Pre-flight Checklist
Problem or Motivation
Agno v2.7 (agno-agi/agno#8747) put agno's AG-UI endpoint (POST {prefix}/agui) behind AgentOS's central auth middleware. Any deployment using OS_SECURITY_KEY, JWT auth, or platform access tokens now answers anonymous requests with:
HTTP 401 {"detail":"Authorization header required"}
The dojo builds its AgnoAgent instances from AGNO_URL alone:
(path) => new AgnoAgent({ url: `${envVars.agnoUrl}/${path}/agui` }),
There is no way to attach a credential, so the stock dojo cannot connect to any secured agno backend — every agno feature page fails with a 401.
Proposed Solution
An opt-in AGNO_AUTH_TOKEN env var, mirroring the watsonx credential pattern (#1665):
env.ts — read AGNO_AUTH_TOKEN with an empty-string default
agents.ts — when the token is set, pass headers: { Authorization: "Bearer <token>" } in the AgnoAgent config
No SDK changes needed: HttpAgent (which AgnoAgent extends) already accepts headers and sends them on every request. agents.ts is server-only, so the token never reaches the browser. When the var is unset, behavior is byte-identical to today.
AGNO_URL=http://localhost:9001 AGNO_AUTH_TOKEN=<key-or-token> pnpm dev
The change is ~6 lines plus a README note — implemented in #2132.
Alternatives Considered
- Extending the per-request
x-* header forwarding (#1763) — solves a different problem (forwarding browser request headers), not server-side static credentials.
- Reading env vars inside
@ag-ui/agno — the SDK should stay env-agnostic; the dojo is the right layer, as with watsonx.
Additional Context
The agno maintainers requested this dojo plumbing on the v2.7 review thread (agno#8747).
Pre-flight Checklist
Problem or Motivation
Agno v2.7 (agno-agi/agno#8747) put agno's AG-UI endpoint (
POST {prefix}/agui) behind AgentOS's central auth middleware. Any deployment usingOS_SECURITY_KEY, JWT auth, or platform access tokens now answers anonymous requests with:The dojo builds its
AgnoAgentinstances fromAGNO_URLalone:There is no way to attach a credential, so the stock dojo cannot connect to any secured agno backend — every agno feature page fails with a 401.
Proposed Solution
An opt-in
AGNO_AUTH_TOKENenv var, mirroring the watsonx credential pattern (#1665):env.ts— readAGNO_AUTH_TOKENwith an empty-string defaultagents.ts— when the token is set, passheaders: { Authorization: "Bearer <token>" }in theAgnoAgentconfigNo SDK changes needed:
HttpAgent(whichAgnoAgentextends) already acceptsheadersand sends them on every request.agents.tsisserver-only, so the token never reaches the browser. When the var is unset, behavior is byte-identical to today.The change is ~6 lines plus a README note — implemented in #2132.
Alternatives Considered
x-*header forwarding (#1763) — solves a different problem (forwarding browser request headers), not server-side static credentials.@ag-ui/agno— the SDK should stay env-agnostic; the dojo is the right layer, as with watsonx.Additional Context
The agno maintainers requested this dojo plumbing on the v2.7 review thread (agno#8747).