Two Lines of Code to Lock Down Your Agents - Mastra Studio Auth

March 20, 2026

Mastra Studio started as a local playground for developers to test agents and workflows without having to spin up a custom UI. But as the feature set grew, teams started asking: how do we share this with non-technical teammates? How do we control what different users can do? Ryan, an engineer at Mastra, walks through the new Mastra Studio Auth — now baked directly into Studio. Starting with simple token-based auth (two lines of config), you can lock down your Studio from the open internet. From there, RBAC lets you map roles to granular permissions — 80 auto-generated permissions derived directly from Studio's routes and handlers, controllable via wildcard patterns. Out-of-the-box providers include WorkOS, Auth0, Supabase, Firebase, and Clerk, with GitHub and others in open PRs. The team also discusses what's coming next: audit logs so you can see exactly what an agent did, why it accessed a given tool, and whether it should have. Auth for agents in production isn't magic — your tool files still need to check permissions — but Mastra handles the plumbing so you can focus on building securely.
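The description above sketches the two mechanisms that matter to a defender: roles mapped to granular permissions through wildcard patterns, and tool code that still has to check those permissions itself. The following is an added illustration of that pattern and is not Mastra's own code or API; the role names, permission strings such as `agents:run`, the colon-separated naming scheme, and the `Decision` record are all constructed assumptions for the example. It generalizes slightly beyond the text by treating a trailing `*` as matching any remaining segments and by returning the matched role and pattern, which is the information an audit log entry for a tool call would want to carry.

```typescript
// Added example, not Mastra's code. Role and permission names are constructed.
type Decision = {
  allowed: boolean;
  permission: string;
  matchedRole?: string;
  matchedPattern?: string;
};

// Constructed role -> permission-pattern map. Permissions are colon-separated
// names; '*' matches one segment, and a trailing '*' matches the rest.
const rolePermissions: Record<string, string[]> = {
  admin: ["*"],
  operator: ["agents:*", "workflows:read"],
  viewer: ["agents:read", "workflows:read"],
};

// Does a wildcard pattern cover a concrete permission name?
function matchesPattern(pattern: string, permission: string): boolean {
  const p = pattern.split(":");
  const q = permission.split(":");
  for (let i = 0; i < p.length; i++) {
    if (i >= q.length) return false;                   // permission shorter than pattern
    if (p[i] === "*" && i === p.length - 1) return true; // trailing '*' matches the rest
    if (p[i] !== "*" && p[i] !== q[i]) return false;    // literal segment mismatch
  }
  return p.length === q.length;                        // no trailing wildcard: exact length
}

// Deny by default: unknown roles and unmatched permissions are refused, and a
// grant records which role and pattern produced it (the "why" an audit log needs).
function authorize(roles: string[], permission: string): Decision {
  for (const role of roles) {
    for (const pattern of rolePermissions[role] ?? []) {
      if (matchesPattern(pattern, permission)) {
        return { allowed: true, permission, matchedRole: role, matchedPattern: pattern };
      }
    }
  }
  return { allowed: false, permission };
}

// A tool that enforces its own permission before doing any work. The returned
// decision is what you would append to an audit log for this call.
function guardedTool(
  roles: string[],
  permission: string,
  run: () => string,
): { result?: string; decision: Decision } {
  const decision = authorize(roles, permission);
  if (!decision.allowed) return { decision };
  return { result: run(), decision };
}

// Stand-alone usage with constructed inputs.
console.log(guardedTool(["operator"], "agents:run", () => "agent started"));
console.log(guardedTool(["viewer"], "agents:run", () => "agent started"));
```

The check lives inside the tool rather than only at the HTTP layer, which is the point the episode makes about production agents: the framework can supply the role-to-permission plumbing, but each tool still has to refuse work it is not authorized to do, and logging the decision alongside the call is what later lets you answer whether the access should have happened.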

Guests in this episode

Ryan Hansen

Mastra

Episode Transcript

Transcript not available for this episode yet.