Skip to main content
In this tutorial, we will build a chatbot that only lets specific users access it. We’ll start with the LangGraph template and add token-based security step by step. By the end, you’ll have a working chatbot that checks for valid tokens before allowing access. This is part 1 of our authentication series:
  1. Set up custom authentication (you are here) - Control who can access your bot
  2. Make conversations private - Let users have private conversations
  3. Connect an authentication provider - Add real user accounts and validate using OAuth2 for production
This guide assumes basic familiarity with the following concepts:
Custom auth is only available for LangSmith SaaS deployments or Enterprise Self-Hosted deployments.

1. Create your app

Create a new chatbot using the LangGraph starter template:
The template gives us a placeholder LangGraph app. Try it out by installing the local dependencies and running the development server:
The server will start and open Studio in your browser:
If you were to self-host this on the public internet, anyone could access it. No authentication: the dev server is publicly reachable, anyone can access the bot if exposed to the internet.

2. Add authentication

Now that you have a base LangGraph app, add authentication to it.
In this tutorial, you will start with a hard-coded token for example purposes. You will get to a “production-ready” authentication scheme in the third tutorial.
The Auth object lets you register an authentication function that the LangSmith deployment will run on every request. This function receives each request and decides whether to accept or reject. Create a new file src/security/auth.py. This is where your code will live to check if users are allowed to access your bot:
src/security/auth.py
Notice that your Auth.authenticate handler does two important things:
  1. Checks if a valid token is provided in the request’s Authorization header
  2. Returns the user’s MinimalUserDict
Now tell LangGraph to use authentication by adding the following to the langgraph.json configuration:
langgraph.json

3. Test your bot

Start the server again to test everything out:
If you didn’t add the --no-browser, the Studio UI will open in the browser. By default, we also permit access from Studio, even when using custom auth. This makes it easier to develop and test your bot in Studio. You can remove this alternative authentication option by setting disable_studio_auth: true in your auth configuration:

4. Chat with your bot

You should now only be able to access the bot if you provide a valid token in the request header. Users will still, however, be able to access each other’s resources until you add resource authorization handlers in the next section of the tutorial. Auth gate passes requests with a valid token, but no per-resource filters are applied yet—so users share visibility until authorization handlers are added in the next step. Run the following code in a file or notebook:
You should see that:
  1. Without a valid token, we can’t access the bot
  2. With a valid token, we can create threads and chat
Congratulations! You’ve built a chatbot that only lets “authenticated” users access it. While this system doesn’t (yet) implement a production-ready security scheme, we’ve learned the basic mechanics of how to control access to our bot. In the next tutorial, we’ll learn how to give each user their own private conversations.

Next steps

Now that you can control who accesses your bot, you might want to:
  1. Continue the tutorial by going to Make conversations private to learn about resource authorization.
  2. Read more about authentication concepts.
  3. Check out the API reference for Auth, Auth.authenticate, and MinimalUserDict for more authentication details.