Skip to main content
Identity tells Managed Deep Agents who each run is for and how to partition threads, memory, and credentials. It is opt-in: projects without identity.ts or identity.py compile and deploy unchanged. When you add an identity declaration, the CLI wires auth, store scoping, and a frozen runtime.identity envelope into tools and middleware.
Managed Deep Agents is in private beta, available on LangSmith Cloud in the US region only. Join the waitlist to request access.

What identity solves

Without identity, every caller shares the same thread and memory boundary. With identity, Managed Deep Agents answers two questions before the agent runs: From those answers, Managed Deep Agents scopes:
  • Threads — who can open or resume a conversation
  • Memory — which durable store namespace the run uses
  • Credentials — whose token downstream calls carry (managed modes or your own resolver)
Identity is fail-closed: missing required actor or tenant values reject the request instead of falling back to shared state.

Add an identity declaration

Create identity.py or identity.ts next to your agent entry and export a named identity. Most projects start from a preset.
For the full project layout, see the CLI project file reference. When identity is present, mda generates the custom auth handler, injects it into the compiled LangGraph app, and only then enables reserved identity headers and token verification.

Choose a preset

Presets expand to a full ingress, tenancy, and scoping config. Override any field when you need a different ingress or scope. All presets default to trusted_backend ingress and tenancy: "single", except multi-tenant-saas which sets tenancy: "multi".

Ingress: how Managed Deep Agents learns who is calling

Pick one HTTP ingress mode.

Trusted backend

Your API authenticates the user, then proxies LangGraph requests with a shared ingress secret and reserved identity headers. The browser never sends the secret or raw IdP tokens to Managed Deep Agents. Required headers (case-insensitive):
Put MDA_INGRESS_SECRET in .env for mda dev and as a hosted deployment secret for mda deploy. Your production backend should perform OAuth or session auth, then attach the headers above when proxying agent traffic.

Validated token (browser-direct)

The client sends Authorization: Bearer <token>. Managed Deep Agents verifies the token server-side (JWKS, OIDC discovery, opaque introspection, or guest tokens signed by Managed Deep Agents) and maps claims into the identity envelope.
Built-in provider helpers: In validated_token mode, your frontend signs the user in with the same IdP you configured, reads an access token (or ID token where applicable), and passes it to the LangGraph client as Authorization: Bearer <token>. Do not send refresh tokens or client secrets to the deployment. When more than one provider is configured, each entry needs an id. Managed Deep Agents routes JWT providers by token iss and fails closed when the issuer is unknown.
For Supabase, pass projectRef (the subdomain before .supabase.co). Managed Deep Agents derives the JWKS URL. Use introspect: true only for legacy projects that still need /auth/v1/user, and set SUPABASE_ANON_KEY on the deployment.

Guest tokens

Add providers.guest(...) when anonymous visitors should get a short-lived, actor-scoped session without signing in. Managed Deep Agents signs guest tokens with MDA_GUEST_SIGNING_KEY (HS256). Set the key in .env for mda dev and as a hosted deployment secret for mda deploy. Rotate it like any other signing secret. With guest issuance enabled, the deployment exposes a public issuance route:

Claim a guest token

To claim a token, send an empty POST to the deployment base URL with Content-Type: application/json. If the deployment requires a public app key (LANGGRAPH_AUTH_SECRET), also send X-Auth-Key.
On success, the response body contains a signed JWT:
Decode the JWT to read the actor id from sub (for example, guest:01932f4a-... when actor_prefix is guest:) and the expiry from exp. Managed Deep Agents maps sub to runtime.identity.actor.id on subsequent requests.

Use the guest token

Send the token on LangGraph and connector requests the same way you send IdP access tokens:
For browser apps, proxy guest issuance through your own backend and store the token in an httpOnly cookie. That keeps the same guest actor across reloads until exp and lets you handle rate limits before calling the deployment.
Reclaim a token when the current one is expired or missing. While a token is still valid, reuse it so the guest keeps the same actor id, threads, and memory scope for the token lifetime.

Use runtime.identity in tools and middleware

When identity is declared, authored tools and middleware receive a frozen runtime.identity object built from the trusted auth result. Client-supplied spoofable identity keys are stripped from configurable.
The envelope shape:

Scoping axes

Presets cover the common cases. To customize, set scoping explicitly: tenancy: "single" cannot use "tenant" on any axis. Store access fails closed (403) when required identity segments are missing.

Custom downstream credentials

Set scoping.credentials: "custom" and provide either an in-process resolve function or a hosted token-exchange endpoint. Tools then call runtime.credentials.for(target) to mint per-actor headers. Secrets stay in memory and are never written to thread state or traces. To expose LangSmith capabilities to browsers or other untrusted callers, add a LangSmith connector. It requires identity so capability routes can resolve the caller and prove ownership before calling LangSmith server-side.

Secrets checklist

Put local values in .env. mda deploy forwards non-reserved .env values as hosted deployment secrets.
Never commit ingress secrets, guest signing keys, or IdP credentials. Do not send MDA_INGRESS_SECRET from the browser — only from a trusted backend proxy.

Test and deploy

Test the project locally with mda dev, then deploy it with mda deploy. Open deployment traces in LangSmith to inspect model calls, tool calls, errors, and latency. Identity misconfiguration usually surfaces as 401 (auth) or 403 (store/thread scope) during local Studio or first authenticated request. Confirm the matching secret is present and that trusted-backend proxies attach the reserved headers.

Next steps

Custom tools

Read runtime.identity from authored tools.

LangSmith connector

Expose constrained LangSmith capabilities to untrusted callers.

How it works

See how compile and deploy wire auth into the runtime.

CLI reference

Look up the identity project file and deploy flags.