Hostnames & domains
Summarized from PRODUCT-ARCHITECTURE-PLAN.md §4.1–4.2.
Production hostnames
| Surface | Hostname | Audience |
|---|---|---|
| Marketing | tenancyengine.com | Public |
| Operator console | console.tenancyengine.com | Builders (us + future vendors) |
| Account / MFA / security | account.tenancyengine.com | Human auth enrollment & security settings |
| Documentation | docs.tenancyengine.com | Builders (see docs tiers below) |
| Auth / OIDC (issuer) | auth.saasruntime.com | Machine OIDC metadata; apps redirect humans via account hub |
| Runtime API | api.saasruntime.com | App backends |
| Webhooks ingress | hooks.saasruntime.com (optional) | External systems |
| TE billing portal | billing.tenancyengine.com | ISVs paying TenancyEngine (white-label; TenaBill backend) |
| TenaBill marketing | tenabill.com | Standalone billing merchants |
| TenaBill merchant console | console.tenabill.com | TenaBill merchants |
| TenaBill customer portal | portal.tenabill.com or merchant CNAME | End customers |
Documentation (VitePress on Cloudflare Pages)
| Tier | TenancyEngine | TenaBill | Deploy trigger |
|---|---|---|---|
| Local | http://localhost:5173 | http://localhost:5174 | npm run dev in {repo}/docs/ |
| Dev | docs-dev.tenancyengine.com | docs-dev.tenabill.com | Push to main (with app staging deploy) |
| Staging | docs-staging.tenancyengine.com | docs-staging.tenabill.com | Push to main (with app staging deploy) |
| Production | docs.tenancyengine.com | docs.tenabill.com | promote-staging-to-production in infra |
Consoles resolve the matching docs host from the page hostname (console-dev.* → docs-dev.*, etc.).
Non-production (team-only)
| Environment | Pattern | Access control |
|---|---|---|
| Development | *-dev.* (e.g. console-dev.tenancyengine.com, auth-dev.saasruntime.com) | Cloudflare tunnel → loopback |
| Staging | *-staging.* | METEOR staging stack |
| Local dev | localhost + tunnel *-dev.* | Developers only |
No separate brand domains per environment — only DNS subdomains.
SDK environment contract
Production apps embed SaaSRuntime URLs only — never TenancyEngine URLs in customer-facing SDK config:
```text
TENANCY_APPLICATION_ID=<uuid>
SAASRUNTIME_AUTHORITY=https://auth.saasruntime.com
SAASRUNTIME_API=https://api.saasruntime.com
```
Human vs machine surfaces
| Type | Examples | Used for |
|---|---|---|
| Human-facing | account.tenancyengine.com, console.tenancyengine.com, billing.tenancyengine.com | Login, MFA enrollment, console UI, billing portal |
| Machine-facing | auth.saasruntime.com, api.saasruntime.com, api.tenabill.com | OIDC metadata, API calls, token issuer URLs in SDKs |
Email links for humans use TenancyEngine (or merchant/app) hosts. Token issuer URLs in OIDC metadata remain SaaSRuntime.
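The SDK environment contract and the human/machine split above can be checked at app startup or in CI. The following is an added example, not code from the TenancyEngine repositories; the function names, the `tier` parameter, the `api-dev` and `*-staging` SaaSRuntime hostnames (derived from the `*-dev.*` and `*-staging.*` patterns), and the bare-origin requirement are assumptions.

```javascript
// Added example, not project code. Function and constant names are hypothetical.
const TIER_SUFFIX = { production: "", staging: "-staging", dev: "-dev" };
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a problem string, or null when value is https://<label><suffix>.saasruntime.com
function checkUrl(name, value, label, tier) {
  let url;
  try { url = new URL(value); } catch { return `${name}: not a valid URL`; }
  const expectedHost = `${label}${TIER_SUFFIX[tier]}.saasruntime.com`;
  if (url.protocol !== "https:") return `${name}: must use https`;
  if (url.username || url.password) return `${name}: userinfo is not allowed`;
  if (url.port) return `${name}: explicit port is not allowed`;
  // Compare the parsed hostname exactly; substring or prefix checks accept look-alike hosts.
  if (url.hostname !== expectedHost) return `${name}: host ${url.hostname} is not ${expectedHost}`;
  // Assumption: the contract expects a bare origin, as in the sample config on this page.
  if (url.pathname !== "/" || url.search || url.hash) return `${name}: must be a bare origin`;
  return null;
}

// Returns a list of contract violations; an empty list means the config conforms.
function validateSdkEnv(env, tier = "production") {
  if (!Object.hasOwn(TIER_SUFFIX, tier)) throw new Error(`unknown tier: ${tier}`);
  const problems = [];
  if (!UUID_RE.test(env.TENANCY_APPLICATION_ID || "")) problems.push("TENANCY_APPLICATION_ID: not a UUID");
  for (const [name, label] of [["SAASRUNTIME_AUTHORITY", "auth"], ["SAASRUNTIME_API", "api"]]) {
    const problem = checkUrl(name, env[name] || "", label, tier);
    if (problem) problems.push(problem);
  }
  return problems;
}

// Constructed sample configs (the UUID and example.net host are made up for illustration).
const SAMPLE_GOOD = {
  TENANCY_APPLICATION_ID: "3f2b8c1e-5a4d-4e6f-9b7a-0c1d2e3f4a5b",
  SAASRUNTIME_AUTHORITY: "https://auth.saasruntime.com",
  SAASRUNTIME_API: "https://api.saasruntime.com",
};
const SAMPLE_BAD = {
  TENANCY_APPLICATION_ID: "<uuid>", // placeholder never filled in
  SAASRUNTIME_AUTHORITY: "https://account.tenancyengine.com", // human-facing host
  SAASRUNTIME_API: "https://api.saasruntime.com.example.net", // look-alike suffix
};
console.log(validateSdkEnv(SAMPLE_GOOD));
console.log(validateSdkEnv(SAMPLE_BAD));
```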
Related
- Overview — platform ecosystem diagram
- MFA & notifications — account hub and auth domain map