feat(auth): add dual auth system for Studio vs API

[rphansen91]

Summary

Adds dual auth system to Mastra, allowing separate authentication providers for:

• Studio UI → internal team members (SSO, dashboard access)
• API → external customers (tokens, API keys)

Why This Matters

Previously, the same auth provider handled both Studio and API requests. This caused confusion because:

1. Internal team using SSO to access Studio !== external apps using API tokens
2. Different audiences need different auth patterns (OAuth for humans, tokens for machines)
3. RBAC/FGA rules for "what can this teammate do in Studio" differs from "what can this API consumer do"

Changes

Core (@mastra/core)

• Add StudioConfig type with auth, rbac, and fga options
• Add studio?: StudioConfig to main Config interface
• Add mastra.getStudio() accessor

Server (@mastra/server)

• Add MASTRA_AUTH_MODE_KEY constant to track auth provider used
• Add getEffectiveAuthConfig() to route based on x-mastra-client-type header
• Add getEffectiveRBACProvider() and getEffectiveFGAProvider() for dual RBAC/FGA
• Make all auth routes studio-aware (/auth/capabilities, /auth/me, SSO, credentials, etc.)

Server Adapters (Hono, Express, Fastify, Koa)

• Update checkRoutePermission() calls to pass requestContext for dual auth routing

Security

When x-mastra-client-type: studio header is present but studio.auth is not configured, the server returns 401 Unauthorized instead of falling back to server auth. This prevents external users from spoofing the studio header to access Studio UI.

Usage Example

const mastra = new Mastra({
  // API authentication for external customers
  server: {
    auth: new MastraAuthWorkos({ ... }),
    rbac: new MastraRBACWorkos({ ... }),
  },
  // Studio authentication for internal team
  studio: {
    auth: new MastraAuthOkta({ ... }),
    rbac: new StaticRBACProvider({
      roles: DEFAULT_ROLES,
      getUserRoles: (user) => [user.role],
    }),
  },
});

Test Plan

• All 1771 server tests pass
• All 53 auth-workos tests pass
• Verified SimpleAuth blocking unauthenticated requests
• Verified WorkOS SSO flow working correctly
• Build succeeds for core, server, and all adapters

Related

• Cherry-picked from auth-vnext branch commits: 627370c, 7ccaed8, c00bf66
• Foundation for team/users management UI (next PR)

ELI5

Mastra now supports two separate login systems: one for internal team members using the Studio dashboard (which can use SSO), and another for external customers using the API (which can use API tokens). Instead of forcing everyone through the same authentication door, the system now checks where the request is coming from and uses the right authentication method for that situation.

Overview

This PR implements a dual authentication system that separates authentication and authorization for Studio UI (internal team / SSO) from API access (external customers / tokens). The system determines which authentication provider to use by inspecting the x-mastra-client-type header, with secure fallback behavior that prevents spoofing.

Changes by Package

Core (@mastra/core)

Added Studio-specific configuration support:

• New StudioConfig type with optional auth, rbac, and fga properties for Studio-specific authentication and authorization
• Added optional studio?: StudioConfig property to the main Config interface
• Added getStudio() method to the Mastra class to access configured Studio configuration

Server (@mastra/server)

Implemented dual auth routing logic:

• Added MASTRA_AUTH_MODE_KEY constant ('mastra__authMode') to track which auth provider is active in request context
• Added MastraAuthMode type ('studio' | 'server')
• Introduced getEffectiveAuthConfig(), getEffectiveRBACProvider(), and getEffectiveFGAProvider() helpers to route requests based on auth mode
• Updated auth route handlers (/auth/capabilities, /auth/me, /auth/sso/login, /auth/sso/callback, /auth/logout, /auth/refresh, /auth/credentials/*) to select providers based on Studio vs server context
• Security behavior: responds with 401 Unauthorized when x-mastra-client-type: studio header is present but Studio auth is not configured (no fallback to API auth to prevent header spoofing)

Server Adapter (@mastra/server)

Enhanced server adapter to support dual auth routing:

• Added auth mode detection based on x-mastra-client-type header
• Store selected auth mode in RequestContext for downstream authorization decisions
• Updated checkRouteAuth to use effective auth config
• Updated checkRoutePermission() to accept optional RequestContext parameter and select RBAC provider based on auth mode
• Re-exported MastraAuthMode type

Server Adapter Implementations (Express, Fastify, Hono, Koa)

Updated all adapters to pass RequestContext to checkRoutePermission() calls:

• Express: Refactored permission checks to capture and use local requestContext variable from res.locals.requestContext
• Fastify: Updated permission check logic to pass request.requestContext to checkRoutePermission()
• Hono: Modified to cache requestContext from context and pass it to permission checks
• Koa: Updated to use local requestContext from ctx.state.requestContext in permission checks

All adapters maintain backward compatibility in auth error handling and session management while now supporting dual auth routing.

Security Notes

• When x-mastra-client-type: studio header is present but Studio authentication is not configured, the server returns 401 Unauthorized (no fallback to API auth) to prevent header spoofing attacks
• Auth middleware continues to set both mastra__userPermissions and namespaced variants for backward compatibility
• Studio auth is strictly isolated when configured; API auth is used only when the header is absent or when studio auth is not configured

Testing

All existing tests pass (1771 server tests, 53 auth-workos tests), with SimpleAuth and WorkOS SSO verified as functional.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 19e151b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
mastra-docs-1.x	Skipped		Jun 9, 2026 4:55pm
mastra-playground-ui	Skipped		Jun 9, 2026 4:55pm

[coderabbitai]

Walkthrough

Adds Studio-specific authentication and authorization configuration to Mastra, including a StudioConfig type that routes requests between Studio and server auth based on request headers, stores the selected mode in request context, and updates all server adapters to pass context to permission checks.

Changes

Studio Auth Configuration and Request Routing

Layer / File(s)	Summary
StudioConfig type definition and Mastra storage packages/core/src/server/types.ts, packages/core/src/server/index.ts, packages/core/src/mastra/index.ts	StudioConfig type introduces optional auth, rbac, and fga fields. Mastra class adds private #studio field, stores config in constructor, and exposes via getStudio() method.
Auth mode constants and handler-level request classification packages/server/src/server/constants.ts, packages/server/src/server/handlers/auth.ts	MASTRA_AUTH_MODE_KEY constant and MastraAuthMode type track studio vs. server mode. isStudioRequest helper detects requests via x-mastra-client-type header. Provider getters (getAuthProvider, getRBACProvider, getFGAProvider) accept isStudio flag and prefer Studio config when set. All EE auth endpoints (/auth/capabilities, /auth/me, /auth/sso/*, /auth/logout, /auth/refresh, /auth/credentials/*) updated to select providers based on request classification.
Server adapter auth mode selection and permission refactor packages/server/src/server/server-adapter/index.ts	New getEffectiveAuthConfig, getEffectiveRBACProvider, getEffectiveFGAProvider helpers route based on header and stored auth mode. checkRouteAuth uses effective auth config selection, stores chosen mode in RequestContext via MASTRA_AUTH_MODE_KEY. checkRoutePermission signature extended to accept optional RequestContext for RBAC provider selection.
Adapter call-site alignment for permission and FGA checks server-adapters/express/src/index.ts, server-adapters/fastify/src/index.ts, server-adapters/hono/src/index.ts, server-adapters/koa/src/index.ts	Express, Fastify, Hono, and Koa adapters updated consistently: route and custom-route handlers now use local requestContext, read userPermissions from context, and pass requestContext to checkRoutePermission and checkRouteFGA calls. Eliminates direct framework-specific context lookups.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• mastra-ai/mastra#16485: Both PRs touch Mastra's EE FGA authorization path—main PR routes FGA selection via studio/server auth mode and updates checkRouteFGA call context, while retrieved PR overhauls checkRouteFGA to add route-policy coverage resolution/validation for FGA metadata.

Suggested labels

tests: green ✅, complexity: high

Suggested reviewers

• abhiaiyer91
• CalebBarnes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: adding a dual authentication system separating Studio UI and API authentication, which aligns with all file modifications across the codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/dual-auth-system

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dane-ai-mastra]

PR triage

Linked issue check skipped for core contributor @rphansen91.

---

PR complexity score

Factor	Value	Score impact
Files changed	10	+20
Lines changed	409	+24
Author merged PRs	114	-20
Test files changed	No	-0
Final score		24

Applied label: complexity: medium

---

Changed test gate

No changed test files were detected.

Label: tests: no tests added

[coderabbitai]

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.claude/skills/auth-refactor-test/results/CODE_REVIEW.md (1)

1-179: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Review write-up is for a different change and gives a misleading merge signal.

This review analyzes PR #17142 and concludes “no behavioral changes,” which does not match #17722’s dual-auth routing/authz behavior changes. Please replace this with a review scoped to #17722 so the verdict reflects the actual risk surface.
Based on learnings from the provided PR summary, this PR introduces behavior-level auth changes that this report does not evaluate.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/auth-refactor-test/results/CODE_REVIEW.md around lines 1 -
179, The review file incorrectly documents PR `#17142` and claims “no behavioral
changes” while this review should target PR `#17722` (which introduces dual-auth
routing/authz behavior changes); update the CODE_REVIEW.md header and all PR
references to `#17722` and change the Branch line to the correct branch for
`#17722`, then revise the Summary/Architectural Changes/Code Quality Assessment to
explicitly evaluate behavior-level changes (inspect CompositeAuth, routing/authz
flows, and any changes to getMigrations in better-auth) and update the Verdict
to reflect the actual risk (include note to re-run smoke tests covering
dual-auth routing and authz scenarios) so the file accurately represents PR
`#17722`’s scope and risk.

packages/server/src/server/handlers/auth.ts (1)

77-97: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not fall back to server auth for Studio-classified auth endpoints.

At Line 79 and Line 87, Studio requests without studio.auth silently fall back to server.auth. That breaks Studio/API auth isolation and undermines the dual-auth contract.

Suggested fix

 function getAuthProvider(mastra: any, isStudio?: boolean): MastraAuthProvider | null {
   // If this is a Studio request, try studio auth first
   if (isStudio) {
     const studioConfig = mastra.getStudio?.();
     if (studioConfig?.auth && typeof studioConfig.auth.authenticateToken === 'function') {
       return studioConfig.auth as MastraAuthProvider;
     }
+    // Studio-classified request with no studio auth: do not fall back to server auth
+    return null;
   }

   // Fall back to server auth
   const serverConfig = mastra.getServer?.();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/server/src/server/handlers/auth.ts` around lines 77 - 97, The
getAuthProvider function currently falls back to server auth for Studio
requests; change its logic so that when isStudio is true and either
mastra.getStudio() is missing or studioConfig.auth is absent/not a provider, the
function returns null immediately and does not consult mastra.getServer();
update getAuthProvider (and its checks around mastra.getStudio,
studioConfig.auth, and the existing serverConfig path) to enforce strict
Studio-only auth for isStudio requests.

server-adapters/hono/src/index.ts (1)

527-544: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Hono has the same Studio permission bypass.

Both permission blocks still hinge on this.mastra.getServer()?.auth. That means a request authenticated via studio.auth can pass checkRouteAuth() and still skip checkRoutePermission() completely whenever server.auth is unset, which defeats requiresPermission for Studio-only deployments.

As per coding guidelines, “For routes with requiresPermission configured, the permission check must only enforce permissions when RBAC provider is configured. Without RBAC, requiresPermission on routes is silently ignored.”

Also applies to: 645-663

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/hono/src/index.ts` around lines 527 - 544, The permission
check currently only runs when this.mastra.getServer()?.auth is set, which lets
Studio-authenticated requests bypass checkRoutePermission when server.auth is
unset; change the logic to base permission enforcement solely on the RBAC
provider flag returned by loadHasPermission() (call await loadHasPermission()
regardless of this.mastra.getServer()?.auth and only run checkRoutePermission
when hasPermission is truthy), keep using requestContext.get('userPermissions')
and route for the check, and apply the same fix to the other identical block
(the one currently at lines 645-663) so requiresPermission is only ignored when
RBAC is not configured.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/skills/auth-refactor-test/results/initial-findings.md:
- Around line 4-127: The report was generated against the wrong branch
(wardpeet/auth-rework-takeover / PR `#17142`) instead of the target PR (`#17722`);
regenerate the runtime and build verification against the correct branch/PR and
update the findings to explicitly verify Studio-vs-API auth routing and
permission behavior (e.g., test AUTH_PROVIDER flows, Studio UI login, API token
vs session routing, and FGA/RBAC enforcement across packages/_internals/auth,
auth/workos/src/auth-provider.ts, auth/workos/src/fga-provider.ts and core
re-exports in packages/core/src/auth/); ensure logs mention the exact branch/PR
under test and include pass/fail outcomes for each scenario so the report can be
used as validation evidence for PR `#17722`.

In @.claude/skills/auth-refactor-test/results/SUMMARY.md:
- Around line 3-59: The summary document is stale (it reports PR `#17142`) and
must be regenerated for the active PR (`#17722`): rerun the dual-auth feature
tests and update the summary to reflect the correct Branch/Date/Tester, Test
Results, and Conclusion; ensure the regenerated report explicitly includes the
required auth-path validations — check Studio header handling, route auth
defaults and enforcement, and RBAC behavior by mode (e.g., admin/viewer roles
under each auth mode) — and mark any blocked providers (and migration errors)
separately so the conclusions and recommendations apply to PR `#17722`.

In @.claude/skills/auth-refactor-test/SKILL.md:
- Around line 3-93: Update the test plan in SKILL.md to target PR `#17722` (dual
Studio/API auth) instead of `#17142` and add explicit dual-auth assertions: verify
Studio header behavior (presence/validation of X-Stagehand-Studio or similar
header used by Studio flows), ensure the /api auth registration path and runtime
auth checks are exercised (auth registration functions and middleware invoked
for API routes), and add tests for custom route auth defaults and middleware
fallback behavior (examples/agent routes, AUTH_PROVIDER variations), plus update
Success Criteria and Testing Commands to include Stagehand-driven Studio header
flows and API vs Studio auth separation.

In `@packages/core/src/mastra/index.ts`:
- Around line 316-326: Update the Studio docstring for the studio-specific auth
block to accurately describe the fallback behavior: state that if studio.auth is
not configured the server will reject requests that include the
x-mastra-client-type: studio header (returning 401) rather than making Studio
publicly accessible, and note that an unauthenticated "no auth required" mode is
only for local/dev use when explicitly enabled; reference the studio.auth and
server.auth symbols and update the comment above the Studio auth configuration
in the mastra/index.ts docblock accordingly.

In `@packages/server/src/server/handlers/auth.ts`:
- Around line 102-104: The isStudioRequest function performs a case-sensitive
comparison on request.headers.get('x-mastra-client-type'), causing inconsistent
routing; update isStudioRequest to normalize the header value (e.g., safely read
the header, toLowerCase() it or use case-insensitive comparison) and handle
null/undefined before comparing to 'studio' so it matches the adapter-level
classification consistently.

In `@packages/server/src/server/server-adapter/index.ts`:
- Around line 474-497: getEffectiveAuthConfig currently treats any request with
isStudioClientTypeHeader(MASTRA_CLIENT_TYPE_HEADER) as allowed to bypass auth
when mastra.getStudio()?.auth is missing, enabling unauthenticated access;
update getEffectiveAuthConfig to never return null for studio-classified
requests unconditionally—instead, if studio auth is missing only allow a
development bypass when a gated flag (e.g., process.env.MASTRA_DEV === 'true')
is set and the route is marked as non-protected, otherwise require server-side
auth or return an explicit authMode that forces authentication; reference
getEffectiveAuthConfig, isStudioClientTypeHeader, mastra.getStudio()?.auth,
mastra.getServer()?.auth and ensure the later auth-check logic (the code that
interprets null at the auth-decision site) treats the new explicit values
correctly so headers alone cannot bypass protected routes.

In `@server-adapters/express/src/index.ts`:
- Around line 549-554: The code contains a stale call and duplicate declaration
of permissionError that reads userPermissions before it's declared; remove the
earlier lines that call this.checkRoutePermission(route, userPermissions,
hasPermission) and the duplicate declaration so only the correct call remains:
compute userPermissions from requestContext
(requestContext.get('userPermissions')) and then call
this.checkRoutePermission(route, userPermissions, hasPermission, requestContext)
once. Do the same cleanup for the duplicate block handling custom routes (the
block around loadHasPermission / userPermissions / checkRoutePermission) so
there are no out-of-order reads or duplicate permissionError declarations.
- Around line 547-548: The code currently gates RBAC checks on
this.mastra.getServer()?.auth which prevents Studio-only requests from running
requiresPermission; update the logic in the blocks around the checks (the ones
currently using this.mastra.getServer()?.auth) to instead use the effective auth
provider from the request context (e.g., requestContext.effectiveAuth or
whatever field/method on requestContext reflects the active auth/RBAC selection)
or simply call checkRoutePermission() unconditionally after checkRouteAuth();
ensure checkRoutePermission() is implemented to no-op when no RBAC provider is
configured so permissions are only enforced when an RBAC provider exists
(references: this.mastra.getServer()?.auth, requestContext, checkRouteAuth(),
checkRoutePermission(), requiresPermission).

In `@server-adapters/fastify/src/index.ts`:
- Around line 639-644: The code currently calls checkRoutePermission twice and
uses userPermissions before it's declared, causing a duplicate declaration of
permissionError and a TS compile error; remove the stale/incorrect call so you
only declare userPermissions first (via requestContext.get('userPermissions') as
string[] | undefined) and then call this.checkRoutePermission(route,
userPermissions, hasPermission, requestContext) once, eliminating the earlier
duplicate permissionError declaration; apply the same fix to the duplicate
custom-route block that mirrors this logic.
- Around line 637-638: The permission checks are incorrectly gated on
this.mastra.getServer()?.auth, which causes Studio RBAC to be skipped when only
studio.auth is present; update the guards in the blocks that read const
authConfig = this.mastra.getServer()?.auth; if (authConfig) { ... } (and the
similar guard around lines 774-775) to instead detect an RBAC provider
specifically (e.g., check authConfig?.provider === 'rbac' or a helper like
isRbacProvider(authConfig)) and only enforce requiresPermission when that RBAC
provider is configured; ensure checkRouteAuth() continues to use studio.auth for
authentication but that permission enforcement is conditional on RBAC provider
presence rather than on any auth config.

---

Outside diff comments:
In @.claude/skills/auth-refactor-test/results/CODE_REVIEW.md:
- Around line 1-179: The review file incorrectly documents PR `#17142` and claims
“no behavioral changes” while this review should target PR `#17722` (which
introduces dual-auth routing/authz behavior changes); update the CODE_REVIEW.md
header and all PR references to `#17722` and change the Branch line to the correct
branch for `#17722`, then revise the Summary/Architectural Changes/Code Quality
Assessment to explicitly evaluate behavior-level changes (inspect CompositeAuth,
routing/authz flows, and any changes to getMigrations in better-auth) and update
the Verdict to reflect the actual risk (include note to re-run smoke tests
covering dual-auth routing and authz scenarios) so the file accurately
represents PR `#17722`’s scope and risk.

In `@packages/server/src/server/handlers/auth.ts`:
- Around line 77-97: The getAuthProvider function currently falls back to server
auth for Studio requests; change its logic so that when isStudio is true and
either mastra.getStudio() is missing or studioConfig.auth is absent/not a
provider, the function returns null immediately and does not consult
mastra.getServer(); update getAuthProvider (and its checks around
mastra.getStudio, studioConfig.auth, and the existing serverConfig path) to
enforce strict Studio-only auth for isStudio requests.

In `@server-adapters/hono/src/index.ts`:
- Around line 527-544: The permission check currently only runs when
this.mastra.getServer()?.auth is set, which lets Studio-authenticated requests
bypass checkRoutePermission when server.auth is unset; change the logic to base
permission enforcement solely on the RBAC provider flag returned by
loadHasPermission() (call await loadHasPermission() regardless of
this.mastra.getServer()?.auth and only run checkRoutePermission when
hasPermission is truthy), keep using requestContext.get('userPermissions') and
route for the check, and apply the same fix to the other identical block (the
one currently at lines 645-663) so requiresPermission is only ignored when RBAC
is not configured.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1092cb68-17f2-44da-9437-cfbc44148bd1

📥 Commits

Reviewing files that changed from the base of the PR and between f98977a and 2d9d069.

📒 Files selected for processing (14)

• .claude/skills/auth-refactor-test/SKILL.md
• .claude/skills/auth-refactor-test/results/CODE_REVIEW.md
• .claude/skills/auth-refactor-test/results/SUMMARY.md
• .claude/skills/auth-refactor-test/results/initial-findings.md
• packages/core/src/mastra/index.ts
• packages/core/src/server/index.ts
• packages/core/src/server/types.ts
• packages/server/src/server/constants.ts
• packages/server/src/server/handlers/auth.ts
• packages/server/src/server/server-adapter/index.ts
• server-adapters/express/src/index.ts
• server-adapters/fastify/src/index.ts
• server-adapters/hono/src/index.ts
• server-adapters/koa/src/index.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Findings are not attributable to this PR’s implementation.

This report documents a different branch/PR (#17142), so it cannot be used as validation evidence for #17722 dual auth changes. Please regenerate findings against this PR and include explicit outcomes for the new Studio-vs-API auth routing and permission behavior.
Based on learnings from the provided PR objective metadata, the evaluated branch/PR here does not match the target change under review.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/auth-refactor-test/results/initial-findings.md around lines 4
- 127, The report was generated against the wrong branch
(wardpeet/auth-rework-takeover / PR `#17142`) instead of the target PR (`#17722`);
regenerate the runtime and build verification against the correct branch/PR and
update the findings to explicitly verify Studio-vs-API auth routing and
permission behavior (e.g., test AUTH_PROVIDER flows, Studio UI login, API token
vs session routing, and FGA/RBAC enforcement across packages/_internals/auth,
auth/workos/src/auth-provider.ts, auth/workos/src/fga-provider.ts and core
re-exports in packages/core/src/auth/); ensure logs mention the exact branch/PR
under test and include pass/fail outcomes for each scenario so the report can be
used as validation evidence for PR `#17722`.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Summary is stale and not valid for this PR.

The branch/PR context and conclusions here are from #17142, not #17722. Please regenerate this summary from tests tied to the dual-auth feature and include the required auth-path checks (Studio header handling, route auth defaults/enforcement, RBAC behavior by mode).
As per coding guidelines, auth behavior requirements must be explicitly validated and this summary currently does not cover them for the active PR scope.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/auth-refactor-test/results/SUMMARY.md around lines 3 - 59,
The summary document is stale (it reports PR `#17142`) and must be regenerated for
the active PR (`#17722`): rerun the dual-auth feature tests and update the summary
to reflect the correct Branch/Date/Tester, Test Results, and Conclusion; ensure
the regenerated report explicitly includes the required auth-path validations —
check Studio header handling, route auth defaults and enforcement, and RBAC
behavior by mode (e.g., admin/viewer roles under each auth mode) — and mark any
blocked providers (and migration errors) separately so the conclusions and
recommendations apply to PR `#17722`.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Test plan targets the wrong PR and misses required dual-auth assertions.

This skill is scoped to PR #17142 (@internal/auth extraction), but this PR is #17722 (dual Studio/API auth). As written, it won’t validate the new security contracts (e.g., studio header behavior, /api auth registration/auth checks, custom route auth defaults/middleware). Please retarget scenarios to #17722 and add explicit checks for those required behaviors before relying on results.
Based on learnings from the provided PR objectives and review stack, this change is for dual auth routing, not the earlier extraction refactor.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/auth-refactor-test/SKILL.md around lines 3 - 93, Update the
test plan in SKILL.md to target PR `#17722` (dual Studio/API auth) instead of
`#17142` and add explicit dual-auth assertions: verify Studio header behavior
(presence/validation of X-Stagehand-Studio or similar header used by Studio
flows), ensure the /api auth registration path and runtime auth checks are
exercised (auth registration functions and middleware invoked for API routes),
and add tests for custom route auth defaults and middleware fallback behavior
(examples/agent routes, AUTH_PROVIDER variations), plus update Success Criteria
and Testing Commands to include Stagehand-driven Studio header flows and API vs
Studio auth separation.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify the Studio fallback docs.

Line 325 says an unconfigured Studio falls back to “no auth required” development mode, but this PR’s server behavior explicitly rejects requests marked x-mastra-client-type: studio when studio.auth is missing. That public docstring should describe the real dev-only/401 behavior, otherwise it points users at a configuration that will lock Studio out instead of making it public.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/src/mastra/index.ts` around lines 316 - 326, Update the Studio
docstring for the studio-specific auth block to accurately describe the fallback
behavior: state that if studio.auth is not configured the server will reject
requests that include the x-mastra-client-type: studio header (returning 401)
rather than making Studio publicly accessible, and note that an unauthenticated
"no auth required" mode is only for local/dev use when explicitly enabled;
reference the studio.auth and server.auth symbols and update the comment above
the Studio auth configuration in the mastra/index.ts docblock accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Normalize x-mastra-client-type consistently across auth paths.

Line 103 uses a case-sensitive equality check, while adapter-level classification uses normalized matching. This can route the same request to different auth providers depending on code path.

Suggested fix

 function isStudioRequest(request: Request): boolean {
-  return request.headers.get('x-mastra-client-type') === 'studio';
+  return request.headers.get('x-mastra-client-type')?.toLowerCase() === 'studio';
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function isStudioRequest(request: Request): boolean {
	return request.headers.get('x-mastra-client-type') === 'studio';
	}
	function isStudioRequest(request: Request): boolean {
	return request.headers.get('x-mastra-client-type')?.toLowerCase() === 'studio';
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/server/src/server/handlers/auth.ts` around lines 102 - 104, The
isStudioRequest function performs a case-sensitive comparison on
request.headers.get('x-mastra-client-type'), causing inconsistent routing;
update isStudioRequest to normalize the header value (e.g., safely read the
header, toLowerCase() it or use case-insensitive comparison) and handle
null/undefined before comparing to 'studio' so it matches the adapter-level
classification consistently.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Studio header currently bypasses authentication on protected routes.

At Line 486, getEffectiveAuthConfig() returns null for Studio-classified requests without studio.auth; then Line 558 interprets null as “no auth required.” This enables unauthenticated access by sending x-mastra-client-type: studio.

Suggested fix

-  protected getEffectiveAuthConfig(
+  protected getEffectiveAuthConfig(
     getHeader: (name: string) => string | undefined,
-  ): { authConfig: unknown; authMode: MastraAuthMode } | null {
+  ): { authConfig: unknown; authMode: MastraAuthMode; deny?: boolean } | null {
     const isStudioRequest = isStudioClientTypeHeader(getHeader(MASTRA_CLIENT_TYPE_HEADER));

     if (isStudioRequest) {
       const studioAuth = this.mastra.getStudio()?.auth;
       if (studioAuth) {
         return { authConfig: studioAuth, authMode: 'studio' };
       }
-      // Studio request but no studio auth configured - development mode, no auth required
-      return null;
+      // Studio request with no studio auth configured: deny instead of bypassing auth
+      return { authConfig: undefined, authMode: 'studio', deny: true };
     }
@@
-    if (!effectiveAuth) {
+    if (!effectiveAuth) {
       return null;
     }
+    if (effectiveAuth.deny) {
+      return { status: 401, error: 'Unauthorized' };
+    }

As per coding guidelines, development auth bypasses must be gated (e.g., MASTRA_DEV=true and protected-route checks), not enabled unconditionally by header value.

Also applies to: 558-560

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/server/src/server/server-adapter/index.ts` around lines 474 - 497,
getEffectiveAuthConfig currently treats any request with
isStudioClientTypeHeader(MASTRA_CLIENT_TYPE_HEADER) as allowed to bypass auth
when mastra.getStudio()?.auth is missing, enabling unauthenticated access;
update getEffectiveAuthConfig to never return null for studio-classified
requests unconditionally—instead, if studio auth is missing only allow a
development bypass when a gated flag (e.g., process.env.MASTRA_DEV === 'true')
is set and the route is marked as non-protected, otherwise require server-side
auth or return an explicit authMode that forces authentication; reference
getEffectiveAuthConfig, isStudioClientTypeHeader, mastra.getStudio()?.auth,
mastra.getServer()?.auth and ensure the later auth-check logic (the code that
interprets null at the auth-decision site) treats the new explicit values
correctly so headers alone cannot bypass protected routes.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t gate RBAC on server.auth here.

Lines 547-548 and 657-658 still use this.mastra.getServer()?.auth as the feature flag. In a Studio-only deployment, checkRouteAuth() can authenticate via studio.auth, but these blocks short-circuit before checkRoutePermission(), so requiresPermission never runs for Studio requests. Gate this on the effective auth/RBAC selection in requestContext instead, or call checkRoutePermission() unconditionally and let it no-op when no RBAC provider is configured.

As per coding guidelines, “For routes with requiresPermission configured, the permission check must only enforce permissions when RBAC provider is configured. Without RBAC, requiresPermission on routes is silently ignored.”

Also applies to: 657-658

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/express/src/index.ts` around lines 547 - 548, The code
currently gates RBAC checks on this.mastra.getServer()?.auth which prevents
Studio-only requests from running requiresPermission; update the logic in the
blocks around the checks (the ones currently using
this.mastra.getServer()?.auth) to instead use the effective auth provider from
the request context (e.g., requestContext.effectiveAuth or whatever field/method
on requestContext reflects the active auth/RBAC selection) or simply call
checkRoutePermission() unconditionally after checkRouteAuth(); ensure
checkRoutePermission() is implemented to no-op when no RBAC provider is
configured so permissions are only enforced when an RBAC provider exists
(references: this.mastra.getServer()?.auth, requestContext, checkRouteAuth(),
checkRoutePermission(), requiresPermission).

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This still skips Studio RBAC entirely.

Lines 637-638 and 774-775 gate permission checks on this.mastra.getServer()?.auth. After this PR, checkRouteAuth() can authenticate a request via studio.auth, but these guards stay false when only Studio auth is configured, so requiresPermission is never enforced for Studio traffic.

As per coding guidelines, “For routes with requiresPermission configured, the permission check must only enforce permissions when RBAC provider is configured. Without RBAC, requiresPermission on routes is silently ignored.”

Also applies to: 774-775

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/fastify/src/index.ts` around lines 637 - 638, The permission
checks are incorrectly gated on this.mastra.getServer()?.auth, which causes
Studio RBAC to be skipped when only studio.auth is present; update the guards in
the blocks that read const authConfig = this.mastra.getServer()?.auth; if
(authConfig) { ... } (and the similar guard around lines 774-775) to instead
detect an RBAC provider specifically (e.g., check authConfig?.provider ===
'rbac' or a helper like isRbacProvider(authConfig)) and only enforce
requiresPermission when that RBAC provider is configured; ensure
checkRouteAuth() continues to use studio.auth for authentication but that
permission enforcement is conditional on RBAC provider presence rather than on
any auth config.

Source: Coding guidelines

[coderabbitai]

🧹 Nitpick comments (1)

server-adapters/koa/src/index.ts (1)

952-953: 💤 Low value

Consider using the local requestContext variable for consistency.

The FGA check uses ctx.state.requestContext directly while the permission check above (line 939) uses the local requestContext variable declared at line 929. For consistency with the pattern used in handleMatchedRoute (line 489), consider using the local variable here as well.

Suggested change

-          const fgaError = await checkRouteFGA(server.mastra, serverRoute, ctx.state.requestContext, {
+          const fgaError = await checkRouteFGA(server.mastra, serverRoute, requestContext, {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/koa/src/index.ts` around lines 952 - 953, The FGA check is
using ctx.state.requestContext directly while the surrounding code and earlier
permission check use the local requestContext variable; update the call to
checkRouteFGA to pass the local requestContext instead of
ctx.state.requestContext (i.e., call checkRouteFGA(server.mastra, serverRoute,
requestContext, {...})), mirroring the pattern used in handleMatchedRoute and
the prior permission check so the same request context object is used
consistently.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@server-adapters/koa/src/index.ts`:
- Around line 952-953: The FGA check is using ctx.state.requestContext directly
while the surrounding code and earlier permission check use the local
requestContext variable; update the call to checkRouteFGA to pass the local
requestContext instead of ctx.state.requestContext (i.e., call
checkRouteFGA(server.mastra, serverRoute, requestContext, {...})), mirroring the
pattern used in handleMatchedRoute and the prior permission check so the same
request context object is used consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98ac807f-5756-4554-8fef-f70fc090e1bc

📥 Commits

Reviewing files that changed from the base of the PR and between 2d9d069 and 2d86740.

📒 Files selected for processing (4)

• packages/server/src/server/handlers/auth.ts
• server-adapters/express/src/index.ts
• server-adapters/fastify/src/index.ts
• server-adapters/koa/src/index.ts

💤 Files with no reviewable changes (2)

• server-adapters/fastify/src/index.ts
• server-adapters/express/src/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/server/src/server/handlers/auth.ts

[coderabbitai]

♻️ Duplicate comments (2)

server-adapters/fastify/src/index.ts (1)

637-650: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This still skips Studio permission enforcement.

These permission blocks still depend on this.mastra.getServer()?.auth, even though checkRouteAuth() can now succeed via studio.auth. In a Studio-only setup that keeps checkRoutePermission(...) from running, so requiresPermission is silently bypassed for Studio requests. Use the effective request-scoped provider from requestContext, or remove this legacy guard and let checkRoutePermission(..., requestContext) decide whether RBAC applies.

Also applies to: 771-798

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/fastify/src/index.ts` around lines 637 - 650, The current
guard uses this.mastra.getServer()?.auth which skips Studio-scoped auth and
causes requiresPermission to be bypassed; update the permission check to use the
request-scoped provider from requestContext (or remove the legacy authConfig
guard) so checkRoutePermission(route, userPermissions, hasPermission,
requestContext) runs for Studio requests too. Specifically, replace the
authConfig conditional around the block that calls loadHasPermission() and
checkRoutePermission (symbols: this.mastra.getServer()?.auth, requestContext,
loadHasPermission, checkRoutePermission, mastra__userPermissions) so the code
either reads the effective auth provider from requestContext before deciding or
simply calls checkRoutePermission unconditionally and lets it determine RBAC
applicability; apply the same change to the analogous block guarded by
authConfig at the other occurrence noted in the file.

server-adapters/express/src/index.ts (1)

547-560: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t gate permission checks on server.auth.

After checkRouteAuth() a request may already be authenticated via studio.auth, but these blocks still short-circuit on this.mastra.getServer()?.auth. In a Studio-only deployment that skips checkRoutePermission(...) entirely, so requiresPermission is never enforced for Studio traffic. Gate on the effective provider carried in requestContext, or call checkRoutePermission(..., requestContext) without the legacy server.auth guard and let it no-op when no RBAC provider is configured.

Also applies to: 654-673

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server-adapters/express/src/index.ts` around lines 547 - 560, Remove the
legacy gate that checks this.mastra.getServer()?.auth before running permission
checks: always determine RBAC from the effective provider in requestContext (or
simply call checkRoutePermission(route, userPermissions, hasPermission,
requestContext) without the this.mastra.getServer()?.auth guard) so
Studio-authenticated requests still enforce requiresPermission; update the block
around loadHasPermission() and the similar block at the other location (the
654-673 instance) to call checkRoutePermission unconditionally (letting
checkRoutePermission/no-op when no RBAC provider is configured) and use
requestContext to derive the provider/permissions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@server-adapters/express/src/index.ts`:
- Around line 547-560: Remove the legacy gate that checks
this.mastra.getServer()?.auth before running permission checks: always determine
RBAC from the effective provider in requestContext (or simply call
checkRoutePermission(route, userPermissions, hasPermission, requestContext)
without the this.mastra.getServer()?.auth guard) so Studio-authenticated
requests still enforce requiresPermission; update the block around
loadHasPermission() and the similar block at the other location (the 654-673
instance) to call checkRoutePermission unconditionally (letting
checkRoutePermission/no-op when no RBAC provider is configured) and use
requestContext to derive the provider/permissions.

In `@server-adapters/fastify/src/index.ts`:
- Around line 637-650: The current guard uses this.mastra.getServer()?.auth
which skips Studio-scoped auth and causes requiresPermission to be bypassed;
update the permission check to use the request-scoped provider from
requestContext (or remove the legacy authConfig guard) so
checkRoutePermission(route, userPermissions, hasPermission, requestContext) runs
for Studio requests too. Specifically, replace the authConfig conditional around
the block that calls loadHasPermission() and checkRoutePermission (symbols:
this.mastra.getServer()?.auth, requestContext, loadHasPermission,
checkRoutePermission, mastra__userPermissions) so the code either reads the
effective auth provider from requestContext before deciding or simply calls
checkRoutePermission unconditionally and lets it determine RBAC applicability;
apply the same change to the analogous block guarded by authConfig at the other
occurrence noted in the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4da56929-aa58-4adc-ac6c-414116912f07

📥 Commits

Reviewing files that changed from the base of the PR and between 2d86740 and 19e151b.

📒 Files selected for processing (4)

• server-adapters/express/src/index.ts
• server-adapters/fastify/src/index.ts
• server-adapters/hono/src/index.ts
• server-adapters/koa/src/index.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• server-adapters/hono/src/index.ts
• server-adapters/koa/src/index.ts