Skip to main content
This guide shows you how to add custom authentication to your LangSmith application. The steps on this page apply to both cloud and self-hosted deployments. It does not apply to isolated usage of the LangGraph open source library in your own custom server.

Add custom authentication to your deployment

To leverage custom authentication and access user-level metadata in your deployments, set up custom authentication to automatically populate the config["configurable"]["langgraph_auth_user"] object through a custom authentication handler. You can then access this object in your graph with the langgraph_auth_user key to allow an agent to perform authenticated actions on behalf of the user.
  1. Implement authentication:
    Without a custom @auth.authenticate handler, LangGraph sees only the API-key owner (usually the developer), so requests aren’t scoped to individual end-users. To propagate custom tokens, you must implement your own handler.
  • This handler receives the request (headers, etc.), validates the user, and returns a dictionary with at least an identity field.
  • You can add any custom fields you want (e.g., OAuth tokens, roles, org IDs, etc.).
  1. In your langgraph.json, add the path to your auth file:
  2. Once you’ve set up authentication in your server, requests must include the required authorization information based on your chosen scheme. Assuming you are using JWT token authentication, you could access your deployments using any of the following methods:
    For more details on RemoteGraph, refer to the Use RemoteGraph guide.

Enable agent authentication

After authentication, the platform creates a special configuration object (config) that is passed to LangSmith deployment. This object contains information about the current user, including any custom fields you return from your @auth.authenticate handler. To allow an agent to perform authenticated actions on behalf of the user, access this object in your graph with the langgraph_auth_user key:
Fetch user credentials from a secure secret store. Storing secrets in graph state is not recommended.

Authorizing a user for Studio

By default, if you add custom authorization on your resources, this will also apply to interactions made from Studio. If you want, you can handle logged-in Studio users differently by checking is_studio_user().
is_studio_user was added in version 0.1.73 of the langgraph-sdk. If you’re on an older version, you can still check whether isinstance(ctx.user, StudioUser).
Only use this if you want to permit developer access to a graph deployed on the managed LangSmith SaaS.

Learn more