Skip to main content
Orchestration

Authentication

Authenticate connections to agentOS actors using Rivet Actor connection params and hooks.

agentOS uses the same authentication system as Rivet Actors: clients send credentials as connection params, and you validate them server-side.

  • Clients pass credentials in params when they connect.
  • Validate them on the server in onBeforeConnect (throw to reject the connection), or extract user data into connection state with createConnState (read it in actions via c.conn.state).
  • You can declare the credential shape with agentOS<ConnParams>(...) to document what you accept, but the client’s params is unknown and is not checked against it. The real check is your hook, not the types.
  • The current @rivet-dev/agentos runtime is an interim stub, so wiring these hooks end to end depends on the native runtime landing.

Example

The server declares the credential shape and validates it in onBeforeConnect (throw to reject); the client passes credentials as params.

See Actor Authentication for JWT validation, role-based access control, external auth providers, and token caching.