Authentication
Validate client credentials server-side with onBeforeConnect connection hooks.
Authentication
Gate access to your VMs by validating client credentials on the server before any connection is established. Reach for this whenever clients must present a token (a JWT, API key, or session ID) that you verify before letting them create sessions or send prompts.
How it works
The client passes credentials as connection params when it calls getOrCreate. Those params are forwarded to the server, where an onBeforeConnect hook inspects them and rejects the connection by throwing. Because params is typed as unknown on the wire, the hook is the real enforcement point: it checks the token’s shape and validity (signature, lookup, expiry) and either returns to admit the connection or throws to deny it. Once admitted, every action on the handle runs against that authenticated connection.
Run it
npm install
ANTHROPIC_API_KEY=sk-... npx tsx server.ts # in one terminal
ANTHROPIC_API_KEY=sk-... npx tsx client.ts # in another
A client with a valid authToken connects and lists the working directory; one with a missing or empty token is rejected before any session is created.