Multi-tenant research is the architecture that lets one platform run studies on behalf of many end customers from a single integration, with each customer walled off in their own workspace. One API key, one codebase, and every customer sees only their own participants, studies, and findings — never another tenant’s data. This guide is for builders and platforms embedding qualitative research via API to serve their own customers: what multi-tenancy means, how per-customer isolation works, where role-based access and the dashboard fit, and the tenancy layer you would otherwise spend a quarter of engineering time building yourself. It builds on User Intuition’s research infrastructure API and stays conceptual — for exact tool names, endpoints, and payloads, defer to the MCP server docs rather than the illustrative shapes here.
This is a distinct concern from wiring research into a single product for your own team. If you are embedding interviews as a feature your own people consume, the guide to embedding customer interviews in your product covers that integration end to end. Multi-tenancy is the layer you add on top of that pattern once your customers — not just your team — are the ones running studies. This guide is about that layer.
What Is Multi-Tenant Research?
Multi-tenant research is an embedded-research model where one platform runs studies on behalf of many end customers, and each customer is isolated in a separate workspace. A tenant is one of your customers. Their studies, participants, results, and accumulated research memory belong only to them and are never visible to another tenant. Your product is the integrator; from each customer’s point of view, the research is theirs alone.
The distinction that matters is single-tenant versus multi-tenant. In a single-tenant setup, you integrate a research API to run studies for yourself — one workspace, your own questions, your own findings. That is the pattern the pillar guide on building customer research into your product walks through. Multi-tenant is what you reach for when the person launching a study is not you but your customer, and you have ten, a hundred, or a thousand of them who must never see each other’s data. The research becomes a feature you sell, and multi-tenancy is what makes that feature safe to sell.
Concretely, a tenant is the unit of isolation. Everything that happens inside a study — the discussion guide, the recruited participants, the transcripts, the structured findings, the cross-study synthesis — is scoped to one workspace. Two customers can run studies on the same topic, in the same week, recruiting from the same panel, and neither will ever encounter the other’s existence. That boundary is the entire point of the architecture, and getting it right is what separates a product you can put a customer’s name on from a liability.
How Does One API Key Serve Many Customers?
One API key serves many customers because tenancy is expressed as workspace scope, not as a separate integration per customer. You wire up the research API once, and from then on every customer is a workspace you provision against that same connection. You do not re-integrate, re-authenticate, or maintain a key per tenant. The platform enforces the boundary; your product decides which workspace each call targets.
The lifecycle is consistent regardless of how many customers you serve:
- Integrate once. Connect the research API and MCP server to your backend a single time. Store the key server-side. This is the only integration work, and it does not repeat as you add customers.
- Provision a workspace per customer. When a customer onboards, create their workspace. This is the tenant boundary — the container everything else scopes to. It carries no other customer’s data and never will.
- Launch studies scoped to that workspace. When a customer starts a study — from your UI, a template, or an internal signal in your product — you create it against their workspace. Recruitment, moderation, and analysis all run inside that scope.
- Retrieve only that tenant’s data. When you pull results, you pull that customer’s results and nothing else. The structured JSON — preference splits, ranked themes, minority objections, verbatim quotes — comes back scoped to the workspace it belongs to.
- Meter and price per workspace. Usage aggregates per tenant, so you can attribute cost, bill each customer independently, and build your own pricing on top.
The advantage compounds as you grow. Adding your thousandth customer is the same operation as adding your first — provision a workspace, launch studies against it — because the integration never changes. Your engineering cost per new customer is close to zero, which is precisely what you want from infrastructure. For the exact tool names and request shapes behind each step, the MCP server overview is authoritative; treat the sequence above as the conceptual model, not the literal API.
Serve research to your customers from one integration. Provision a workspace per customer, launch studies against it, and pull back only their data. Explore the research infrastructure API →
The Tenancy Layer You’d Otherwise Build Yourself
If you decide to serve research to many customers without a multi-tenant API, the tenancy layer becomes your problem — and it is a bigger one than it looks. It is not a database column that says which customer owns a row. It is a set of guarantees you have to design, build, and defend against every future feature. Realistically, it is about a quarter of engineering work before a single interview runs, and it competes for roadmap with the product your customers are paying for.
Here is what “build the tenancy layer yourself” expands into:
- Per-tenant boundaries. Every query, every job, every retrieval has to be scoped to a tenant, and the scoping has to be enforced in a place a bug cannot bypass. One missed filter and Customer A sees Customer B’s verbatims — a breach you cannot walk back.
- Role-based access. You need a permission model that decides which user can reach which workspace and do what inside it, and it has to hold as you add roles, seats, and customer admins.
- Usage attribution. You need to meter consumption per tenant accurately enough to bill on, which means instrumenting every study, interview, and retrieval against the right workspace.
- Supply separation. When one customer uploads their own contact list, that list must never leak into another customer’s recruitment. Blending the panel with per-tenant lists safely is its own design problem.
- Isolation of accumulated knowledge. As studies pile up, each customer’s cross-study synthesis has to draw only on their own history — not the aggregate — or the compounding insight becomes both a privacy leak and irrelevant.
A multi-tenant research API collapses all of that into a boundary the platform already enforces. You get the isolation, the access model, and the attribution as properties of the integration rather than code you own and audit. The comparison is stark once you lay it side by side.
| Dimension | Build the tenancy layer yourself | Multi-tenant research API |
|---|---|---|
| Up-front cost | About a quarter of engineering work before the first interview | One integration; workspaces provision on demand |
| Per-customer boundary | You design, enforce, and audit scoping on every query | Enforced by the platform at the workspace level |
| Role-based access | Build and maintain your own permission model | Roles scope users to workspaces out of the box |
| Usage attribution | Instrument metering per tenant yourself | Usage rolls up per workspace natively |
| Panel + own-list separation | Prevent cross-tenant list leakage in your own code | Both supply paths stay scoped to the tenant |
| Cost of a bug | A cross-tenant data leak you cannot undo | Isolation is a platform guarantee, not your surface |
| What you own | The research plumbing and its failure modes | Your product, on top of the plumbing |
The decision mirrors the one you already made for payments, authentication, and voice. You did not build a card network to charge customers or a telephony stack to place calls. Multi-tenant research is the same class of decision: unless the tenancy and recruitment stack is your core differentiation, building it is spending your scarcest engineering time on infrastructure your customers will never thank you for. Research infrastructure exists so that layer is a call, not a build.
How Is Each Customer’s Data Kept Separate?
Each customer’s data is kept separate because the workspace is a hard boundary, not a convention. Studies, participants, transcripts, structured results, and accumulated research memory all belong to exactly one workspace, and nothing crosses between them. When your product retrieves a customer’s findings, it retrieves that customer’s findings — the isolation is enforced at the point of access, not left to your query discipline.
This keeps three concerns clean at once. Data isolation means one customer’s verbatim quotes and preference splits never appear in another’s results, which is the baseline any customer will expect before they trust you with their research. Attribution means usage is scoped per workspace, so you always know whose study consumed what. And knowledge separation means the compounding research memory — the layer that answers cross-study questions over a customer’s accumulated history — draws only on that customer’s own past studies. That last point is easy to underrate: a customer’s cross-study synthesis is valuable precisely because it is theirs. Blend it with the aggregate and you have both leaked data and diluted the relevance that made the insight worth having.
Isolation is what lets you put a customer’s name on the feature. A tenant researching their own churned accounts, and a different tenant researching a brand-new market segment, coexist on the same integration with zero visibility into each other. From the platform’s side there is one integrator — your product. From each customer’s side there is only their own research. That is the property that turns “we call a research API” into “our customers have their own research workspace,” which is a very different thing to sell.
Role-Based Access: Who Sees What
Multi-tenancy is not only about separating customers from each other; it is also about controlling who does what inside a workspace. Role-based access is the mechanism. A role determines which workspace a user can reach and which actions they can take there, so the boundary holds even when many different people — your engineers, your customers’ admins, individual researchers, and participants — all touch the same integration.
The roles fall into predictable tiers:
| Role | Scope | Typical actions |
|---|---|---|
| Integrator (your platform) | Across all workspaces, programmatically | Provision workspaces, create studies, wire recruitment, pull results |
| Customer admin | One workspace | Configure studies, manage their team’s access, read all of their findings |
| Customer user / researcher | One workspace, scoped further if needed | Launch studies, monitor interviews, read results for their projects |
| Participant | A single interview | Join and complete the interview they were invited to |
The reason this matters is that the buyer and the builder are rarely the same person, and neither is the participant. Your engineer integrates the API but never reads a customer’s themes. A product manager on your customer’s team reads the themes but never writes code. A participant answers questions but sees none of the analysis. Role-based access lets all of them operate against one system without any of them crossing a line they should not. You wrap the high-frequency actions in your own UI and let roles enforce the rest, so a customer admin inviting a teammate never has to think about how the underlying isolation works — it simply holds.
Blending the Panel With Each Customer’s Own List
One of the more powerful things multi-tenancy enables is giving each customer two independent ways to source participants, without either one bleeding across the boundary. Every tenant can recruit from the managed panel or bring their own contact list, and both stay scoped to that tenant’s workspace.
The two supply paths answer different research questions:
- The managed panel. For market-facing questions — a new segment, a category study, an audience the customer does not already have access to — a tenant recruits from a 4M+ vetted panel across 50+ languages by passing targeting parameters like role, industry, and company size. This is the reach a customer could never assemble on their own, and it is the same panel for every tenant, drawn against per-workspace scope.
- The customer’s own list. For product feedback, account research, or an advisory panel, a tenant passes their existing users, leads, or community as a contact list. That uploaded list belongs to that workspace and is never visible to another customer — the separation you built into the tenancy layer is exactly what makes bring-your-own-participant safe in a shared integration.
Most embedded products expose both options per customer, because most customers eventually need both. A tenant researching who might buy a new offering recruits from the panel; the same tenant researching why their own users churned passes a list. Offering both from one integration means your product answers the full spread of questions a customer will ever raise, while the multi-tenant boundary guarantees that one customer’s uploaded list is never another customer’s supply. The mechanics of both paths are identical to the single-tenant case; multi-tenancy only adds the scoping that keeps them per-customer.
Where Does the Dashboard Fit?
The dashboard is where your customers’ non-technical users live. A common assumption is that embedding research via API forces everyone through code — it does not. The integration exposes a dual surface, and you decide who lands where. Your engineers drive the API and MCP server; your customers’ non-technical people work from a dashboard for study setup, monitoring, and reading results, without writing a line of code.
That split is what makes research-as-a-feature usable by the people who consume research. The engineer who integrates the API is on your team. The researcher or product manager who reads the themes is on your customer’s team, and they need a place to configure a study, watch interviews land, and read the analyzed findings. In a multi-tenant setup, each of those users is already scoped to their own workspace by role, so the dashboard they see is theirs — their studies, their participants, their results. You choose how much of that to replicate inside your own product versus hand off to the dashboard; most builders wrap the high-frequency actions in their own UI and let the dashboard carry the long tail of configuration and deep review.
This is also where the question of brand surface comes up, and it is worth keeping light. If you present the research inside your own product, your customers interact with your product, not the underlying platform — the API is the backend, your interface is what they see. How far you take that surface is a decision to make per integration rather than a default to assume; the decision guide on embedding versus white-labeling versus building research covers the trade-offs. The architectural point here is narrower and firmer: isolation and role-based access mean each customer’s dashboard shows only their own research, regardless of how much of your own brand wraps it.
Give your customers a research dashboard without building one. Non-technical users configure studies and read findings; your engineers keep the API. Read the embed-in-product guide →
How Does User Intuition Handle Multi-Tenant Research?
User Intuition exposes the full qualitative research stack — recruitment, AI-moderated interviews, and analysis — as one API and MCP server built for multi-tenant use. You integrate once and provision a workspace per customer; each workspace isolates that customer’s studies, participants, results, and accumulated knowledge from every other tenant. Studies launch scoped to a workspace, results return as structured JSON scoped to the same workspace, and usage rolls up per workspace so you can meter and price each customer independently. Role-based access keeps your engineers, your customers’ users, and participants each inside the boundary they belong to.
Both supply paths work per tenant: a customer can recruit from a 4M+ vetted panel across 50+ languages or pass their own contact list, and neither crosses the workspace boundary. Results come back within 24 hours, only quality interviews are billed, and participant satisfaction runs at 98% with 5/5 ratings on G2 and Capterra — so the experience your customers’ participants have is not a weak point in your product. A single key authenticates the whole integration, and the MCP server connects natively to agent frameworks and coding assistants; if your customers are agents rather than dashboards, the customer research API for AI agents covers that path on the same infrastructure.
The pricing anchors are the underlying platform rates, not what your customers ultimately pay: studies start at $150, audio interviews are $25 each on the Pro plan, and the Starter plan is free with three interviews so you can build and test the multi-tenant integration before spending anything. For reseller economics, volume tiers, and how pricing layers under your own product, talk to us — those terms are set to fit your model rather than published as a fixed rate card. For the tool reference, request and response schemas, and authentication details, see the MCP server documentation. For the broader platform picture, start with the research infrastructure API overview.
Serve customer research to your customers, each in their own isolated workspace. Three free interviews to start, no card, only quality interviews billed. Start building with User Intuition → · Explore the research infrastructure API → · Read the build-on-a-research-API pillar →