Tags are free-form labels you attach to applications. They have no effect on authentication or authorisation — they're for your own bookkeeping. But once you have more than a handful of applications, the right tag scheme makes operating the tenant noticeably easier.
Where to set them
Section titled “Where to set them”Application detail → Settings tab → General → Tags. Type a tag, press Enter to add. Click an existing tag's × to remove. No save button — tags persist on change.
What to tag
Section titled “What to tag”Patterns that have paid off in practice:
- Environment —
production,staging,dev. Useful when applications-per-env is on a single application. - Team owner —
team:platform,team:payments,team:internal-tools. Useful when you have many teams. - Visibility —
customer-facing,internal,admin-only. Useful for audit triage. - Tier —
tier:critical,tier:nice-to-have. Useful when scoping incident response. - Compliance —
pci,hipaa,sox. Useful when audit asks "which apps touch regulated data?" - Lifecycle —
deprecated,migration-in-progress. Useful for finding apps that shouldn't be receiving new traffic.
You don't need all of these; pick one or two dimensions and stick to them.
Filtering by tag
Section titled “Filtering by tag”The application list view has a tag filter. Type a tag, only matching applications show. Combine multiple tags for AND filtering ("production" + "team:platform" = platform team's production apps).
Bulk operations + tags
Section titled “Bulk operations + tags”Filter to a tagged set, multi-select, bulk-disable / bulk-enable / bulk-delete. See Bulk operations.
The combination is the operational sweet spot: "deprecated" tag, filter, select all, disable. Five clicks.
Naming conventions
Section titled “Naming conventions”Two cheap suggestions:
- Use lowercase + dashes.
customer-facingnotcustomerFacingorCustomer Facing. Consistent display + search. - Use prefixes for namespaces.
team:platformnotplatform. Makes "all team-prefixed tags" easy to identify when auditing.
The platform doesn't enforce a scheme — Customer Facing is a valid tag too. Picking a convention saves grumbling later.
What tags don't do
Section titled “What tags don't do”- Tags do not affect access control. An application tagged
internal-onlyis just as accessible as one without the tag. - Tags do not appear on tokens. Don't try to communicate runtime policy via tags.
- Tags are not versioned or audit-snapshot. The audit log records changes to tags, but not the historical tag set at a given moment.
If you want a behavioural change (e.g., "this app should not be reachable from production"), use Disable. If you want to remember why something was disabled, leave a note in the application's description.