
Deep links and permission expectations

Last reviewed: 2026-04-27 · Owner: Product & Engineering

Goal

Launch partner experiences with the right tenant and partner context without surprising 403 responses.

Prerequisites

  • Known partner_key and tenant id (use synthetic samples in documentation).
  • Understanding of your role’s mutation rights per SPEC-001.

Steps

  1. Confirm deep links issued by Tapestry include the expected query or path segments for tenant and partner.
  2. Validate the user’s session carries claims mapped to admin or partner roles as designed.
  3. Retry with corrected scope when reads fail; do not escalate without first checking X-Actor-Tenant-Id in dev.

Verify

  • Same link works for an allowed persona and is denied (with clear error) for an under-scoped persona.
  • No link embeds secrets or long-lived tokens; URLs are recorded in browser history.

If it fails

Compare against routing policy docs; capture HTTP status and message fields, not full JWTs.
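
The Verify checks and the capture rule above can be automated. The sketch below is an added example, not Tapestry code. It assumes tenant and partner travel as query parameters named `tenant_id` and `partner_key` (the first name is an assumption), and the credential name list, host and sample values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; substitute the ones your routing policy defines.
REQUIRED_PARAMS = ("tenant_id", "partner_key")
# Hypothetical deny-list of parameter names that suggest a credential.
SECRET_NAMES = {"token", "access_token", "id_token", "jwt", "api_key", "secret", "password"}
# Three base64url segments starting with "eyJ" (an encoded '{"') look like a JWT.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def lint_deep_link(url):
    """Return a list of findings; an empty list means the link passes."""
    parts = urlsplit(url)
    findings = []
    # Fragments can carry tokens too, so parse both query and fragment.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    names = {key.lower() for key, _ in pairs}
    for required in REQUIRED_PARAMS:
        if required not in names:
            findings.append(f"missing {required}")
    for key, value in pairs:
        if key.lower() in SECRET_NAMES:
            findings.append(f"credential-like parameter: {key}")
        elif JWT_RE.search(value):
            findings.append(f"JWT-shaped value in parameter: {key}")
    # A token can also hide in a path segment.
    if JWT_RE.search(parts.path):
        findings.append("JWT-shaped value in path")
    return findings


def redact(text):
    """Replace JWT-shaped substrings before text goes into a ticket or log."""
    return JWT_RE.sub("[REDACTED_JWT]", text)


# Constructed samples (synthetic host, tenant and partner values).
GOOD = "https://tapestry.example/launch?tenant_id=t-0001&partner_key=pk-sample"
BAD = "https://tapestry.example/launch?tenant_id=t-0001&session=eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln"

if __name__ == "__main__":
    for link in (GOOD, BAD):
        # Print the redacted form so the sample token never reaches the console log.
        print(redact(link), lint_deep_link(link))
```

Run `redact` over any response body or header dump before attaching it to an escalation, so the status and message fields survive and the token does not.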

Further reading