#Authorizing access to threads using onBeforeRequest


hallow quarry

Hey team, looking for guidance around authorizing a request based on the thread id.

Looking to do something like this:

middleware: {
  onBeforeRequest: ({ request, threadId }) => {
    // getTokenFromRequest, getUserIdFromToken and canAccessThread are
    // the poster's own helpers, not part of CopilotKit
    const token = getTokenFromRequest(request);
    const user = getUserIdFromToken(token);

    if (!canAccessThread(user, threadId)) {
      throw new AuthorizationError('');
    }
  }
},

However it doesn't seem the request itself is passed to this middleware. Is there another recommendation you can give for how to handle this sort of authorization?

gloomy carbon

@hallow quarry
You can’t rely on request inside onBeforeRequest to validate users—CopilotKit doesn’t expose raw HTTP there. Instead, do auth checks early in your API handler (e.g., Next.js/Express/FastAPI) or GraphQL resolver, validate the user, and block unauthorized access. Then pass user info into CopilotKit’s ctx.properties. Inside onBeforeRequest, use those properties (like userId) along with the threadId to run any final checks:
if (!canAccessThread(properties.userId, threadId)) throw new Error("Forbidden");
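The three steps in the reply above (authenticate at the HTTP boundary, put the verified identity into properties, do the thread check inside onBeforeRequest), written out as a self-contained added example; this is not code from the thread or from CopilotKit. It assumes onBeforeRequest receives an object with threadId and properties, and the bearer-token table, thread ACL, helper names and the handleRequest wrapper are all constructed stand-ins so the pattern can run without the framework.

```javascript
// Constructed demo data (not real credentials): opaque token -> user, and a
// thread -> members ACL. In a real deployment these are your session store
// and your database.
const SESSIONS = new Map([
  ["tok_alice", { userId: "alice" }],
  ["tok_bob", { userId: "bob" }],
]);
const THREAD_MEMBERS = new Map([
  ["thread-1", new Set(["alice"])],
  ["thread-2", new Set(["alice", "bob"])],
]);

// Step 1: authenticate where the raw HTTP request is visible (your API route /
// resolver), not inside the CopilotKit middleware. Returns null on failure.
function authenticateRequest(headers) {
  const auth = headers["authorization"] || "";
  const [scheme, token] = auth.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) || null;
}

// Step 2: build the properties the runtime will see. The handler sets userId
// from the verified session; anything the client itself sent as "properties"
// is untrusted and must not be the source of this value.
function buildProperties(user) {
  return { userId: user.userId };
}

// Authorization rule: a user may touch a thread only if they are a member.
function canAccessThread(userId, threadId) {
  const members = THREAD_MEMBERS.get(threadId);
  return members !== undefined && members.has(userId);
}

// Step 3: the final check inside onBeforeRequest, using only properties and
// threadId (assumed parameter names; no request object is available here).
const middleware = {
  onBeforeRequest: ({ threadId, properties }) => {
    if (!properties || typeof properties.userId !== "string") {
      throw new Error("Unauthenticated");
    }
    // A request that has not been bound to a thread yet carries no threadId,
    // so there is nothing to authorize against at this point.
    if (threadId === undefined) return;
    if (!canAccessThread(properties.userId, threadId)) {
      throw new Error("Forbidden");
    }
  },
};

// Simulated API handler tying the steps together; returns an HTTP-style status
// so the outcome of each path can be checked.
function handleRequest(headers, threadId) {
  const user = authenticateRequest(headers);
  if (!user) return { status: 401 };
  const properties = buildProperties(user);
  try {
    middleware.onBeforeRequest({ threadId, properties });
  } catch (err) {
    return { status: err.message === "Forbidden" ? 403 : 401 };
  }
  return { status: 200, userId: properties.userId };
}

// Example run: alice owns thread-1, bob does not.
console.log(handleRequest({ authorization: "Bearer tok_alice" }, "thread-1")); // 200
console.log(handleRequest({ authorization: "Bearer tok_bob" }, "thread-1"));   // 403
console.log(handleRequest({}, "thread-1"));                                      // 401
```

The important design point is that `properties.userId` is written by the server-side handler after the token has been verified; the middleware trusts it only because the handler is the sole writer. If the client could supply that field directly, the check in onBeforeRequest would be bypassable, so treat client-provided properties as untrusted input and overwrite the identity fields on the server.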

hallow quarry

This is very helpful, thank you! The only thing that makes me hesitate is that onBeforeRequest doesn't seem to get called for the initial loadAgentState call. Is there somewhere I can see exactly which requests will result in the middleware being triggered?