LangSmith API key in LangChain React SDK useStream

Hi all, I may be misunderstanding the docs, but from what I can gather in the frontend LangChain docs (Frontend - Docs by LangChain) it seems that if our agents are hosted on LangChain Cloud (LangSmith now) and we use useStream we have to pass the LangSmith API key in useStream, which lives on the client. This will expose the API key to the client though. Am I missing something? Are there any recommended approaches or patterns regarding this?

hi @iss44

LangSmith-hosted (deployment) endpoints use API keys by default and require a valid key in the x-api-key header (docs). In the JS SDK, the apiKey option is literally turned into an x-api-key header on requests.

What the frontend docs mean: the useStream docs say “API key … required when connecting to deployed agents on LangSmith” (docs). That’s true, but it’s describing authentication requirements, not endorsing putting a long-lived secret into untrusted client code.

Recommended patterns

  1. Backend proxy

    • Keep the LangSmith API key on a server (env var).
    • Expose your own endpoint (Next.js route / Express / FastAPI / etc.) that:
      • authenticates the user (cookie/JWT/session),
      • calls the LangSmith deployment using the server-side API key,
      • streams the response back to the browser (SSE).
    • On the client, point useStream at your own endpoint (or use useStreamCustom + FetchStreamTransport) so no LangSmith key ever reaches the browser.
  2. Custom auth on the deployment (browser uses per-user tokens, not a shared secret)

    • LangSmith supports replacing the default API-key model with your own auth handler (JWT/session/etc.) (docs).
    • Then the browser can send its normal user auth token (e.g. Authorization: Bearer <jwt>), and the deployment validates it and applies authorization rules per user/thread.
    • This avoids a single “god key” entirely and is the right choice for multi-tenant apps where users shouldn’t see each other’s threads/runs.
  3. Self-hosted

    • Self-hosted Agent Server has no default authentication and you can implement whatever security model you want (docs).

Practical note

If you’ve already put a LangSmith API key into client code (even briefly), assume it’s compromised and rotate/revoke it.
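The backend-proxy pattern described in the answer above, as an added example that is not part of the original post or of the LangChain/LangSmith SDKs. It assumes Node.js with only built-in modules, two environment variables (LANGSMITH_DEPLOYMENT_URL holding the deployment origin and LANGSMITH_API_KEY holding the key), a hypothetical session cookie named `sid` looked up in an in-memory store, and an illustrative allow-list of deployment routes; all of those names are assumptions, not SDK conventions.

```javascript
"use strict";
// Added example (not from the original post or the LangChain SDK): a minimal backend proxy
// for useStream that keeps the LangSmith API key server-side. Assumptions: Node.js with only
// built-in modules, LANGSMITH_DEPLOYMENT_URL holding the deployment origin, LANGSMITH_API_KEY
// holding the key, and a hypothetical session cookie "sid" looked up in an in-memory store.

// Constructed demo session store (sid -> user id); replace with your real session backend.
const SESSIONS = new Map([["demo-session-1", "user-42"]]);

// Browser headers that must never reach the deployment: the client must not be able to
// supply its own x-api-key, spoof Authorization, or leak its cookies upstream.
const STRIP_HEADERS = new Set([
  "x-api-key", "authorization", "cookie", "host", "content-length", "connection",
]);

// Illustrative allow-list of deployment routes a chat UI needs (create thread, stream a run,
// read state/history). Anything else, e.g. assistant management, is not reachable via the proxy.
const ALLOWED_PATH = /^\/threads(\/[A-Za-z0-9_-]+(\/(runs\/stream|state|history))?)?$/;

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Returns the user id for a browser request, or null if it carries no valid session.
function authenticate(headers) {
  const sid = parseCookies(headers.cookie || "").sid;
  return (sid && SESSIONS.get(sid)) || null;
}

// Builds the upstream request for an authenticated client request.
// Returns null when the path is outside the allow-list. The URL constructor normalises
// "..", so "/threads/../assistants" is rejected rather than escaping the allow-list.
function buildUpstreamRequest(method, path, clientHeaders, env) {
  const url = new URL(path, env.LANGSMITH_DEPLOYMENT_URL);
  if (!ALLOWED_PATH.test(url.pathname)) return null;
  const headers = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (!STRIP_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers["x-api-key"] = env.LANGSMITH_API_KEY; // the only place the secret is attached
  return { method, url: url.toString(), headers };
}

// Request handler: authenticate, build the upstream request, pipe the SSE stream back.
function makeHandler(env) {
  const http = require("http");
  const https = require("https");
  return (req, res) => {
    const userId = authenticate(req.headers);
    if (!userId) { res.writeHead(401); res.end("unauthenticated"); return; }
    // userId is where a per-user thread ownership check belongs in a multi-tenant app.
    const up = buildUpstreamRequest(req.method, req.url, req.headers, env);
    if (!up) { res.writeHead(404); res.end("not found"); return; }
    const client = up.url.startsWith("https:") ? https : http;
    const upstream = client.request(up.url, { method: up.method, headers: up.headers }, (ures) => {
      res.writeHead(ures.statusCode, {
        "content-type": ures.headers["content-type"] || "application/json",
        "cache-control": "no-cache",
      });
      ures.pipe(res); // SSE events flow through unchanged, chunk by chunk
    });
    upstream.on("error", () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(upstream); // forwards the JSON body (input, stream_mode, ...) as-is
  };
}

// Start only when asked, so the module can be imported or tested without opening a port.
if (process.env.RUN_PROXY === "1") {
  require("http").createServer(makeHandler(process.env)).listen(3001, () => {
    console.log("proxy listening on http://localhost:3001");
  });
}
```

In a real app you would mount the handler under your web app's own origin (a Next.js route, an Express middleware, etc.) rather than on a separate port, so the browser sends the session cookie automatically and the `apiUrl` you give useStream is just that route; the standalone listener is only there to run the file directly with `RUN_PROXY=1`. The two properties worth keeping as you adapt it: the deployment key is set from the environment after every client-supplied header is filtered, never merged with what the browser sent, and the proxied routes are an allow-list, so a leaked session cookie buys an attacker at most what your UI can already do, not the whole deployment API.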