Each signing order in the system is assigned to a Tenant, identified by a unique ID. This ID is assigned when the order is created, and is never changed.
Orders created through the web UI are always assigned the Tenant ID "default". In the web UI, where the user is authenticated, it is only possible to access orders that involves the user, either as solicitor, signer, or both. Thus, the Tenant ID plays no role in the authenticated web UI.
Calls to the Automation API are not authenticated. Orders created through the Automation API are assigned a Tenant ID given by the Authorization HTTP header, in the POST request to create orders. If the header is not present in the request, the order is assigned the Tenant ID "default". Subsequent requests on the order ID matches the Authorization header against the Tenant ID assigned to the order, and returns the order only if there is a match.
To keep the Automation API clients from injecting any ID, or no ID at all (thus assigning the default ID), in the Authorization header, a TLS terminating proxy must be put in front of the Automation API. Each Tenant should be assigned a unique path, accessible only for clients that can present the correct client certificate. The proxy should then convert the outward facing path to the corresponding Automation API path, while also injecting the Tenant ID in the Authorization header.