Use the secretOrKeyProvider option in PassportStrategy to perform a dynamic secret lookup. Decode the token without verifying it to extract the tenantId, look up that tenant's secret, and return it to Passport for signature verification. This is safe because the unverified payload is used only to select the verification secret; nothing in it is trusted until the signature has been checked.
Decoding without verifying to read tenantId is safe — the payload is only used to look up the verification secret.
The signature is verified by Passport after secretOrKeyProvider returns the correct secret.
validate() confirms the user belongs to the tenant in the token — prevents cross-tenant token reuse.
Use a different signing key per tenant — a compromised tenant's secret does not affect other tenants.
Cache tenant secrets with a short TTL to avoid a database lookup on every request.
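The flow above, as an added example that is not code from the original note or from NestJS/passport-jwt. To keep it runnable without the framework, the HS256 signing and verification that passport-jwt normally performs are written out with Node's crypto module, the tenant registry and user-to-tenant mapping are constructed in-memory stand-ins for the database, and the secretOrKeyProvider function keeps passport-jwt's (request, rawJwtToken, done) callback shape so it could be passed straight to super() in a real strategy. The tenant IDs, user names and secrets are all constructed sample values.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed stand-in for the tenant table: one signing secret per tenant.
const TENANT_SECRETS: Record<string, string> = {
  'tenant-a': 'constructed-secret-for-tenant-a',
  'tenant-b': 'constructed-secret-for-tenant-b',
};
// Constructed stand-in for the user table: which tenant each user belongs to.
const USER_TENANT: Record<string, string> = { alice: 'tenant-a', bob: 'tenant-b' };

export interface JwtPayload { sub: string; tenantId: string; exp?: number }

const b64url = (b: Buffer): string => b.toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

// Issues an HS256 token; only here so the example can construct its own inputs.
export function signHs256(payload: JwtPayload, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Step 1: decode WITHOUT verifying. The only field read from the result is
// tenantId, and it is used solely to choose which secret to verify against.
export function decodeUnverified(token: string): JwtPayload | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(fromB64url(parts[1]).toString('utf8')) as JwtPayload; }
  catch { return null; }
}

// Step 2: tenant secret lookup with a short TTL cache in front of the "database".
const secretCache = new Map<string, { secret: string; expiresAt: number }>();
const CACHE_TTL_MS = 60_000;
export function lookupTenantSecret(tenantId: string, now = Date.now()): string | undefined {
  const hit = secretCache.get(tenantId);
  if (hit && hit.expiresAt > now) return hit.secret;
  const secret = TENANT_SECRETS[tenantId];
  if (secret) secretCache.set(tenantId, { secret, expiresAt: now + CACHE_TTL_MS });
  return secret;
}

// passport-jwt's secretOrKeyProvider signature: (request, rawJwtToken, done).
// Returning an error for an unknown tenant makes Passport reject the request.
export function secretOrKeyProvider(
  _request: unknown,
  rawJwtToken: string,
  done: (err: Error | null, secret?: string) => void,
): void {
  const tenantId = decodeUnverified(rawJwtToken)?.tenantId;
  const secret = typeof tenantId === 'string' ? lookupTenantSecret(tenantId) : undefined;
  if (!secret) return done(new Error('unknown tenant'));
  done(null, secret);
}

// Step 3: what Passport does with the returned secret. The algorithm is pinned
// to HS256 so an attacker-chosen "alg" (e.g. "none") cannot bypass the check.
export function verifyHs256(token: string, secret: string, now = Date.now()): JwtPayload | null {
  const [header, body, sig] = token.split('.');
  if (!header || !body || !sig) return null;
  let alg: unknown;
  try { alg = JSON.parse(fromB64url(header).toString('utf8')).alg; } catch { return null; }
  if (alg !== 'HS256') return null;
  const expected = createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = fromB64url(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = decodeUnverified(token);
  if (!payload || (payload.exp !== undefined && payload.exp * 1000 < now)) return null;
  return payload;
}

// Step 4: validate(). A token that verifies under tenant A's secret must still
// name a user who belongs to tenant A, or it is rejected (cross-tenant reuse).
export function validate(payload: JwtPayload): { userId: string; tenantId: string } | null {
  if (USER_TENANT[payload.sub] !== payload.tenantId) return null;
  return { userId: payload.sub, tenantId: payload.tenantId };
}

// End to end: what the guard effectively does for one bearer token.
export function authenticate(rawJwtToken: string): { userId: string; tenantId: string } | null {
  let resolved: string | undefined;
  secretOrKeyProvider(null, rawJwtToken, (err, secret) => { if (!err) resolved = secret; });
  if (!resolved) return null;
  const payload = verifyHs256(rawJwtToken, resolved);
  return payload ? validate(payload) : null;
}
```

Note that verifyHs256 pins the algorithm rather than reading it from the token; in a real passport-jwt strategy the equivalent is the algorithms option passed alongside secretOrKeyProvider. The cache key is the tenantId, so rotating a tenant's secret takes effect within one TTL window.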