constraint applies from the first user session.
• Platform teams automate tenant provisioning as part of their own customer onboarding flows.
• Foundational for any ISV building a multi-tenant agent product on Scalekit.