# MastraAuthGoogle & MastraRBACGoogle class ## MastraAuthGoogle class The `MastraAuthGoogle` class provides authentication for Mastra using Google Workspace. It implements an OAuth 2.0 / OIDC login flow with encrypted session cookies, verifies Google ID tokens, and integrates with the Mastra server using the `auth` option. ### Usage example ```typescript import { Mastra } from '@mastra/core' import { MastraAuthGoogle } from '@mastra/auth-google' export const mastra = new Mastra({ server: { auth: new MastraAuthGoogle({ clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET, redirectUri: process.env.GOOGLE_REDIRECT_URI, allowedDomains: ['example.com'], }), }, }) ``` > **Note:** You can omit the constructor parameters if you have the appropriately named environment variables set. In that case, use `new MastraAuthGoogle()` without any arguments. ### Constructor parameters **clientId** (`string`): Google OAuth client ID. (Default: `process.env.GOOGLE_CLIENT_ID`) **clientSecret** (`string`): Google OAuth client secret. Required for Studio SSO. (Default: `process.env.GOOGLE_CLIENT_SECRET`) **redirectUri** (`string`): OAuth redirect URI for the SSO callback. Must match the redirect URI configured in your Google Cloud OAuth client. (Default: `process.env.GOOGLE_REDIRECT_URI`) **scopes** (`string[]`): OAuth scopes requested during the login flow. (Default: `['openid', 'profile', 'email']`) **allowedDomains** (`string | string[]`): Allowed Google Workspace hosted domains. Mastra validates these against the verified \`hd\` claim. (Default: `process.env.GOOGLE_ALLOWED_DOMAINS`) **hostedDomain** (`string`): Hosted-domain login hint passed to Google as \`hd\`. This is a hint only and is not used for authorization. (Default: `process.env.GOOGLE_HOSTED_DOMAIN or the single allowed domain`) **session** (`GoogleSessionOptions`): Session cookie configuration. **session.cookieName** (`string`): Name of the session cookie. **session.cookieMaxAge** (`number`): Cookie max age in seconds. **session.cookiePassword** (`string`): Password for encrypting session cookies. Must be at least 32 characters. If not set, an auto-generated value is used in development that does not survive restarts. **session.secureCookies** (`boolean`): Set the \`Secure\` flag on session cookies. **name** (`string`): Custom name for the auth provider instance. (Default: `'google'`) ### Environment variables The following environment variables are automatically used when constructor options aren't provided: **GOOGLE\_CLIENT\_ID** (`string`): Google OAuth client ID from your Google Cloud OAuth client. **GOOGLE\_CLIENT\_SECRET** (`string`): Google OAuth client secret. Required for the SSO authorization code flow. **GOOGLE\_REDIRECT\_URI** (`string`): OAuth redirect URI for the SSO callback. **GOOGLE\_COOKIE\_PASSWORD** (`string`): Password for encrypting session cookies. Must be at least 32 characters. **GOOGLE\_ALLOWED\_DOMAINS** (`string`): Comma-separated Google Workspace hosted domains to allow. **GOOGLE\_HOSTED\_DOMAIN** (`string`): Hosted-domain login hint passed to Google during SSO login. ### Authentication flow `MastraAuthGoogle` authenticates requests in the following order: 1. **Session cookie**: When SSO is enabled, reads the encrypted session cookie and decrypts it. If the session is valid and not expired, the user is authenticated. 2. **Google ID token fallback**: If no valid session cookie is present, verifies the `Authorization` header token against Google's JWKS endpoint. After authentication, `authorizeUser` checks that the user has a valid Google user ID, the token-derived expiration has not passed, and the user's verified `hd` claim matches `allowedDomains` when domains are configured. ### Authentication methods #### `authenticateToken(token, request?)` Authenticates a Google ID token. When SSO is enabled, this method checks the encrypted session cookie before it verifies the Bearer token. ```typescript const user = await auth.authenticateToken(idToken, request) ``` Returns: `Promise` #### `getCurrentUser(request)` Returns the authenticated user from a session cookie or Bearer Google ID token. ```typescript const user = await auth.getCurrentUser(request) ``` Returns: `Promise` #### `authorizeUser(user)` Returns `true` when the user has an ID, has not expired, and matches `allowedDomains` when domains are configured. ```typescript const allowed = auth.authorizeUser(user) ``` Returns: `boolean` #### `getUser(userId)` Returns `null`. Google ID tokens are verified directly, so this provider does not perform user lookup by ID. ```typescript const user = await auth.getUser(userId) ``` Returns: `Promise` ### `GoogleUser` type The `GoogleUser` type extends the base `EEUser` interface with Google-specific fields: **id** (`string`): Mastra user ID. Uses the Google \`sub\` claim. **googleId** (`string`): Google Account subject identifier. **email** (`string`): User email address. **name** (`string`): User display name from Google profile claims. **avatarUrl** (`string`): URL to the user's Google profile picture. **hostedDomain** (`string`): Google Workspace hosted domain from the verified \`hd\` claim. **expiresAt** (`Date`): Verified ID token expiration time, when available. **emailVerified** (`boolean`): Whether Google reports the email address as verified. **groups** (`string[]`): Optional pre-resolved Google Workspace group role IDs. ## MastraRBACGoogle class The `MastraRBACGoogle` class maps Google Workspace groups to Mastra permissions. It fetches user groups from the Google Admin SDK Directory API and resolves them against a configurable role mapping. Use it with `MastraAuthGoogle` or any other auth provider. > **Note:** RBAC requires a valid Enterprise Edition license. It works without a license in development so you can try it locally, but you'll need a license for production. [Contact sales](https://mastra.ai/contact) for more information. ### Usage example Use `MastraRBACGoogle` alongside an auth provider by passing it to the `rbac` option: ```typescript import { Mastra } from '@mastra/core' import { MastraAuthGoogle, MastraRBACGoogle } from '@mastra/auth-google' export const mastra = new Mastra({ server: { auth: new MastraAuthGoogle(), rbac: new MastraRBACGoogle({ serviceAccount: { clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!, privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!, subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!, }, roleMapping: { 'admins@example.com': ['*'], 'engineering@example.com': ['agents:*', 'workflows:*', 'tools:*'], 'viewers@example.com': ['agents:read', 'workflows:read'], _default: [], }, }), }, }) ``` To use Google Workspace RBAC with a different auth provider, pass a `getUserKey` function to resolve the Google Directory API user key from the other provider's user object: ```typescript import { Mastra } from '@mastra/core' import { MastraAuthAuth0 } from '@mastra/auth-auth0' import { MastraRBACGoogle } from '@mastra/auth-google' export const mastra = new Mastra({ server: { auth: new MastraAuthAuth0(), rbac: new MastraRBACGoogle({ getUserKey: user => user.email, serviceAccount: { clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!, privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!, subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!, }, roleMapping: { 'engineering@example.com': ['agents:*', 'workflows:*'], 'admins@example.com': ['*'], _default: [], }, }), }, }) ``` ### Constructor parameters **roleMapping** (`RoleMapping`): Maps Google Workspace group role IDs to arrays of Mastra permission strings. Use \`'\_default'\` to assign permissions to users who do not match any group. Supports wildcards like \`'\*'\` (full access) and \`'agents:\*'\` (all agent actions). **accessToken** (`string`): Pre-obtained Workspace Directory API access token. **getAccessToken** (`() => Promise | string`): Callback that returns a Workspace Directory API access token. **serviceAccount** (`GoogleWorkspaceServiceAccount`): Service account credentials for domain-wide delegated Directory API access. **serviceAccount.clientEmail** (`string`): Google service account email. **serviceAccount.privateKey** (`string`): PEM-encoded private key. Escaped \`\n\` values from .env files are supported. **serviceAccount.privateKeyId** (`string`): Optional private key ID. **serviceAccount.subject** (`string`): Workspace administrator user to impersonate with domain-wide delegation. **serviceAccount.scopes** (`string[]`): OAuth scopes for the service account token. **getUserKey** (`(user: unknown) => string | undefined`): Extract the Directory API \`userKey\` from an authenticated user. Defaults to \`user.email\`. **mapGroupToRoles** (`(group: GoogleWorkspaceGroup) => string[]`): Map a Google Workspace group to role IDs. Defaults to \`\[group.email]\`. **cache** (`PermissionCacheOptions`): Configure the LRU cache for group lookups. **cache.maxSize** (`number`): Maximum number of users to cache. **cache.ttlMs** (`number`): Time-to-live in milliseconds. ### RBAC methods #### `getRoles(user)` Returns Google Workspace group role IDs for a user. ```typescript const roles = await rbac.getRoles(user) ``` Returns: `Promise` #### `getPermissions(user)` Returns Mastra permissions resolved from Google Workspace groups and `roleMapping`. ```typescript const permissions = await rbac.getPermissions(user) ``` Returns: `Promise` #### `hasPermission(user, permission)` Checks whether a user has a permission. ```typescript const canReadAgents = await rbac.hasPermission(user, 'agents:read') ``` Returns: `Promise` #### `hasRole(user, role)` Checks whether a user resolved to a specific Google Workspace group role. ```typescript const isAdmin = await rbac.hasRole(user, 'admins@example.com') ``` Returns: `Promise` #### `hasAllPermissions(user, permissions)` Checks whether a user has every requested permission. ```typescript const canManageAgents = await rbac.hasAllPermissions(user, ['agents:read', 'agents:update']) ``` Returns: `Promise` #### `hasAnyPermission(user, permissions)` Checks whether a user has at least one requested permission. ```typescript const canReadSomething = await rbac.hasAnyPermission(user, ['agents:read', 'workflows:read']) ``` Returns: `Promise` #### `getAvailableRoles()` Returns the role IDs configured in `roleMapping`, excluding `_default`. ```typescript const roles = await rbac.getAvailableRoles() ``` Returns: `Promise<{ id: string; name: string }[]>` #### `getPermissionsForRole(roleId)` Returns the permissions configured for a role ID. ```typescript const permissions = await rbac.getPermissionsForRole('engineering@example.com') ``` Returns: `Promise` #### `clearCache()` Clears all cached Google Workspace group lookups. ```typescript rbac.clearCache() ``` Returns: `void` #### `clearUserCache(userKey)` Clears the cached group lookup for one Directory API user key, such as an email address. ```typescript rbac.clearUserCache('user@example.com') ``` Returns: `void` #### `getCacheStats()` Returns the current group lookup cache size and maximum size. ```typescript const stats = rbac.getCacheStats() ``` Returns: `{ size: number; maxSize: number }` ### Additional configuration `MastraRBACGoogle` uses `GET https://admin.googleapis.com/admin/directory/v1/groups?userKey=...` and handles pagination. Provide a service account with domain-wide delegation for production Google Workspace deployments, or pass `accessToken` / `getAccessToken` if your application already manages Google API tokens. If `user.groups` is already an array, `MastraRBACGoogle` uses that value and does not call the Directory API. An empty `groups` array means the user has no Google group roles and resolves to `_default` permissions when `_default` is configured. `MastraRBACGoogle` does not automatically read service-account environment variables. Pass service-account credentials through the `serviceAccount` option, or pass `accessToken` / `getAccessToken`. ## Related [Google auth docs](https://mastra.ai/docs/server/auth/google)