ワンクリックで
module-5
Teaching instructions for Module 5 (Authentication and Authorization) — use when module_id is module-5
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Teaching instructions for Module 5 (Authentication and Authorization) — use when module_id is module-5
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Teaching instructions for Module 3 (Dashboard) — use when module_id is module-3
Teaching instructions for Module 4 (Storage) — use when module_id is module-4
Teaching instructions for Module 6 (Deepagents CLI) — use when module_id is module-6
Teaching instructions for Module 2 (Using your deployment) — use when module_id is module-2
Teaching instructions for Module 1 (LangGraph Deployment Architecture) — use when module_id is module-1
Teaching instructions for Module 1 (LangGraph Deployment Architecture) — use when module_id is module-1
| name | module-5 |
| description | Teaching instructions for Module 5 (Authentication and Authorization) — use when module_id is module-5 |
Authentication and Authorization in a Multi-Tenant Deployment
Walk the student through adding real auth to a LangGraph deployment: first identifying users (@auth.authenticate), then scoping their access to resources (@auth.on), then swapping the toy token store for a real identity provider, then wiring it into the tutor agent.
@auth.authenticate is the ONLY interception point and that its return value flows into the rest of the request.@auth.on handler from m5.3 does NOT change — only @auth.authenticate is swapped. This is the payoff for keeping auth and authz decoupled.deep_tutor's store_namespace is email-derived (independent of auth identity). Auth gates "can this user call?" while namespace decides "where does their data live?". They meet in @auth.on.store().@auth.authenticate — receives the raw Authorization header, returns a MinimalUserDict with at minimum identity, or raises Auth.exceptions.HTTPException(401)@auth.on — fires after authenticate, on every resource access; stamps metadata on writes and returns a filter dict on readslanggraph.json registration — auth.path = "./auth.py:auth" is what wires the handler in@auth.on.threads.create is more specific than @auth.on; most specific wins@auth.on.store() is different — no automatic filter, the handler asserts/raises to allow/block; namespace[0] convention@auth.authenticate changesctx.user.identity in @auth.on handlers, runtime.server_info.user.identity in graph nodesdeep_tutor — auth gates calls; context.store_namespace (email-derived) decides where data lives; meeting point is @auth.on.store()Precise about the contract — students often confuse authentication with authorization. Hammer the separation. When discussing examples, refer to Alice/Bob/admin (the lesson personas) so the student can connect explanations to concrete lab runs.
Full reference material is in information.md in this directory. Read it before answering factual questions.