The define tier is API Studio (the apistudio gateway), where you build entities and logic blocks — guarded by your org role. The run tier is the app gateway at /app/{orgCode}/..., where your app's users hit the live data APIs — guarded by tenant ACL. They never share a table or an authorizer.

Only through ACL policies, attached to a user directly (useraclpolicy) or via a group (usergroup). A tenant role is just a label and grants nothing — to change access, attach an aclpolicy. See Auth & access → ACL, roles & groups.

Use a logic block when one call needs multiple entity operations, branching or loops, an external/webhook/connector call, or AI. It's a multi-step pipeline exposed as a single endpoint.

Yes. AI providers resolve through three tiers: platform defaults, an org enable gate, and per-workspace keys. Each workspace stores its own api_key and default_model. OpenAI-compatible providers (Grok, DeepSeek, …) work by setting protocol: openai and a base_url — no code change.

Credentials are saved per workspace as an encrypted settings record (group=connector). The platform defines the connector and its credential form; the org admin builds the automation; each tenant enters their own keys, which are AES-256 encrypted and never returned by any API.

Build in the test environment, then use the Deploy view to diff and publish entities, logic blocks, events, and settings to prod. Published items land staged, then activate to go live, with one-step rollback. App data is never deployed — only configuration.

Attach an after-event to an entity's create or update. When a record changes, the platform matches your automation, resolves {{source.*}} field mappings, and asynchronously invokes the destination — a connector, webhook, notification, S3 write, or another entity write.