Using workers and tunnel on the same subdomain

Hi All,

So this is the situation:

Typically when setting up a FE + BE I tend to do the following:
FE: www.example.com, worker site
BE: api.example.com (which is a tunnel going into a k8s cluster to a reverse proxy, and all the services are located within that)

The problem with my current project is that what we want to do is have multiple companies using a single application stack.

E.g.
companyX.example.com, with an IDP of companyX
companyY.example.com, with an IDP of companyY

The problem we are facing is with cookies and auth: since companyX and companyY both use the same API, the cookie would be set on api.example.com. So if a customer wants to use both URLs at the same time, they can’t, since only one cookie can be set at a time. So then we have to either log them out or they have to use two browsers, which is not ideal.

To resolve this I can think of two options:

  1. companyX.example.com points to companyX-api.example.com and the same for Y. Both APIs point to the same Cloudflare Tunnel and both DNS records for the FE point to the same worker, where the FE just looks at its current URL and modifies it to go to the correct API endpoint.
  2. companyX.example.com/api/ points to the tunnel. As far as I can tell the only way to do it is to build some logic in the worker to fetch from <GUID>.cfargotunnel.com and return the response, basically making a proxy in workers whenever the /api path is being hit.

We want to keep the idea of a single FE and single API since that is easier for deployability. Also keep in mind that the subdomain count we have to set up is high, so automation is a must.

So my final question is:
Is it performance-optimised to have a proxy on /api that goes to a <GUID>.cfargotunnel.com, and is there any penalty other than more requests hitting the worker, or are you better off going with a subdomain instead of a path postfix?
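
The routing in option 2, as an added example that is not part of the original post: pure helpers that a Worker's fetch handler could call to pick the upstream and keep the auth cookie scoped to one tenant host. It assumes the post's existing api.example.com tunnel hostname as the upstream (not `<GUID>.cfargotunnel.com`), and all function names are hypothetical.

```javascript
// Added example with constructed names; not code from the post or from Cloudflare.
const ZONE = "example.com";                    // zone used in the post
const API_ORIGIN = "https://api.example.com";  // assumption: existing tunnel hostname
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/; // exactly one DNS label
const RESERVED = new Set(["www", "api"]);      // hosts that are not tenants

// Return the tenant label for "<tenant>.example.com", or null for anything else
// (other zones, nested subdomains, reserved names).
function tenantFromHost(host) {
  const h = String(host).toLowerCase().replace(/:\d+$/, "");
  if (!h.endsWith("." + ZONE)) return null;
  const label = h.slice(0, -(ZONE.length + 1));
  return LABEL.test(label) && !RESERVED.has(label) ? label : null;
}

// Map a browser-facing URL to the upstream API URL. Returns null when the
// Worker should serve the front end or the host is not a tenant host.
function upstreamFor(requestUrl) {
  const url = new URL(requestUrl);
  const tenant = tenantFromHost(url.host);
  if (!tenant) return null;
  if (url.pathname !== "/api" && !url.pathname.startsWith("/api/")) return null;
  // Set pathname on a fixed origin instead of resolving a relative URL:
  // resolving "//other-host/x" against API_ORIGIN would change the host.
  const up = new URL(API_ORIGIN);
  up.pathname = url.pathname.slice("/api".length) || "/";
  up.search = url.search;
  return { tenant, url: up.toString() }; // tenant lets the caller tell the API which IDP applies
}

// Rewrite an upstream Set-Cookie so it is host-only: without a Domain
// attribute the browser sends it only to the exact host that received it,
// so companyX and companyY sessions no longer overwrite each other.
function hostOnlyCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim()).filter(Boolean);
  const kept = attrs.filter((a) => !/^domain(\s*=|$)/i.test(a));
  for (const flag of ["Secure", "HttpOnly"]) {
    if (!kept.some((a) => a.toLowerCase() === flag.toLowerCase())) kept.push(flag);
  }
  return [pair, ...kept].join("; ");
}
```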