When your Agents are deployed, to keep things secure, send a token from the client, then verify it on the server. This guide covers authentication patterns for WebSocket connections to agents.
WebSockets are not HTTP, so the handshake is limited when making cross-domain connections.
You cannot send:
- Custom headers during the upgrade
Authorization: Bearer ... on connect
You can:
- Put a signed, short-lived token in the connection URL as query parameters
- Verify the token in your server's connect path
If the client and server share the origin, the browser will send cookies during the WebSocket handshake. Session-based auth can work here. Prefer HTTP-only cookies.
Cookies do not help across origins. Pass credentials in the URL query, then verify on the server.
Build query values right before connect. Use Suspense for async setup.
Refresh the token when the connection fails due to authentication error.
Cross-domain authentication
Pass credentials in the URL when connecting to another host, then verify on the server.
On the server side, verify the token in the
onConnect handler:
Use short-lived tokens - Tokens in URLs may be logged. Keep expiration times short (minutes, not hours).
Scope tokens appropriately - Include the agent name or instance in the token claims to prevent token reuse across agents.
Validate on every connection - Always verify tokens in
onConnect, not just once.
Use HTTPS - Always use secure WebSocket connections (
wss://) in production.
Rotate secrets - Regularly rotate your JWT signing keys or token secrets.
Log authentication failures - Track failed authentication attempts for security monitoring.
