Announcing Studio Auth: Secure, Team-Friendly Access for Deployed Mastra Studios

Secure your deployed Mastra Studio with login screens, third-party identity providers, and role-based permissions.

Ryan Hansen · Mar 17, 2026 · 4 min read

Mastra Studio has evolved. It’s no longer just a local development tool. You can deploy it to your own infrastructure and share the URL with your team.

However, without authentication, anyone with the URL could access it, creating a security risk.

That’s why we built Studio Auth.

Studio Auth enables secure, team-friendly access to your deployed Mastra Studio. It builds on Mastra's existing auth solutions and gives your deployed Studio the same protection it gives your API endpoints.

Here's how it works.

How Studio Auth works

When you configure an auth provider on your main Mastra instance, it now locks down two things at once:

  • API access: All endpoints require authentication, so every request to your Mastra API must be properly authenticated.
  • Studio access: The Studio UI displays the appropriate login screen, which can be an SSO button, an email/password form, or both.

WorkOS example

Import and configure the MastraAuthWorkos provider in your main Mastra instance:

// src/mastra/index.ts

import { Mastra } from "@mastra/core";
import { MastraAuthWorkos } from "@mastra/auth-workos";

export const mastra = new Mastra({
  // ..
  server: {
    auth: new MastraAuthWorkos({
      apiKey: process.env.WORKOS_API_KEY!,
      clientId: process.env.WORKOS_CLIENT_ID!,
      redirectUri: process.env.WORKOS_REDIRECT_URI!
    })
  }
});

Studio automatically detects the configured provider and will show the correct login UI.

Authorized team members then have access to Studio where they can chat with agents, run workflows, view observability traces, and more.

Supported providers

Studio Auth currently supports the following providers:

Composite auth

You can also combine multiple providers with the CompositeAuth class.

// src/mastra/index.ts

import { Mastra } from "@mastra/core";
import { CompositeAuth, SimpleAuth } from "@mastra/core/server";
import { MastraAuthWorkos } from "@mastra/auth-workos";

// Provider options are omitted here; supply each provider's own configuration.
const simpleAuth = new SimpleAuth({});
const workOSAuth = new MastraAuthWorkos({});

export const mastra = new Mastra({
  // ..
  server: {
    auth: new CompositeAuth([simpleAuth, workOSAuth])
  }
});

Custom providers

If your team uses an auth provider that isn’t listed above, you can extend the MastraAuthProvider class to hook it up, and Studio will recognize it just like a supported provider.

See the custom auth providers docs for more details.

Role-based access control

Authentication decides who can view Studio. Role-Based Access Control (RBAC) decides what they can do once inside. With RBAC you can map roles to permissions and Studio will enable or disable features based on the role.

For example, an admin can chat with agents, run workflows, execute tools, and edit agents and settings, while a viewer can only browse agents and workflows without triggering actions or making changes.

RBAC is part of Mastra’s Enterprise Edition. It works without a license in development so you can try it locally, but you’ll need a license for production. Contact sales for more information.

// src/mastra/index.ts

import { Mastra } from "@mastra/core";
import { MastraAuthWorkos } from "@mastra/auth-workos";
import { StaticRBACProvider } from "@mastra/core/auth/ee";

export const mastra = new Mastra({
  server: {
    auth: new MastraAuthWorkos({
      // ...
    }),
    rbac: new StaticRBACProvider({
      roleMapping: {
        admin: ["*"],
        member: ["agents:read", "workflows:*", "tools:execute"],
        viewer: ["agents:read", "workflows:read"],
      }
    }),
  },
});
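
The role mapping above, exercised as an added example (not Mastra's code and not part of the original post): a deny-by-default resolver for the permission patterns, plus a review check that lists non-admin roles holding sensitive permissions. The wildcard semantics, the helper names, and the permission names `workflows:execute` and `agents:write` are assumptions.

```typescript
// Added example, not Mastra's implementation. Assumed semantics: "*" grants
// everything, "resource:*" grants every action on one resource, and anything
// that is not granted is denied.
type RoleMapping = Record<string, string[]>;

// Role mapping from the article's StaticRBACProvider example.
const roleMapping: RoleMapping = {
  admin: ["*"],
  member: ["agents:read", "workflows:*", "tools:execute"],
  viewer: ["agents:read", "workflows:read"],
};

// True when one grant pattern covers the requested "resource:action".
function grantCovers(grant: string, requested: string): boolean {
  const r = requested.split(":");
  if (r.length !== 2 || r.indexOf("") !== -1) return false; // malformed request: deny
  if (grant === "*") return true;
  const g = grant.split(":");
  if (g.length !== 2 || g.indexOf("") !== -1) return false; // malformed grant: deny
  return g[0] === r[0] && (g[1] === "*" || g[1] === r[1]);
}

// Deny by default. The own-property check keeps a role claim such as
// "constructor" from resolving to something on Object.prototype.
function isAllowed(mapping: RoleMapping, role: string, requested: string): boolean {
  if (!Object.prototype.hasOwnProperty.call(mapping, role)) return false;
  return (mapping[role] ?? []).some((grant) => grantCovers(grant, requested));
}

// Review helper: roles outside `exempt` that hold any sensitive permission,
// so an over-broad wildcard is noticed before the Studio URL is shared.
function rolesHolding(mapping: RoleMapping, sensitive: string[], exempt: string[]): string[] {
  return Object.keys(mapping)
    .filter((role) => exempt.indexOf(role) === -1)
    .filter((role) => sensitive.some((p) => isAllowed(mapping, role, p)))
    .sort();
}

// "workflows:execute" and "agents:write" are constructed permission names.
const SENSITIVE = ["tools:execute", "workflows:execute", "agents:write"];
console.log(rolesHolding(roleMapping, SENSITIVE, ["admin"])); // ["member"]
console.log(isAllowed(roleMapping, "viewer", "tools:execute")); // false
```

Under these assumed semantics, `workflows:*` gives `member` every workflow action, including any added later, which is the kind of grant the review helper is meant to surface.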

Use cases

Studio Auth lets you control access in practical ways:

  • Share Studio safely: Deploy a Studio URL across your organization without giving everyone admin-level access.
  • Scope access by role: Engineers can execute and configure agents, while PMs can view traces and workflow results.
  • Contractor access: Give external partners read-only access to observability data without exposing agent execution or tool configuration.

Wrapping up

Mastra Studio is now a production-ready platform. With native auth support, you don’t need to build your own solution to secure the UI or API endpoints. You can use third-party providers for full identity management or extend the base class to integrate a custom provider.

For setup and configuration, see the auth docs. For deployment options, see the deployment guide.

Ryan Hansen, Software Engineer

Ryan Hansen is a Software Engineer at Mastra, where he develops the infrastructure that powers AI agent development and operations. Earlier in his career, he built blockchain systems and large-scale data platforms to analyze massive streams of data from the crypto ecosystem.