feat: add custom-jwt and api-key auth modes #43

Merged

myeolinmalchi merged 3 commits into main from feat/auth-custom-jwt-apikey on Apr 15, 2026
Conversation

@myeolinmalchi
Collaborator

Summary

  • Add custom-jwt auth mode: external IdP authentication with PKCE + OIDC Authorization Code Flow, JWKS-based server-side validation, CSRF state parameter protection
  • Add api-key auth mode: LangGraph Cloud API key authentication with input form UI and server-side validation via /assistants/search endpoint
  • Refactor binary auth predicates (requiresNextAuth/allowsAnonymousAccess) into fine-grained predicates (usesNextAuth/requiresLoginUI/requiresUserIdentity) with backward-compatible deprecated aliases
  • Migrate 15+ callsites across middleware, proxy route, auth handlers, layout, and service files
  • Make proxy route (/api/[..._path]) auth-mode-aware: forwards JWT Bearer for NextAuth/custom-jwt modes, x-api-key for api-key mode
  • Add SSRF protection to /api/auth/validate-api-key endpoint
  • Add server examples: examples/custom-jwt/ (PyJWKClient JWKS validation) and examples/api-key/ (LangGraph Cloud native)
  • Add auth documentation: architecture overview, custom-jwt setup guide (Keycloak/Auth0/Supabase), api-key guide, custom server auth tutorial
  • Add E2E tests for standalone (thread CRUD), api-key (form flow), and custom-jwt (OIDC flow) modes — all verified with real LangGraph server + visual screenshot confirmation

Add two new authentication modes for the universal LangGraph frontend:

- custom-jwt: External IdP authentication with PKCE + OIDC Authorization
  Code Flow, JWKS-based token validation, and CSRF state parameter
- api-key: LangGraph Cloud API key authentication with input form and
  server-side validation via /assistants/search endpoint

Refactor binary auth predicates (requiresNextAuth/allowsAnonymousAccess)
into fine-grained predicates (usesNextAuth/requiresLoginUI/requiresUserIdentity)
with backward-compatible aliases. Migrate 15+ callsites across middleware,
proxy route, auth handlers, and layout files.

Includes server examples, auth architecture docs, setup guide for
Keycloak/Auth0/Supabase, and E2E tests for all new modes.
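To make two of the behaviours in the summary concrete (the proxy route choosing Bearer vs. x-api-key by auth mode, and the validate-api-key endpoint refusing SSRF-style targets before it calls /assistants/search), here is an added TypeScript illustration. It is not code from this PR or the project; the function names, the AuthMode values, the ProxyCreds shape and the TLS-only rule are assumptions.

```typescript
// Added illustration, not code from this PR. Assumed: an auth-mode setting,
// credentials read from the session, and a deployment URL typed into the
// api-key form that the validate-api-key handler probes at /assistants/search.
type AuthMode = "standalone" | "nextauth" | "custom-jwt" | "api-key";

interface ProxyCreds {
  jwt?: string;    // session / IdP token (nextauth, custom-jwt)
  apiKey?: string; // LangGraph Cloud key (api-key)
}

// Rule from the PR summary: Bearer for the JWT-backed modes, x-api-key for api-key.
function upstreamAuthHeaders(mode: AuthMode, creds: ProxyCreds): Record<string, string> {
  switch (mode) {
    case "nextauth":
    case "custom-jwt":
      if (!creds.jwt) throw new Error(`no JWT in session for mode ${mode}`);
      return { Authorization: `Bearer ${creds.jwt}` };
    case "api-key":
      if (!creds.apiKey) throw new Error("no API key submitted");
      return { "x-api-key": creds.apiKey };
    default:
      return {}; // standalone: upstream is called unauthenticated
  }
}

// Literal addresses a server-side fetch must never be steered to.
function isBlockedHost(host: string): boolean {
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.includes(":")) { // IPv6 literal (brackets already stripped)
    const h = host.toLowerCase();
    return h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80") || h.startsWith("::ffff:");
  }
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false; // DNS name: resolve and re-check the address before connecting
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns the URL to probe for a user-supplied deployment URL, or null if unsafe.
function assistantsSearchUrl(deploymentUrl: string): string | null {
  let u: URL | null = null;
  try { u = new URL(deploymentUrl); } catch { /* malformed */ }
  if (!u || u.protocol !== "https:") return null;  // assumption: TLS-only upstreams
  if (u.username || u.password) return null;       // no embedded credentials
  if (isBlockedHost(u.hostname.replace(/^\[|\]$/g, ""))) return null;
  // Keep any base path, drop query/fragment, append the validation endpoint.
  return u.origin + u.pathname.replace(/\/+$/, "") + "/assistants/search";
}
```

The host check only rejects literal addresses; for a DNS name the handler must resolve it and re-check the address it actually connects to, since a name that resolves (or rebinds) to a private range passes this filter.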
@myeolinmalchi myeolinmalchi self-assigned this Apr 15, 2026
@myeolinmalchi myeolinmalchi merged commit e3fabe4 into main Apr 15, 2026
4 checks passed
@myeolinmalchi myeolinmalchi deleted the feat/auth-custom-jwt-apikey branch April 15, 2026 04:56