How to perform custom authentication + session initialization + post-response logging in ADK API Server?**

[sivakumar-d3v]

I am exposing my ADK agent using the API Server interface (e.g., /run, /sessions, etc.).
I need to add a custom workflow around each session:

1. When the user connects (or calls /run), I want to:

   • Authenticate the request using an external auth API
   • Parse the returned claims
   • Inject some claim values into the agent prompt (e.g., org_id, user_id )

2. During the session, the agent should run normally using these injected values as part of the prompt/context.

3. After the agent finishes responding, I need to perform a post-run operation such as:

   • Logging token usage
   • Saving billing metadata
   • Auditing the conversation, etc.

---

What is the recommended ADK pattern to do this?

Specifically, I want to know:

• Where should I hook custom authentication logic?

  • Middleware?
  • Custom router override?
  • Pre-execution hook on the agent?

• How can I inject authenticated claim data into the Agent prompt after authentication?

• Is there a post-run hook for cleanly running custom logic after the final agent response?

---

Additional Context

• I’m using FastAPI + ADK API Server
• Authentication should apply to all API Server endpoints (not tool auth)
• Agent prompt values depend on auth claims
• Deployment target is Cloud Run

---

Thanks in advance — looking for the best ADK-aligned design pattern rather than a workaround.