diff --git a/.changeset/fix-list-todos-tenant-leak.md b/.changeset/fix-list-todos-tenant-leak.md
new file mode 100644
index 00000000..b7b2b30f
--- /dev/null
+++ b/.changeset/fix-list-todos-tenant-leak.md
@@ -0,0 +1,5 @@
+---
+"@aws-blocks/create-blocks-app": patch
+---
+
+Fix multi-tenant data leak in demo template: `listTodos()` no longer falls back to `scan()` when no `sortBy` is provided. All paths now use `query()` with a `userId` filter, ensuring users only see their own todos.
diff --git a/packages/create-blocks-app/templates/demo/aws-blocks/index.ts b/packages/create-blocks-app/templates/demo/aws-blocks/index.ts
index 488f1634..85de1ef7 100644
--- a/packages/create-blocks-app/templates/demo/aws-blocks/index.ts
+++ b/packages/create-blocks-app/templates/demo/aws-blocks/index.ts
@@ -117,17 +117,18 @@ export const api = new ApiNamespace(scope, 'api', (context) => ({
 async listTodos(sortBy?: 'priority' | 'title' | 'createdAt'): Promise {
 const user = await auth.requireAuth(context);
-
- const indexMap = {
- priority: 'byPriority',
- title: 'byTitle',
- createdAt: 'byCreatedAt' } as const;
-
- const iterator = sortBy
- ? todos.query(indexMap[sortBy], { userId: { equals: user.username } })
- : todos.scan();
-
+
+ const indexMap = {
+ priority: 'byPriority',
+ title: 'byTitle',
+ createdAt: 'byCreatedAt' } as const;
+
+ const iterator = todos.query({
+ index: sortBy ? indexMap[sortBy] : 'byCreatedAt',
+ where: { userId: { equals: user.username } }
+ });
+
 return await Array.fromAsync(iterator);
 },
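Review bot: `indexMap[sortBy]` in the new `index: sortBy ? indexMap[sortBy] : 'byCreatedAt'` still relies on the compile-time union type of `sortBy`, which is erased at runtime; if that argument is deserialized from the client request without validation (likely for an `ApiNamespace` method, though the transport is not visible here), an unlisted string yields `index: undefined` and a key such as `'constructor'` yields an inherited function, and what `todos.query` then does is decided by the library rather than by this code. Reject anything that is not one of the three own keys before building the query, e.g. `if (sortBy != null && !Object.hasOwn(indexMap, sortBy)) throw new Error('unsupported sortBy');` placed right after the `as const` literal. The tenant scoping itself looks right as long as every index named in `indexMap` is partitioned (or at least filtered) on `userId`, which cannot be confirmed from this hunk; a comment above `indexMap` such as `// every index listed here must be keyed by userId — listTodos depends on it for tenant isolation` would keep that invariant visible to whoever adds a fourth index. The enclosing `ApiNamespace` callback starts outside the hunk.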