@agent-native/core 0.24.4 → 0.24.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/onboarding/default-steps.d.ts.map +1 -1
- package/dist/onboarding/default-steps.js +0 -17
- package/dist/onboarding/default-steps.js.map +1 -1
- package/dist/server/auth.d.ts +0 -1
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +14 -338
- package/dist/server/auth.js.map +1 -1
- package/docs/content/authentication.md +8 -9
- package/docs/content/deployment.md +2 -2
- package/package.json +1 -1
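Review bot: the only hunks rendered on this page are the two docs files; the substantive code changes, `package/dist/server/auth.js` (+14/-338) and the deleted onboarding step in `default-steps.js`, are listed but not shown, so the documentation claims below (static tokens no longer act as browser auth, no token login page is rendered for visitors) cannot be checked against the code from this diff alone. Before accepting the doc wording, confirm in `auth.js` that the token login route and page described by the old "Simple shared token for production" bullet are gone, and that a bare `ACCESS_TOKEN` in the environment no longer satisfies the session check for ordinary web requests.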
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
title: "Authentication"
|
|
3
|
-
description: "Better Auth integration with email/password, social providers, organizations, and
|
|
3
|
+
description: "Better Auth integration with email/password, social providers, organizations, and MCP bearer credentials."
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
# Authentication
|
|
@@ -12,7 +12,6 @@ Agent-native apps use [Better Auth](https://better-auth.com) for authentication
|
|
|
12
12
|
Auth is configured automatically via `autoMountAuth(app)` in the auth server plugin. The behavior depends on your environment:
|
|
13
13
|
|
|
14
14
|
- **Default:** Better Auth with email/password + social providers. Onboarding page shown on first visit.
|
|
15
|
-
- **`ACCESS_TOKEN`:** Simple shared token for production.
|
|
16
15
|
- **Remote MCP OAuth:** Standard OAuth 2.1 for MCP hosts such as Claude Code and ChatGPT connectors.
|
|
17
16
|
- **Custom:** Bring your own auth via `getSession` callback.
|
|
18
17
|
|
|
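Review bot: removing the `ACCESS_TOKEN` bullet leaves this environment list with no mention of the static bearer path at all, while the page still documents it further down under the renamed "Static MCP Bearer Tokens" section. Readers scanning this list will conclude static tokens were dropped entirely, and the people most likely to misuse `ACCESS_TOKEN` as browser auth are exactly the ones who used to read "Simple shared token for production" here. Suggest a replacement bullet, e.g. `- **Static bearer tokens:** \`ACCESS_TOKEN\`/\`ACCESS_TOKENS\` for MCP/connect clients only; not browser auth.` linking to `#access-tokens`, so the "not browser auth" message lands at the same place.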
@@ -20,7 +19,7 @@ Local development uses the same Better Auth flow as production — there is no d
|
|
|
20
19
|
|
|
21
20
|
## Better Auth (Default) {#better-auth}
|
|
22
21
|
|
|
23
|
-
|
|
22
|
+
By default, Better Auth powers authentication. It provides:
|
|
24
23
|
|
|
25
24
|
- Email/password registration and login
|
|
26
25
|
- Social providers (Google, GitHub, and 35+ others)
|
|
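Review bot: the removed line does not survive in this rendering (the `-` marker is followed by a blank), but the next hunk's header context shows it read "When no `ACCESS_TOKEN` is set, Better Auth powers authentication." Replacing that with "By default" is the correct fix now that Better Auth is unconditional, but the preceding context on this hunk's header ("Local development uses the same Better Auth flow as production") suggests the surrounding paragraph was written when `ACCESS_TOKEN` was the production alternative; check the rest of that paragraph for any remaining "in production, set `ACCESS_TOKEN`" wording that this hunk does not touch.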
@@ -31,7 +30,7 @@ When no `ACCESS_TOKEN` is set, Better Auth powers authentication. It provides:
|
|
|
31
30
|
Better Auth routes are mounted at `/_agent-native/auth/ba/*`. The framework also provides backward-compatible endpoints:
|
|
32
31
|
|
|
33
32
|
- `GET /_agent-native/auth/session` — get current session
|
|
34
|
-
- `POST /_agent-native/auth/login` — email/password
|
|
33
|
+
- `POST /_agent-native/auth/login` — email/password login
|
|
35
34
|
- `POST /_agent-native/auth/register` — create account
|
|
36
35
|
- `POST /_agent-native/auth/logout` — sign out
|
|
37
36
|
|
|
@@ -113,9 +112,9 @@ Better Auth's organization plugin is built into the framework. Every app support
|
|
|
113
112
|
|
|
114
113
|
The active organization flows automatically through the system: `session.orgId` → `AGENT_ORG_ID` → SQL scoping. See the [Security & Data Scoping](/docs/security) docs for details.
|
|
115
114
|
|
|
116
|
-
##
|
|
115
|
+
## Static MCP Bearer Tokens {#access-tokens}
|
|
117
116
|
|
|
118
|
-
|
|
117
|
+
`ACCESS_TOKEN` and `ACCESS_TOKENS` are not browser auth and do not make an app private. They remain only as static bearer credentials for MCP/connect clients that cannot use the OAuth flow.
|
|
119
118
|
|
|
120
119
|
```bash
|
|
121
120
|
# Single token
|
|
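Review bot: the new paragraph says what the static tokens are not, but not how a client presents them or what they grant. It should state the scheme (presumably an `Authorization: Bearer <token>` header; the page does not show it, so treat that as an assumption to verify) and whether a static token maps to a specific user or organization, since the paragraph two lines up says access is scoped by `session.orgId` → `AGENT_ORG_ID` → SQL scoping, and a credential with no session has no `orgId` to scope by. It is also worth saying outright that a static token never expires, so `ACCESS_TOKENS` (plural) is the rotation mechanism: add the new value, move clients over, then drop the old one. Keeping the `{#access-tokens}` anchor on the renamed heading is good; existing links keep resolving.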
@@ -125,7 +124,7 @@ ACCESS_TOKEN=my-secret-token
|
|
|
125
124
|
ACCESS_TOKENS=token1,token2,token3
|
|
126
125
|
```
|
|
127
126
|
|
|
128
|
-
|
|
127
|
+
Configuring these variables never renders a token login page for visitors. Web sign-in stays on Better Auth or your custom `getSession` provider.
|
|
129
128
|
|
|
130
129
|
## Remote MCP OAuth {#remote-mcp-oauth}
|
|
131
130
|
|
|
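Review bot: the sample values in the code block above this hunk (`my-secret-token`, `token1,token2,token3`) read as placeholders, but now that the text frames them as static bearer credentials accepted from remote MCP clients, the docs should tell readers to generate them with a CSPRNG (for example `openssl rand -hex 32`) rather than choose a memorable string, and to keep them out of the repository. The added sentence that web sign-in stays on Better Auth or the custom `getSession` provider is clear and answers the obvious "does this make my app private" question; a one-line comment to the same effect inside the `bash` block would survive copy-paste better than prose beneath it.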
@@ -284,7 +283,7 @@ The default `/_agent-native/google/auth-url` route does this automatically — o
|
|
|
284
283
|
| `GOOGLE_CLIENT_SECRET` | Google OAuth secret |
|
|
285
284
|
| `GITHUB_CLIENT_ID` | Enable GitHub OAuth |
|
|
286
285
|
| `GITHUB_CLIENT_SECRET` | GitHub OAuth secret |
|
|
287
|
-
| `ACCESS_TOKEN` |
|
|
288
|
-
| `ACCESS_TOKENS` | Comma-separated
|
|
286
|
+
| `ACCESS_TOKEN` | Static bearer fallback for MCP/connect clients; not browser auth |
|
|
287
|
+
| `ACCESS_TOKENS` | Comma-separated static bearer fallbacks for MCP/connect clients; not browser auth |
|
|
289
288
|
| `A2A_SECRET` | Shared secret for JWT-signed A2A cross-app identity verification and, when present, MCP OAuth access-token signing |
|
|
290
289
|
| `AUTH_DISABLED` | Set to `true` to skip auth (infrastructure-level auth) |
|
|
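Review bot: the new `ACCESS_TOKEN` row says "Static bearer fallback" without naming what it falls back from; the matching row in `deployment.md` (next hunk) says "for MCP/connect clients that cannot use OAuth", which is the clearer wording and should be used here as well so the two tables do not drift. Separately, `AUTH_DISABLED` two rows down is a far more dangerous switch than either token variable yet carries only the neutral note "skip auth (infrastructure-level auth)", while `AUTH_SKIP_EMAIL_VERIFICATION` in `deployment.md` gets a bold "Disables a real security control"; give `AUTH_DISABLED` the same warning.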
@@ -233,8 +233,8 @@ These must be set before promoting an app to a real prod deploy. Missing values
|
|
|
233
233
|
|
|
234
234
|
| Variable | Description |
|
|
235
235
|
| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
236
|
-
| `ACCESS_TOKEN` |
|
|
237
|
-
| `ACCESS_TOKENS` | Comma-separated
|
|
236
|
+
| `ACCESS_TOKEN` | Static bearer fallback for MCP/connect clients that cannot use OAuth. Does not enable browser auth or make the app private. |
|
|
237
|
+
| `ACCESS_TOKENS` | Comma-separated static bearer fallbacks for MCP/connect clients. Does not enable browser auth or make the app private. |
|
|
238
238
|
| `AUTH_SKIP_EMAIL_VERIFICATION` | Skip email verification for QA accounts. Local dev/test skips by default; hosted deploys must set this explicitly. **Disables a real security control** — only use on hosted QA environments. |
|
|
239
239
|
| `GOOGLE_CLIENT_ID` | Google OAuth client ID. Auto-enables "Sign in with Google" in Better Auth. |
|
|
240
240
|
| `GOOGLE_CLIENT_SECRET` | Google OAuth client secret. |
|
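Review bot: this table sits under a header stating these values "must be set before promoting an app to a real prod deploy", yet the rewritten descriptions say `ACCESS_TOKEN`/`ACCESS_TOKENS` exist only for MCP/connect clients that cannot use OAuth. For a browser-only app that makes them optional; mark the two rows as conditional (or move them to an optional section) so operators are not nudged into minting an unused static bearer secret just to satisfy the checklist. The "Does not enable browser auth or make the app private" sentence in both rows is the right warning and matches the `authentication.md` wording.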