website/src/content/docs/actors/authentication.mdx
- **Backend-only actors**: If your publishable token is only included in your backend, then authentication is not necessary.
- **Frontend-accessible actors**: If your publishable token is included in your frontend, then implementing authentication is recommended.
- **Only accessible within private network**: If Rivet is only accessible within your private network, then authentication is not necessary.
- **Rivet exposed to the public internet**: If Rivet is configured to accept traffic from the public internet, then implementing authentication is recommended.
Authentication is configured through either:
onBeforeConnect for simple pass/fail validationcreateConnState when you need to access user data in your actions via c.conn.stateAfter a connection is authenticated, use Access Control to enforce authorization:
queues.<name>.canPublish to gate inbound queue publishes.events.<name>.canSubscribe to gate event subscriptions.onBeforeConnectThe onBeforeConnect hook validates credentials before allowing a connection. Throw an error to reject the connection.
createConnStateUse createConnState to extract user data from credentials and store it in connection state. This data is accessible in actions via c.conn.state. Like onBeforeConnect, throwing an error will reject the connection. See connections for more details.
Authentication hooks have access to several properties:
| Property | Description |
|---|---|
params | Custom data passed by the client when connecting (see connection params) |
c.request | The underlying HTTP request object |
c.request.headers | Request headers for tokens, API keys (does not work for .connect()) |
c.state | Actor state for authorization decisions (see state) |
c.key | The actor's key (see keys) |
It's recommended to use params instead of c.request.headers whenever possible since it works for both HTTP & WebSocket connections.
Pass authentication data when connecting. Use getParams when you need a fresh JWT for every connection or reconnect:
Authentication errors use the same system as regular errors. See errors for more details.
<CodeGroup> <CodeSnippet file="examples/docs/actors-authentication/handling-errors-connection.ts" title="Connection" /> <CodeSnippet file="examples/docs/actors-authentication/handling-errors-stateless.ts" title="Stateless-Action" /> </CodeGroup>Validate JSON Web Tokens and extract user claims:
<CodeSnippet file="examples/docs/actors-authentication/jwt.ts" />Validate credentials against an external authentication service:
<CodeSnippet file="examples/docs/actors-authentication/external-auth-provider.ts" />c.state In AuthorizationAccess actor state via c.state and the actor's key via c.key to make authorization decisions:
Create helper functions for common authorization patterns:
<CodeSnippet file="examples/docs/actors-authentication/role-based-access-control.ts" />Use c.vars to track connection attempts and rate limit by user:
The limits in this example are ephemeral. If you wish to persist rate limits, you can optionally replace vars with state.
Cache validated tokens in c.vars to avoid redundant validation on repeated connections. See ephemeral variables for more details.
AuthIntent - Authentication intent typeOnBeforeConnectContext - Context for auth checksOnConnectContext - Context after connection