Auth Overview
Mastra lets you choose how you handle authentication, so you can secure access to your application's endpoints using the identity system that fits your stack.
You can start with simple shared secret JWT authentication and switch to providers like Supabase, Firebase Auth, Auth0, Clerk, or WorkOS when you need more advanced identity features.
Default behavior
Authentication is optional in Mastra. When you configure authentication:
- All built-in API routes (/api/agents/*, /api/workflows/*, etc.) require authentication by default
- Custom API routes also require authentication by default
- Public access can be enabled on custom routes using requiresAuth: false
If no authentication is configured, all routes are publicly accessible.
See Custom API Routes for controlling authentication on custom endpoints.
Available providers
Built-in
- Simple Auth - Token-to-user mapping for development and API keys
- JSON Web Token (JWT) - HMAC-signed JWT verification
Third-party integrations
Advanced
- Composite Auth - Combine multiple auth providers
- Custom Auth Provider - Build your own provider