Issue a signed JWT on the first request with a validity of 60 seconds containing all of the details about the app, agent, workspace, user that are required to serve requests for that app. Store the JWT in a cookie. On subsequent requests, if the cookie is set and is a valid ticket (and matches the values from the URL), send traffic to the workspace without hitting the database.