Skip to content
You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.
Date of last update: September 14, 2022



Orion features have been merged into Tessera! Read our Orion to Tessera migration guide and about all the new Tessera features.

By default, each participant in a privacy network uses its own Besu and Tessera node.

Multi-tenancy allows multiple participants to use the same Besu and Tessera node. Each participant is a tenant, and the operator is the owner of the Besu and Tessera node.


The operator is responsible for configuring multi-tenancy, and has access to all tenant data.



Ensure the multi-tenant Tessera node client API is configured to allow access only by the multi-tenant Besu node. Access to your data is secured through Besu using multi-tenancy mode.

If not configured to allow access only by the multi-tenant Besu node, other Tessera clients, including other Besu nodes, might be able to access tenant data.

To secure access, you can configure TLS between Besu and Tessera with the WHITELIST trust mode.

Multi-tenancy validates that tenants have permission to use the specified HTTP or WebSocket JSON-RPC requests, and the tenant has access to the requested privacy data. Private data is isolated and each tenant uses a JSON Web Token (JWT) for authentication.

You can create the JWT either externally or internally.