@mastra/mcp-docs-server 1.2.2-alpha.9 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,281 @@
1
+ # Google
2
+
3
+ The `@mastra/auth-google` package provides authentication and role-based access control for Mastra using Google Workspace. It supports an OAuth 2.0 / OIDC login flow with encrypted session cookies, verifies Google ID tokens, and maps Google Workspace groups to Mastra permissions.
4
+
5
+ Use it when your Studio users sign in with Google and access should be limited to one or more Google Workspace domains.
6
+
7
+ ## Prerequisites
8
+
9
+ This guide uses Google Workspace authentication. Make sure to:
10
+
11
+ 1. Create or select a Google Cloud project
12
+ 2. Set up an OAuth client for web applications
13
+ 3. Add your Mastra SSO callback URL to the authorized redirect URIs
14
+ 4. Configure Google Workspace groups if you plan to use RBAC
15
+
16
+ For Google Groups RBAC, also configure a Google Workspace service account with domain-wide delegation and grant it the Directory API read-only group scope:
17
+
18
+ ```text
19
+ https://www.googleapis.com/auth/admin.directory.group.readonly
20
+ ```
21
+
22
+ Make sure your environment variables are set.
23
+
24
+ ```env
25
+ GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
26
+ GOOGLE_CLIENT_SECRET=your-client-secret
27
+ GOOGLE_REDIRECT_URI=http://localhost:4111/api/auth/sso/callback
28
+ GOOGLE_COOKIE_PASSWORD=a-random-string-at-least-32-characters-long
29
+ GOOGLE_ALLOWED_DOMAINS=example.com
30
+
31
+ GOOGLE_SERVICE_ACCOUNT_EMAIL=service-account@project.iam.gserviceaccount.com
32
+ GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
33
+ GOOGLE_WORKSPACE_ADMIN_EMAIL=admin@example.com
34
+ ```
35
+
36
+ > **Note:** `GOOGLE_COOKIE_PASSWORD` encrypts session cookies. If omitted, an auto-generated value is used that doesn't survive server restarts. Set it explicitly for production.
37
+ >
38
+ > `MastraAuthGoogle` reads the `GOOGLE_*` auth variables automatically. The service-account variables shown above are read by the configuration code you pass to `MastraRBACGoogle`.
39
+
40
+ ## Installation
41
+
42
+ Before you can use the `MastraAuthGoogle` class, install the `@mastra/auth-google` package.
43
+
44
+ **npm**:
45
+
46
+ ```bash
47
+ npm install @mastra/auth-google
48
+ ```
49
+
50
+ **pnpm**:
51
+
52
+ ```bash
53
+ pnpm add @mastra/auth-google
54
+ ```
55
+
56
+ **Yarn**:
57
+
58
+ ```bash
59
+ yarn add @mastra/auth-google
60
+ ```
61
+
62
+ **Bun**:
63
+
64
+ ```bash
65
+ bun add @mastra/auth-google
66
+ ```
67
+
68
+ ## Usage examples
69
+
70
+ ### Basic usage with environment variables
71
+
72
+ With the environment variables above set, all constructor parameters are optional:
73
+
74
+ ```typescript
75
+ import { Mastra } from '@mastra/core'
76
+ import { MastraAuthGoogle } from '@mastra/auth-google'
77
+
78
+ export const mastra = new Mastra({
79
+ server: {
80
+ auth: new MastraAuthGoogle(),
81
+ },
82
+ })
83
+ ```
84
+
85
+ > **Warning:** Use `allowedDomains` or `GOOGLE_ALLOWED_DOMAINS` to enforce Workspace access. Mastra checks Google's verified `hd` claim, not the email address suffix.
86
+
87
+ ### Custom configuration
88
+
89
+ Pass constructor options directly if you don't want to rely on environment variables:
90
+
91
+ ```typescript
92
+ import { Mastra } from '@mastra/core'
93
+ import { MastraAuthGoogle } from '@mastra/auth-google'
94
+
95
+ export const mastra = new Mastra({
96
+ server: {
97
+ auth: new MastraAuthGoogle({
98
+ clientId: process.env.GOOGLE_CLIENT_ID,
99
+ clientSecret: process.env.GOOGLE_CLIENT_SECRET,
100
+ redirectUri: process.env.GOOGLE_REDIRECT_URI,
101
+ allowedDomains: ['example.com'],
102
+ }),
103
+ },
104
+ })
105
+ ```
106
+
107
+ ### Auth with Google Groups RBAC
108
+
109
+ Add `MastraRBACGoogle` to map Google Workspace groups to Mastra permissions:
110
+
111
+ ```typescript
112
+ import { Mastra } from '@mastra/core'
113
+ import { MastraAuthGoogle, MastraRBACGoogle } from '@mastra/auth-google'
114
+
115
+ export const mastra = new Mastra({
116
+ server: {
117
+ auth: new MastraAuthGoogle(),
118
+ rbac: new MastraRBACGoogle({
119
+ serviceAccount: {
120
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
121
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
122
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
123
+ },
124
+ roleMapping: {
125
+ 'admins@example.com': ['*'],
126
+ 'engineering@example.com': ['agents:*', 'workflows:*', 'tools:*'],
127
+ 'viewers@example.com': ['agents:read', 'workflows:read'],
128
+ _default: [], // users with unmapped groups get no permissions
129
+ },
130
+ }),
131
+ },
132
+ })
133
+ ```
134
+
135
+ ### Cross-provider usage
136
+
137
+ Use a different auth provider (Auth0, Clerk, etc.) for login and Google Workspace groups for RBAC. Pass a `getUserKey` function to resolve the Google Directory API user key from the other provider's user object:
138
+
139
+ ```typescript
140
+ import { Mastra } from '@mastra/core'
141
+ import { MastraAuthAuth0 } from '@mastra/auth-auth0'
142
+ import { MastraRBACGoogle } from '@mastra/auth-google'
143
+
144
+ export const mastra = new Mastra({
145
+ server: {
146
+ auth: new MastraAuthAuth0(),
147
+ rbac: new MastraRBACGoogle({
148
+ getUserKey: user => {
149
+ if (!user || typeof user !== 'object') return undefined
150
+
151
+ const { email } = user as { email?: unknown }
152
+ return typeof email === 'string' ? email : undefined
153
+ },
154
+ serviceAccount: {
155
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
156
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
157
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
158
+ },
159
+ roleMapping: {
160
+ 'engineering@example.com': ['agents:*', 'workflows:*'],
161
+ 'admins@example.com': ['*'],
162
+ _default: [],
163
+ },
164
+ }),
165
+ },
166
+ })
167
+ ```
168
+
169
+ > **Info:** Visit [MastraAuthGoogle](https://mastra.ai/reference/auth/google) for all available configuration options.
170
+
171
+ ## Role mapping
172
+
173
+ The `roleMapping` option maps Google Workspace group email addresses to arrays of Mastra permission strings. Permissions follow a `resource:action` pattern and support wildcards:
174
+
175
+ ```typescript
176
+ const rbac = new MastraRBACGoogle({
177
+ roleMapping: {
178
+ // full access to everything
179
+ 'admins@example.com': ['*'],
180
+
181
+ // full access to agents and workflows
182
+ 'engineering@example.com': ['agents:*', 'workflows:*'],
183
+
184
+ // read-only access
185
+ 'viewers@example.com': ['agents:read', 'workflows:read'],
186
+
187
+ // users whose groups don't match any key above
188
+ _default: [],
189
+ },
190
+ })
191
+ ```
192
+
193
+ Group email addresses are used as role IDs by default. Use `mapGroupToRoles` if you want to map by group name or another property. The `_default` key assigns permissions to users whose Google Workspace groups don't match any other key.
194
+
195
+ ## Client-side setup
196
+
197
+ When auth is enabled, requests to Mastra routes require authentication. When SSO is enabled with `GOOGLE_CLIENT_SECRET`, `MastraAuthGoogle` uses Google sign-in and sets an encrypted session cookie after login.
198
+
199
+ ### Cookie session (recommended)
200
+
201
+ For cross-origin requests (for example, a frontend on `:3000` calling Mastra on `:4111`), enable CORS credentials on the Mastra server:
202
+
203
+ ```typescript
204
+ export const mastra = new Mastra({
205
+ server: {
206
+ auth: new MastraAuthGoogle(),
207
+ cors: {
208
+ origin: 'http://localhost:3000',
209
+ credentials: true,
210
+ },
211
+ },
212
+ })
213
+ ```
214
+
215
+ Configure the client to include credentials:
216
+
217
+ ```typescript
218
+ import { MastraClient } from '@mastra/client-js'
219
+
220
+ export const mastraClient = new MastraClient({
221
+ baseUrl: 'http://localhost:4111',
222
+ credentials: 'include',
223
+ })
224
+ ```
225
+
226
+ ### Bearer token
227
+
228
+ You can also pass a Google ID token as a Bearer token. Mastra verifies the token against Google's JSON Web Key Set (JWKS) endpoint:
229
+
230
+ ```typescript
231
+ import { MastraClient } from '@mastra/client-js'
232
+
233
+ export const createMastraClient = (idToken: string) => {
234
+ return new MastraClient({
235
+ baseUrl: 'http://localhost:4111',
236
+ headers: {
237
+ Authorization: `Bearer ${idToken}`,
238
+ },
239
+ })
240
+ }
241
+ ```
242
+
243
+ > **Info:** Visit [Mastra Client SDK](https://mastra.ai/docs/server/mastra-client) for more configuration options.
244
+
245
+ ### Making authenticated requests
246
+
247
+ **MastraClient**:
248
+
249
+ ```typescript
250
+ import { mastraClient } from '../lib/mastra-client'
251
+
252
+ const agent = mastraClient.getAgent('weatherAgent')
253
+ const response = await agent.generate('Weather in London')
254
+ console.log(response)
255
+ ```
256
+
257
+ **cURL**:
258
+
259
+ ```bash
260
+ curl -X POST http://localhost:4111/api/agents/weatherAgent/generate \
261
+ -H "Content-Type: application/json" \
262
+ -H "Authorization: Bearer <your-google-id-token>" \
263
+ -d '{
264
+ "messages": "Weather in London"
265
+ }'
266
+ ```
267
+
268
+ ## Troubleshooting
269
+
270
+ - **401 after sign-in**: Check that `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, and `GOOGLE_REDIRECT_URI` match the Google Cloud OAuth client.
271
+ - **Workspace users are rejected**: Verify `GOOGLE_ALLOWED_DOMAINS` matches the Google ID token `hd` claim.
272
+ - **Consumer Gmail accounts are rejected**: This is expected when `allowedDomains` is configured because Gmail accounts don't have a Workspace `hd` claim.
273
+ - **RBAC returns default permissions**: No roles were resolved for the user. Verify the user email or custom `getUserKey`, Google group membership, and `roleMapping`. If the Directory API lookup fails, the provider throws an error instead of returning `_default`.
274
+ - **Cookies are not sent cross-origin**: Set `credentials: "include"` in `MastraClient` and configure `server.cors` with your frontend origin and `credentials: true`.
275
+ - **Session lost on restart**: Set `GOOGLE_COOKIE_PASSWORD` to a stable value of at least 32 characters. Without it, an auto-generated key is used in development and changes on each restart.
276
+
277
+ ## Related
278
+
279
+ - [Auth overview](https://mastra.ai/docs/server/auth)
280
+ - [Composite Auth](https://mastra.ai/docs/server/auth/composite-auth)
281
+ - [MastraAuthGoogle reference](https://mastra.ai/reference/auth/google)
@@ -15,7 +15,7 @@ Authentication is optional. If no auth is configured, all routes and Studio are
15
15
 
16
16
  See [Custom API Routes](https://mastra.ai/docs/server/custom-api-routes) for controlling authentication on custom endpoints. Visit the [Studio Auth docs](https://mastra.ai/docs/studio/auth) for more on securing your Studio deployment.
17
17
 
18
- > **Note:** Authentication for Studio is currently supported by the following providers: Simple Auth, JWT, WorkOS, and Better Auth.
18
+ > **Note:** Authentication for Studio is currently supported by the following providers: Simple Auth, JWT, WorkOS, Better Auth, and Google.
19
19
 
20
20
  ## Available providers
21
21
 
@@ -30,6 +30,7 @@ See [Custom API Routes](https://mastra.ai/docs/server/custom-api-routes) for con
30
30
  - [Better Auth](https://mastra.ai/docs/server/auth/better-auth)
31
31
  - [Clerk](https://mastra.ai/docs/server/auth/clerk)
32
32
  - [Firebase](https://mastra.ai/docs/server/auth/firebase)
33
+ - [Google](https://mastra.ai/docs/server/auth/google)
33
34
  - [Okta](https://mastra.ai/docs/server/auth/okta)
34
35
  - [Supabase](https://mastra.ai/docs/server/auth/supabase)
35
36
  - [WorkOS](https://mastra.ai/docs/server/auth/workos)
@@ -1,6 +1,6 @@
1
1
  # ![Vercel logo](https://models.dev/logos/vercel.svg)Vercel
2
2
 
3
- Vercel aggregates models from multiple providers with enhanced features like rate limiting and failover. Access 291 models through Mastra's model router.
3
+ Vercel aggregates models from multiple providers with enhanced features like rate limiting and failover. Access 292 models through Mastra's model router.
4
4
 
5
5
  Learn more in the [Vercel documentation](https://ai-sdk.dev/providers/ai-sdk-providers).
6
6
 
@@ -302,6 +302,7 @@ ANTHROPIC_API_KEY=ant-...
302
302
  | `xai/grok-build-0.1` |
303
303
  | `xai/grok-imagine-image` |
304
304
  | `xai/grok-imagine-video` |
305
+ | `xai/grok-imagine-video-1.5` |
305
306
  | `xai/grok-imagine-video-1.5-preview` |
306
307
  | `xai/grok-stt` |
307
308
  | `xai/grok-tts` |
@@ -1,6 +1,6 @@
1
1
  # Model Providers
2
2
 
3
- Mastra provides a unified interface for working with LLMs across multiple providers, giving you access to 4544 models from 133 providers through a single API.
3
+ Mastra provides a unified interface for working with LLMs across multiple providers, giving you access to 4540 models from 133 providers through a single API.
4
4
 
5
5
  ## Features
6
6
 
@@ -34,7 +34,7 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | -------------------------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
- | `baseten/deepseek-ai/DeepSeek-V4-Pro` | 131K | | | | | | $2 | $3 |
37
+ | `baseten/deepseek-ai/DeepSeek-V4-Pro` | 262K | | | | | | $2 | $3 |
38
38
  | `baseten/moonshotai/Kimi-K2.5` | 262K | | | | | | $0.60 | $3 |
39
39
  | `baseten/moonshotai/Kimi-K2.6` | 262K | | | | | | $0.95 | $4 |
40
40
  | `baseten/moonshotai/Kimi-K2.7-Code` | 262K | | | | | | $0.95 | $4 |
@@ -1,6 +1,6 @@
1
1
  # ![Fireworks AI logo](https://models.dev/logos/fireworks-ai.svg)Fireworks AI
2
2
 
3
- Access 15 Fireworks AI models through Mastra's model router. Authentication is handled automatically using the `FIREWORKS_API_KEY` environment variable.
3
+ Access 16 Fireworks AI models through Mastra's model router. Authentication is handled automatically using the `FIREWORKS_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Fireworks AI documentation](https://fireworks.ai/docs/).
6
6
 
@@ -46,6 +46,7 @@ for await (const chunk of stream) {
46
46
  | `fireworks-ai/accounts/fireworks/models/minimax-m3` | 512K | | | | | | $0.30 | $1 |
47
47
  | `fireworks-ai/accounts/fireworks/models/qwen3p7-plus` | 262K | | | | | | $0.40 | $2 |
48
48
  | `fireworks-ai/accounts/fireworks/routers/glm-5p1-fast` | 203K | | | | | | $3 | $9 |
49
+ | `fireworks-ai/accounts/fireworks/routers/glm-5p2-fast` | 1.0M | | | | | | $2 | $7 |
49
50
  | `fireworks-ai/accounts/fireworks/routers/kimi-k2p6-fast` | 262K | | | | | | $2 | $8 |
50
51
  | `fireworks-ai/accounts/fireworks/routers/kimi-k2p6-turbo` | 262K | | | | | | $2 | $8 |
51
52
  | `fireworks-ai/accounts/fireworks/routers/kimi-k2p7-code-fast` | 262K | | | | | | $2 | $8 |
@@ -1,6 +1,6 @@
1
1
  # ![Friendli logo](https://models.dev/logos/friendli.svg)Friendli
2
2
 
3
- Access 7 Friendli models through Mastra's model router. Authentication is handled automatically using the `FRIENDLI_TOKEN` environment variable.
3
+ Access 9 Friendli models through Mastra's model router. Authentication is handled automatically using the `FRIENDLI_TOKEN` environment variable.
4
4
 
5
5
  Learn more in the [Friendli documentation](https://friendli.ai/docs/guides/serverless_endpoints/introduction).
6
6
 
@@ -34,6 +34,8 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | --------------------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
+ | `friendli/deepseek-ai/DeepSeek-V3.2` | 164K | | | | | | $0.50 | $2 |
38
+ | `friendli/google/gemma-4-31B-it` | 262K | | | | | | $0.14 | $0.40 |
37
39
  | `friendli/meta-llama/Llama-3.1-8B-Instruct` | 131K | | | | | | $0.10 | $0.10 |
38
40
  | `friendli/meta-llama/Llama-3.3-70B-Instruct` | 131K | | | | | | $0.60 | $0.60 |
39
41
  | `friendli/MiniMaxAI/MiniMax-M2.5` | 197K | | | | | | $0.30 | $1 |
@@ -1,6 +1,6 @@
1
1
  # ![LLM Gateway logo](https://models.dev/logos/llmgateway.svg)LLM Gateway
2
2
 
3
- Access 182 LLM Gateway models through Mastra's model router. Authentication is handled automatically using the `LLMGATEWAY_API_KEY` environment variable.
3
+ Access 181 LLM Gateway models through Mastra's model router. Authentication is handled automatically using the `LLMGATEWAY_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [LLM Gateway documentation](https://llmgateway.io/docs).
6
6
 
@@ -159,7 +159,6 @@ for await (const chunk of stream) {
159
159
  | `llmgateway/ministral-8b-2512` | 262K | | | | | | $0.15 | $0.15 |
160
160
  | `llmgateway/mistral-large-2512` | 262K | | | | | | $0.50 | $2 |
161
161
  | `llmgateway/mistral-large-latest` | 128K | | | | | | $4 | $12 |
162
- | `llmgateway/mistral-ocr-latest` | — | | | | | | — | — |
163
162
  | `llmgateway/mistral-small-2506` | 128K | | | | | | $0.10 | $0.30 |
164
163
  | `llmgateway/nemotron-3-ultra-550b` | 262K | | | | | | $0.50 | $3 |
165
164
  | `llmgateway/o1` | 200K | | | | | | $15 | $60 |
@@ -1,6 +1,6 @@
1
1
  # ![Nebius Token Factory logo](https://models.dev/logos/nebius.svg)Nebius Token Factory
2
2
 
3
- Access 18 Nebius Token Factory models through Mastra's model router. Authentication is handled automatically using the `NEBIUS_API_KEY` environment variable.
3
+ Access 19 Nebius Token Factory models through Mastra's model router. Authentication is handled automatically using the `NEBIUS_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Nebius Token Factory documentation](https://docs.tokenfactory.nebius.com/).
6
6
 
@@ -52,6 +52,7 @@ for await (const chunk of stream) {
52
52
  | `nebius/Qwen/Qwen3-Embedding-8B` | 33K | | | | | | $0.01 | — |
53
53
  | `nebius/Qwen/Qwen3-Next-80B-A3B-Thinking` | 128K | | | | | | $0.15 | $1 |
54
54
  | `nebius/Qwen/Qwen3.5-397B-A17B` | 262K | | | | | | $0.60 | $4 |
55
+ | `nebius/zai-org/GLM-5.2` | 432K | | | | | | $1 | $4 |
55
56
 
56
57
  ## Advanced configuration
57
58
 
@@ -81,7 +82,7 @@ const agent = new Agent({
81
82
  model: ({ requestContext }) => {
82
83
  const useAdvanced = requestContext.task === "complex";
83
84
  return useAdvanced
84
- ? "nebius/openai/gpt-oss-120b"
85
+ ? "nebius/zai-org/GLM-5.2"
85
86
  : "nebius/MiniMaxAI/MiniMax-M2.5";
86
87
  }
87
88
  });
@@ -43,7 +43,7 @@ for await (const chunk of stream) {
43
43
  | `opencode-go/mimo-v2.5` | 1.0M | | | | | | $0.14 | $0.28 |
44
44
  | `opencode-go/mimo-v2.5-pro` | 1.0M | | | | | | $2 | $3 |
45
45
  | `opencode-go/minimax-m2.7` | 205K | | | | | | $0.30 | $1 |
46
- | `opencode-go/minimax-m3` | 512K | | | | | | $0.10 | $0.40 |
46
+ | `opencode-go/minimax-m3` | 1.0M | | | | | | $0.10 | $0.40 |
47
47
  | `opencode-go/qwen3.6-plus` | 1.0M | | | | | | $0.50 | $3 |
48
48
  | `opencode-go/qwen3.7-max` | 1.0M | | | | | | $3 | $8 |
49
49
  | `opencode-go/qwen3.7-plus` | 1.0M | | | | | | $0.40 | $2 |
@@ -1,6 +1,6 @@
1
1
  # ![OVHcloud AI Endpoints logo](https://models.dev/logos/ovhcloud.svg)OVHcloud AI Endpoints
2
2
 
3
- Access 15 OVHcloud AI Endpoints models through Mastra's model router. Authentication is handled automatically using the `OVHCLOUD_API_KEY` environment variable.
3
+ Access 14 OVHcloud AI Endpoints models through Mastra's model router. Authentication is handled automatically using the `OVHCLOUD_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [OVHcloud AI Endpoints documentation](https://www.ovhcloud.com/en/public-cloud/ai-endpoints/catalog//).
6
6
 
@@ -36,7 +36,6 @@ for await (const chunk of stream) {
36
36
  | ---------------------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
37
  | `ovhcloud/gpt-oss-120b` | 131K | | | | | | $0.09 | $0.47 |
38
38
  | `ovhcloud/gpt-oss-20b` | 131K | | | | | | $0.05 | $0.18 |
39
- | `ovhcloud/llama-3.1-8b-instruct` | 131K | | | | | | $0.11 | $0.11 |
40
39
  | `ovhcloud/meta-llama-3_3-70b-instruct` | 131K | | | | | | $0.74 | $0.74 |
41
40
  | `ovhcloud/mistral-7b-instruct-v0.3` | 66K | | | | | | $0.11 | $0.11 |
42
41
  | `ovhcloud/mistral-nemo-instruct-2407` | 66K | | | | | | $0.14 | $0.14 |
@@ -1,6 +1,6 @@
1
1
  # ![Scaleway logo](https://models.dev/logos/scaleway.svg)Scaleway
2
2
 
3
- Access 15 Scaleway models through Mastra's model router. Authentication is handled automatically using the `SCALEWAY_API_KEY` environment variable.
3
+ Access 16 Scaleway models through Mastra's model router. Authentication is handled automatically using the `SCALEWAY_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Scaleway documentation](https://www.scaleway.com/en/docs/generative-apis/).
6
6
 
@@ -37,6 +37,7 @@ for await (const chunk of stream) {
37
37
  | `scaleway/bge-multilingual-gemma2` | 8K | | | | | | $0.10 | — |
38
38
  | `scaleway/gemma-3-27b-it` | 40K | | | | | | $0.25 | $0.50 |
39
39
  | `scaleway/gemma-4-26b-a4b-it` | 256K | | | | | | $0.25 | $0.50 |
40
+ | `scaleway/glm-5.2` | 256K | | | | | | $2 | $6 |
40
41
  | `scaleway/gpt-oss-120b` | 128K | | | | | | $0.15 | $0.60 |
41
42
  | `scaleway/llama-3.3-70b-instruct` | 100K | | | | | | $0.90 | $0.90 |
42
43
  | `scaleway/mistral-medium-3.5-128b` | 256K | | | | | | $2 | $8 |
@@ -1,6 +1,6 @@
1
1
  # ![Together AI logo](https://models.dev/logos/togetherai.svg)Together AI
2
2
 
3
- Access 24 Together AI models through Mastra's model router. Authentication is handled automatically using the `TOGETHER_API_KEY` environment variable.
3
+ Access 25 Together AI models through Mastra's model router. Authentication is handled automatically using the `TOGETHER_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Together AI documentation](https://docs.together.ai/docs/serverless-models).
6
6
 
@@ -56,6 +56,7 @@ for await (const chunk of stream) {
56
56
  | `togetherai/Qwen/Qwen3.7-Max` | 1.0M | | | | | | $1 | $4 |
57
57
  | `togetherai/zai-org/GLM-5` | 203K | | | | | | $1 | $3 |
58
58
  | `togetherai/zai-org/GLM-5.1` | 203K | | | | | | $1 | $4 |
59
+ | `togetherai/zai-org/GLM-5.2` | 262K | | | | | | $1 | $4 |
59
60
 
60
61
  ## Advanced configuration
61
62
 
@@ -84,7 +85,7 @@ const agent = new Agent({
84
85
  model: ({ requestContext }) => {
85
86
  const useAdvanced = requestContext.task === "complex";
86
87
  return useAdvanced
87
- ? "togetherai/zai-org/GLM-5.1"
88
+ ? "togetherai/zai-org/GLM-5.2"
88
89
  : "togetherai/LiquidAI/LFM2-24B-A2B";
89
90
  }
90
91
  });
@@ -1,6 +1,6 @@
1
1
  # ![Xiaomi Token Plan (Europe) logo](https://models.dev/logos/xiaomi-token-plan-ams.svg)Xiaomi Token Plan (Europe)
2
2
 
3
- Access 8 Xiaomi Token Plan (Europe) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
3
+ Access 6 Xiaomi Token Plan (Europe) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Xiaomi Token Plan (Europe) documentation](https://platform.xiaomimimo.com/#/docs).
6
6
 
@@ -15,7 +15,7 @@ const agent = new Agent({
15
15
  id: "my-agent",
16
16
  name: "My Agent",
17
17
  instructions: "You are a helpful assistant",
18
- model: "xiaomi-token-plan-ams/mimo-v2-omni"
18
+ model: "xiaomi-token-plan-ams/mimo-v2-tts"
19
19
  });
20
20
 
21
21
  // Generate a response
@@ -34,8 +34,6 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | ------------------------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
- | `xiaomi-token-plan-ams/mimo-v2-omni` | 262K | | | | | | — | — |
38
- | `xiaomi-token-plan-ams/mimo-v2-pro` | 1.0M | | | | | | — | — |
39
37
  | `xiaomi-token-plan-ams/mimo-v2-tts` | 8K | | | | | | — | — |
40
38
  | `xiaomi-token-plan-ams/mimo-v2.5` | 1.0M | | | | | | — | — |
41
39
  | `xiaomi-token-plan-ams/mimo-v2.5-pro` | 1.0M | | | | | | — | — |
@@ -53,7 +51,7 @@ const agent = new Agent({
53
51
  name: "custom-agent",
54
52
  model: {
55
53
  url: "https://token-plan-ams.xiaomimimo.com/v1",
56
- id: "xiaomi-token-plan-ams/mimo-v2-omni",
54
+ id: "xiaomi-token-plan-ams/mimo-v2-tts",
57
55
  apiKey: process.env.XIAOMI_API_KEY,
58
56
  headers: {
59
57
  "X-Custom-Header": "value"
@@ -72,7 +70,7 @@ const agent = new Agent({
72
70
  const useAdvanced = requestContext.task === "complex";
73
71
  return useAdvanced
74
72
  ? "xiaomi-token-plan-ams/mimo-v2.5-tts-voicedesign"
75
- : "xiaomi-token-plan-ams/mimo-v2-omni";
73
+ : "xiaomi-token-plan-ams/mimo-v2-tts";
76
74
  }
77
75
  });
78
76
  ```
@@ -1,6 +1,6 @@
1
1
  # ![Xiaomi Token Plan (China) logo](https://models.dev/logos/xiaomi-token-plan-cn.svg)Xiaomi Token Plan (China)
2
2
 
3
- Access 8 Xiaomi Token Plan (China) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
3
+ Access 6 Xiaomi Token Plan (China) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Xiaomi Token Plan (China) documentation](https://platform.xiaomimimo.com/#/docs).
6
6
 
@@ -15,7 +15,7 @@ const agent = new Agent({
15
15
  id: "my-agent",
16
16
  name: "My Agent",
17
17
  instructions: "You are a helpful assistant",
18
- model: "xiaomi-token-plan-cn/mimo-v2-omni"
18
+ model: "xiaomi-token-plan-cn/mimo-v2-tts"
19
19
  });
20
20
 
21
21
  // Generate a response
@@ -34,8 +34,6 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | ------------------------------------------------ | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
- | `xiaomi-token-plan-cn/mimo-v2-omni` | 262K | | | | | | — | — |
38
- | `xiaomi-token-plan-cn/mimo-v2-pro` | 1.0M | | | | | | — | — |
39
37
  | `xiaomi-token-plan-cn/mimo-v2-tts` | 8K | | | | | | — | — |
40
38
  | `xiaomi-token-plan-cn/mimo-v2.5` | 1.0M | | | | | | — | — |
41
39
  | `xiaomi-token-plan-cn/mimo-v2.5-pro` | 1.0M | | | | | | — | — |
@@ -53,7 +51,7 @@ const agent = new Agent({
53
51
  name: "custom-agent",
54
52
  model: {
55
53
  url: "https://token-plan-cn.xiaomimimo.com/v1",
56
- id: "xiaomi-token-plan-cn/mimo-v2-omni",
54
+ id: "xiaomi-token-plan-cn/mimo-v2-tts",
57
55
  apiKey: process.env.XIAOMI_API_KEY,
58
56
  headers: {
59
57
  "X-Custom-Header": "value"
@@ -72,7 +70,7 @@ const agent = new Agent({
72
70
  const useAdvanced = requestContext.task === "complex";
73
71
  return useAdvanced
74
72
  ? "xiaomi-token-plan-cn/mimo-v2.5-tts-voicedesign"
75
- : "xiaomi-token-plan-cn/mimo-v2-omni";
73
+ : "xiaomi-token-plan-cn/mimo-v2-tts";
76
74
  }
77
75
  });
78
76
  ```
@@ -1,6 +1,6 @@
1
1
  # ![Xiaomi Token Plan (Singapore) logo](https://models.dev/logos/xiaomi-token-plan-sgp.svg)Xiaomi Token Plan (Singapore)
2
2
 
3
- Access 8 Xiaomi Token Plan (Singapore) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
3
+ Access 6 Xiaomi Token Plan (Singapore) models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Xiaomi Token Plan (Singapore) documentation](https://platform.xiaomimimo.com/#/docs).
6
6
 
@@ -15,7 +15,7 @@ const agent = new Agent({
15
15
  id: "my-agent",
16
16
  name: "My Agent",
17
17
  instructions: "You are a helpful assistant",
18
- model: "xiaomi-token-plan-sgp/mimo-v2-omni"
18
+ model: "xiaomi-token-plan-sgp/mimo-v2-tts"
19
19
  });
20
20
 
21
21
  // Generate a response
@@ -34,8 +34,6 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | ------------------------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
- | `xiaomi-token-plan-sgp/mimo-v2-omni` | 262K | | | | | | — | — |
38
- | `xiaomi-token-plan-sgp/mimo-v2-pro` | 1.0M | | | | | | — | — |
39
37
  | `xiaomi-token-plan-sgp/mimo-v2-tts` | 8K | | | | | | — | — |
40
38
  | `xiaomi-token-plan-sgp/mimo-v2.5` | 1.0M | | | | | | — | — |
41
39
  | `xiaomi-token-plan-sgp/mimo-v2.5-pro` | 1.0M | | | | | | — | — |
@@ -53,7 +51,7 @@ const agent = new Agent({
53
51
  name: "custom-agent",
54
52
  model: {
55
53
  url: "https://token-plan-sgp.xiaomimimo.com/v1",
56
- id: "xiaomi-token-plan-sgp/mimo-v2-omni",
54
+ id: "xiaomi-token-plan-sgp/mimo-v2-tts",
57
55
  apiKey: process.env.XIAOMI_API_KEY,
58
56
  headers: {
59
57
  "X-Custom-Header": "value"
@@ -72,7 +70,7 @@ const agent = new Agent({
72
70
  const useAdvanced = requestContext.task === "complex";
73
71
  return useAdvanced
74
72
  ? "xiaomi-token-plan-sgp/mimo-v2.5-tts-voicedesign"
75
- : "xiaomi-token-plan-sgp/mimo-v2-omni";
73
+ : "xiaomi-token-plan-sgp/mimo-v2-tts";
76
74
  }
77
75
  });
78
76
  ```
@@ -1,6 +1,6 @@
1
1
  # ![Xiaomi logo](https://models.dev/logos/xiaomi.svg)Xiaomi
2
2
 
3
- Access 6 Xiaomi models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
3
+ Access 3 Xiaomi models through Mastra's model router. Authentication is handled automatically using the `XIAOMI_API_KEY` environment variable.
4
4
 
5
5
  Learn more in the [Xiaomi documentation](https://platform.xiaomimimo.com/#/docs).
6
6
 
@@ -15,7 +15,7 @@ const agent = new Agent({
15
15
  id: "my-agent",
16
16
  name: "My Agent",
17
17
  instructions: "You are a helpful assistant",
18
- model: "xiaomi/mimo-v2-flash"
18
+ model: "xiaomi/mimo-v2.5"
19
19
  });
20
20
 
21
21
  // Generate a response
@@ -34,9 +34,6 @@ for await (const chunk of stream) {
34
34
 
35
35
  | Model | Context | Tools | Reasoning | Image | Audio | Video | Input $/1M | Output $/1M |
36
36
  | --------------------------------- | ------- | ----- | --------- | ----- | ----- | ----- | ---------- | ----------- |
37
- | `xiaomi/mimo-v2-flash` | 262K | | | | | | $0.10 | $0.30 |
38
- | `xiaomi/mimo-v2-omni` | 262K | | | | | | $0.40 | $2 |
39
- | `xiaomi/mimo-v2-pro` | 1.0M | | | | | | $1 | $3 |
40
37
  | `xiaomi/mimo-v2.5` | 1.0M | | | | | | $0.40 | $2 |
41
38
  | `xiaomi/mimo-v2.5-pro` | 1.0M | | | | | | $1 | $3 |
42
39
  | `xiaomi/mimo-v2.5-pro-ultraspeed` | 1.0M | | | | | | $1 | $3 |
@@ -51,7 +48,7 @@ const agent = new Agent({
51
48
  name: "custom-agent",
52
49
  model: {
53
50
  url: "https://api.xiaomimimo.com/v1",
54
- id: "xiaomi/mimo-v2-flash",
51
+ id: "xiaomi/mimo-v2.5",
55
52
  apiKey: process.env.XIAOMI_API_KEY,
56
53
  headers: {
57
54
  "X-Custom-Header": "value"
@@ -70,7 +67,7 @@ const agent = new Agent({
70
67
  const useAdvanced = requestContext.task === "complex";
71
68
  return useAdvanced
72
69
  ? "xiaomi/mimo-v2.5-pro-ultraspeed"
73
- : "xiaomi/mimo-v2-flash";
70
+ : "xiaomi/mimo-v2.5";
74
71
  }
75
72
  });
76
73
  ```
@@ -203,9 +203,13 @@ interface PrepareResult {
203
203
 
204
204
  **activeTools** (`string[]`): Restricts execution to the named subset of the agent's tools.
205
205
 
206
- **modelSettings** (`object`): Model-specific settings such as temperature.
206
+ **modelSettings** (`object`): Model-specific settings such as temperature. Credential-bearing headers (\`Authorization\`, \`X-Api-Key\`, and similar) are stripped from the serialized snapshot before it crosses process boundaries.
207
207
 
208
- **requireToolApproval** (`boolean`): Require approval for all tool calls, which suspends the run until resumed.
208
+ **stopWhen** (`AgentExecutionOptions['stopWhen']`): Predicate or composition that ends the agentic loop early. The closure rides on the in-process run registry; cross-process resumes degrade to \`maxSteps\` only.
209
+
210
+ **system** (`string | string[]`): Additional system message appended after the agent instructions and before user messages.
211
+
212
+ **requireToolApproval** (`boolean | ((args: { toolName: string; args: unknown; requestContext: RequestContext; workspace?: string }) => boolean | Promise<boolean>)`): Require approval for tool calls. Pass \`true\` or \`false\` to gate all or none, or a function for per-call policy. Function-form policies live on the in-process run registry; cross-process resumes fall back to a \`true\` shadow.
209
213
 
210
214
  **autoResumeSuspendedTools** (`boolean`): Automatically resume tools that suspended, instead of waiting for an external \`resume()\` call.
211
215
 
@@ -217,10 +221,26 @@ interface PrepareResult {
217
221
 
218
222
  **structuredOutput** (`object`): Structured output configuration.
219
223
 
220
- **untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method.
224
+ **untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method. Also supported on \`resume()\`.
225
+
226
+ **disableBackgroundTasks** (`boolean`): Disable background-task dispatch for this run. Background-eligible tools execute inline instead.
227
+
228
+ **tracingOptions** (`AgentExecutionOptions['tracingOptions']`): Tracing metadata, tags, trace ID, parent span ID, and \`requestContextKeys\` forwarded to the agent and model spans. Fully JSON-serializable.
229
+
230
+ **actor** (`AgentExecutionOptions['actor']`): Per-call actor signal forwarded to FGA checks and tool execution.
231
+
232
+ **transform** (`AgentExecutionOptions['transform']`): Per-invocation tool payload transform policy. The \`transformToolPayload\` closure lives on the in-process run registry; only the JSON-safe \`targets\` shadow is serialized.
233
+
234
+ **prepareStep** (`AgentExecutionOptions['prepareStep']`): Per-step preparation hook invoked as a \`PrepareStepProcessor\` at the start of every iteration. Closure-only — stored on the in-process run registry. Cross-process resumes lose the hook.
235
+
236
+ **isTaskComplete** (`AgentExecutionOptions['isTaskComplete']`): Per-call completion policy. Scorer instances and \`onComplete\` live on the in-process run registry; the JSON-safe primitives (\`strategy\`, \`timeout\`, \`parallel\`, \`suppressFeedback\`, \`scorerNames\`) are serialized for cross-process observability.
237
+
238
+ **delegation** (`AgentExecutionOptions['delegation']`): Sub-agent delegation hooks (\`onDelegationStart\`, \`onDelegationComplete\`, \`messageFilter\`). Callbacks are baked into the sub-agent tool wrappers at prepare time. Cross-process resumes lose the callbacks.
221
239
 
222
240
  **versions** (`object`): Version overrides for sub-agent delegation.
223
241
 
242
+ **abortSignal** (`AbortSignal`): External abort signal. Forwarded to the durable run's internal \`AbortController\`, so either source can cancel the run. Cross-process resumes cannot recover the signal — pass a fresh one to \`resume()\` if you need post-resume abortability.
243
+
224
244
  **onChunk** (`(chunk: ChunkType) => void | Promise<void>`): Called for each streamed chunk.
225
245
 
226
246
  **onStepFinish** (`(result: AgentStepFinishEventData) => void | Promise<void>`): Called when a step in the agentic loop finishes.
@@ -231,6 +251,10 @@ interface PrepareResult {
231
251
 
232
252
  **onSuspended** (`(data: AgentSuspendedEventData) => void | Promise<void>`): Called when the run suspends, for example for tool approval.
233
253
 
254
+ **onAbort** (`AgentExecutionOptions['onAbort']`): Called when the run is aborted via \`abortSignal\` or \`result.abort()\`.
255
+
256
+ **onIterationComplete** (`AgentExecutionOptions['onIterationComplete']`): Called after every agentic-loop iteration with the latest \`messageList\`, \`finishReason\`, and \`isFinal\` flag. Observation-only on durable agents: returning \`continue: false\` or feedback does not influence the loop.
257
+
234
258
  `resume()` and `observe()` accept the same lifecycle callbacks (`onChunk`, `onStepFinish`, `onFinish`, `onError`, `onSuspended`). `observe()` also accepts an `offset` to control where replay starts.
235
259
 
236
260
  ## DurableAgentStreamResult
@@ -245,6 +269,7 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
245
269
  threadId?: string
246
270
  resourceId?: string
247
271
  cleanup: () => void
272
+ abort: () => void
248
273
  }
249
274
  ```
250
275
 
@@ -260,6 +285,8 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
260
285
 
261
286
  **cleanup** (`() => void`): Unsubscribes from PubSub and clears registry entries for the run. Call it when done with the run.
262
287
 
288
+ **abort** (`() => void`): Aborts the run by flipping the internal \`AbortController\`. Surfaces as an \`AbortError\` inside the durable LLM-execution step and fires the \`onAbort\` callback. Safe to call after the run has finished — a no-op in that case.
289
+
263
290
  ## Related
264
291
 
265
292
  - [`createInngestAgent()`](https://mastra.ai/reference/agents/inngest-agent)
@@ -0,0 +1,355 @@
1
+ # MastraAuthGoogle & MastraRBACGoogle class
2
+
3
+ ## MastraAuthGoogle class
4
+
5
+ The `MastraAuthGoogle` class provides authentication for Mastra using Google Workspace. It implements an OAuth 2.0 / OIDC login flow with encrypted session cookies, verifies Google ID tokens, and integrates with the Mastra server using the `auth` option.
6
+
7
+ ### Usage example
8
+
9
+ ```typescript
10
+ import { Mastra } from '@mastra/core'
11
+ import { MastraAuthGoogle } from '@mastra/auth-google'
12
+
13
+ export const mastra = new Mastra({
14
+ server: {
15
+ auth: new MastraAuthGoogle({
16
+ clientId: process.env.GOOGLE_CLIENT_ID,
17
+ clientSecret: process.env.GOOGLE_CLIENT_SECRET,
18
+ redirectUri: process.env.GOOGLE_REDIRECT_URI,
19
+ allowedDomains: ['example.com'],
20
+ }),
21
+ },
22
+ })
23
+ ```
24
+
25
+ > **Note:** You can omit the constructor parameters if you have the appropriately named environment variables set. In that case, use `new MastraAuthGoogle()` without any arguments.
26
+
27
+ ### Constructor parameters
28
+
29
+ **clientId** (`string`): Google OAuth client ID. (Default: `process.env.GOOGLE_CLIENT_ID`)
30
+
31
+ **clientSecret** (`string`): Google OAuth client secret. Required for Studio SSO. (Default: `process.env.GOOGLE_CLIENT_SECRET`)
32
+
33
+ **redirectUri** (`string`): OAuth redirect URI for the SSO callback. Must match the redirect URI configured in your Google Cloud OAuth client. (Default: `process.env.GOOGLE_REDIRECT_URI`)
34
+
35
+ **scopes** (`string[]`): OAuth scopes requested during the login flow. (Default: `['openid', 'profile', 'email']`)
36
+
37
+ **allowedDomains** (`string | string[]`): Allowed Google Workspace hosted domains. Mastra validates these against the verified \`hd\` claim. (Default: `process.env.GOOGLE_ALLOWED_DOMAINS`)
38
+
39
+ **hostedDomain** (`string`): Hosted-domain login hint passed to Google as \`hd\`. This is a hint only and is not used for authorization. (Default: `process.env.GOOGLE_HOSTED_DOMAIN or the single allowed domain`)
40
+
41
+ **session** (`GoogleSessionOptions`): Session cookie configuration.
42
+
43
+ **session.cookieName** (`string`): Name of the session cookie.
44
+
45
+ **session.cookieMaxAge** (`number`): Cookie max age in seconds.
46
+
47
+ **session.cookiePassword** (`string`): Password for encrypting session cookies. Must be at least 32 characters. If not set, an auto-generated value is used in development that does not survive restarts.
48
+
49
+ **session.secureCookies** (`boolean`): Set the \`Secure\` flag on session cookies.
50
+
51
+ **name** (`string`): Custom name for the auth provider instance. (Default: `'google'`)
52
+
53
+ ### Environment variables
54
+
55
+ The following environment variables are automatically used when constructor options aren't provided:
56
+
57
+ **GOOGLE\_CLIENT\_ID** (`string`): Google OAuth client ID from your Google Cloud OAuth client.
58
+
59
+ **GOOGLE\_CLIENT\_SECRET** (`string`): Google OAuth client secret. Required for the SSO authorization code flow.
60
+
61
+ **GOOGLE\_REDIRECT\_URI** (`string`): OAuth redirect URI for the SSO callback.
62
+
63
+ **GOOGLE\_COOKIE\_PASSWORD** (`string`): Password for encrypting session cookies. Must be at least 32 characters.
64
+
65
+ **GOOGLE\_ALLOWED\_DOMAINS** (`string`): Comma-separated Google Workspace hosted domains to allow.
66
+
67
+ **GOOGLE\_HOSTED\_DOMAIN** (`string`): Hosted-domain login hint passed to Google during SSO login.
68
+
69
+ ### Authentication flow
70
+
71
+ `MastraAuthGoogle` authenticates requests in the following order:
72
+
73
+ 1. **Session cookie**: When SSO is enabled, reads the encrypted session cookie and decrypts it. If the session is valid and not expired, the user is authenticated.
74
+ 2. **Google ID token fallback**: If no valid session cookie is present, verifies the `Authorization` header token against Google's JWKS endpoint.
75
+
76
+ After authentication, `authorizeUser` checks that the user has a valid Google user ID, the token-derived expiration has not passed, and the user's verified `hd` claim matches `allowedDomains` when domains are configured.
77
+
78
+ ### Authentication methods
79
+
80
+ #### `authenticateToken(token, request?)`
81
+
82
+ Authenticates a Google ID token. When SSO is enabled, this method checks the encrypted session cookie before it verifies the Bearer token.
83
+
84
+ ```typescript
85
+ const user = await auth.authenticateToken(idToken, request)
86
+ ```
87
+
88
+ Returns: `Promise<GoogleUser | null>`
89
+
90
+ #### `getCurrentUser(request)`
91
+
92
+ Returns the authenticated user from a session cookie or Bearer Google ID token.
93
+
94
+ ```typescript
95
+ const user = await auth.getCurrentUser(request)
96
+ ```
97
+
98
+ Returns: `Promise<GoogleUser | null>`
99
+
100
+ #### `authorizeUser(user)`
101
+
102
+ Returns `true` when the user has an ID, has not expired, and matches `allowedDomains` when domains are configured.
103
+
104
+ ```typescript
105
+ const allowed = auth.authorizeUser(user)
106
+ ```
107
+
108
+ Returns: `boolean`
109
+
110
+ #### `getUser(userId)`
111
+
112
+ Returns `null`. Google ID tokens are verified directly, so this provider does not perform user lookup by ID.
113
+
114
+ ```typescript
115
+ const user = await auth.getUser(userId)
116
+ ```
117
+
118
+ Returns: `Promise<GoogleUser | null>`
119
+
120
+ ### `GoogleUser` type
121
+
122
+ The `GoogleUser` type extends the base `EEUser` interface with Google-specific fields:
123
+
124
+ **id** (`string`): Mastra user ID. Uses the Google \`sub\` claim.
125
+
126
+ **googleId** (`string`): Google Account subject identifier.
127
+
128
+ **email** (`string`): User email address.
129
+
130
+ **name** (`string`): User display name from Google profile claims.
131
+
132
+ **avatarUrl** (`string`): URL to the user's Google profile picture.
133
+
134
+ **hostedDomain** (`string`): Google Workspace hosted domain from the verified \`hd\` claim.
135
+
136
+ **expiresAt** (`Date`): Verified ID token expiration time, when available.
137
+
138
+ **emailVerified** (`boolean`): Whether Google reports the email address as verified.
139
+
140
+ **groups** (`string[]`): Optional pre-resolved Google Workspace group role IDs.
141
+
142
+ ## MastraRBACGoogle class
143
+
144
+ The `MastraRBACGoogle` class maps Google Workspace groups to Mastra permissions. It fetches user groups from the Google Admin SDK Directory API and resolves them against a configurable role mapping. Use it with `MastraAuthGoogle` or any other auth provider.
145
+
146
+ > **Note:** RBAC requires a valid Enterprise Edition license. It works without a license in development so you can try it locally, but you'll need a license for production. [Contact sales](https://mastra.ai/contact) for more information.
147
+
148
+ ### Usage example
149
+
150
+ Use `MastraRBACGoogle` alongside an auth provider by passing it to the `rbac` option:
151
+
152
+ ```typescript
153
+ import { Mastra } from '@mastra/core'
154
+ import { MastraAuthGoogle, MastraRBACGoogle } from '@mastra/auth-google'
155
+
156
+ export const mastra = new Mastra({
157
+ server: {
158
+ auth: new MastraAuthGoogle(),
159
+ rbac: new MastraRBACGoogle({
160
+ serviceAccount: {
161
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
162
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
163
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
164
+ },
165
+ roleMapping: {
166
+ 'admins@example.com': ['*'],
167
+ 'engineering@example.com': ['agents:*', 'workflows:*', 'tools:*'],
168
+ 'viewers@example.com': ['agents:read', 'workflows:read'],
169
+ _default: [],
170
+ },
171
+ }),
172
+ },
173
+ })
174
+ ```
175
+
176
+ To use Google Workspace RBAC with a different auth provider, pass a `getUserKey` function to resolve the Google Directory API user key from the other provider's user object:
177
+
178
+ ```typescript
179
+ import { Mastra } from '@mastra/core'
180
+ import { MastraAuthAuth0 } from '@mastra/auth-auth0'
181
+ import { MastraRBACGoogle } from '@mastra/auth-google'
182
+
183
+ export const mastra = new Mastra({
184
+ server: {
185
+ auth: new MastraAuthAuth0(),
186
+ rbac: new MastraRBACGoogle({
187
+ getUserKey: user => user.email,
188
+ serviceAccount: {
189
+ clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
190
+ privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
191
+ subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
192
+ },
193
+ roleMapping: {
194
+ 'engineering@example.com': ['agents:*', 'workflows:*'],
195
+ 'admins@example.com': ['*'],
196
+ _default: [],
197
+ },
198
+ }),
199
+ },
200
+ })
201
+ ```
202
+
203
+ ### Constructor parameters
204
+
205
+ **roleMapping** (`RoleMapping`): Maps Google Workspace group role IDs to arrays of Mastra permission strings. Use \`'\_default'\` to assign permissions to users who do not match any group. Supports wildcards like \`'\*'\` (full access) and \`'agents:\*'\` (all agent actions).
206
+
207
+ **accessToken** (`string`): Pre-obtained Workspace Directory API access token.
208
+
209
+ **getAccessToken** (`() => Promise<string> | string`): Callback that returns a Workspace Directory API access token.
210
+
211
+ **serviceAccount** (`GoogleWorkspaceServiceAccount`): Service account credentials for domain-wide delegated Directory API access.
212
+
213
+ **serviceAccount.clientEmail** (`string`): Google service account email.
214
+
215
+ **serviceAccount.privateKey** (`string`): PEM-encoded private key. Escaped \`\n\` values from .env files are supported.
216
+
217
+ **serviceAccount.privateKeyId** (`string`): Optional private key ID.
218
+
219
+ **serviceAccount.subject** (`string`): Workspace administrator user to impersonate with domain-wide delegation.
220
+
221
+ **serviceAccount.scopes** (`string[]`): OAuth scopes for the service account token.
222
+
223
+ **getUserKey** (`(user: unknown) => string | undefined`): Extract the Directory API \`userKey\` from an authenticated user. Defaults to \`user.email\`.
224
+
225
+ **mapGroupToRoles** (`(group: GoogleWorkspaceGroup) => string[]`): Map a Google Workspace group to role IDs. Defaults to \`\[group.email]\`.
226
+
227
+ **cache** (`PermissionCacheOptions`): Configure the LRU cache for group lookups.
228
+
229
+ **cache.maxSize** (`number`): Maximum number of users to cache.
230
+
231
+ **cache.ttlMs** (`number`): Time-to-live in milliseconds.
232
+
233
+ ### RBAC methods
234
+
235
+ #### `getRoles(user)`
236
+
237
+ Returns Google Workspace group role IDs for a user.
238
+
239
+ ```typescript
240
+ const roles = await rbac.getRoles(user)
241
+ ```
242
+
243
+ Returns: `Promise<string[]>`
244
+
245
+ #### `getPermissions(user)`
246
+
247
+ Returns Mastra permissions resolved from Google Workspace groups and `roleMapping`.
248
+
249
+ ```typescript
250
+ const permissions = await rbac.getPermissions(user)
251
+ ```
252
+
253
+ Returns: `Promise<string[]>`
254
+
255
+ #### `hasPermission(user, permission)`
256
+
257
+ Checks whether a user has a permission.
258
+
259
+ ```typescript
260
+ const canReadAgents = await rbac.hasPermission(user, 'agents:read')
261
+ ```
262
+
263
+ Returns: `Promise<boolean>`
264
+
265
+ #### `hasRole(user, role)`
266
+
267
+ Checks whether a user resolved to a specific Google Workspace group role.
268
+
269
+ ```typescript
270
+ const isAdmin = await rbac.hasRole(user, 'admins@example.com')
271
+ ```
272
+
273
+ Returns: `Promise<boolean>`
274
+
275
+ #### `hasAllPermissions(user, permissions)`
276
+
277
+ Checks whether a user has every requested permission.
278
+
279
+ ```typescript
280
+ const canManageAgents = await rbac.hasAllPermissions(user, ['agents:read', 'agents:update'])
281
+ ```
282
+
283
+ Returns: `Promise<boolean>`
284
+
285
+ #### `hasAnyPermission(user, permissions)`
286
+
287
+ Checks whether a user has at least one requested permission.
288
+
289
+ ```typescript
290
+ const canReadSomething = await rbac.hasAnyPermission(user, ['agents:read', 'workflows:read'])
291
+ ```
292
+
293
+ Returns: `Promise<boolean>`
294
+
295
+ #### `getAvailableRoles()`
296
+
297
+ Returns the role IDs configured in `roleMapping`, excluding `_default`.
298
+
299
+ ```typescript
300
+ const roles = await rbac.getAvailableRoles()
301
+ ```
302
+
303
+ Returns: `Promise<{ id: string; name: string }[]>`
304
+
305
+ #### `getPermissionsForRole(roleId)`
306
+
307
+ Returns the permissions configured for a role ID.
308
+
309
+ ```typescript
310
+ const permissions = await rbac.getPermissionsForRole('engineering@example.com')
311
+ ```
312
+
313
+ Returns: `Promise<string[]>`
314
+
315
+ #### `clearCache()`
316
+
317
+ Clears all cached Google Workspace group lookups.
318
+
319
+ ```typescript
320
+ rbac.clearCache()
321
+ ```
322
+
323
+ Returns: `void`
324
+
325
+ #### `clearUserCache(userKey)`
326
+
327
+ Clears the cached group lookup for one Directory API user key, such as an email address.
328
+
329
+ ```typescript
330
+ rbac.clearUserCache('user@example.com')
331
+ ```
332
+
333
+ Returns: `void`
334
+
335
+ #### `getCacheStats()`
336
+
337
+ Returns the current group lookup cache size and maximum size.
338
+
339
+ ```typescript
340
+ const stats = rbac.getCacheStats()
341
+ ```
342
+
343
+ Returns: `{ size: number; maxSize: number }`
344
+
345
+ ### Additional configuration
346
+
347
+ `MastraRBACGoogle` uses `GET https://admin.googleapis.com/admin/directory/v1/groups?userKey=...` and handles pagination. Provide a service account with domain-wide delegation for production Google Workspace deployments, or pass `accessToken` / `getAccessToken` if your application already manages Google API tokens.
348
+
349
+ If `user.groups` is already an array, `MastraRBACGoogle` uses that value and does not call the Directory API. An empty `groups` array means the user has no Google group roles and resolves to `_default` permissions when `_default` is configured.
350
+
351
+ `MastraRBACGoogle` does not automatically read service-account environment variables. Pass service-account credentials through the `serviceAccount` option, or pass `accessToken` / `getAccessToken`.
352
+
353
+ ## Related
354
+
355
+ [Google auth docs](https://mastra.ai/docs/server/auth/google)
@@ -45,6 +45,7 @@ The Reference section provides documentation of Mastra's API, including paramete
45
45
  - [Better Auth](https://mastra.ai/reference/auth/better-auth)
46
46
  - [Clerk](https://mastra.ai/reference/auth/clerk)
47
47
  - [Firebase](https://mastra.ai/reference/auth/firebase)
48
+ - [Google](https://mastra.ai/reference/auth/google)
48
49
  - [JSON Web Token](https://mastra.ai/reference/auth/jwt)
49
50
  - [Okta](https://mastra.ai/reference/auth/okta)
50
51
  - [Supabase](https://mastra.ai/reference/auth/supabase)
package/CHANGELOG.md CHANGED
@@ -1,5 +1,26 @@
1
1
  # @mastra/mcp-docs-server
2
2
 
3
+ ## 1.2.2
4
+
5
+ ### Patch Changes
6
+
7
+ - Updated dependencies [[`86623c1`](https://github.com/mastra-ai/mastra/commit/86623c1adf7d22de32cc916dda17f4155184db36), [`023766f`](https://github.com/mastra-ai/mastra/commit/023766f44d59b30a50f3a381e33eddde8ab56c00), [`0200e75`](https://github.com/mastra-ai/mastra/commit/0200e7552d02d4221cd6040bf4eddf189a97a156), [`7c9dd77`](https://github.com/mastra-ai/mastra/commit/7c9dd77bd18cb8dc72797e25f1a0fbdc71a11347), [`7f9ae70`](https://github.com/mastra-ai/mastra/commit/7f9ae70826b047e5a66218f9e92f20e54a2d791f), [`a0509c7`](https://github.com/mastra-ai/mastra/commit/a0509c731a08aa3ed626557c5338126362856f57), [`06e0d63`](https://github.com/mastra-ai/mastra/commit/06e0d63d42bc2a202e18bc091f3781f409f5e6fb), [`bf3fe49`](https://github.com/mastra-ai/mastra/commit/bf3fe49f9467dbbdb8f9eaf74e0f7971ffb19559), [`01caf93`](https://github.com/mastra-ai/mastra/commit/01caf93d71ae2c1e65f49735cafb531975187426), [`438a971`](https://github.com/mastra-ai/mastra/commit/438a9715c8b4398e5eaf8914a1f19dc8a85dc1de), [`9990965`](https://github.com/mastra-ai/mastra/commit/999096571635a83b42ef40841fd7028cfa630779), [`77518cc`](https://github.com/mastra-ai/mastra/commit/77518ccb5bb8cc684875081e64213dc85cffdbee), [`fbeda0c`](https://github.com/mastra-ai/mastra/commit/fbeda0c0f35def07e6837936dd3a003b2b7c5172), [`8a68844`](https://github.com/mastra-ai/mastra/commit/8a688443013816105a09f89c6afa34b5ff13e26d), [`bb2a13b`](https://github.com/mastra-ai/mastra/commit/bb2a13bb4b32e6bb807200fe7b18ae8fa4322118), [`24ceaea`](https://github.com/mastra-ai/mastra/commit/24ceaea0bdd8609cabbab764380608ca6621a194), [`a73cd1a`](https://github.com/mastra-ai/mastra/commit/a73cd1a62a5e4ca023dcc39ba150029f4f1f74c1), [`c0ffa3c`](https://github.com/mastra-ai/mastra/commit/c0ffa3c897ccd326de880df734740a7f0681a18f), [`462a769`](https://github.com/mastra-ai/mastra/commit/462a769da61850862ca1be3d74134d33078ee6a7), [`0504bf5`](https://github.com/mastra-ai/mastra/commit/0504bf5e8cffc571a4b343326178de371e6f859b), [`0b5cc47`](https://github.com/mastra-ai/mastra/commit/0b5cc4726dc18d9a685a27520db39ff1b36bb89a), [`87f38a3`](https://github.com/mastra-ai/mastra/commit/87f38a3de03e24731f2dd6f8ed6a60b6722b85a1), [`d5fa3cd`](https://github.com/mastra-ai/mastra/commit/d5fa3cda1788c3cb93a361a3c6ec47de6ba21e98), [`fe98ef2`](https://github.com/mastra-ai/mastra/commit/fe98ef2e66dbfcbd7d645c88c9ee1e67b458a136), [`6ccf67b`](https://github.com/mastra-ai/mastra/commit/6ccf67bf075753754927a57bc2e1734ba2c820c5), [`793ea0f`](https://github.com/mastra-ai/mastra/commit/793ea0f52f831178837f21c83af6af93bf4ce638), [`825d8de`](https://github.com/mastra-ai/mastra/commit/825d8def9fa64c2bcc3d8dd6b49e09342c3ac5c7), [`507a5c4`](https://github.com/mastra-ai/mastra/commit/507a5c461bdc3136ad80744c0efbb55ce1f18f97), [`5afe423`](https://github.com/mastra-ai/mastra/commit/5afe423e4badf040f1b0d4525183a856fcb8146e), [`307573b`](https://github.com/mastra-ai/mastra/commit/307573b9ff3149b70c79540dbc86f1319b180f29), [`79b3626`](https://github.com/mastra-ai/mastra/commit/79b3626f8d647307eb07c8da14c9073c2699719d), [`c2c1d7b`](https://github.com/mastra-ai/mastra/commit/c2c1d7bb61d2602955f14ed3952f807c2d6eb576), [`86623c1`](https://github.com/mastra-ai/mastra/commit/86623c1adf7d22de32cc916dda17f4155184db36), [`1505c07`](https://github.com/mastra-ai/mastra/commit/1505c07603f6346bae12aa82f140e8b88ffea9ab), [`f328049`](https://github.com/mastra-ai/mastra/commit/f3280498c324afd2a8d36cd828f5b9f94a2dddc1), [`e545228`](https://github.com/mastra-ai/mastra/commit/e54522856934a5dc030b7b6385771e3548020d59), [`3eb852e`](https://github.com/mastra-ai/mastra/commit/3eb852e5435bc908b800193498103dc724f455b0), [`ffa09e7`](https://github.com/mastra-ai/mastra/commit/ffa09e772a5c92270eabe2090fc42d45bd8ec4b7), [`8c9f1c0`](https://github.com/mastra-ai/mastra/commit/8c9f1c0361d89066f9bcd14a2f69e761b01766c8), [`461a7c5`](https://github.com/mastra-ai/mastra/commit/461a7c501449295287f4f0ee4b0b42344f39fcf8), [`4211472`](https://github.com/mastra-ai/mastra/commit/4211472a5a2bd319c60cd2e42d9109c3eef7ac1c), [`9e45902`](https://github.com/mastra-ai/mastra/commit/9e4590208e745055cecca202e2db0e5c65e17d3c), [`5c0df77`](https://github.com/mastra-ai/mastra/commit/5c0df776c40efa420f8c07a2f3ee66010296618e), [`e940f09`](https://github.com/mastra-ai/mastra/commit/e940f099ef5d18b403e6f2b4937e086a4da857b1)]:
8
+ - @mastra/core@1.47.0
9
+
10
+ ## 1.2.2-alpha.12
11
+
12
+ ### Patch Changes
13
+
14
+ - Updated dependencies [[`8a68844`](https://github.com/mastra-ai/mastra/commit/8a688443013816105a09f89c6afa34b5ff13e26d)]:
15
+ - @mastra/core@1.47.0-alpha.7
16
+
17
+ ## 1.2.2-alpha.10
18
+
19
+ ### Patch Changes
20
+
21
+ - Updated dependencies [[`0200e75`](https://github.com/mastra-ai/mastra/commit/0200e7552d02d4221cd6040bf4eddf189a97a156), [`06e0d63`](https://github.com/mastra-ai/mastra/commit/06e0d63d42bc2a202e18bc091f3781f409f5e6fb), [`438a971`](https://github.com/mastra-ai/mastra/commit/438a9715c8b4398e5eaf8914a1f19dc8a85dc1de), [`77518cc`](https://github.com/mastra-ai/mastra/commit/77518ccb5bb8cc684875081e64213dc85cffdbee), [`bb2a13b`](https://github.com/mastra-ai/mastra/commit/bb2a13bb4b32e6bb807200fe7b18ae8fa4322118), [`a73cd1a`](https://github.com/mastra-ai/mastra/commit/a73cd1a62a5e4ca023dcc39ba150029f4f1f74c1), [`0b5cc47`](https://github.com/mastra-ai/mastra/commit/0b5cc4726dc18d9a685a27520db39ff1b36bb89a), [`87f38a3`](https://github.com/mastra-ai/mastra/commit/87f38a3de03e24731f2dd6f8ed6a60b6722b85a1), [`d5fa3cd`](https://github.com/mastra-ai/mastra/commit/d5fa3cda1788c3cb93a361a3c6ec47de6ba21e98), [`fe98ef2`](https://github.com/mastra-ai/mastra/commit/fe98ef2e66dbfcbd7d645c88c9ee1e67b458a136), [`793ea0f`](https://github.com/mastra-ai/mastra/commit/793ea0f52f831178837f21c83af6af93bf4ce638), [`507a5c4`](https://github.com/mastra-ai/mastra/commit/507a5c461bdc3136ad80744c0efbb55ce1f18f97), [`79b3626`](https://github.com/mastra-ai/mastra/commit/79b3626f8d647307eb07c8da14c9073c2699719d)]:
22
+ - @mastra/core@1.47.0-alpha.6
23
+
3
24
  ## 1.2.2-alpha.8
4
25
 
5
26
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mastra/mcp-docs-server",
3
- "version": "1.2.2-alpha.9",
3
+ "version": "1.2.2",
4
4
  "description": "MCP server for accessing Mastra.ai documentation, changelogs, and news.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -28,8 +28,8 @@
28
28
  "jsdom": "^26.1.0",
29
29
  "local-pkg": "^1.1.2",
30
30
  "zod": "^4.4.3",
31
- "@mastra/core": "1.47.0-alpha.5",
32
- "@mastra/mcp": "^1.12.0"
31
+ "@mastra/mcp": "^1.12.0",
32
+ "@mastra/core": "1.47.0"
33
33
  },
34
34
  "devDependencies": {
35
35
  "@hono/node-server": "^1.19.11",
@@ -45,9 +45,9 @@
45
45
  "tsx": "^4.22.4",
46
46
  "typescript": "^6.0.3",
47
47
  "vitest": "4.1.8",
48
- "@internal/lint": "0.0.108",
49
- "@internal/types-builder": "0.0.83",
50
- "@mastra/core": "1.47.0-alpha.5"
48
+ "@internal/lint": "0.0.109",
49
+ "@internal/types-builder": "0.0.84",
50
+ "@mastra/core": "1.47.0"
51
51
  },
52
52
  "homepage": "https://mastra.ai",
53
53
  "repository": {