Skip to main content

Workspaces Overview

A workspace is the home for everything you build in Miabi. It is the unit of ownership, isolation, and collaboration: every application, database, domain, certificate, volume, deployment, and backup belongs to exactly one workspace.

Miabi dashboard

What a workspace is

Think of a workspace as a self-contained tenant on your Miabi instance. When you sign up, Miabi automatically creates a personal workspace for you — your private space to deploy and experiment without inviting anyone. You can create additional workspaces at any time to separate environments (for example, staging and production) or to collaborate with a team.

Name and display name

Every workspace has two identifiers:

  • A unique name — a lowercase handle (a-z, 0-9, -) that is the workspace's URL key and its container-registry namespace (docker login -u <name>). It can be renamed (URLs and the docker handle change with it, like renaming a GitHub org), except for the built-in system workspace.
  • A free-text display name shown across the console.

Internally the numeric ID and a stable UID remain the durable references, so a rename never breaks stored relationships, foreign keys, or exports.

Multi-tenant isolation

Miabi is multi-tenant by design. Isolation is enforced in two layers:

  • Middleware checks your role on every request.
  • Repository-layer workspace_id scoping guarantees that a request — or an API token — can only ever read or write data belonging to its own workspace.

This means a token issued for one workspace can never reach another workspace's data, even if it knows the other resource's ID. There is no shared global namespace for tenant resources.

note

Roles and the dual-enforcement model are covered in detail in Roles & Permissions.

What a workspace owns

A workspace is the parent of every resource you create:

ResourceDescription
ApplicationsApps deployed from Git, a Docker image, or a marketplace template.
DeploymentsBuild/release history, including rollbacks.
DomainsCustom domains and routing configuration.
CertificatesManaged ACME certs and uploaded custom TLS certs.
DatabasesPostgreSQL, MySQL, MariaDB, Redis, MongoDB, and libSQL instances.
Volumes & backupsPersistent storage and scheduled or manual backups.
MembersUsers invited to the workspace, each with a role.
API tokensWorkspace-scoped bearer tokens.
Encryption keysA per-workspace keyring that protects secrets at rest.

For the full picture of how these resources relate to one another, see the Resource Model.

Next steps