From ea82a6710c3ed7c3da60404c880ed5eae78af43b Mon Sep 17 00:00:00 2001
From: Stefan Henke <stefan.henke@sap.com>
Date: Mon, 30 Mar 2026 14:44:07 +0200
Subject: [PATCH] Document tenant-specific IAS host injection in RequestContext

Added instructions for injecting tenant-specific IAS host in background threads.
---
 guides/security/cap-users.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md
index 599467b0e..e599f4e35 100644
--- a/guides/security/cap-users.md
+++ b/guides/security/cap-users.md
@@ -1529,6 +1529,16 @@ Avoid iterating through all subscriber tenants to perform tenant-specific tasks.
 Instead, prefer a task-based approach which processes specific subscriber tenants selectively.
 :::
 
+When creating a new RequestContext in a background thread (without propagating an existing request), you must manually inject the tenant-specific IAS host to use IAS-based Remote Services. Unlike inherited request contexts that automatically carry authentication details, a fresh asynchronous request lacks the IAS host information required for remote service calls. The host can be retrieved from a `TenantInfo` object provided for example by the `TenantProviderService`.
+
+```java
+TenantInto tenantInfo = ...;
+String tenantHost = tenantInfo.get("subscriber").get("tenantHost");
+runtime.requestContext().systemUser(tenantId).modifyUser(user->user.setAdditionalAttribute("iss", tenantHost)).run((reqContext) -> {
+…
+});
+```
+
 </div>
 
 <div class="impl node">