docs/src/content/en/docs/server/auth/workos.mdx
import Tabs from "@theme/Tabs"; import TabItem from "@theme/TabItem";
The @mastra/auth-workos package provides authentication for Mastra using WorkOS. It verifies incoming requests using WorkOS access tokens and integrates with the Mastra server using the auth option.
This example uses WorkOS authentication. Make sure to:
```bash
WORKOS_API_KEY=sk_live_...
WORKOS_CLIENT_ID=client_...
```
:::note
You can find your API key and Client ID in the WorkOS Dashboard under API Keys and Applications respectively.
For detailed setup instructions, refer to the WorkOS documentation for your specific platform.
:::
Before you can use the MastraAuthWorkos class you have to install the @mastra/auth-workos package.
```bash
npm install @mastra/auth-workos@latest
```
```typescript
import { Mastra } from '@mastra/core'
import { MastraAuthWorkos } from '@mastra/auth-workos'

export const mastra = new Mastra({
  server: {
    auth: new MastraAuthWorkos(),
  },
})
```
```typescript
import { Mastra } from '@mastra/core'
import { MastraAuthWorkos } from '@mastra/auth-workos'

export const mastra = new Mastra({
  server: {
    auth: new MastraAuthWorkos({
      apiKey: process.env.WORKOS_API_KEY,
      clientId: process.env.WORKOS_CLIENT_ID,
    }),
  },
})
```
By default, MastraAuthWorkos checks whether the authenticated user has an 'admin' role in any of their organization memberships. The authorization process:
To customize user authorization, provide a custom authorizeUser function:
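```typescript
import { MastraAuthWorkos } from '@mastra/auth-workos'

const workosAuth = new MastraAuthWorkos({
  apiKey: process.env.WORKOS_API_KEY,
  clientId: process.env.WORKOS_CLIENT_ID,
  // Replaces the default 'admin' role check: as written, this accepts
  // every authenticated user.
  authorizeUser: async user => {
    return !!user
  },
})
```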
:::info
Visit MastraAuthWorkos for all available configuration options.
:::
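
The default check accepts an 'admin' role in any organization membership, and the `authorizeUser` sample above accepts every authenticated user. The following added example (not code from the Mastra or WorkOS projects) is a stricter decision function that an `authorizeUser` callback could call after looking up the user's memberships; the `Membership` shape, the `isAuthorized` and `AccessPolicy` names, and every identifier in the sample data are assumptions made for illustration.

```typescript
// Assumed shape: the subset of an organization membership record this check
// needs. Adapt it to whatever your membership lookup returns.
interface Membership {
  organizationId: string
  status: 'active' | 'inactive' | 'pending'
  role: { slug: string }
}

interface AccessPolicy {
  organizationId: string // the one organization allowed to use this server
  allowedRoles: string[] // role slugs accepted inside that organization
}

// Fails closed: no user, no memberships, a role held in a different
// organization, or a membership that is not active all return false.
function isAuthorized(user: unknown, memberships: Membership[], policy: AccessPolicy): boolean {
  if (!user || memberships.length === 0) return false
  const allowed = new Set(policy.allowedRoles)
  return memberships.some(
    m =>
      m.organizationId === policy.organizationId &&
      m.status === 'active' &&
      allowed.has(m.role.slug),
  )
}

// Constructed sample data; none of these are real WorkOS identifiers.
const policy: AccessPolicy = {
  organizationId: 'org_example_acme',
  allowedRoles: ['admin', 'operator'],
}
const adminElsewhere: Membership[] = [
  { organizationId: 'org_example_other', status: 'active', role: { slug: 'admin' } },
]
const pendingAdmin: Membership[] = [
  { organizationId: 'org_example_acme', status: 'pending', role: { slug: 'admin' } },
]
const activeOperator: Membership[] = [
  { organizationId: 'org_example_other', status: 'active', role: { slug: 'member' } },
  { organizationId: 'org_example_acme', status: 'active', role: { slug: 'operator' } },
]

const sampleUser = { id: 'user_example' }
console.log('admin of another org:', isAuthorized(sampleUser, adminElsewhere, policy))
console.log('pending admin:', isAuthorized(sampleUser, pendingAdmin, policy))
console.log('active operator:', isAuthorized(sampleUser, activeOperator, policy))
```
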
When using WorkOS auth, you'll need to implement the WorkOS authentication flow to exchange an authorization code for an access token, then use that token with your Mastra requests.
First, install the WorkOS SDK in your application:
```bash
npm install @workos-inc/node
```
After users complete the WorkOS authentication flow and return with an authorization code, exchange it for an access token:
```typescript
import { WorkOS } from '@workos-inc/node'

const workos = new WorkOS(process.env.WORKOS_API_KEY)

export const authenticateWithWorkos = async (code: string, clientId: string) => {
  const authenticationResponse = await workos.userManagement.authenticateWithCode({
    code,
    clientId,
  })

  return authenticationResponse.accessToken
}
```
:::note
Refer to the WorkOS User Management documentation for more authentication methods and configuration options.
:::
When auth is enabled, all requests made with `MastraClient` must include a valid WorkOS access token in the `Authorization` header:
```typescript
import { MastraClient } from '@mastra/client-js'

export const createMastraClient = (accessToken: string) => {
  return new MastraClient({
    baseUrl: 'https://<mastra-api-url>',
    headers: {
      Authorization: `Bearer ${accessToken}`,
    },
  })
}
```
:::info
The access token must be prefixed with Bearer in the Authorization header.
Visit Mastra Client SDK for more configuration options.
:::
Once MastraClient is configured with the WorkOS access token, you can send authenticated requests:
```typescript
import { WorkOS } from '@workos-inc/node'
import { MastraClient } from '@mastra/client-js'

const workos = new WorkOS(process.env.WORKOS_API_KEY)

export const callMastraWithWorkos = async (code: string, clientId: string) => {
  // Exchange the authorization code for a WorkOS access token.
  const authenticationResponse = await workos.userManagement.authenticateWithCode({
    code,
    clientId,
  })

  const token = authenticationResponse.accessToken

  // Send the token as a Bearer credential on every request to Mastra.
  const mastra = new MastraClient({
    baseUrl: 'http://localhost:4111',
    headers: {
      Authorization: `Bearer ${token}`,
    },
  })

  const weatherAgent = mastra.getAgent('weatherAgent')
  const response = await weatherAgent.generate("What's the weather like in Nairobi")

  return response.text
}
```