
Environments, organisations, and CORS

A Sumvin partner integration is partitioned into three nested pieces: an organisation, one or more environments inside it, and a set of CORS origins per environment.

The three levels

| Level | What it represents |
| --- | --- |
| Organisation | A single partner tenant. One organisation per company (or per business unit). |
| Environment | An isolated namespace inside an organisation with its own auth provider credentials and SDK credentials. |
| CORS origin | The browser-origin allow-list tying an environment to the domains that may present credentials to . |

Typical partitioning

Three environments per organisation is the standard pattern:
organisation: acme-inc
  ├── development   — dev auth-provider credentials, localhost CORS
  ├── staging       — staging credentials, staging domain
  └── production    — production credentials, production domain only
Each environment has its own auth-provider connection — a Dynamic development tenant attaches to the development environment; a Dynamic production tenant attaches to the production environment. A JWT minted for one environment cannot authenticate to another.

What this buys you

  • Isolation. Swapping auth provider credentials in development doesn’t touch production.
  • Safe experimentation. Permissive CORS on development (for localhost) is safe because it only applies to that environment.
  • Auditability. Every call is scoped to an environment; the dashboard shows which environment a request landed in.
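
The sketch below is an added example, not Sumvin's code or API: it models the partitioning described above to show why a development token and a localhost origin are both rejected by production. The environment table, origins, keys and the HS256 stand-in for the auth provider's signature are all assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample configuration: origins and keys are hypothetical.
ENVIRONMENTS = {
    "development": {"key": b"dev-signing-key", "origins": {"http://localhost:3000"}},
    "staging": {"key": b"staging-signing-key", "origins": {"https://staging.acme.example"}},
    "production": {"key": b"prod-signing-key", "origins": {"https://app.acme.example"}},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(env, signing_input):
    key = ENVIRONMENTS[env]["key"]
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def mint_token(env, subject):
    """Stand-in for the environment's auth provider: a JWT signed with that environment's key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": subject, "env": env}).encode())
    return f"{header}.{payload}.{_sign(env, header + '.' + payload)}"

def authorize(env, origin, token):
    """Return (allowed, reason) for a browser request landing in `env`."""
    cfg = ENVIRONMENTS.get(env)
    if cfg is None:
        return False, "unknown environment"
    # Exact match on scheme://host[:port]; no wildcard or suffix matching.
    if origin not in cfg["origins"]:
        return False, "origin not allowed"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    # Verify with this environment's key only, in constant time.
    expected = _sign(env, header + "." + payload)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    # Defence in depth: the claim must also name this environment.
    if claims.get("env") != env:
        return False, "token for another environment"
    return True, "ok"
```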
