
Authentication

Pass user auth context from your frontend to the agent so it can scope tools, data, and decisions to the signed-in user.

You have a chat surface or a hook driving an agent and you want every agent run to know who the request came from. By the end of this guide, your frontend will forward a token, the runtime will pass it through, and your agent code will read the resulting user info on every turn.

When to use this

  • Multi-tenant apps where the agent reads or writes per-user data.
  • Tool gating where some tools should only run for authorised users.
  • Audit and billing where every run needs an identity to attribute it to.
  • Session-aware UX where the agent's behaviour depends on the user's role or permissions.

If you don't need any of those, skip auth entirely. The agent runs anonymously and the frontend never has to care about tokens.


Frontend

Pass your token via the properties prop. CopilotKit forwards it to LangGraph as a Bearer token automatically.

frontend/src/app/page.tsx
tsx
import { CopilotKit } from "@copilotkit/react-core/v2";

<CopilotKit
  runtimeUrl="/api/copilotkit"
  properties={{
    authorization: userToken,
  }}
>
  <YourApp />
</CopilotKit>

Backend

LangGraph supports two deployment modes. The frontend code above is the same in both, but the backend wiring differs in where the resolved user identity lands. Pick the tab that matches where your agent runs.

On LangGraph Platform, authentication is a managed service. You declare an @auth.authenticate handler, and Platform runs it on every request before the graph starts. The handler returns a user object that becomes available to every node in the run.

backend/auth.py
python
from langgraph_sdk import Auth

auth = Auth()

@auth.authenticate
async def authenticate(authorization: str | None):
    if not authorization or not authorization.startswith("Bearer "):
        raise Auth.exceptions.HTTPException(status_code=401, detail="Unauthorized")

    token = authorization.removeprefix("Bearer ")  # strip only the leading scheme prefix
    user_info = validate_your_token(token)  # your validation logic

    return {
        "identity": user_info["user_id"],
        "role": user_info.get("role"),
        "permissions": user_info.get("permissions", []),
    }

The return value of the handler shows up in every node's config["configurable"]["langgraph_auth_user"]. From there, scoping tool access or filtering data is straightforward:

backend/agent.py
python
from langchain_core.runnables import RunnableConfig

# AgentState is your graph's own state type.
async def my_agent_node(state: AgentState, config: RunnableConfig):
    # Populated from the dict returned by the @auth.authenticate handler.
    user_info = config["configurable"]["langgraph_auth_user"]
    user_id = user_info["identity"]
    user_role = user_info.get("role")
    # agent logic with user context
    return state

For full handler details, see the LangGraph Platform Authentication documentation.
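
The handler above leaves `validate_your_token` as a placeholder. The following is an added example, not CopilotKit or LangGraph code, of what such a function has to check. It assumes the token is an HS256-signed JWT; `SECRET`, the claim names (`sub`, `role`, `permissions`) and `make_sample_token` are constructed for illustration, and a deployment backed by an identity provider would call that provider's verification library at this point instead.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

# Assumption: HS256 JWTs; SECRET and the claim names are constructed for this example.
SECRET = b"example-only-secret"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def validate_your_token(token: str, *, now: float | None = None) -> dict:
    """Return user_info for a valid token; raise ValueError otherwise (fail closed)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; a token must not choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison against the recomputed MAC.
    if not hmac.compare_digest(signature, _sign(f"{head_b64}.{body_b64}", SECRET)):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return {"user_id": claims["sub"], "role": claims.get("role"),
            "permissions": list(claims.get("permissions", []))}

def make_sample_token(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Build a constructed token for local testing only."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, secret))}"
```

The returned dict has the keys the handler reads (`user_id`, `role`, `permissions`), so it drops into the handler unchanged.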

Tool gating

The most common reason to wire auth is so individual tools can decline to run. Read the resolved user inside the tool's handler and bail if the role doesn't match:

def delete_record(record_id: str, *, user: User):
    if "admin" not in user.permissions:
        raise PermissionError("admin role required")
    # do the delete

This composes with Human in the loop: gate on auth first, surface a confirmation card next, execute last.

Security checklist

  • Always validate the token on the backend. Never trust the frontend's claim.
  • Scope every read and write to the resolved user. Auth context only matters if you actually use it to filter data.
  • Don't log raw tokens. Log the resolved user id (or anonymous) instead.
  • Use HTTPS in production. The Bearer token is sensitive.
  • Refresh strategy. Your frontend is responsible for rotating expired tokens before they reach the agent. CopilotKit doesn't refresh on your behalf.
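
An added example, not part of the original page, that combines the tool-gating pattern with the checklist items on scoping reads and on logging the resolved user id instead of the token. It assumes each tool receives the dict returned by the authenticate handler (`identity`, `role`, `permissions`); `require_permission`, `list_records`, the `records:read` permission name and the `RECORDS` sample data are hypothetical.

```python
from __future__ import annotations
import logging
from functools import wraps

log = logging.getLogger("agent.tools")

# Constructed sample data: records owned by two different users.
RECORDS = {
    "r1": {"owner": "user-42", "body": "q3 forecast"},
    "r2": {"owner": "user-7", "body": "payroll"},
}

def require_permission(permission: str):
    """Gate a tool on a permission in the dict returned by the auth handler."""
    def decorator(tool):
        @wraps(tool)
        def wrapper(*args, user: dict | None = None, **kwargs):
            # Log the resolved identity (or "anonymous"), never the raw token.
            identity = (user or {}).get("identity") or "anonymous"
            if user is None or permission not in user.get("permissions", []):
                log.warning("denied tool=%s user=%s", tool.__name__, identity)
                raise PermissionError(f"{permission} permission required")
            log.info("allowed tool=%s user=%s", tool.__name__, identity)
            return tool(*args, user=user, **kwargs)
        return wrapper
    return decorator

@require_permission("records:read")
def list_records(*, user: dict) -> list[str]:
    # Scope the read to the resolved identity, not to an id supplied by
    # the model or the client.
    return sorted(rid for rid, rec in RECORDS.items() if rec["owner"] == user["identity"])

@require_permission("admin")
def delete_record(record_id: str, *, user: dict) -> bool:
    # Returns True when a record was actually removed.
    return RECORDS.pop(record_id, None) is not None
```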