diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
index d0c0695..0e25588 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -194,10 +194,24 @@ public class DockerTenantProvisioner implements TenantProvisioner {
         labels.put("prometheus.path", "/api/v1/prometheus");
         labels.put("prometheus.port", "8081");
 
+        // Per-tenant DB isolation: dedicated user+schema when dbPassword is set,
+        // shared credentials for backwards compatibility with pre-isolation tenants.
+        String dsUrl;
+        String dsUser;
+        String dsPass;
+        if (req.dbPassword() != null) {
+            dsUrl = props.datasourceUrl() + "?currentSchema=tenant_" + slug + "&ApplicationName=tenant_" + slug;
+            dsUser = "tenant_" + slug;
+            dsPass = req.dbPassword();
+        } else {
+            dsUrl = props.datasourceUrl();
+            dsUser = props.datasourceUsername();
+            dsPass = props.datasourcePassword();
+        }
         var env = new java.util.ArrayList<>(List.of(
-            "SPRING_DATASOURCE_URL=" + props.datasourceUrl(),
-            "SPRING_DATASOURCE_USERNAME=" + props.datasourceUsername(),
-            "SPRING_DATASOURCE_PASSWORD=" + props.datasourcePassword(),
+            "SPRING_DATASOURCE_URL=" + dsUrl,
+            "SPRING_DATASOURCE_USERNAME=" + dsUser,
+            "SPRING_DATASOURCE_PASSWORD=" + dsPass,
             "CAMELEER_SERVER_CLICKHOUSE_URL=jdbc:clickhouse://cameleer-clickhouse:8123/cameleer",
             "CAMELEER_SERVER_CLICKHOUSE_USERNAME=" + props.clickhouseUser(),
             "CAMELEER_SERVER_CLICKHOUSE_PASSWORD=" + props.clickhousePassword(),