diff --git a/iam/__version__.py b/iam/__version__.py
index c285769..60f3aa5 100644
--- a/iam/__version__.py
+++ b/iam/__version__.py
@@ -1,2 +1,2 @@
 # -*- coding: utf-8 -*-
-__version__ = "2.0.0"
+__version__ = "2.0.1"
diff --git a/iam/contrib/django/dispatcher/dispatchers.py b/iam/contrib/django/dispatcher/dispatchers.py
index fb6b195..d7e2b8e 100644
--- a/iam/contrib/django/dispatcher/dispatchers.py
+++ b/iam/contrib/django/dispatcher/dispatchers.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 """
 TencentBlueKing is pleased to support the open source community by making
-蓝鲸智云-权限中心Python SDK(iam-python-sdk) available.
+蓝鲸智云 - 权限中心 Python SDK(iam-python-sdk) available.
 Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
 Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
 You may obtain a copy of the License at http://opensource.org/licenses/MIT
@@ -90,8 +90,9 @@ def _dispatch(self, request):
         method = data.get("method")
         resource_type = data.get("type")
         if not (method and resource_type):
-            logger.error("resource request(%s) failed with invalid data: %s. method and type required",
-                         request_id, data)
+            logger.error(
+                "resource request(%s) failed with invalid data: %s. method and type required", request_id, data
+            )
             return fail_response(400, "method and type is required field", request_id)
 
         # check resource type
@@ -117,7 +118,12 @@ def _dispatch(self, request):
             return fail_response(500, str(e), request_id)
 
     def _get_options(self, request):
-        return {"language": request.META.get("HTTP_BLUEKING_LANGUAGE", "zh-cn")}
+        opts = {"language": request.META.get("HTTP_BLUEKING_LANGUAGE", "zh-cn")}
+        # tenant_id is required for multi-tenant
+        if "HTTP_X_BK_TENANT_ID" in request.META:
+            opts["tenant_id"] = request.META["HTTP_X_BK_TENANT_ID"]
+
+        return opts
 
     def _dispatch_list_attr(self, request, data, request_id):
         options = self._get_options(request)
diff --git a/iam/contrib/iam_migration/utils/do_migrate.py b/iam/contrib/iam_migration/utils/do_migrate.py
index cf9e94b..4ed8bc7 100644
--- a/iam/contrib/iam_migration/utils/do_migrate.py
+++ b/iam/contrib/iam_migration/utils/do_migrate.py
@@ -129,10 +129,11 @@ def http_delete(url, data, headers=None, verify=False, cert=None, timeout=None,
 
 
 class Client(object):
-    def __init__(self, app_code, app_secret, bk_apigateway_url):
+    def __init__(self, app_code, app_secret, bk_apigateway_url, tenant_id=""):
         self.app_code = app_code
         self.app_secret = app_secret
         self.bk_apigateway_url = bk_apigateway_url.rstrip("/")
+        self.tenant_id = tenant_id
         self.system_id_set = set()
         self.resource_id_set = set()
         self.action_id_set = set()
@@ -142,6 +143,8 @@ def _call_iam_api(self, http_func, path, data):
         headers = {
             "X-Bkapi-Authorization": json.dumps({"bk_app_code": self.app_code, "bk_app_secret": self.app_secret}),
         }
+        if self.tenant_id:
+            headers["X-Bk-Tenant-Id"] = self.tenant_id
 
         url = "{host}{path}".format(host=self.bk_apigateway_url, path=path)
         ok, _data = http_func(url, data, headers=headers)
@@ -558,7 +561,7 @@ def api_ping(bk_apigateway_url):
     return ok, data
 
 
-def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app_secret=APP_SECRET):
+def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app_secret=APP_SECRET, tenant_id=""):
     system_id = data.get("system_id")
     if not system_id:
         print("invald json. [system_id] required, and should not be empty")
@@ -571,7 +574,7 @@ def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app
 
     print("do migrate")
 
-    client = Client(app_code, app_secret, bk_apigateway_url)
+    client = Client(app_code, app_secret, bk_apigateway_url, tenant_id=tenant_id)
 
     # 1. query all data of the system
     system_ids, resource_type_ids, action_ids, instance_selection_ids = client.query_all_models(system_id)
@@ -623,6 +626,7 @@ def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app
     )
     p.add_argument("-a", action="store", dest="app_code", help="app code", required=True)
     p.add_argument("-s", action="store", dest="app_secret", help="app secret", required=True)
+    p.add_argument("--tenant_id", action="store", dest="tenant_id", help="tenant id", default="", required=False)
 
     args = p.parse_args()
 
@@ -630,6 +634,7 @@ def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app
     APP_CODE = args.app_code
     APP_SECRET = args.app_secret
     BK_APIGATEWAY_URL = args.bk_apigateway_url.rstrip("/")
+    tenant_id = args.tenant_id
 
     # test ping
     ok, _ = api_ping(BK_APIGATEWAY_URL)
@@ -644,7 +649,7 @@ def do_migrate(data, bk_apigateway_url=BK_APIGATEWAY_URL, app_code=APP_CODE, app
     if not data:
         exit(1)
 
-    ok = do_migrate(data, BK_APIGATEWAY_URL, APP_CODE, APP_SECRET)
+    ok = do_migrate(data, BK_APIGATEWAY_URL, APP_CODE, APP_SECRET, tenant_id=tenant_id)
     if not ok:
         print("do migrate [%s] fail" % data_file)
         exit(1)