
auth-tool-cloudbase

Summary

Configure and manage CloudBase authentication providers including anonymous, SMS, email, WeChat, Google, and OAuth methods.

  • Supports 8+ authentication methods: anonymous login, username/password, SMS, email (Tencent Cloud or custom SMTP), WeChat Open Platform, Google OAuth, SAML, CAS, and Dingding
  • Query current login strategy via DescribeLoginStrategy, then modify provider settings with ModifyLoginStrategy or ModifyProvider API calls
  • Email authentication offers dual configuration: built-in Tencent Cloud email or custom SMTP server with configurable host, port, and security mode
  • OAuth providers (Google, etc.) require static domain retrieval and credential setup; includes pre-configured endpoints and scope mappings for streamlined integration
  • Requires CloudBase environment ID (env) and uses MCP tools callCloudApi to execute configuration changes
SKILL.md

Activation Contract

Use this first when

  • The task is to inspect, enable, disable, or configure CloudBase auth providers, login methods, publishable key prerequisites, SMS/email delivery, or third-party login readiness.
  • An auth implementation cannot proceed until provider status and login configuration are confirmed.
  • A CloudBase Web auth flow needs provider verification before auth-web.

Read before writing code if

  • The request mentions provider setup, auth console configuration, publishable key retrieval, login method availability, SMS/email sender setup, or third-party provider credentials.
  • The task mixes provider configuration with Web, mini program, Node, or raw HTTP auth implementation.

Then also read

  • Web auth UI -> ../auth-web/SKILL.md
  • Mini program native auth -> ../auth-wechat/SKILL.md
  • Node server-side identity / custom ticket -> ../auth-nodejs/SKILL.md
  • Native App / raw HTTP auth client -> ../http-api/SKILL.md

Do NOT use this as

  • The default implementation guide for every login or registration request.
  • A replacement for mini program native auth behavior when no provider change is involved.
  • A replacement for Node-side caller identity, user lookup, or custom login ticket flows.
  • A replacement for frontend integration, session handling, or client UX implementation.

Common mistakes / gotchas

  • Writing login UI before enabling the required provider.
  • Treating any mention of "auth" as a provider-management task.
  • Implementing Web login in cloud functions.
  • Routing native App auth to Web SDK flows.

Minimal checklist

Overview

Configure CloudBase authentication providers: Anonymous, Username/Password, SMS, Email, WeChat, Google, and more.

Prerequisites: CloudBase environment ID (env)

MCP Tool Boundary

Keep these two auth domains separate:

  • auth: MCP / management-side login only. Use it for status, start_auth, set_env, logout, and get_temp_credentials.
  • queryAppAuth / manageAppAuth: app-side authentication configuration. Use them for login methods, provider settings, publishable key, static domain, client config, and custom login keys.

Preferred execution order for this skill:

  1. Use queryAppAuth / manageAppAuth first when the needed action exists there.
  2. Use callCloudApi only as a fallback or for debugging raw request shapes.
  3. Do not route app-side provider configuration back to the MCP auth tool.

Authentication Scenarios

1. Get Login Config

Preferred MCP tool path: queryAppAuth(action="getLoginConfig")

Fallback API path: use the official login-config API. Do not use lowcode/DescribeLoginStrategy or lowcode/ModifyLoginStrategy as the default path.

Query current login configuration:

{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "DescribeLoginConfig"
}

The response contains fields such as:

  • AnonymousLogin
  • UserNameLogin
  • PhoneNumberLogin
  • EmailLogin
  • SmsVerificationConfig
  • MfaConfig
  • PwdUpdateStrategy

Parameter mapping for downstream Web auth code:

  • PhoneNumberLogin controls phone OTP flows used by auth-web auth.signInWithOtp({ phone }) and auth.signUp({ phone })
  • EmailLogin controls email OTP flows used by auth-web auth.signInWithOtp({ email }) and auth.signUp({ email })
  • UserNameLogin controls password login flows used by auth-web auth.signInWithPassword({ username, password })
  • SmsVerificationConfig.Type = "apis" requires both Name and Method
  • EnvId is always the CloudBase environment ID, not the publishable key

Before calling ModifyLoginConfig, rebuild the payload from writable keys only. Do not spread the full response object back into the request.

const WritableLoginConfig = {
    "PhoneNumberLogin": LoginConfig.PhoneNumberLogin,
    "EmailLogin": LoginConfig.EmailLogin,
    "UserNameLogin": LoginConfig.UserNameLogin,
    "AnonymousLogin": LoginConfig.AnonymousLogin,
    ...(LoginConfig.SmsVerificationConfig ? { "SmsVerificationConfig": LoginConfig.SmsVerificationConfig } : {}),
    ...(LoginConfig.MfaConfig ? { "MfaConfig": LoginConfig.MfaConfig } : {}),
    ...(LoginConfig.PwdUpdateStrategy ? { "PwdUpdateStrategy": LoginConfig.PwdUpdateStrategy } : {})
}
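
An added example (not part of the original skill or the CloudBase SDK) of the allowlist rebuild described above, combined with the SmsVerificationConfig rule from the parameter mapping. The function names, the sample response, and the assumption that RequestId is the only extra response field are constructed for illustration; the key names, service, and action come from this page.

```javascript
// Added example. Key names are from the page; function names are hypothetical.
const BOOLEAN_KEYS = ["PhoneNumberLogin", "EmailLogin", "UserNameLogin", "AnonymousLogin"];
const OBJECT_KEYS = ["SmsVerificationConfig", "MfaConfig", "PwdUpdateStrategy"];
const WRITABLE_KEYS = [...BOOLEAN_KEYS, ...OBJECT_KEYS];

function checkSmsConfig(sms) {
  if (sms.Type !== "default" && sms.Type !== "apis") {
    throw new Error('SmsVerificationConfig.Type must be "default" or "apis"');
  }
  if (sms.Type === "apis" && !(sms.Name && sms.Method)) {
    throw new Error('SmsVerificationConfig.Type "apis" requires both Name and Method');
  }
}

function buildModifyLoginConfig(envId, loginConfig, changes = {}) {
  if (typeof envId !== "string" || envId === "") throw new Error("EnvId is required");
  // Fail closed on keys outside the allowlist instead of forwarding them.
  for (const key of Object.keys(changes)) {
    if (!WRITABLE_KEYS.includes(key)) throw new Error(`not a writable key: ${key}`);
  }
  const params = { EnvId: envId };
  for (const key of WRITABLE_KEYS) {
    const value = key in changes ? changes[key] : loginConfig[key];
    if (value === undefined || value === null) continue; // absent in response: omit
    if (BOOLEAN_KEYS.includes(key) && typeof value !== "boolean") {
      throw new Error(`${key} must be true or false`);
    }
    params[key] = value;
  }
  if (params.SmsVerificationConfig) checkSmsConfig(params.SmsVerificationConfig);
  return { params, service: "tcb", action: "ModifyLoginConfig" };
}

// Constructed sample of a DescribeLoginConfig response (not captured output).
const SAMPLE_LOGIN_CONFIG = {
  RequestId: "constructed-request-id", // response metadata, must not be echoed back
  AnonymousLogin: false,
  UserNameLogin: true,
  PhoneNumberLogin: true,
  EmailLogin: false,
  SmsVerificationConfig: { Type: "default", SmsDayLimit: 30 },
};

const request = buildModifyLoginConfig("env-example", SAMPLE_LOGIN_CONFIG, { AnonymousLogin: true });
console.log(JSON.stringify(request, null, 2));
```

Passing the change set separately from the fetched config keeps the diff between current and requested state explicit, and an unknown key fails before any API call is made.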

2. Anonymous Login

Preferred MCP tool path: manageAppAuth(action="updateLoginConfig")

  1. Get LoginConfig (see Scenario 1)
  2. Set LoginConfig.AnonymousLogin = true (on) or false (off)
  3. Update:
{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "AnonymousLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

3. Username/Password Login

Preferred MCP tool path: manageAppAuth(action="updateLoginConfig")

  1. Get LoginConfig (see Scenario 1)
  2. Set LoginConfig.UserNameLogin = true (on) or false (off)
  3. Update:
{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "UserNameLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

4. SMS Login

Preferred MCP tool path: manageAppAuth(action="updateLoginConfig")

  1. Get LoginConfig (see Scenario 1)
  2. Modify:
    • Turn on: LoginConfig.PhoneNumberLogin = true
    • Turn off: LoginConfig.PhoneNumberLogin = false
    • Config (optional):
      LoginConfig.SmsVerificationConfig = {
          Type: 'default',      // 'default' or 'apis'
          Name: 'method_53978f9f96a35', // required when Type = 'apis'
          Method: 'SendVerificationCode',
          SmsDayLimit: 30       // -1 = unlimited
      }
      
  3. Update:
{
    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "default",
            "SmsDayLimit": 30
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Use a custom API (Type = "apis") to send SMS:

{
    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "apis",
            "Name": "method_53978f9f96a35",
            "Method": "SendVerificationCode",
            "SmsDayLimit": 20
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

5. Email Login

Email has two layers of configuration:

  • ModifyLoginConfig.EmailLogin: controls whether email/password login is enabled
  • ModifyProvider(Id="email"): controls the email sender channel and SMTP configuration
  • In Web auth code, this maps to auth.signInWithOtp({ email }) and auth.signUp({ email })

Preferred MCP tool path:

  • manageAppAuth(action="updateLoginConfig") for EmailLogin
  • manageAppAuth(action="updateProvider") for provider settings

Turn on email/password login:

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Turn off email/password login:

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": false },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Configure email provider (Tencent Cloud email):

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

Disable email provider:

{
    "params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
    "service": "tcb",
    "action": "ModifyProvider"
}

Configure email provider (custom SMTP):

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": {
            "On": "FALSE",
            "SmtpConfig": {
                "AccountPassword": "password",
                "AccountUsername": "username",
                "SecurityMode": "SSL",
                "SenderAddress": "sender@example.com",
                "ServerHost": "smtp.qq.com",
                "ServerPort": 465
            }
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

6. WeChat Login

Preferred MCP tool path:

  • queryAppAuth(action="listProviders") or queryAppAuth(action="getProvider")
  • manageAppAuth(action="updateProvider")

  1. Get WeChat config:
{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "GetProviders"
}

Filter by Id == "wx_open", save as WeChatProvider.

  2. Get credentials from WeChat Open Platform:

    • AppID
    • AppSecret
  3. Update:

{
    "params": {
        "EnvId": `env`,
        "Id": "wx_open",
        "On": "TRUE",  // "FALSE" to disable
        "Config": {
            ...WeChatProvider.Config,
            "ClientId": `AppID`,
            "ClientSecret": `AppSecret`
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

7. Google Login

Preferred MCP tool path:

  • queryAppAuth(action="getStaticDomain")
  • queryAppAuth(action="listProviders") or queryAppAuth(action="getProvider")
  • manageAppAuth(action="updateProvider")

  1. Get redirect URI:
{
    "params": { "EnvId": `env` },
    "service": "lowcode",
    "action": "DescribeStaticDomain"
}

Save result.Data.StaticDomain as staticDomain.

  2. Configure at Google Cloud Console:

    • Create OAuth 2.0 Client ID
    • Set redirect URI: https://{staticDomain}/__auth/
    • Get Client ID and Client Secret
  3. Enable:

{
    "params": {
        "EnvId": `env`,
        "ProviderType": "OAUTH",
        "Id": "google",
        "On": "TRUE",  // "FALSE" to disable
        "Name": { "Message": "Google" },
        "Description": { "Message": "" },
        "Config": {
            "ClientId": `Client ID`,
            "ClientSecret": `Client Secret`,
            "Scope": "email openid profile",
            "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
            "TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
            "RequestParametersMap": {
                "RegisterUserSyncScope": "syncEveryLogin",
                "IsGoogle": "TRUE"
            }
        },
        "Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
        "TransparentMode": "FALSE",
        "ReuseUserId": "TRUE",
        "AutoSignUpWithProviderUser": "TRUE"
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

8. Client Configuration Boundary

Use client APIs for client metadata and token/session settings. Do not use them as a replacement for login strategy or provider management.

Preferred MCP tool path:

  • queryAppAuth(action="getClientConfig")
  • manageAppAuth(action="updateClientConfig")

Query client config:

{
    "params": { "EnvId": `env`, "Id": `env` },
    "service": "tcb",
    "action": "DescribeClient"
}

Update client config:

{
    "params": {
        "EnvId": `env`,
        "Id": `env`,
        "AccessTokenExpiresIn": 7200,
        "RefreshTokenExpiresIn": 2592000,
        "MaxDevice": 3
    },
    "service": "tcb",
    "action": "ModifyClient"
}

9. Get Publishable Key

Preferred MCP tool path:

  • queryAppAuth(action="listApiKeyTokens")
  • manageAppAuth(action="createApiKeyToken")

Query existing key:

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
    "service": "lowcode",
    "action": "DescribeApiKeyTokens"
}

Return PublishableKey.ApiKey if it exists (filter by Name == "publish_key").

Create a new key (if none exists):

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "KeyName": "publish_key" },
    "service": "lowcode",
    "action": "CreateApiKeyToken"
}

If creation fails, direct the user to: "https://tcb.cloud.tencent.com/dev?envId=`env`#/env/apikey"

10. Custom Login Keys

Preferred MCP tool path: manageAppAuth(action="createCustomLoginKeys")

Use custom login keys when the application needs CloudBase custom auth integration and the standard provider setup is not enough.
