actAs seam because none of them carry a browser session. Presets
in @vendoai/actions/presets mint the right auth material for common
providers so you don’t have to hand-roll actAs for each one.
When to use a preset
- You already sign users in with Auth.js, Supabase, Clerk, or Auth0.
- You want scheduled automations, webhooks, or MCP door calls to hit your host APIs as the connected user, using the same policy and approvals as in-product chat.
- You use a bespoke JWT for service-to-service auth and want the generic HS256
preset instead of writing an
actAsfunction from scratch.
Choose a preset
Presets fall into two shapes depending on what the identity provider allows. Offline session minting. Auth.js and Supabase let a host holding the session secret mint a session token the provider’s own verifier accepts. The preset mints a fresh token per away call — no extra middleware in your app. Host-owned away tokens. Clerk and Auth0 sign sessions with RS256 private keys you don’t hold, so offline minting is impossible. These presets ship two halves: a producer that signs a short-livedVendoAway HS256 token, and a
verify middleware you mount on your host app to trade that token for the
verified identity headers your API code reads.
Generic HS256. For any other provider that accepts an HS256 JWT with
configurable claims and header shape.
Wire a preset
Import the preset you want and hand it tocreateVendo as actAs. Each
preset closes over a secret you provision (session secret, project JWT
secret, or a host-generated away secret) and returns the ActAs function
Vendo calls before every away tool call.
Mount the verify middleware (Clerk and Auth0)
Because the Clerk and Auth0 presets sign a host-owned token instead of a real Clerk or Auth0 session, your host API needs to accept that token on away requests and turn it back into a user. Each preset exports a Next.js middleware and an Express middleware — mount the one that fits your app.- Strips any caller-supplied
x-vendo-away-*headers so callers can’t spoof identity by setting them by hand. - On requests that carry a valid
VendoAwaytoken, verifies the token and injects the extracted subject onx-vendo-away-*headers your API can trust. - Rejects forged, expired, or wrong-audience tokens before your handler runs.
awaySecret you pass to the preset and the middleware must match. Store
it as an environment variable and rotate by redeploying both halves.
Impersonation guard
Vendo compares the grant’ssubject to the current principal’s subject
before invoking actAs. If they don’t match, the call fails closed with an
act-as-subject-mismatch outcome and no outbound request is made. This
covers both away automations and MCP door calls, and applies to every
preset — you don’t wire it separately.
Token caching and rotation
Every preset caches minted tokens in memory until just before expiry (default 300 s safety margin, 30 s for the short-lived away tokens). Cache keys include a fingerprint of the signing secret, so rotating the secret invalidates the cache immediately — the next away call mints against the new secret. Expired entries are dropped on write, so the cache size stays bounded by the number of active principals.Verify wiring
actAs configuration end-to-end. For Clerk and Auth0,
doctor also checks that the verify middleware round-trips a synthetic away
token so a misconfigured secret surfaces before the first real away call.
If away calls fail with not-implemented, actAs is not configured. If they
fail with act-as-subject-mismatch, the grant belongs to a different user
than the current principal — see the troubleshooting
guide.