Overview

RadarOS provides built-in JWT authentication and RBAC middleware for the Express transport layer. Both are plug-and-play — just add config to RouterOptions.

Quick Start

import { createAgentRouter } from "@radaros/transport";

const router = createAgentRouter({
  jwt: {
    secret: process.env.JWT_SECRET!,
    algorithm: "HS256",
  },
  rbac: {
    agentScopes: {
      "admin-agent": ["admin:*"],
    },
  },
  cors: true,
});

JWT Configuration

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| secret | string | required | JWT signing secret |
| algorithm | string | | Algorithm (HS256, RS256, etc.) |
| issuer | string | | Expected token issuer |
| audience | string | | Expected token audience |
| extractFrom | "header" \| "cookie" | "header" | Where to find the token |
| cookieName | string | "token" | Cookie name (when extractFrom is "cookie") |

Requires: npm install jsonwebtoken

RBAC Configuration

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| scopeField | string | "scopes" | JWT payload field containing scopes |
| defaultScopes | Record<string, string[]> | Built-in map | Route-to-scope mapping |
| agentScopes | Record<string, string[]> | | Per-agent scope requirements |

Built-in Scope Map

| Route | Required Scopes |
| --- | --- |
| POST /agents/:name/run | agents:run |
| POST /agents/:name/stream | agents:run |
| GET /agents | agents:read |
| POST /teams/:name/run | teams:run |
| GET /teams | teams:read |
| POST /workflows/:name/run | workflows:run |
| GET/POST/DELETE /admin/* | admin:* |

Token Format

{
  "sub": "user-123",
  "scopes": ["agents:run", "agents:read", "teams:run"],
  "iat": 1700000000,
  "exp": 1700003600
}
The wildcard scope * or admin:* grants access to all routes.
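The built-in scope map and the wildcard rule, written out as a stand-alone authorization check (an added example, not RadarOS source code). It assumes that scopes listed in agentScopes are required in addition to the route's scope and that requests matching no rule are denied; the function names are hypothetical.

```javascript
// Added example, not RadarOS source. Rows copied from the page's built-in scope map.
const DEFAULT_SCOPES = [
  ["POST", "/agents/:name/run", "agents:run"],
  ["POST", "/agents/:name/stream", "agents:run"],
  ["GET", "/agents", "agents:read"],
  ["POST", "/teams/:name/run", "teams:run"],
  ["GET", "/teams", "teams:read"],
  ["POST", "/workflows/:name/run", "workflows:run"],
];
const ADMIN_METHODS = new Set(["GET", "POST", "DELETE"]);

// Match an Express-style pattern segment by segment; returns captured params or null.
function matchRoute(pattern, path) {
  const p = pattern.split("/"), s = path.split("/");
  if (p.length !== s.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(":")) {
      if (!s[i]) return null; // empty segment never satisfies a parameter
      params[p[i].slice(1)] = s[i];
    } else if (p[i] !== s[i]) return null;
  }
  return params;
}

// Scopes a request needs, or null when no rule covers it.
function requiredScopes(method, path, agentScopes = {}) {
  if (path.startsWith("/admin/")) return ADMIN_METHODS.has(method) ? ["admin:*"] : null;
  for (const [m, pattern, scope] of DEFAULT_SCOPES) {
    const params = m === method ? matchRoute(pattern, path) : null;
    if (!params) continue;
    // Assumption: per-agent scopes are required on top of the route scope.
    // hasOwn keeps an agent named "constructor" from hitting Object.prototype.
    const name = params.name;
    const extra = pattern.startsWith("/agents/") && Object.hasOwn(agentScopes, name) ? agentScopes[name] : [];
    return [scope, ...extra];
  }
  return null;
}

// payload is an already-verified JWT payload; scopeField mirrors the RBAC option.
function isAllowed(payload, method, path, agentScopes, scopeField = "scopes") {
  const held = payload[scopeField];
  const needed = requiredScopes(method, path, agentScopes);
  if (!Array.isArray(held) || needed === null) return false; // fail closed
  if (held.includes("*") || held.includes("admin:*")) return true; // wildcard rule from the page
  return needed.every((s) => held.includes(s));
}
```

The Array.isArray guard matters: if the scopes claim arrived as a string, String.prototype.includes would do substring matching and "agents:run-limited" would satisfy "agents:run".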