diff --git a/client/src/App.jsx b/client/src/App.jsx
index 45c40b5..039c679 100644
--- a/client/src/App.jsx
+++ b/client/src/App.jsx
@@ -2,6 +2,7 @@ import React from 'react';
 import { BrowserRouter as Router, Routes, Route } from 'react-router-dom';
 import { Toaster } from 'react-hot-toast';
 import { AuthProvider } from './contexts/AuthContext';
+import { MultiTenantAuthProvider } from './contexts/MultiTenantAuthContext';
 import { SocketProvider } from './contexts/SocketContext';
 import APP_CONFIG from './config/app';
 import Layout from './components/Layout';
@@ -18,9 +19,10 @@ import ProtectedRoute from './components/ProtectedRoute';
 function App() { return ( - - - + + + +
+ ); }
diff --git a/server/routes/debug.js b/server/routes/debug.js
index f08d3db..b4ead64 100644
--- a/server/routes/debug.js
+++ b/server/routes/debug.js
@@ -87,21 +87,29 @@ router.get('/heartbeat-payloads', authenticateToken, MultiTenantAuth, async (req
 const { limit = 50, offset = 0, device_id } = req.query;
 const whereClause = {
- raw_payload: { [Op.ne]: null },
- tenant_id: req.user.tenant_id // 🔒 SECURITY: Filter by user's tenant
+ raw_payload: { [Op.ne]: null }
 };
 if (device_id) {
 whereClause.device_id = device_id;
 }
+ // 🔒 SECURITY: Filter heartbeats by user's tenant using device relationship
 const heartbeats = await Heartbeat.findAll({
 where: whereClause,
+ include: [{
+ model: Device,
+ as: 'device',
+ where: {
+ tenant_id: req.user.tenant_id
+ },
+ attributes: ['id', 'name', 'tenant_id']
+ }],
 order: [['received_at', 'DESC']],
 limit: parseInt(limit),
 offset: parseInt(offset),
 attributes: [
- 'id', 'device_id', 'device_key', 'received_at', 'raw_payload', 'tenant_id'
+ 'id', 'device_id', 'device_key', 'received_at', 'raw_payload'
 ]
 });
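Review bot: The tenant boundary in the added `include` block of the `/heartbeat-payloads` query rests on Sequelize's implicit rule that an include carrying a `where` becomes an inner join; nothing in the hunk states this, so a later `required: false` on that include would turn it into a left join and return heartbeats belonging to other tenants' devices. I would pin it with `required: true,` directly after `as: 'device',` and word the comment as `// 🔒 SECURITY: inner join on Device enforces tenant isolation; keep this include required`. The hunk does not show `Device` being imported into debug.js or the `'device'` alias being declared on `Heartbeat`, so both need confirming in the parts of the code outside this view, and a missing `req.user.tenant_id` should be rejected before the query rather than left to the ORM's version-dependent handling of `undefined`. On the unchanged lines, `limit` and `offset` still go from `req.query` through `parseInt` with no radix and no upper bound, so one request can pull an arbitrarily large page of `raw_payload` rows; something like `limit: Math.min(Number.parseInt(limit, 10) || 50, 200),` (200 is an example cap) would bound it. The route handler starts and ends outside the hunk.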