@langchain/langgraph-api 0.0.19 → 0.0.21

package/dist/api/assistants.mjs

@@ -7,6 +7,28 @@ import { Assistants } from "../storage/ops.mjs";
 import * as schemas from "../schemas.mjs";
 import { HTTPException } from "hono/http-exception";
 const api = new Hono();
+const RunnableConfigSchema = z.object({
+    tags: z.array(z.string()).optional(),
+    metadata: z.record(z.unknown()).optional(),
+    run_name: z.string().optional(),
+    max_concurrency: z.number().optional(),
+    recursion_limit: z.number().optional(),
+    configurable: z.record(z.unknown()).optional(),
+    run_id: z.string().uuid().optional(),
+});
+const getRunnableConfig = (userConfig) => {
+    if (!userConfig)
+        return {};
+    return {
+        configurable: userConfig.configurable,
+        tags: userConfig.tags,
+        metadata: userConfig.metadata,
+        runName: userConfig.run_name,
+        maxConcurrency: userConfig.max_concurrency,
+        recursionLimit: userConfig.recursion_limit,
+        runId: userConfig.run_id,
+    };
+};
 api.post("/assistants", zValidator("json", schemas.AssistantCreate), async (c) => {
     // Create Assistant
     const payload = c.req.valid("json");
@@ -16,7 +38,7 @@ api.post("/assistants", zValidator("json", schemas.AssistantCreate), async (c) =
         metadata: payload.metadata ?? {},
         if_exists: payload.if_exists ?? "raise",
         name: payload.name ?? "Untitled",
-    });
+    }, c.var.auth);
     return c.json(assistant);
 });
 api.post("/assistants/search", zValidator("json", schemas.AssistantSearchRequest), async (c) => {
@@ -28,7 +50,7 @@ api.post("/assistants/search", zValidator("json", schemas.AssistantSearchRequest
         metadata: payload.metadata,
         limit: payload.limit ?? 10,
         offset: payload.offset ?? 0,
-    })) {
+    }, c.var.auth)) {
         result.push(item);
     }
     return c.json(result);
@@ -36,45 +58,23 @@ api.post("/assistants/search", zValidator("json", schemas.AssistantSearchRequest
 api.get("/assistants/:assistant_id", async (c) => {
     // Get Assistant
     const assistantId = getAssistantId(c.req.param("assistant_id"));
-    return c.json(await Assistants.get(assistantId));
+    return c.json(await Assistants.get(assistantId, c.var.auth));
 });
 api.delete("/assistants/:assistant_id", async (c) => {
     // Delete Assistant
     const assistantId = getAssistantId(c.req.param("assistant_id"));
-    return c.json(await Assistants.delete(assistantId));
+    return c.json(await Assistants.delete(assistantId, c.var.auth));
 });
 api.patch("/assistants/:assistant_id", zValidator("json", schemas.AssistantPatch), async (c) => {
     // Patch Assistant
     const assistantId = getAssistantId(c.req.param("assistant_id"));
     const payload = c.req.valid("json");
-    return c.json(await Assistants.patch(assistantId, payload));
+    return c.json(await Assistants.patch(assistantId, payload, c.var.auth));
 });
-const RunnableConfigSchema = z.object({
-    tags: z.array(z.string()).optional(),
-    metadata: z.record(z.unknown()).optional(),
-    run_name: z.string().optional(),
-    max_concurrency: z.number().optional(),
-    recursion_limit: z.number().optional(),
-    configurable: z.record(z.unknown()).optional(),
-    run_id: z.string().uuid().optional(),
-});
-const getRunnableConfig = (userConfig) => {
-    if (!userConfig)
-        return {};
-    return {
-        configurable: userConfig.configurable,
-        tags: userConfig.tags,
-        metadata: userConfig.metadata,
-        runName: userConfig.run_name,
-        maxConcurrency: userConfig.max_concurrency,
-        recursionLimit: userConfig.recursion_limit,
-        runId: userConfig.run_id,
-    };
-};
 api.get("/assistants/:assistant_id/graph", zValidator("query", z.object({ xray: schemas.coercedBoolean.optional() })), async (c) => {
     // Get Assistant Graph
     const assistantId = getAssistantId(c.req.param("assistant_id"));
-    const assistant = await Assistants.get(assistantId);
+    const assistant = await Assistants.get(assistantId, c.var.auth);
     const { xray } = c.req.valid("query");
     const config = getRunnableConfig(assistant.config);
     const graph = await getGraph(assistant.graph_id, config);
@@ -87,7 +87,7 @@ api.get("/assistants/:assistant_id/graph", zValidator("query", z.object({ xray:
 api.get("/assistants/:assistant_id/schemas", async (c) => {
     // Get Assistant Schemas
     const assistantId = getAssistantId(c.req.param("assistant_id"));
-    const assistant = await Assistants.get(assistantId);
+    const assistant = await Assistants.get(assistantId, c.var.auth);
     const graphSchema = await getGraphSchema(assistant.graph_id);
     const rootGraphId = Object.keys(graphSchema).find((i) => !i.includes("|"));
     if (!rootGraphId)
@@ -106,7 +106,7 @@ api.get("/assistants/:assistant_id/subgraphs/:namespace?", zValidator("param", z
     const { assistant_id, namespace } = c.req.valid("param");
     const { recurse } = c.req.valid("query");
     const assistantId = getAssistantId(assistant_id);
-    const assistant = await Assistants.get(assistantId);
+    const assistant = await Assistants.get(assistantId, c.var.auth);
     const config = getRunnableConfig(assistant.config);
     const graph = await getGraph(assistant.graph_id, config);
     const graphSchema = await getGraphSchema(assistant.graph_id);
@@ -131,7 +131,7 @@ api.post("/assistants/:assistant_id/latest", zValidator("json", schemas.Assistan
     // Set Latest Assistant Version
     const assistantId = getAssistantId(c.req.param("assistant_id"));
     const { version } = c.req.valid("json");
-    return c.json(await Assistants.setLatest(assistantId, version));
+    return c.json(await Assistants.setLatest(assistantId, version, c.var.auth));
 });
 api.post("/assistants/:assistant_id/versions", zValidator("json", z.object({
     limit: z.number().min(1).max(1000).optional().default(10),
@@ -141,10 +141,12 @@ api.post("/assistants/:assistant_id/versions", zValidator("json", z.object({
     // Get Assistant Versions
     const assistantId = getAssistantId(c.req.param("assistant_id"));
     const { limit, offset, metadata } = c.req.valid("json");
-    return c.json(await Assistants.getVersions(assistantId, {
-        limit,
-        offset,
-        metadata,
-    }));
+    const versions = await Assistants.getVersions(assistantId, { limit, offset, metadata }, c.var.auth);
+    if (!versions?.length) {
+        throw new HTTPException(404, {
+            message: `Assistant "${assistantId}" not found.`,
+        });
+    }
+    return c.json(versions);
 });
 export default api;

package/dist/api/runs.mjs

@@ -11,8 +11,9 @@ import { getDisconnectAbortSignal, jsonExtra, waitKeepAlive, } from "../utils/ho
 import { logError, logger } from "../logging.mjs";
 import { v4 as uuid4 } from "uuid";
 const api = new Hono();
-const createValidRun = async (threadId, payload) => {
+const createValidRun = async (threadId, payload, kwargs) => {
     const { assistant_id: assistantId, ...run } = payload;
+    const { auth, headers } = kwargs;
     const runId = uuid4();
     const streamMode = Array.isArray(payload.stream_mode)
         ? payload.stream_mode
@@ -32,6 +33,30 @@ const createValidRun = async (threadId, payload) => {
         config.configurable ??= {};
         Object.assign(config.configurable, run.checkpoint);
     }
+    if (headers) {
+        for (const [rawKey, value] of headers.entries()) {
+            const key = rawKey.toLowerCase();
+            if (key.startsWith("x-")) {
+                if (["x-api-key", "x-tenant-id", "x-service-key"].includes(key)) {
+                    continue;
+                }
+                config.configurable ??= {};
+                config.configurable[key] = value;
+            }
+            else if (key === "user-agent") {
+                config.configurable ??= {};
+                config.configurable[key] = value;
+            }
+        }
+    }
+    let userId;
+    if (auth) {
+        userId = auth.user.identity ?? auth.user.id;
+        config.configurable ??= {};
+        config.configurable["langgraph_auth_user"] = auth.user;
+        config.configurable["langgraph_auth_user_id"] = userId;
+        config.configurable["langgraph_auth_permissions"] = auth.scopes;
+    }
     let feedbackKeys = run.feedback_keys != null
         ? Array.isArray(run.feedback_keys)
             ? run.feedback_keys
@@ -52,19 +77,20 @@ const createValidRun = async (threadId, payload) => {
         subgraphs: run.stream_subgraphs ?? false,
     }, {
         threadId,
+        userId,
         metadata: run.metadata,
         status: "pending",
         multitaskStrategy,
         preventInsertInInflight,
         afterSeconds: payload.after_seconds,
         ifNotExists: payload.if_not_exists,
-    });
+    }, auth);
     if (first?.run_id === runId) {
         logger.info("Created run", { run_id: runId, thread_id: threadId });
         if ((multitaskStrategy === "interrupt" || multitaskStrategy === "rollback") &&
             inflight.length > 0) {
             try {
-                await Runs.cancel(threadId, inflight.map((run) => run.run_id), { action: multitaskStrategy });
+                await Runs.cancel(threadId, inflight.map((run) => run.run_id), { action: multitaskStrategy }, auth);
             }
             catch (error) {
                 logger.warn("Failed to cancel inflight runs, might be already cancelled", {
@@ -104,13 +130,16 @@ api.post("/threads/:thread_id/runs/crons", zValidator("param", z.object({ thread
 api.post("/runs/stream", zValidator("json", schemas.RunCreate), async (c) => {
     // Stream Stateless Run
     const payload = c.req.valid("json");
-    const run = await createValidRun(undefined, payload);
+    const run = await createValidRun(undefined, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
     return streamSSE(c, async (stream) => {
         const cancelOnDisconnect = payload.on_disconnect === "cancel"
             ? getDisconnectAbortSignal(c, stream)
             : undefined;
         try {
-            for await (const { event, data } of Runs.Stream.join(run.run_id, undefined, { cancelOnDisconnect, ignore404: true })) {
+            for await (const { event, data } of Runs.Stream.join(run.run_id, undefined, { cancelOnDisconnect, ignore404: true }, c.var.auth)) {
                 await stream.writeSSE({ data: serialiseAsDict(data), event });
             }
         }
@@ -122,19 +151,28 @@ api.post("/runs/stream", zValidator("json", schemas.RunCreate), async (c) => {
 api.post("/runs/wait", zValidator("json", schemas.RunCreate), async (c) => {
     // Wait Stateless Run
     const payload = c.req.valid("json");
-    const run = await createValidRun(undefined, payload);
-    return waitKeepAlive(c, Runs.wait(run.run_id, undefined));
+    const run = await createValidRun(undefined, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
+    return waitKeepAlive(c, Runs.wait(run.run_id, undefined, c.var.auth));
 });
 api.post("/runs", zValidator("json", schemas.RunCreate), async (c) => {
     // Create Stateless Run
     const payload = c.req.valid("json");
-    const run = await createValidRun(undefined, payload);
+    const run = await createValidRun(undefined, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
     return jsonExtra(c, run);
 });
 api.post("/runs/batch", zValidator("json", schemas.RunBatchCreate), async (c) => {
     // Batch Runs
     const payload = c.req.valid("json");
-    const runs = await Promise.all(payload.map((run) => createValidRun(undefined, run)));
+    const runs = await Promise.all(payload.map((run) => createValidRun(undefined, run, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    })));
     return jsonExtra(c, runs);
 });
 api.get("/threads/:thread_id/runs", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("query", z.object({
@@ -147,13 +185,8 @@ api.get("/threads/:thread_id/runs", zValidator("param", z.object({ thread_id: z.
     const { thread_id } = c.req.valid("param");
     const { limit, offset, status, metadata } = c.req.valid("query");
     const [runs] = await Promise.all([
-        Runs.search(thread_id, {
-            limit,
-            offset,
-            status,
-            metadata,
-        }),
-        Threads.get(thread_id),
+        Runs.search(thread_id, { limit, offset, status, metadata }, c.var.auth),
+        Threads.get(thread_id, c.var.auth),
     ]);
     return jsonExtra(c, runs);
 });
@@ -161,20 +194,26 @@ api.post("/threads/:thread_id/runs", zValidator("param", z.object({ thread_id: z
     // Create Run
     const { thread_id } = c.req.valid("param");
     const payload = c.req.valid("json");
-    const run = await createValidRun(thread_id, payload);
+    const run = await createValidRun(thread_id, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
     return jsonExtra(c, run);
 });
 api.post("/threads/:thread_id/runs/stream", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("json", schemas.RunCreate), async (c) => {
     // Stream Run
     const { thread_id } = c.req.valid("param");
     const payload = c.req.valid("json");
-    const run = await createValidRun(thread_id, payload);
+    const run = await createValidRun(thread_id, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
     return streamSSE(c, async (stream) => {
         const cancelOnDisconnect = payload.on_disconnect === "cancel"
             ? getDisconnectAbortSignal(c, stream)
             : undefined;
         try {
-            for await (const { event, data } of Runs.Stream.join(run.run_id, thread_id, { cancelOnDisconnect })) {
+            for await (const { event, data } of Runs.Stream.join(run.run_id, thread_id, { cancelOnDisconnect }, c.var.auth)) {
                 await stream.writeSSE({ data: serialiseAsDict(data), event });
             }
         }
@@ -187,27 +226,32 @@ api.post("/threads/:thread_id/runs/wait", zValidator("param", z.object({ thread_
     // Wait Run
     const { thread_id } = c.req.valid("param");
     const payload = c.req.valid("json");
-    const run = await createValidRun(thread_id, payload);
-    return waitKeepAlive(c, Runs.join(run.run_id, thread_id));
+    const run = await createValidRun(thread_id, payload, {
+        auth: c.var.auth,
+        headers: c.req.raw.headers,
+    });
+    return waitKeepAlive(c, Runs.join(run.run_id, thread_id, c.var.auth));
 });
 api.get("/threads/:thread_id/runs/:run_id", zValidator("param", z.object({ thread_id: z.string().uuid(), run_id: z.string().uuid() })), async (c) => {
     const { thread_id, run_id } = c.req.valid("param");
     const [run] = await Promise.all([
-        Runs.get(run_id, thread_id),
-        Threads.get(thread_id),
+        Runs.get(run_id, thread_id, c.var.auth),
+        Threads.get(thread_id, c.var.auth),
     ]);
+    if (run == null)
+        throw new HTTPException(404, { message: "Run not found" });
     return jsonExtra(c, run);
 });
 api.delete("/threads/:thread_id/runs/:run_id", zValidator("param", z.object({ thread_id: z.string().uuid(), run_id: z.string().uuid() })), async (c) => {
     // Delete Run
     const { thread_id, run_id } = c.req.valid("param");
-    await Runs.delete(run_id, thread_id);
+    await Runs.delete(run_id, thread_id, c.var.auth);
     return c.body(null, 204);
 });
 api.get("/threads/:thread_id/runs/:run_id/join", zValidator("param", z.object({ thread_id: z.string().uuid(), run_id: z.string().uuid() })), async (c) => {
     // Join Run Http
     const { thread_id, run_id } = c.req.valid("param");
-    return jsonExtra(c, await Runs.join(run_id, thread_id));
+    return jsonExtra(c, await Runs.join(run_id, thread_id, c.var.auth));
 });
 api.get("/threads/:thread_id/runs/:run_id/stream", zValidator("param", z.object({ thread_id: z.string().uuid(), run_id: z.string().uuid() })), zValidator("query", z.object({ cancel_on_disconnect: schemas.coercedBoolean.optional() })), async (c) => {
     // Stream Run Http
@@ -217,9 +261,7 @@ api.get("/threads/:thread_id/runs/:run_id/stream", zValidator("param", z.object(
         const signal = cancel_on_disconnect
             ? getDisconnectAbortSignal(c, stream)
             : undefined;
-        for await (const { event, data } of Runs.Stream.join(run_id, thread_id, {
-            cancelOnDisconnect: signal,
-        })) {
+        for await (const { event, data } of Runs.Stream.join(run_id, thread_id, { cancelOnDisconnect: signal }, c.var.auth)) {
             await stream.writeSSE({ data: serialiseAsDict(data), event });
         }
     });
@@ -231,9 +273,9 @@ api.post("/threads/:thread_id/runs/:run_id/cancel", zValidator("param", z.object
     // Cancel Run Http
     const { thread_id, run_id } = c.req.valid("param");
     const { wait, action } = c.req.valid("query");
-    await Runs.cancel(thread_id, [run_id], { action });
+    await Runs.cancel(thread_id, [run_id], { action }, c.var.auth);
     if (wait)
-        await Runs.join(run_id, thread_id);
+        await Runs.join(run_id, thread_id, c.var.auth);
     return c.body(null, wait ? 204 : 202);
 });
 export default api;

package/dist/api/store.mjs

@@ -3,6 +3,7 @@ import { zValidator } from "@hono/zod-validator";
 import * as schemas from "../schemas.mjs";
 import { HTTPException } from "hono/http-exception";
 import { store as storageStore } from "../storage/store.mjs";
+import { handleAuthEvent } from "../auth/custom.mjs";
 const api = new Hono();
 const validateNamespace = (namespace) => {
     if (!namespace || namespace.length === 0) {
@@ -34,6 +35,13 @@ api.post("/store/namespaces", zValidator("json", schemas.StoreListNamespaces), a
         validateNamespace(payload.prefix);
     if (payload.suffix)
         validateNamespace(payload.suffix);
+    await handleAuthEvent(c.var.auth, "store:list_namespaces", {
+        namespace: payload.prefix,
+        suffix: payload.suffix,
+        max_depth: payload.max_depth,
+        limit: payload.limit,
+        offset: payload.offset,
+    });
     return c.json({
         namespaces: await storageStore.listNamespaces({
             limit: payload.limit ?? 100,
@@ -49,6 +57,13 @@ api.post("/store/items/search", zValidator("json", schemas.StoreSearchItems), as
     const payload = c.req.valid("json");
     if (payload.namespace_prefix)
         validateNamespace(payload.namespace_prefix);
+    await handleAuthEvent(c.var.auth, "store:search", {
+        namespace: payload.namespace_prefix,
+        filter: payload.filter,
+        limit: payload.limit,
+        offset: payload.offset,
+        query: payload.query,
+    });
     const items = await storageStore.search(payload.namespace_prefix, {
         filter: payload.filter,
         limit: payload.limit ?? 10,
@@ -62,6 +77,11 @@ api.put("/store/items", zValidator("json", schemas.StorePutItem), async (c) => {
     const payload = c.req.valid("json");
     if (payload.namespace)
         validateNamespace(payload.namespace);
+    await handleAuthEvent(c.var.auth, "store:put", {
+        namespace: payload.namespace,
+        key: payload.key,
+        value: payload.value,
+    });
     await storageStore.put(payload.namespace, payload.key, payload.value);
     return c.body(null, 204);
 });
@@ -70,12 +90,20 @@ api.delete("/store/items", zValidator("json", schemas.StoreDeleteItem), async (c
     const payload = c.req.valid("json");
     if (payload.namespace)
         validateNamespace(payload.namespace);
+    await handleAuthEvent(c.var.auth, "store:delete", {
+        namespace: payload.namespace,
+        key: payload.key,
+    });
     await storageStore.delete(payload.namespace ?? [], payload.key);
     return c.body(null, 204);
 });
 api.get("/store/items", zValidator("query", schemas.StoreGetItem), async (c) => {
     // Get Item
     const payload = c.req.valid("query");
+    await handleAuthEvent(c.var.auth, "store:get", {
+        namespace: payload.namespace,
+        key: payload.key,
+    });
     const key = payload.key;
     const namespace = payload.namespace;
     return c.json(mapItemsToApi(await storageStore.get(namespace, key)));

package/dist/api/threads.mjs

@@ -11,12 +11,9 @@ const api = new Hono();
 api.post("/threads", zValidator("json", schemas.ThreadCreate), async (c) => {
     // Create Thread
     const payload = c.req.valid("json");
-    const thread = await Threads.put(payload.thread_id || uuid4(), {
-        metadata: payload.metadata,
-        if_exists: payload.if_exists ?? "raise",
-    });
+    const thread = await Threads.put(payload.thread_id || uuid4(), { metadata: payload.metadata, if_exists: payload.if_exists ?? "raise" }, c.var.auth);
     if (payload.supersteps?.length) {
-        await Threads.State.bulk({ configurable: { thread_id: thread.thread_id } }, payload.supersteps);
+        await Threads.State.bulk({ configurable: { thread_id: thread.thread_id } }, payload.supersteps, c.var.auth);
     }
     return jsonExtra(c, thread);
 });
@@ -30,7 +27,7 @@ api.post("/threads/search", zValidator("json", schemas.ThreadSearchRequest), asy
         metadata: payload.metadata,
         limit: payload.limit ?? 10,
         offset: payload.offset ?? 0,
-    })) {
+    }, c.var.auth)) {
         result.push({
             ...item,
             created_at: item.created_at.toISOString(),
@@ -43,7 +40,7 @@ api.get("/threads/:thread_id/state", zValidator("param", z.object({ thread_id: z
     // Get Latest Thread State
     const { thread_id } = c.req.valid("param");
     const { subgraphs } = c.req.valid("query");
-    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id } }, { subgraphs }));
+    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id } }, { subgraphs }, c.var.auth));
     return jsonExtra(c, state);
 });
 api.post("/threads/:thread_id/state", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("json", z.object({
@@ -69,7 +66,7 @@ api.post("/threads/:thread_id/state", zValidator("param", z.object({ thread_id:
         config.configurable ??= {};
         Object.assign(config.configurable, payload.checkpoint);
     }
-    const inserted = await Threads.State.post(config, payload.values, payload.as_node);
+    const inserted = await Threads.State.post(config, payload.values, payload.as_node, c.var.auth);
     return jsonExtra(c, inserted);
 });
 api.get("/threads/:thread_id/state/:checkpoint_id", zValidator("param", z.object({
@@ -79,7 +76,7 @@ api.get("/threads/:thread_id/state/:checkpoint_id", zValidator("param", z.object
     // Get Thread State At Checkpoint
     const { thread_id, checkpoint_id } = c.req.valid("param");
     const { subgraphs } = c.req.valid("query");
-    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id, checkpoint_id } }, { subgraphs }));
+    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id, checkpoint_id } }, { subgraphs }, c.var.auth));
     return jsonExtra(c, state);
 });
 api.post("/threads/:thread_id/state/checkpoint", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("json", z.object({
@@ -89,7 +86,7 @@ api.post("/threads/:thread_id/state/checkpoint", zValidator("param", z.object({
     // Get Thread State At Checkpoint Post
     const { thread_id } = c.req.valid("param");
     const { checkpoint, subgraphs } = c.req.valid("json");
-    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id, ...checkpoint } }, { subgraphs }));
+    const state = stateSnapshotToThreadState(await Threads.State.get({ configurable: { thread_id, ...checkpoint } }, { subgraphs }, c.var.auth));
     return jsonExtra(c, state);
 });
 api.get("/threads/:thread_id/history", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("query", z.object({
@@ -103,7 +100,7 @@ api.get("/threads/:thread_id/history", zValidator("param", z.object({ thread_id:
     // Get Thread History
     const { thread_id } = c.req.valid("param");
     const { limit, before } = c.req.valid("query");
-    const states = await Threads.State.list({ configurable: { thread_id, checkpoint_ns: "" } }, { limit, before });
+    const states = await Threads.State.list({ configurable: { thread_id, checkpoint_ns: "" } }, { limit, before }, c.var.auth);
     return jsonExtra(c, states.map(stateSnapshotToThreadState));
 });
 api.post("/threads/:thread_id/history", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("json", z.object({
@@ -121,29 +118,29 @@ api.post("/threads/:thread_id/history", zValidator("param", z.object({ thread_id
     // Get Thread History Post
     const { thread_id } = c.req.valid("param");
     const { limit, before, metadata, checkpoint } = c.req.valid("json");
-    const states = await Threads.State.list({ configurable: { thread_id, checkpoint_ns: "", ...checkpoint } }, { limit, before, metadata });
+    const states = await Threads.State.list({ configurable: { thread_id, checkpoint_ns: "", ...checkpoint } }, { limit, before, metadata }, c.var.auth);
     return jsonExtra(c, states.map(stateSnapshotToThreadState));
 });
 api.get("/threads/:thread_id", zValidator("param", z.object({ thread_id: z.string().uuid() })), async (c) => {
     // Get Thread
     const { thread_id } = c.req.valid("param");
-    return jsonExtra(c, await Threads.get(thread_id));
+    return jsonExtra(c, await Threads.get(thread_id, c.var.auth));
 });
 api.delete("/threads/:thread_id", zValidator("param", z.object({ thread_id: z.string().uuid() })), async (c) => {
     // Delete Thread
     const { thread_id } = c.req.valid("param");
-    await Threads.delete(thread_id);
+    await Threads.delete(thread_id, c.var.auth);
     return new Response(null, { status: 204 });
 });
 api.patch("/threads/:thread_id", zValidator("param", z.object({ thread_id: z.string().uuid() })), zValidator("json", z.object({ metadata: z.record(z.string(), z.unknown()) })), async (c) => {
     // Patch Thread
     const { thread_id } = c.req.valid("param");
     const { metadata } = c.req.valid("json");
-    return jsonExtra(c, await Threads.patch(thread_id, { metadata }));
+    return jsonExtra(c, await Threads.patch(thread_id, { metadata }, c.var.auth));
 });
 api.post("/threads/:thread_id/copy", zValidator("param", z.object({ thread_id: z.string().uuid() })), async (c) => {
     // Copy Thread
     const { thread_id } = c.req.valid("param");
-    return jsonExtra(c, await Threads.copy(thread_id));
+    return jsonExtra(c, await Threads.copy(thread_id, c.var.auth));
 });
 export default api;

package/dist/auth/custom.mjs

@@ -0,0 +1,58 @@
+import { authorize, authenticate, isAuthRegistered, isStudioAuthDisabled, } from "./index.mjs";
+export function isAuthMatching(metadata, filters) {
+    if (filters == null)
+        return true;
+    for (const [key, value] of Object.entries(filters)) {
+        if (typeof value === "object" && value != null) {
+            if (value.$eq) {
+                if (metadata?.[key] !== value.$eq)
+                    return false;
+            }
+            else if (value.$contains) {
+                if (!Array.isArray(metadata?.[key]) ||
+                    !metadata?.[key].includes(value.$contains)) {
+                    return false;
+                }
+            }
+        }
+        else {
+            if (metadata?.[key] !== value)
+                return false;
+        }
+    }
+    return true;
+}
+export const handleAuthEvent = async (context, event, value) => {
+    const [resource, action] = event.split(":");
+    const result = await authorize({
+        resource,
+        action,
+        context,
+        value,
+    });
+    return [result.filters, result.value];
+};
+const STUDIO_USER = {
+    display_name: "langgraph-studio-user",
+    identity: "langgraph-studio-user",
+    permissions: [],
+    is_authenticated: true,
+};
+export const auth = () => {
+    return async (c, next) => {
+        if (!isAuthRegistered())
+            return next();
+        if (!isStudioAuthDisabled() &&
+            c.req.header("x-auth-scheme") === "langsmith") {
+            c.set("auth", {
+                user: STUDIO_USER,
+                scopes: STUDIO_USER.permissions.slice(),
+            });
+            return next();
+        }
+        const auth = await authenticate(c.req.raw);
+        c.set("auth", auth);
+        return next();
+    };
+};
+export { registerAuth } from "./index.mjs";

package/dist/auth/index.d.mts

@@ -0,0 +1,40 @@
+export declare const isAuthRegistered: () => boolean;
+export declare const isStudioAuthDisabled: () => boolean;
+export type AuthFilters = Record<string, string | {
+    $eq?: string;
+    $contains?: string;
+}> | undefined;
+export interface AuthContext {
+    user: {
+        identity: string;
+        permissions: string[];
+        display_name: string;
+        is_authenticated: boolean;
+        [key: string]: unknown;
+    };
+    scopes: string[];
+}
+export declare function authorize(payload: {
+    resource: string;
+    action: string;
+    value: unknown;
+    context: AuthContext | undefined | null;
+}): Promise<{
+    filters: AuthFilters;
+    value: unknown;
+}>;
+export declare function authenticate(request: Request): Promise<{
+    scopes: string[];
+    user: {
+        permissions: string[];
+        is_authenticated: boolean;
+        display_name: string;
+        identity: string;
+    };
+}>;
+export declare function registerAuth(auth: {
+    path?: string;
+    disable_studio_auth?: boolean;
+}, options: {
+    cwd: string;
+}): Promise<void>;