ib SSKJr SSKrSSKrSSKJrJr SSKJrJ r \R"S\ RS9r \R"S\ RS9r"SS 5r\R"S S S 9r"S S\R"\5r\R"SS S9r"SS\R(\5r\R"SS S9r\R"SS S9r\R"SS S9r\R"SS S9r\R"SS S9r"SS\R(\\\\\45r"SS\\ R8\ R:\ R<\ R>\ R@45r!"SS\\ RD\ RF\ RH\ RJ\ RL45r'"SS\\ RP\ RR\ RT\ RV\ RX45r-"S S!5r.\R"S"\\/\0\Rb4S9r2"S#S$5r3S)S%jr4S*S&jr5S+S'jr6/S(Qr7g),) annotationsN)CallableSequence) exceptionstypesTH)boundAHc<\rSrSrSrSr\r\rSSjrS Sjr Sr g) Auth a Add custom authentication and authorization management to your LangGraph application. The Auth class provides a unified system for handling authentication and authorization in LangGraph applications. It supports custom user authentication protocols and fine-grained authorization rules for different resources and actions. To use, create a separate python file and add the path to the file to your LangGraph API configuration file (`langgraph.json`). Within that file, create an instance of the Auth class and register authentication and authorization handlers as needed. Example `langgraph.json` file: ```json { "dependencies": ["."], "graphs": { "agent": "./my_agent/agent.py:graph" }, "env": ".env", "auth": { "path": "./auth.py:my_auth" } ``` Then the LangGraph server will load your auth file and run it server-side whenever a request comes in. ???+ example "Basic Usage" ```python from langgraph_sdk import Auth my_auth = Auth() async def verify_token(token: str) -> str: # Verify token and return user_id # This would typically be a call to your auth server return "user_id" @auth.authenticate async def authenticate(authorization: str) -> str: # Verify token and return user_id result = await verify_token(authorization) if result != "user_id": raise Auth.exceptions.HTTPException( status_code=401, detail="Unauthorized" ) return result # Global fallback handler @auth.on async def authorize_default(params: Auth.on.value): return False # Reject all requests (default behavior) @auth.on.threads.create async def authorize_thread_create(params: Auth.on.threads.create.value): # Allow the allowed user to create a thread assert params.get("metadata", {}).get("owner") == "allowed_user" @auth.on.store async def authorize_store(ctx: Auth.types.AuthContext, value: Auth.types.on): assert ctx.user.identity in value["namespace"], "Not authorized" ``` ???+ note "Request Processing Flow" 1. Authentication (your `@auth.authenticate` handler) is performed first on **every request** 2. For authorization, the most specific matching handler is called: * If a handler exists for the exact resource and action, it is used (e.g., `@auth.on.threads.create`) * Otherwise, if a handler exists for the resource with any action, it is used (e.g., `@auth.on.threads`) * Finally, if no specific handlers match, the global handler is used (e.g., `@auth.on`) * If no global handler is set, the request is accepted This allows you to set default behavior with a global handler while overriding specific routes as needed. )on _handlers_global_handlers_authenticate_handler_handler_cachec^[U5Ul0Ul/UlSUl0UlgN)_Onrrrrr)selfs U/home/james-whalen/.local/lib/python3.13/site-packages/langgraph_sdk/auth/__init__.py__init__ Auth.__init__ns6d)= @FH57AE"DFcBURb [S5eXlU$)a6 Register an authentication handler function. The authentication handler is responsible for verifying credentials and returning user scopes. It can accept any of the following parameters by name: - request (Request): The raw ASGI request object - body (dict): The parsed request body - path (str): The request path, e.g., "/threads/abcd-1234-abcd-1234/runs/abcd-1234-abcd-1234/stream" - method (str): The HTTP method, e.g., "GET" - path_params (dict[str, str]): URL path parameters, e.g., {"thread_id": "abcd-1234-abcd-1234", "run_id": "abcd-1234-abcd-1234"} - query_params (dict[str, str]): URL query parameters, e.g., {"stream": "true"} - headers (dict[bytes, bytes]): Request headers - authorization (str | None): The Authorization header value (e.g., "Bearer ") Args: fn: The authentication handler function to register. Must return a representation of the user. This could be a: - string (the user id) - dict containing {"identity": str, "permissions": list[str]} - or an object with identity and permissions properties Permissions can be optionally used by your handlers downstream. Returns: The registered handler function. Raises: ValueError: If an authentication handler is already registered. ???+ example "Examples" Basic token authentication: ```python @auth.authenticate async def authenticate(authorization: str) -> str: user_id = verify_token(authorization) return user_id ``` Accept the full request context: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> str: user = await verify_request(method, path, headers) return user ``` Return user name and permissions: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> Auth.types.MinimalUserDict: permissions, user = await verify_request(method, path, headers) # Permissions could be things like ["runs:read", "runs:write", "threads:read", "threads:write"] return { "identity": user["id"], "permissions": permissions, "display_name": user["name"], } ``` zCAuthentication handler already set as {self._authenticate_handler}.)r ValueErrorrfns r authenticateAuth.authenticates.H  % % 1U &(" r)rrrrrN)returnNone)rr r!r ) __name__ __module__ __qualname____firstlineno____doc__ __slots__rrrr__static_attributes__rrr r s6JXI E0 J EGNIrr VT) contravariantc*\rSrSrSSjrSrg)_ActionHandleric # g7frr*)rctxvalues r__call___ActionHandler.__call__s!sr*N)r0ztypes.AuthContextr1r+r!ztypes.HandlerResult)r#r$r%r&r2r)r*rrr.r.s"'"01" "rr.T) covariantc<\rSrSrSSjrSSjrSrg)_ResourceActionOnic4XlX lX0lX@lgr)authresourceactionr1)rr9r:r;r1s rr_ResourceActionOn.__init__s    rct[U5 [URURURU5 U$r)_validate_handler_register_handlerr9r:r;rs rr2_ResourceActionOn.__call__s)"$))T]]DKKD r)r;r9r:r1N) r9r r:0typing.Literal['threads', 'crons', 'assistants']r;zLtyping.Literal['create', 'read', 'update', 'delete', 'search', 'create_run']r1ztype[T]r!r")r_ActionHandler[T]r!rB)r#r$r%r&rr2r)r*rrr7r7s=  C     rr7VCreateVUpdateVReadVDeleteVSearchc\rSrSr%SrS\S'S\S'S\S'S \S 'S \S 'S \S'SSjr\RSSj5r \RSS.SSjj5r SSSS.SSjjjr Sr g) _ResourceOni+z4 Generic base class for resource-specific handlers. z3type[VCreate | VUpdate | VRead | VDelete | VSearch]r1z type[VCreate]Createz type[VRead]Readz type[VUpdate]Updatez type[VDelete]Deletez type[VSearch]Searchc4XlX l[XSUR5Ul[XSUR 5Ul[XSUR5Ul[XSUR5Ul [XSUR5Ul g)Ncreatereadupdatedeletesearch) r9r:r7rJrPrKrQrLrRrMrSrNrT)rr9r:s rr_ResourceOn.__init__8s   2C Hdkk3  /@ FDII/  3D Hdkk3  3D Hdkk3  3D Hdkk3  rcgrr*rs rr2_ResourceOn.__call__Os ILrNactionscgrr*r resourcesrYs rr2rWXs rr\rYc ^Ubs[U5 [R"[[R[ [ [[[4[TRTRSU55$SU4SjjnX#4nU$)N*c >[U5 [R"[[R[ [ [[[4[TRTRSU55$Nr_ r>typingcastr.UnionrCrDrErFrGr?r9r:)handlerrs r decorator'_ResourceOn.__call__..decorator{sP g &;;v||GWeWg,UVW!$))T]]CI r)rf=_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]r!rirb)rrr\rYrg_s` rr2rWcsz" > b !;;v||GWeWg,UVW!$))T]]CD   R  J   r)r9rPrSrQr:rTrRr9r r:rAr!r")rze_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | _ActionHandler[dict[str, typing.Any]]r!ri)r\str | Sequence[str]rYstr | Sequence[str] | Noner!zCallable[[_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]], _ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]]r)rzl_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | _ActionHandler[dict[str, typing.Any]] | Noner\rmrYrmr!z_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | Callable[[_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]], _ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]]) r#r$r%r&r'__annotations__rrcoverloadr2r)r*rrrIrI+s ?>       C    . __L 4L G LL __ /3  ' ,       #15.2# #.#,# ##rrIc\rSrSr\R \R\R\R\R\R4r \Rr \Rr\Rr\Rr\RrSrg) _AssistantsOnir*N)r#r$r%r&rcrerAssistantsCreateAssistantsReadAssistantsUpdateAssistantsDeleteAssistantsSearchr1rJrKrLrMrNr)r*rrrqrqs} LL        E # #F   D  # #F  # #F  # #Frrqc^\rSrSr\R \\R\\R\\R\\R\\R\\R4r\Rr\Rr\Rr\Rr\Rr\RrSU4SjjrSrU=r$) _ThreadsOnic\>[TU]X5 [XSUR5Ulg)N create_run)superrr7 CreateRunrz)rr9r: __class__s rr_ThreadsOn.__init__s* (?P L$..@ r)rzrk)r#r$r%r&rcretyper ThreadsCreate ThreadsRead ThreadsUpdate ThreadsDelete ThreadsSearch RunsCreater1rJrKrLrMrNr|rr) __classcell__)r}s@rrxrxs LL U ! U   U ! U ! U ! U     E F   D  F  F  F  I  C     rrxc\rSrSr\\R \R\R\R\R\R4r \Rr\Rr\Rr\Rr\RrSrg)_CronsOnir*N)r#r$r%r&rrcrer CronsCreate CronsRead CronsUpdate CronsDelete CronsSearchr1rJrKrLrMrNr)r*rrrrs     OO             E  F ??D   F   F   Frrc\rSrSrS Sjr\R SS.S Sjj5r\R S Sj5rS SS.S SjjjrSrg)_StoreOnicXlgr_authrr9s rr_StoreOn.__init__s rNrXcgrr*)rrYs rr2_StoreOn.__call__s #rcgrr*rs rr2r(+rc^^^Ub[TRSSU5 U$SUU4SjjnU$)auRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on.store async def handler(): ... # Handle all store ops @auth.on.store(actions=("put", "get", "search", "delete")) async def handler(): ... # Handle specific store ops @auth.on.store.put async def handler(): ... # Handle store.put ops Nstorec>[T[5(aT/nOTb [T5OS/nUHn[TRSX 5 M U$)Nr_r isinstancestrlistr?r)rf action_listr;rYrs rrg$_StoreOn.__call__..decoratorsJ'3''&i /6/Bd7m %!$**gvG&NrrfAHOr!rr?r)rrrYrgs` ` rr2rsC2 > djj'4 <I     rrr9r r!r")rYtyping.Literal['put', 'get', 'search', 'list_namespaces', 'delete'] | Sequence[typing.Literal['put', 'get', 'search', 'list_namespaces', 'delete']] | Noner!Callable[[AHO], AHO]rrr!rr)r AHO | NonerYrr!AHO | Callable[[AHO], AHO]) r#r$r%r&rrcror2r)r*rrrrs __  #  #  # # __++* * *   * $**rrrc\rSrSrSrSrS Sjr\RSS.S Sjj5r \RSSj5r SSSS .SS jjjr S r g)ri!amEntry point for authorization handlers that control access to specific resources. The _On class provides a flexible way to define authorization rules for different resources and actions in your application. It supports three main usage patterns: 1. Global handlers that run for all resources and actions 2. Resource-specific handlers that run for all actions on a resource 3. Resource and action specific handlers for fine-grained control Each handler must be an async function that accepts two parameters: - ctx (AuthContext): Contains request context and authenticated user info - value: The data being authorized (type varies by endpoint) The handler should return one of: - None or True: Accept the request - False: Reject with 403 error - FilterType: Apply filtering rules to the response ???+ example "Examples" Global handler for all requests: ```python @auth.on async def log_all_requests(ctx: AuthContext, value: Any) -> None: print(f"Request to {ctx.path} by {ctx.user.identity}") return True ``` Resource-specific handler: ```python @auth.on.threads async def check_thread_access(ctx: AuthContext, value: Any) -> bool: # Allow access only to threads created by the user return value.get("created_by") == ctx.user.identity ``` Resource and action specific handler: ```python @auth.on.threads.delete async def prevent_thread_deletion(ctx: AuthContext, value: Any) -> bool: # Only admins can delete threads return "admin" in ctx.user.permissions ``` Multiple resources or actions: ```python @auth.on(resources=["threads", "runs"], actions=["create", "update"]) async def rate_limit_writes(ctx: AuthContext, value: Any) -> bool: # Implement rate limiting for write operations return await check_rate_limit(ctx.user.identity) ``` )r assistantsthreadsrunscronsrr1cXl[US5Ul[US5Ul[ US5Ul[U5Ul[[[R4Ul g)Nrrr)rrqrrxrrrrrdictrrcAnyr1rs rr _On.__init__asP 'l;!$ 2 dG, d^ #vzz/* rNrXcgrr*r[s rr2 _On.__call__is #rcgrr*rs rr2rqrrr]cb^^^Ub[TRSSU5 U$SUUU4SjjnU$)aRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on async def handler(): ... # Global handler @auth.on(resources="threads") async def handler(): ... # types.Handler for all thread actions @auth.on(resources="threads", actions="create") async def handler(): ... # types.Handler for thread creation Nc>[T[5(aT/nOTb [T5OS/n[T[5(aT/nOTb [T5OS/nUH#nUHn[TRX4U5 M M% U$rar)rf resource_listrr:r;rYr\rs rrg_On.__call__..decorators|)S))!* 3<3HYse '3''&i /6/Bd7m ))F%djj(GL**Nrrr)rrr\rYrgs` `` rr2rtsC( > djj$b 9I     "r)rrrrrr1r)r\rlrYrmr!rrr)rrr\rmrYrmr!r) r#r$r%r&r'r(rrcror2r)r*rrrr!s3jI+ __ /3 #'#, #  ## __+++15.2 + +. + , + $ ++rrcV[U5 U=(d SnU=(d SnUS:Xa?US:Xa9UR(a [S5eURRU5 U$UbUOSnUbUOSnXE4UR;a[SUSUS35eU/URXE4'U$)Nr_zGlobal handler already set.ztypes.Handler already set for z, .)r>rrappendr)r9r:r;rras rr?r?s b3H ]sF36S=  :; ; $$R( I !,H#(Fc 6T^^ #=aS1#QGH H"$v IrcB[R"U5(d[S[USU5S35e[R"U5nSUR ;a[S[USU5S35eSUR ;a[S[USU5S35eg) zValidates that an auth handler function meets the required signature. Auth handlers must: 1. Be async functions 2. Accept a ctx parameter of type AuthContext 3. Accept a value parameter for the data being authorized zAuth handler 'r#z|' must be an async function. Add 'async' before 'def' to make it asynchronous and ensure any IO operations are non-blocking.r0zm' must have a 'ctx: AuthContext' parameter. Update the function signature to include this required parameter.r1z' must have a 'value' parameter. The value contains the mutable data being sent to the endpoint.Update the function signature to include this required parameter.N)inspectiscoroutinefunctionrgetattr signature parameters)rsigs rr>r>s  & &r * *WRR89:3 3    B C CNN"WRR89:P P  cnn$WRR89:P P  %rc[U[R5=(d+ [U[5=(a UR S5S:H$)Nkind StudioUser)rrrrget)users ris_studio_userrs> 4))* - dD ! - HHV  ,r)r rr) r9r r: str | Noner;rr types.Handlerr!r)rzCallable[..., typing.Any]r!r")rz:types.MinimalUser | types.BaseUser | types.MinimalUserDictr!bool)8 __future__rrrccollections.abcrrlanggraph_sdk.authrrTypeVarHandlerr Authenticatorr r r+Protocolr.r4Genericr7rCrDrErFrGrIrrrsrtrurvrqrrrrrrxrrrrrrrrrrrrr?r>r__all__r*rrrsi" .0 ^^D . ^^D 3 34qql NN3d+"V__Q'"  NN3$'q)* ..d 3 ..d 3w$/ ..d 3 ..d 3[&..%'7!JK[|$       $.           F       4>>B nnU.c6::o1F"GH~~B      , : D  *r