Auth overview
Mastra lets you choose how you handle authentication, so you can secure access to your API and Studio using the identity system that fits your stack.
You can start with basic shared secret JWT authentication and switch to providers like Supabase, Firebase Auth, Auth0, Clerk, or WorkOS when you need more advanced identity features.
What auth secures
Configuring authentication locks down two things at once:
- Studio UI: Studio displays a login screen (SSO, email/password, or both) and enforces role-based access control to determine what each team member can see and do.
- API routes: All built-in routes (/api/agents/*, /api/workflows/*, etc.) and custom routes require authentication, whether requests come from Studio or from direct API calls.
Authentication is optional. If no auth is configured, all routes and Studio are publicly accessible. Once auth is configured, public access can still be enabled on individual custom routes by setting requiresAuth: false on that route.
See Custom API Routes for controlling authentication on custom endpoints.
Authentication for Studio is currently supported by the following providers: Simple Auth, JWT, WorkOS, and Better Auth.
Available providers
Built-in
- Simple Auth: Token-to-user mapping for development and API keys
- JSON Web Token (JWT): HMAC-signed JWT verification
Third-party integrations
Advanced
- Composite Auth: Combine multiple auth providers
- Custom Auth Provider: Build your own provider