Get tenant for server side

I am going in circles at the moment trying to find a way to securely apply multitenancy. How would I stop an authenticated user from accessing another tenant? Passing the tenant id in the api url or relying on the http base are not secure enough. I think this should live in the context but not sure how. I know that I am missing a trick somewhere, any ideas?

The tenant is usually retrieved from the host since you should host the application separately for every tenant. We are not aware of any other approach.