
This skill helps you configure and manage CloudBase authentication providers and login methods across apps using MCP tools.

npx playbooks add skill tencentcloudbase/cloudbase-mcp --skill auth-tool

---
name: auth-tool-cloudbase
description: Use CloudBase Auth tool to configure and manage authentication providers for web applications - enable/disable login methods (SMS, Email, WeChat Open Platform, Google, Anonymous, Username/password, OAuth, SAML, CAS, Dingding, etc.) and configure provider settings via MCP tools `callCloudApi`.
alwaysApply: false
---

## Overview

Configure CloudBase authentication providers: Anonymous, Username/Password, SMS, Email, WeChat, Google, and more.

**Prerequisites**: CloudBase environment ID (`env`)

---


## Authentication Scenarios

### 1. Get Login Strategy

Query current login configuration:
```js
{
    "params": { "EnvId": `env` },
    "service": "lowcode",
    "action": "DescribeLoginStrategy"
}
```
Returns the `LoginStrategy` object, or `false` if it is not configured.

---

### 2. Anonymous Login

1. Get `LoginStrategy` (see Scenario 1)
2. Set `LoginStrategy.AnonymousLogin = true` (on) or `false` (off)
3. Update:
```js
{
    "params": { "EnvId": `env`, ...LoginStrategy },
    "service": "lowcode",
    "action": "ModifyLoginStrategy"
}
```

---

### 3. Username/Password Login

1. Get `LoginStrategy` (see Scenario 1)
2. Set `LoginStrategy.UserNameLogin = true` (on) or `false` (off)
3. Update:
```js
{
    "params": { "EnvId": `env`, ...LoginStrategy },
    "service": "lowcode",
    "action": "ModifyLoginStrategy"
}
```

---

### 4. SMS Login

1. Get `LoginStrategy` (see Scenario 1)
2. Modify:
   - **Turn on**: `LoginStrategy.PhoneNumberLogin = true`
   - **Turn off**: `LoginStrategy.PhoneNumberLogin = false`
   - **Config** (optional):
     ```js
     LoginStrategy.SmsVerificationConfig = {
         Type: 'default',      // 'default' or 'apis'
         Method: 'methodName',
         SmsDayLimit: 30       // -1 = unlimited
     }
     ```
3. Update:
```js
{
    "params": { "EnvId": `env`, ...LoginStrategy },
    "service": "lowcode",
    "action": "ModifyLoginStrategy"
}
```
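
Scenarios 2 to 4 share one read-modify-write pattern, so the merge step can be checked before anything is sent. The helpers below are an added example, not part of the original skill file: the function names are hypothetical, the shape of the fetched `LoginStrategy` is assumed from the fields shown above, and refusing to write when the strategy is `false` is this example's own choice.

```javascript
// Added example, not part of the skill file. Pure helpers: the caller performs
// the callCloudApi calls and passes in what DescribeLoginStrategy returned.
const TOGGLES = ["AnonymousLogin", "UserNameLogin", "PhoneNumberLogin"];

// Flag settings in a LoginStrategy that deserve a second look before writing.
function reviewLoginStrategy(strategy) {
  const findings = [];
  if (strategy.AnonymousLogin === true) {
    findings.push("AnonymousLogin is on: sign-in without credentials is allowed");
  }
  const sms = strategy.SmsVerificationConfig;
  if (strategy.PhoneNumberLogin === true && sms && sms.SmsDayLimit === -1) {
    findings.push("SmsDayLimit is -1: SMS sends have no daily cap");
  }
  return findings;
}

// Merge a patch into the fetched strategy and build the ModifyLoginStrategy request.
function buildModifyRequest(envId, current, patch) {
  if (current === null || typeof current !== "object") {
    // Design choice of this example: never write a partial object blind.
    throw new Error("LoginStrategy is not configured or was not fetched");
  }
  for (const [key, value] of Object.entries(patch)) {
    if (TOGGLES.includes(key)) {
      // LoginStrategy toggles are booleans; ModifyProvider uses "TRUE"/"FALSE" strings.
      if (typeof value !== "boolean") throw new Error(`${key} must be true or false`);
    } else if (key !== "SmsVerificationConfig") {
      throw new Error(`patch touches unexpected field: ${key}`);
    }
  }
  // EnvId goes last so a stray EnvId inside the fetched object cannot override it.
  const params = { ...current, ...patch, EnvId: envId };
  const request = { params, service: "lowcode", action: "ModifyLoginStrategy" };
  return { request, findings: reviewLoginStrategy(params) };
}

// Constructed sample of what DescribeLoginStrategy might return (shape assumed).
const SAMPLE_STRATEGY = {
  AnonymousLogin: false, UserNameLogin: true, PhoneNumberLogin: true,
  SmsVerificationConfig: { Type: "default", Method: "methodName", SmsDayLimit: -1 },
};
const preview = buildModifyRequest("env-constructed", SAMPLE_STRATEGY, { AnonymousLogin: true });
console.log(preview.findings);
```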

---

### 5. Email Login

**Turn on (Tencent Cloud email)**:
```js
{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}
```

**Turn off**:
```js
{
    "params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
    "service": "tcb",
    "action": "ModifyProvider"
}
```

**Turn on (custom SMTP)**:
```js
{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": {
            "On": "FALSE",
            "SmtpConfig": {
                "AccountPassword": "password",
                "AccountUsername": "username",
                "SecurityMode": "SSL",
                "SenderAddress": "sender@example.com",  // placeholder sender address
                "ServerHost": "smtp.qq.com",
                "ServerPort": 465
            }
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}
```

---

### 6. WeChat Login

1. Get WeChat config:
```js
{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "GetProviders"
}
```
Filter by `Id == "wx_open"`, save as `WeChatProvider`.

2. Get credentials from [WeChat Open Platform](https://open.weixin.qq.com/cgi-bin/readtemplate?t=regist/regist_tmpl):
   - `AppID`
   - `AppSecret`

3. Update:
```js
{
    "params": {
        "EnvId": `env`,
        "Id": "wx_open",
        "On": "TRUE",  // "FALSE" to disable
        "Config": {
            ...WeChatProvider.Config,
            ClientId: `AppID`,
            ClientSecret: `AppSecret`
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}
```

---

### 7. Google Login

1. Get redirect URI:
```js
{
    "params": { "EnvId": `env` },
    "service": "lowcode",
    "action": "DescribeStaticDomain"
}
```
Save `result.Data.StaticDomain` as `staticDomain`.

2. Configure at [Google Cloud Console](https://console.cloud.google.com/apis/credentials):
   - Create OAuth 2.0 Client ID
   - Set redirect URI: `https://{staticDomain}/__auth/`
   - Get `Client ID` and `Client Secret`

3. Enable:
```js
{
    "params": {
        "EnvId": `env`,
        "ProviderType": "OAUTH",
        "Id": "google",
        "On": "TRUE",  // "FALSE" to disable
        "Name": { "Message": "Google" },
        "Description": { "Message": "" },
        "Config": {
            "ClientId": `Client ID`,
            "ClientSecret": `Client Secret`,
            "Scope": "email openid profile",
            "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
            "TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
            "RequestParametersMap": {
                "RegisterUserSyncScope": "syncEveryLogin",
                "IsGoogle": "TRUE"
            }
        },
        "Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
        "TransparentMode": "FALSE",
        "ReuseUserId": "TRUE",
        "AutoSignUpWithProviderUser": "TRUE"
    },
    "service": "tcb",
    "action": "ModifyProvider"
}
```
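
The `ModifyProvider` requests in scenarios 5 and 7 carry `AccountPassword` and `ClientSecret`, so they should be filled from the environment and masked before being logged or echoed back. The helpers below are an added example, not part of the original skill file: the function names and the `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` variable names are assumptions, and all sample values are constructed.

```javascript
// Added example, not part of the skill file. GOOGLE_CLIENT_ID and
// GOOGLE_CLIENT_SECRET are assumed environment variable names.
const SECRET_KEYS = new Set(["ClientSecret", "AccountPassword"]);

// Return a deep copy with secret fields masked, safe to log or show to a user.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([key, inner]) =>
      [key, SECRET_KEYS.has(key) && inner ? "[REDACTED]" : redact(inner)]));
  }
  return value;
}

// Build the OAuth redirect URI; accept only a bare host name from DescribeStaticDomain.
function redirectUri(staticDomain) {
  if (typeof staticDomain !== "string" ||
      !/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(staticDomain)) {
    throw new Error("staticDomain must be a bare host name");
  }
  return `https://${staticDomain}/__auth/`;
}

// Copy a ModifyProvider request, filling Config credentials from the environment.
function withGoogleCredentials(request, env) {
  const clientId = env.GOOGLE_CLIENT_ID;
  const clientSecret = env.GOOGLE_CLIENT_SECRET;
  if (!clientId || !clientSecret) throw new Error("Google OAuth credentials not set");
  const config = { ...request.params.Config, ClientId: clientId, ClientSecret: clientSecret };
  return { ...request, params: { ...request.params, Config: config } };
}

// Constructed values for illustration only.
const TEMPLATE = {
  params: { EnvId: "env-constructed", ProviderType: "OAUTH", Id: "google", On: "TRUE",
            Config: { Scope: "email openid profile" } },
  service: "tcb",
  action: "ModifyProvider",
};
const FAKE_ENV = { GOOGLE_CLIENT_ID: "constructed-id", GOOGLE_CLIENT_SECRET: "constructed-secret" };
const filled = withGoogleCredentials(TEMPLATE, FAKE_ENV);
console.log(JSON.stringify(redact(filled)));
console.log(redirectUri("static.example.com"));
```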

### 8. Get Publishable Key

**Query existing key**:
```js
{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
    "service": "lowcode",
    "action": "DescribeApiKeyTokens"
}
```
Return `PublishableKey.ApiKey` if it exists (filter by `Name == "publish_key"`).

**Create new key** (if none exists):
```js
{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "KeyName": "publish_key" },
    "service": "lowcode",
    "action": "CreateApiKeyToken"
}
```
If creation fails, direct the user to: "https://tcb.cloud.tencent.com/dev?envId=`env`#/env/apikey"

Overview

This skill uses the CloudBase Auth tool to configure and manage authentication providers for web applications. It lets you enable or disable login methods (Anonymous, Username/Password, SMS, Email, WeChat Open Platform, Google, OAuth, SAML, CAS, Dingding, etc.) and adjust provider settings programmatically. It works via MCP callCloudApi calls to CloudBase services and returns provider or strategy objects for inspection and updates.

How this skill works

The skill calls CloudBase MCP APIs (lowcode and tcb services) to describe and modify login strategies and providers. It fetches current LoginStrategy or provider lists, updates required fields (e.g., enable flags, credentials, SMTP config, OAuth endpoints), and submits ModifyLoginStrategy or ModifyProvider requests. It can also query or create publishable API keys used by some auth flows.

When to use it

  • Enable or disable specific login flows for a CloudBase environment
  • Configure SMS or email verification settings and limits
  • Add OAuth providers like Google or WeChat and supply credentials
  • Switch on anonymous login for frictionless testing or demos
  • Create or retrieve a publishable API key for client-side auth integration

Best practices

  • Always call DescribeLoginStrategy or GetProviders before making changes to avoid overwriting existing settings
  • Store EnvId and provider credentials (client secrets, SMTP passwords) securely — do not commit them to source control
  • When adding OAuth providers, register accurate redirect URIs using the static domain returned by DescribeStaticDomain
  • Test changes in a staging environment first, especially for SMS/email flows that may incur costs or rate limits
  • Use granular configuration (e.g., SmsVerificationConfig) to control daily limits and verification behavior

Example use cases

  • Turn on username/password login for a new app by toggling UserNameLogin in LoginStrategy and calling ModifyLoginStrategy
  • Enable Google OAuth: fetch static domain, register redirect URI at Google, then call ModifyProvider with ClientId/Secret
  • Configure custom SMTP for email login by setting EmailConfig.SmtpConfig and enabling the email provider
  • Enable anonymous login for a public demo by setting AnonymousLogin = true and updating the LoginStrategy
  • Query or create a publishable key for client integrations with DescribeApiKeyTokens/CreateApiKeyToken

FAQ

What parameter is required to run calls?

You must provide the CloudBase environment ID (EnvId) for every request.

How do I find the redirect URI for OAuth providers?

Call DescribeStaticDomain and use the returned StaticDomain value to build the redirect URI: https://{staticDomain}/__auth/.