Most identity products treat “the workspace” as a downstream concept — something you build on top of users after the fact. WRNexus inverts that: every user is born into a personal workspace, and every team workspace inherits the same primitives. Here is how, and why.
The data model in one diagram
A user has many memberships. A membership ties a user to a workspace with a
role. A workspace owns its plan, its audit log, its API keys and its billing.
Every privileged query begins with WHERE workspace_id = …, every audit row
carries the workspace id, every webhook delivery is scoped to one workspace.
users ─< memberships >─ workspaces ─< plans, billing, api_keys, audit_log
That single design constraint — workspace as the unit of isolation — is what lets us move security boundaries safely. Want to share a project across teams? Move the membership, not the data. Suspending a workspace? One foreign key, not a sprawl of side effects.
Switching without losing context
The switcher is a single dropdown in the header. Behind the scenes, switching
sets a workspace_id claim on the session cookie and re-issues the cookie
in place, so the next page load resolves the new workspace from the very first
request. There is no logout, no double-session, no deep-link breakage.
We do one thing extra: the SDK remembers the last-used workspace per user and prefers it on next sign-in. The number of “I keep landing in the wrong place” support tickets we get is zero.
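The data model and the switch step described above, as an added example that is not WRNexus code. It assumes SQLite, constructed column names and sample rows, hypothetical function names, and a plain dict standing in for the session cookie's claims. The switch re-issues the claim only after a membership check, and the privileged query takes its workspace id from that claim alone.

```python
import sqlite3

# Assumed columns; the table names follow the diagram in the article.
SCHEMA = """
CREATE TABLE users       (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE workspaces  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (user_id INTEGER NOT NULL REFERENCES users(id),
                          workspace_id INTEGER NOT NULL REFERENCES workspaces(id),
                          role TEXT NOT NULL,
                          PRIMARY KEY (user_id, workspace_id));
CREATE TABLE api_keys    (id INTEGER PRIMARY KEY, label TEXT NOT NULL,
                          workspace_id INTEGER NOT NULL REFERENCES workspaces(id));
CREATE TABLE audit_log   (id INTEGER PRIMARY KEY, actor_id INTEGER NOT NULL,
                          action TEXT NOT NULL,
                          workspace_id INTEGER NOT NULL REFERENCES workspaces(id));
"""

def make_db():
    """Constructed sample data: user 1 is in workspaces 1 and 2, user 2 only in 2."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice@example.test"), (2, "bob@example.test")])
    db.executemany("INSERT INTO workspaces VALUES (?, ?)",
                   [(1, "alice-personal"), (2, "team")])
    db.executemany("INSERT INTO memberships VALUES (?, ?, ?)",
                   [(1, 1, "owner"), (1, 2, "member"), (2, 2, "owner")])
    db.executemany("INSERT INTO api_keys (label, workspace_id) VALUES (?, ?)",
                   [("alice-ci", 1), ("team-deploy", 2)])
    return db

def switch_workspace(db, session, target_ws):
    """Re-issue the session with a new workspace_id claim, members only."""
    member = db.execute(
        "SELECT 1 FROM memberships WHERE user_id = ? AND workspace_id = ?",
        (session["user_id"], target_ws)).fetchone()
    if member is None:
        raise PermissionError("user is not a member of the target workspace")
    # The audit row carries the workspace id; the action name is constructed.
    db.execute("INSERT INTO audit_log (actor_id, action, workspace_id) "
               "VALUES (?, ?, ?)", (session["user_id"], "workspace.switch", target_ws))
    return {**session, "workspace_id": target_ws}

def list_api_keys(db, session):
    """Privileged query: scoped by the session claim, never by request input."""
    rows = db.execute(
        "SELECT label FROM api_keys WHERE workspace_id = ? ORDER BY id",
        (session["workspace_id"],)).fetchall()
    return [label for (label,) in rows]
```
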
Billing isolation is non-negotiable
Stripe customers map 1:1 to workspaces, not to users. A user who belongs to three workspaces has nothing to do with their billing — each owner sees only their own invoices, their own seat count, their own dunning emails. When a workspace is suspended for non-payment, only that workspace becomes read-only; the user’s other memberships are unaffected.
What we wouldn’t change
The thing we evaluate hardest every quarter is whether to allow nested workspaces (think folders-within-folders). The answer keeps being no: the audit-log story breaks the moment one workspace’s actions can show up in another’s trail. We will introduce projects-within-a-workspace if customers need finer scoping — but the workspace itself stays flat.
If you are deciding how to model multi-tenancy in your own product, the short version is: pick the unit of isolation early, make every privileged query scoped to it, and never let yourself blur that boundary later. We are six quarters into running WRNexus on this design and the simplicity has paid for itself many times over.