Orchestration
Authentication
agentOS uses the same authentication system as Rivet Actors: clients send credentials as connection params, and you validate them server-side.
- Clients pass credentials in
paramswhen they connect. - Validate them on the server in
onBeforeConnect(throw to reject the connection), or extract user data into connection state withcreateConnState(read it in actions viac.conn.state). - You can declare the credential shape with
agentOS<ConnParams>(...)to document what you accept, but the client’sparamsisunknownand is not checked against it. The real check is your hook, not the types. - The current
@rivet-dev/agentosruntime is an interim stub, so wiring these hooks end to end depends on the native runtime landing.
Example
Section titled “Example”The server declares the credential shape and validates it in onBeforeConnect (throw to reject); the client passes credentials as params.
import { agentOS, setup } from "@rivet-dev/agentos";import pi from "@agentos-software/pi";
interface ConnParams { authToken: string;}
// Validate credentials server-side. onBeforeConnect receives the connection// params and rejects the connection by throwing. Wired via the underlying Rivet// Actor; see Actor Authentication for the full hook signatures.export function onBeforeConnect(_c: unknown, params: ConnParams): void { if (typeof params?.authToken !== "string" || params.authToken.length === 0) { throw new Error("missing or invalid authToken"); } // verify the token (JWT signature, lookup, ...) here}
const vm = agentOS<ConnParams>({ software: [pi] });
export const registry = setup({ use: { vm } });registry.start();See Actor Authentication for JWT validation, role-based access control, external auth providers, and token caching.