Security & Isolation

Every organization on LeanCore gets complete isolation. Your data is yours -- no exceptions.

Tenant Isolation

Protection	How it Works
Dedicated Database	Your data is stored in a dedicated schema, physically separated from every other organization
Isolated Specialists	No specialist can access another organization's data, tools, or knowledge
Private Workspace	Documents, conversations, and artifacts are entirely private to your organization
Encrypted Credentials	Login details for your connected systems are locked in a vault, encrypted at rest using AES-GCM
Secure Identity	Every request is authenticated and scoped to your organization

Authentication

• JWT-based authentication -- industry-standard JSON Web Tokens
• Role-based access control -- Owner, Admin, Manager, Viewer roles with granular permissions
• Token expiration -- sessions expire automatically for security
• Invite-only access -- new team members must be invited by an admin

API Security

• Bearer token authentication -- all API calls require valid JWT
• Organization scoping -- every request is bound to a specific organization
• Rate limiting -- protects against abuse
• HTTPS encryption -- all data in transit is encrypted

MCP Connector Security

• Basic authentication -- all MCP connections are authenticated
• Per-organization credentials -- each organization uses its own connector credentials
• No cross-tenant data access -- connectors are scoped to the requesting organization

Access Badges

Two types of security credentials control external access:

• API Access Badges -- for external applications calling LeanCore's API
• Incoming Message Badges -- for messaging channels (email, WhatsApp) sending messages to specialists

Both are managed from the Access Badges page in the admin interface.

Security Best Practices

• Treat Access Badges like passwords -- don't share them publicly
• Use the minimum required role for each team member
• Review team access regularly
• Revoke badges immediately if compromised