Testing

Testing Feature Flags Per Tenant: Strategies and Common Pitfalls

HelpMeTest

HelpMeTest

7 min read
Testing Feature Flags Per Tenant: Strategies and Common Pitfalls

Feature flags are one of the most powerful tools in a SaaS team's deployment toolkit. They decouple deployment from release, enable gradual rollouts, and let you run experiments without code changes. But in a multi-tenant environment, they also introduce a category of bugs that are extremely hard to debug: wrong tenant gets the flag, flag state bleeds between tenants, A/B experiments interfere with each other, and rollout percentages don't behave as expected.

This guide covers the test strategies you need to verify that your per-tenant feature flag system actually works — from basic isolation checks to rollout mechanics to A/B test interference prevention.

Understanding Per-Tenant Flag State

In a single-tenant context, a flag is either on or off. In a multi-tenant SaaS, the state space is more complex:

  • A flag can be globally on (all tenants)
  • A flag can be globally off (no tenants)
  • A flag can be on for specific tenants (allowlist)
  • A flag can be on for a percentage of tenants (gradual rollout)
  • A flag can be on for tenants matching criteria (plan, region, signup date)
  • A flag can be on for specific users within a tenant (user-level targeting)

Each of these states is a separate test case. Each has separate failure modes.

Basic Flag Isolation Tests

The most fundamental test: a flag enabled for Tenant A must not affect Tenant B.

Test: Flag enabled for Tenant A is not visible to Tenant B
  Setup:
    - Enable flag "new-dashboard" for Tenant A
    - Confirm flag "new-dashboard" is OFF for Tenant B

  Assertions:
    - Authenticate as Tenant A user
    - Assert: new dashboard feature visible/accessible
    - Authenticate as Tenant B user
    - Assert: new dashboard feature NOT visible/accessible
    - Assert: old dashboard shown to Tenant B

Test: Flag disabled for Tenant A does not affect Tenant B
  Setup:
    - Disable flag "experimental-export" for Tenant A
    - Enable flag "experimental-export" for Tenant B

  Assertions:
    - Authenticate as Tenant A user
    - Assert: experimental export NOT available
    - Authenticate as Tenant B user
    - Assert: experimental export IS available

These tests sound obvious but catch the most common class of flag bug: a global flag change that accidentally modifies the wrong scope.

Flag Evaluation Order and Override Testing

Most feature flag systems evaluate flags in priority order: user-level overrides beat tenant-level settings which beat global defaults. Test this hierarchy explicitly:

Test: User-level flag overrides tenant default
  Setup:
    - Global default for "beta-feature": OFF
    - Tenant A setting for "beta-feature": OFF
    - User A1 (within Tenant A) override for "beta-feature": ON

  Assertions:
    - Authenticate as User A1
    - Assert: beta-feature IS enabled (user override wins)
    - Authenticate as User A2 (different user, same tenant, no override)
    - Assert: beta-feature NOT enabled (tenant default applies)

Test: Tenant override supersedes global default
  Setup:
    - Global default for "feature-x": OFF
    - Tenant B override for "feature-x": ON

  Assertions:
    - Authenticate as any Tenant B user
    - Assert: feature-x IS enabled
    - Authenticate as Tenant C user (no override)
    - Assert: feature-x NOT enabled (global default applies)

Testing Flag Inheritance

If your system supports hierarchical flag inheritance (org → workspace → user), test every level:

Test: Workspace-level flag is scoped correctly
  - Org has 3 workspaces: W1, W2, W3
  - Enable flag for W2 only
  - Assert: W2 users see the flag
  - Assert: W1 and W3 users do NOT see the flag
  - Assert: other orgs' workspaces are unaffected

Gradual Rollout Testing

Percentage-based rollouts are where flag bugs get subtle. You can't test randomness directly, but you can test the mechanics.

Rollout Consistency

The most critical property: a given tenant must get the same flag value on every request. Rollouts must be deterministic based on tenant ID, not random on each evaluation:

Test: Rollout assignment is consistent for a tenant
  Setup:
    - Enable flag with 50% rollout

  Test sequence:
    - Evaluate flag for Tenant X: record result (e.g., ON)
    - Evaluate flag for Tenant X again 100 times
    - Assert: EVERY evaluation returns ON (same as first)
    - Never: flag flips between ON and OFF for the same tenant

Flipping flag values on each request is one of the worst flag bugs. It causes intermittent failures that are nearly impossible to reproduce.

Rollout Percentage Distribution

When you set a 10% rollout, approximately 10% of tenants should receive it. Test this at scale:

Test: 10% rollout reaches approximately 10% of tenants
  - Create 1000 test tenant IDs
  - Evaluate flag for each
  - Assert: between 80 and 120 tenants receive the flag (8-12% range)
  - This allows for hash distribution variance

If your flag system uses a hash of the tenant ID against the rollout percentage, verify that the hash function distributes evenly. Biased hashes cause rollouts to affect more or fewer tenants than intended.

Rollout Ratcheting

When you increase a rollout percentage, previously included tenants should remain included:

Test: Increasing rollout percentage doesn't flip existing tenants
  Setup:
    - Set rollout to 10%, record which 100 tenants (of 1000) are in
  
  Action:
    - Increase rollout to 20%

  Assertions:
    - All 100 original tenants are STILL in the rollout
    - An additional ~100 tenants are now added
    - No tenant that was in at 10% is out at 20%

This is the "sticky rollout" property. Without it, increasing from 10% to 20% randomly reassigns the entire set, causing unexpected feature disappearances for tenants who already had access.

A/B Test Interference Testing

Running multiple A/B experiments simultaneously in a multi-tenant system creates interference risks. Tenants in Experiment 1's group B might also be in Experiment 2's group A, creating confounded results.

Mutual Exclusivity Tests

Test: Mutually exclusive experiments don't overlap
  Setup:
    - Experiment A: 50% of tenants get variant "checkout-v2"
    - Experiment B: 50% of tenants get variant "pricing-v2"
    - Configured as mutually exclusive

  Assertions:
    - Sample 1000 tenants
    - Assert: NO tenant is in both Experiment A variant AND Experiment B variant
    - Assert: approximately 50% in Experiment A, 50% in Experiment B, ~0% in both

Test: Non-exclusive experiments can coexist
  Setup:
    - Flag experiment for "new-nav": 30% rollout
    - Flag experiment for "new-search": 30% rollout
    - Not configured as mutually exclusive

  Assertions:
    - Some tenants should be in both (approximately 9% = 30% × 30%)
    - Verify no error or unexpected behavior for tenants in both experiments

Holdout Groups

If you use holdout groups (tenants excluded from all experiments for clean baseline measurement), verify they're correctly excluded:

Test: Holdout tenants receive no experiment flags
  - Identify 5% holdout group
  - Run all active experiments
  - Assert: holdout tenants receive control variant for EVERY experiment
  - Assert: holdout tenants are never assigned a non-control variant

Caching and Flag Staleness Testing

Feature flag systems often cache flag values for performance. Cache bugs are common sources of flag isolation failures.

Cache Invalidation

Test: Flag change propagates within expected window
  1. Tenant A has flag X = OFF (cached)
  2. Admin enables flag X for Tenant A
  3. Wait for cache TTL (or trigger invalidation)
  4. Assert: next request by Tenant A sees flag X = ON
  5. Assert: Tenant B's cache is not affected by Tenant A's change

Test: Cache does not serve stale flag to wrong tenant
  1. Request flag X for Tenant A (caches result)
  2. Request flag X for Tenant B
  3. Assert: Tenant B receives their own flag value, not Tenant A's cached value
  4. This tests that the cache key includes the tenant context

Cache keys that omit tenant context are a classic multi-tenant bug: the first tenant's flag value gets cached and served to all subsequent tenants until the cache expires.

Request-Level Flag Consistency

Test: Flag value is consistent within a single request
  - Even if cache refreshes mid-request, the flag value seen at request start
    must be the same throughout the request lifecycle
  - Assert: no flag value changes between the start and end of one request

Testing Flag Cleanup and Removal

Flags that are never cleaned up accumulate technical debt and eventually cause bugs when old flag checks reference removed flags.

Test: Removed flag returns safe default
  1. Create code that checks flag "old-feature"
  2. Remove "old-feature" from flag system
  3. Assert: code returns the configured default (ON or OFF per your policy)
  4. Assert: no exception or error thrown on flag lookup

Test: Archived flag cannot be re-enabled accidentally
  - Archive/delete flag "deprecated-feature"
  - Attempt to enable it via API or UI
  - Assert: appropriate error or rejection

Monitoring Flag State in Production

With HelpMeTest, you can set up health checks that verify critical flag states are correctly applied per tenant on a schedule. For example: check that your enterprise tenant's premium feature flags are active, that your free-tier tenants don't have access to paid features, and that experiment assignments are consistent. These monitors catch flag system regressions — a flag service downtime, a cache invalidation bug, or a deployment that reset flag state — before your customers notice unexpected behavior changes.

Common Per-Tenant Flag Testing Mistakes

Testing flags only at the API level. Flag behavior needs to be tested at the UI level too. A flag might be correctly evaluated server-side but the UI component might not respond to it correctly.

Not testing the "flag system down" scenario. What happens when your flag service is unavailable? Does your app fail open (treat all flags as ON), fail closed (treat all flags as OFF), or return the last cached value? Test your fallback behavior explicitly.

Assuming hash-based rollouts are perfectly uniform. Verify your actual distribution empirically. Some hash functions cluster poorly for short strings like tenant IDs.

Not testing flag changes during a user session. If a flag changes while a user is logged in, what happens? Do they need to reload? Does your application handle mid-session flag changes gracefully, or does it render into an inconsistent state?

Treating flag tests as optional. Flag bugs are deployment bugs. They bypass your normal code review process because "it's just a flag change." Test them with the same rigor as code changes.

Conclusion

Per-tenant feature flags are powerful but they introduce isolation, consistency, and interference challenges that require dedicated testing. Build a flag test suite that covers: basic isolation between tenants, evaluation order and override priority, rollout consistency and distribution, A/B experiment interference, cache invalidation correctness, and safe fallback behavior.

Flag systems that aren't tested become a source of mysterious, hard-to-reproduce bugs. Flag systems that are tested become a powerful, reliable deployment mechanism.

Read more