Hosting The Claude Agent SDK With Multi-Tenant Isolation
Isolate Claude Agent SDK tenants in shared containers using documented options: per-tenant cwd, settingSources disabled, CLAUDE_CONFIG_DIR, CLAUDE_CODE_DISABLE_AUTO_MEMORY, and per-tenant egress rules from official hosting documentation.
Open the source and read safety notes before installing.
Safety notes
- Default SDK behavior can leak one tenant's CLAUDE.md or settings into another session without isolation options.
- Auto memory at ~/.claude/projects/.../memory/ loads regardless of settingSources unless CLAUDE_CODE_DISABLE_AUTO_MEMORY=1.
- Each agent session maps to one subprocess—size RAM for concurrent tenants per hosting docs.
Privacy notes
- Session transcripts default to local disk under ~/.claude/projects/ unless mirrored with SessionStore.
- Per-tenant cwd should exclude other tenants' artifact directories.
- Proxy logs may capture tool URLs—apply retention policies per tenant policy.
Prerequisites
- Agent SDK application hosting multiple tenants in one container or host.
- Per-tenant filesystem paths no other tenant can read.
- Outbound proxy supporting per-tenant credentials or domain allowlists.
- Understanding that default SDK behavior loads shared CLAUDE.md and settings from disk.
Schema details
- Install type: copy
- Reading time: 8 min
- Difficulty score: 62
- Troubleshooting: Yes
- Breaking changes: No
Full copyable content
For each tenant, call query() with a dedicated cwd, settingSources disabled, CLAUDE_CONFIG_DIR pointed at a tenant-only directory, CLAUDE_CODE_DISABLE_AUTO_MEMORY=1, and per-tenant egress rules at your outbound proxy.
About this resource
TL;DR
Official Agent SDK hosting documentation describes multi-tenant isolation when
one container serves multiple tenants: disable filesystem settings with
settingSources: [], set CLAUDE_CODE_DISABLE_AUTO_MEMORY=1, point
CLAUDE_CONFIG_DIR at a tenant-only directory, pass a dedicated cwd on every
query() call, and apply per-tenant egress rules at your proxy.
Prerequisites & Requirements
- Tenant paths: Separate cwd and configDir per tenant with filesystem permissions
- Proxy policy: Per-tenant outbound credentials or allowlists documented
- Capacity plan: RAM sized for one subprocess per concurrent session
- Storage strategy: SessionStore configured if tenants resume across restarts
Core Concepts Explained
Why defaults are unsafe for multi-tenant hosts
Hosting docs state that default SDK behavior reads settings and CLAUDE.md memory files from the filesystem. Shared containers without isolation can leak one tenant's context into another tenant's session.
Four SDK-level isolation options
Documentation lists: settingSources: [] (or setting_sources=[] in Python),
CLAUDE_CODE_DISABLE_AUTO_MEMORY=1, per-tenant CLAUDE_CONFIG_DIR, and explicit
cwd on every query() call.
Network isolation is separate
Per-tenant egress rules (distinct outbound IPs, credentials, or domain allowlists) are applied at your proxy, not inside the SDK call alone.
Step-by-Step Implementation Guide
Provision per-tenant directories. Create tenantDir and configDir paths with permissions so tenants cannot read each other's files.
Apply SDK options on every query. TypeScript example from official docs:

```typescript
import { query } from "@anthropic-ai/claude-agent-sdk";

// prompt, tenantDir and configDir are supplied by the host for the tenant being served.
for await (const message of query({
  prompt,
  options: {
    cwd: tenantDir, // tenant-only working directory
    settingSources: [], // do not load settings or CLAUDE.md from the filesystem
    env: {
      ...process.env,
      CLAUDE_CONFIG_DIR: configDir, // tenant-only config directory
      CLAUDE_CODE_DISABLE_AUTO_MEMORY: "1", // auto memory loads regardless of settingSources
    },
  },
})) {
  // handle messages
}
```

Configure outbound proxy. Route each tenant through distinct credentials or domain allowlists per hosting documentation.
Mirror transcripts if sessions resume. Use a SessionStore adapter when tenants expect hybrid or long-running patterns across container restarts.
Size concurrency. Hosting docs recommend measuring peak RSS per session; default starting point is 1 GiB RAM per agent subprocess.
Validate isolation. Run two tenants concurrently and confirm neither reads the other's cwd artifacts or config files.
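The provisioning, per-query options and validation steps above can be tied together in one host-side helper. The following is an added example, not code from the official docs or this guide: the names tenantOptions, overlaps and isolated, the work/config directory layout and the tenant-id pattern are assumptions. It rejects tenant ids that could traverse into another tenant's tree, refuses symlinked directories, forces mode 0700, and returns the documented isolation options.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Helper names are hypothetical; only cwd, settingSources, CLAUDE_CONFIG_DIR
// and CLAUDE_CODE_DISABLE_AUTO_MEMORY come from the guide.
interface TenantOptions {
  cwd: string;
  settingSources: string[];
  env: Record<string, string | undefined>;
}

// Assumed tenant-id format. A strict allowlist keeps "../other" and absolute
// paths from steering path.join() into another tenant's tree.
const TENANT_ID = /^[a-z0-9][a-z0-9_-]{0,62}$/;

function tenantOptions(root: string, tenantId: string): TenantOptions {
  if (!TENANT_ID.test(tenantId)) throw new Error("invalid tenant id");
  const base = path.join(fs.realpathSync(root), tenantId);
  const cwd = path.join(base, "work");
  const configDir = path.join(base, "config");
  for (const dir of [base, cwd, configDir]) {
    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
    // A pre-planted symlink would redirect this tenant into someone else's files.
    if (fs.realpathSync(dir) !== dir) throw new Error(`symlink in path: ${dir}`);
    // mkdir's mode is masked by umask and skipped for existing dirs, so set it.
    // 0700 only separates tenants whose subprocesses run under distinct UIDs.
    fs.chmodSync(dir, 0o700);
  }
  return {
    cwd,
    settingSources: [],
    env: { ...process.env, CLAUDE_CONFIG_DIR: configDir, CLAUDE_CODE_DISABLE_AUTO_MEMORY: "1" },
  };
}

// True when one path equals the other or sits inside it.
function overlaps(a: string, b: string): boolean {
  const inside = (child: string, parent: string): boolean => {
    const rel = path.relative(parent, child);
    return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
  };
  return inside(a, b) || inside(b, a);
}

// Static pre-flight for the validation step: no cwd or config dir is shared or nested.
function isolated(a: TenantOptions, b: TenantOptions): boolean {
  const dirs = (o: TenantOptions): string[] => [o.cwd, String(o.env.CLAUDE_CONFIG_DIR)];
  return dirs(a).every((x) => dirs(b).every((y) => !overlaps(x, y)));
}
```

Pass the returned object as options to query() for that tenant. The isolated() check only catches path layout mistakes; the concurrent two-tenant run described above is still the test of what a session can actually read.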
Troubleshooting
Tenant still sees another project's CLAUDE.md
Confirm settingSources: [] and dedicated cwd; verify auto memory disabled with
CLAUDE_CODE_DISABLE_AUTO_MEMORY=1.
Sessions lost after restart
Configure SessionStore; local transcripts under ~/.claude/projects/ do not
survive container restarts by default.
Rate limits on wide subagent fanouts
Hosting docs advise breaking work into smaller batches rather than one large parallel dispatch.
Source Verification Notes
Verified against https://code.claude.com/docs/en/agent-sdk/hosting on 2026-06-16:
- Multi-tenant isolation section documents settingSources, CLAUDE_CODE_DISABLE_AUTO_MEMORY, CLAUDE_CONFIG_DIR, per-tenant cwd, and per-tenant egress at the proxy.
- Each session maps to one CLI subprocess with local transcript state by default.
- Hybrid and long-running patterns require SessionStore for transcript durability.
- Secure Deployment doc covers additional network and credential hardening.
Duplicate Check
Complements secure-deployment-for-claude-agent-sdk-applications (network and
credential hardening) and external-session-storage-for-claude-agent-sdk-hosts
(SessionStore). This guide focuses on the documented multi-tenant isolation options
inside shared Agent SDK hosts.
References
- Hosting the Agent SDK - https://code.claude.com/docs/en/agent-sdk/hosting
How it compares
Hosting The Claude Agent SDK With Multi-Tenant Isolation side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Hosting The Claude Agent SDK With Multi-Tenant Isolation | Secure Deployment for Claude Agent SDK Applications | Agent Skills in Claude Agent SDK Applications | External Session Storage for Claude Agent SDK Hosts |
|---|---|---|---|---|
| Summary | Isolate Claude Agent SDK tenants in shared containers using documented options: per-tenant cwd, settingSources disabled, CLAUDE_CONFIG_DIR, CLAUDE_CODE_DISABLE_AUTO_MEMORY, and per-tenant egress rules from official hosting documentation. | A practical walkthrough of securely deploying Claude Agent SDK applications: the prompt-injection threat model, isolation options (sandbox runtime, containers, gVisor, VMs), least privilege, the proxy credential pattern, and filesystem controls. | A practical walkthrough of using Agent Skills in the Claude Agent SDK: how skills are discovered from the filesystem via settingSources, the skills option to enable or filter them, tool access, and troubleshooting discovery. | A practical walkthrough of mirroring Claude Agent SDK session transcripts to external storage: the SessionStore interface, the SessionKey shape, resuming across hosts, reference adapters for S3/Redis/Postgres, and behavior notes. |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | guides | guides | guides | guides |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | JPette1783 | JPette1783 | JPette1783 |
| Added | 2026-06-16 | 2026-06-05 | 2026-06-05 | 2026-06-05 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Default SDK behavior can leak one tenant's CLAUDE.md or settings into another session without isolation options. Auto memory at ~/.claude/projects/.../memory/ loads regardless of settingSources unless CLAUDE_CODE_DISABLE_AUTO_MEMORY=1. Each agent session maps to one subprocess—size RAM for concurrent tenants per hosting docs. | ✓Agents generate actions dynamically and can be influenced by content they process (prompt injection); apply defense in depth, not a single control. Use least privilege: mount only needed directories (prefer read-only), restrict network to specific endpoints, and drop Linux capabilities in containers. Inject credentials via a proxy outside the agent boundary so the agent never sees secrets; do not mount ~/.ssh, ~/.aws, .env, or similar into the agent. | ✓The skills option is a context filter, not a sandbox: unlisted skills are hidden from the model but their files remain on disk and are reachable via Read and Bash. Skills are model-invoked; pair them with a tight allowedTools list (and dontAsk where appropriate) so an invoked skill cannot use more tools than intended. The allowed-tools frontmatter in SKILL.md does not apply through the SDK; control tool access with the main allowedTools option. | ✓The store is a mirror, not a replacement: the CLI writes locally first, then append() forwards. sessionStore cannot combine with persistSession: false or enableFileCheckpointing. Mirror writes are best-effort; a failed append emits a system mirror_error message and the query continues, so monitor for mirror_error to detect store data loss. Deleting the main session key must cascade to subagent subkeys; implement delete carefully or treat the backend as append-only. |
| Privacy notes | ✓Session transcripts default to local disk under ~/.claude/projects/ unless mirrored with SessionStore. Per-tenant cwd should exclude other tenants' artifact directories. Proxy logs may capture tool URLs—apply retention policies per tenant policy. | ✓Even read-only code mounts can expose credentials in .env, ~/.git-credentials, ~/.aws, .npmrc, and key files; exclude or sanitize them before mounting. Route egress through a proxy that enforces a domain allowlist and logs requests, so a compromised agent cannot exfiltrate data to arbitrary hosts. The built-in sandbox proxy does not inspect TLS; for stronger guarantees use a TLS-terminating proxy with its CA installed in the agent's trust store. | ✓Skill descriptions are loaded so the model can decide when to use them; keep sensitive workflow detail and secrets out of descriptions. Skills sourced from outside your project run their instructions in your sessions; review them before enabling. Skill content is sent to the model provider when a skill is invoked; treat it like any other prompt content. | ✓Transcripts contain the full conversation, tool inputs, and outputs; store them in a backend you govern with your own encryption, access controls, and retention. The SDK never deletes from your store; retention (TTLs, S3 lifecycle, scheduled cleanup) is your responsibility. Keep backend credentials out of code; pass a pre-configured client to the adapter so you control TLS, region, and pooling. |
| Install | — | — | — | — |
| Config | — | — | — | — |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |