SKILL.md
$2d
- The request mentions provider setup, auth console configuration, publishable key retrieval, login method availability, SMS/email sender setup, or third-party provider credentials.
- The task mixes provider configuration with Web, mini program, Node, or raw HTTP auth implementation.
Then also read
- Web auth UI ->
../auth-web/SKILL.md(standalone fallback:https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/auth-web/SKILL.md)
- Mini program native auth ->
../auth-wechat/SKILL.md(standalone fallback:https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/auth-wechat/SKILL.md)
- Node server-side identity / custom ticket ->
../auth-nodejs/SKILL.md(standalone fallback:https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/auth-nodejs/SKILL.md)
- Native App / raw HTTP auth client ->
../http-api/SKILL.md(standalone fallback:https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/references/http-api/SKILL.md)
Do NOT use this as
- The default implementation guide for every login or registration request.
- A replacement for mini program native auth behavior when no provider change is involved.
- A replacement for Node-side caller identity, user lookup, or custom login ticket flows.
- A replacement for frontend integration, session handling, or client UX implementation.
Common mistakes / gotchas
- Writing login UI before enabling the required provider.
- Treating any mention of "auth" as a provider-management task.
- Implementing Web login in cloud functions.
- Routing native App auth to Web SDK flows.
- In an existing application, looping on provider queries after readiness is already known instead of wiring the active login and register handlers.
Minimal checklist
- Read Authentication Activation Checklist before auth implementation.
Overview
Configure CloudBase authentication providers: Anonymous, Username/Password, SMS, Email, WeChat, Google, and more.
Prerequisites: CloudBase environment ID (env)
MCP Tool Boundary
Keep these two auth domains separate:
auth: MCP / management-side login only. Use it forstatus,start_auth,set_env,logout, andget_temp_credentials.
queryAppAuth/manageAppAuth: app-side authentication configuration. Use them for login methods, provider settings, publishable key, static domain, client config, and custom login keys.
Preferred execution order for this skill:
- Use
queryAppAuth/manageAppAuthfirst when the needed action exists there.
- Use
callCloudApionly as a fallback or for debugging raw request shapes.
- Do not route app-side provider configuration back to the MCP
authtool.
- In existing projects with active login and register handlers, stop revisiting provider setup after the required login method and publishable key are confirmed. Move back to the active frontend handler and finish the actual user flow.
Authentication Scenarios
1. Get Login Config
Preferred MCP tool path: queryAppAuth(action="getLoginConfig")
Recommended MCP request:
{
"action": "getLoginConfig"
}queryAppAuth uses the currently selected environment and returns a short result by default:
{
"success": true,
"envId": "your-full-env-id",
"loginMethods": {
"usernamePassword": true,
"email": true,
"anonymous": false,
"phone": false
}
}Fallback API path: use the official login-config API. Do not use lowcode/DescribeLoginStrategy or lowcode/ModifyLoginStrategy as the default path.
Query current login configuration:
{
"params": { "EnvId": `env` },
"service": "tcb",
"action": "DescribeLoginConfig"
}The underlying login strategy contains fields such as:
AnonymousLogin
UserNameLogin
PhoneNumberLogin
EmailLogin
SmsVerificationConfig
MfaConfig
PwdUpdateStrategy
Parameter mapping for downstream Web auth code:
queryAppAuth(action="getLoginConfig")andmanageAppAuth(action="patchLoginStrategy")returnsdkStyle: "supabase-like"plussdkHints; treat that as the preferred frontend-auth calling guide
PhoneNumberLogincontrols phone OTP flows used byauth-webauth.signInWithOtp({ phone })andauth.signUp({ phone })
EmailLogincontrols email OTP flows used byauth-webauth.signInWithOtp({ email })andauth.signUp({ email })
UserNameLogincontrols username/password Web auth flows used byauth-webauth.signUp({ username, password })andauth.signInWithPassword({ username, password })
- If the account identifier is a plain username string, do not route it through email-only helpers such as
signInWithEmailAndPassword
UserNameLoginalso enables the broader password-login surface exposed byauth.signInWithPassword({ username|email|phone, password })
SmsVerificationConfig.Type = "apis"requires bothNameandMethod
EnvIdis always the CloudBase environment ID, not the publishable key
- If the conversation only contains an environment alias, nickname, or other shorthand, resolve it to the canonical full
EnvIdfirst before generating auth config, SDK init examples, or console links
Internal behavior of manageAppAuth(action="patchLoginStrategy"):
- Read the currently selected environment
- Query the current login strategy
- Merge the short
patchinto the writable strategy fields
- Update through Manager SDK
- Query again and return a short
loginMethodsresult
2. Anonymous Login
⚠️ Anonymous login is disabled by default for new environments. Inactive existing environments (no anonymous login usage within the past month) have also been automatically disabled. Additionally, anonymous users are denied AI model invocation permissions by default. Only enable anonymous login when the application explicitly requires unauthenticated access and you accept the associated security trade-offs.
Preferred MCP tool path: manageAppAuth(action="patchLoginStrategy")
To explicitly enable anonymous login (only when required):
{
"action": "patchLoginStrategy",
"patch": {
"anonymous": true
}
}The tool handles read-merge-write internally. The model does not need to build a full ModifyLoginConfig payload.
Important: Even after enabling anonymous login, anonymous users cannot call AI models by default. This permission must be explicitly granted separately if needed.
3. Username/Password Login
Preferred MCP tool path: manageAppAuth(action="patchLoginStrategy")
Recommended MCP request:
{
"action": "patchLoginStrategy",
"patch": {
"usernamePassword": true
}
}The tool handles read-merge-write internally. The model does not need to build a full ModifyLoginConfig payload.
4. SMS Login
Preferred MCP tool path: manageAppAuth(action="patchLoginStrategy")
Use patch.phone = true/false for the login method itself.
If SMS provider behavior also needs to change, keep using provider-side or raw API configuration for the extra fields such as SmsVerificationConfig.
Short MCP example:
{
"action": "patchLoginStrategy",
"patch": {
"phone": true
}
}5. Email Login
Email has two layers of configuration:
ModifyLoginConfig.EmailLogin: controls whether email/password login is enabled
ModifyProvider(Id="email"): controls the email sender channel and SMTP configuration
- In Web auth code, this maps to
auth.signInWithOtp({ email })andauth.signUp({ email })
Preferred MCP tool path:
manageAppAuth(action="patchLoginStrategy")forEmailLogin
manageAppAuth(action="updateProvider")for provider settings
Short MCP example:
{
"action": "patchLoginStrategy",
"patch": {
"email": true
}
}Configure email provider (Tencent Cloud email):
{
"params": {
"EnvId": `env`,
"Id": "email",
"On": "TRUE",
"EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
},
"service": "tcb",
"action": "ModifyProvider"
}Disable email provider:
{
"params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
"service": "tcb",
"action": "ModifyProvider"
}Configure email provider (custom SMTP):
{
"params": {
"EnvId": `env`,
"Id": "email",
"On": "TRUE",
"EmailConfig": {
"On": "FALSE",
"SmtpConfig": {
"AccountPassword": "password",
"AccountUsername": "username",
"SecurityMode": "SSL",
"SenderAddress": "sender@example.com",
"ServerHost": "smtp.qq.com",
"ServerPort": 465
}
}
},
"service": "tcb",
"action": "ModifyProvider"
}6. WeChat Login
Preferred MCP tool path:
queryAppAuth(action="listProviders")orqueryAppAuth(action="getProvider")
manageAppAuth(action="updateProvider")
- Get WeChat config:
{
"params": { "EnvId": `env` },
"service": "tcb",
"action": "GetProviders"
}Filter by Id == "wx_open", save as WeChatProvider.
-
Get credentials from WeChat Open Platform:
AppID
AppSecret
-
Update:
{
"params": {
"EnvId": `env`,
"Id": "wx_open",
"On": "TRUE", // "FALSE" to disable
"Config": {
...WeChatProvider.Config,
ClientId: `AppID`,
ClientSecret: `AppSecret`
}
},
"service": "tcb",
"action": "ModifyProvider"
}7. Google Login
Preferred MCP tool path:
queryAppAuth(action="getStaticDomain")
queryAppAuth(action="listProviders")orqueryAppAuth(action="getProvider")
manageAppAuth(action="updateProvider")
- Get redirect URI (static hosting CDN domain):
{
"params": { "EnvId": `env` },
"service": "tcb",
"action": "DescribeStaticStore"
}Prefer MCP: queryAppAuth(action="getStaticDomain") — use cdnDomain / staticDomain from the tool response (first store’s CdnDomain). Raw rows are in staticStores.
-
Configure at Google Cloud Console:
- Create OAuth 2.0 Client ID
- Set redirect URI:
https://{staticDomain}/__auth/
- Get
Client IDandClient Secret
-
Enable:
{
"params": {
"EnvId": `env`,
"ProviderType": "OAUTH",
"Id": "google",
"On": "TRUE", // "FALSE" to disable
"Name": { "Message": "Google" },
"Description": { "Message": "" },
"Config": {
"ClientId": `Client ID`,
"ClientSecret": `Client Secret`,
"Scope": "email openid profile",
"AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"TokenEndpoint": "https://oauth2.googleapis.com/token",
"UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
"TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
"RequestParametersMap": {
"RegisterUserSyncScope": "syncEveryLogin",
"IsGoogle": "TRUE"
}
},
"Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
"TransparentMode": "FALSE",
"ReuseUserId": "TRUE",
"AutoSignUpWithProviderUser": "TRUE"
},
"service": "tcb",
"action": "ModifyProvider"
}8. Provider Lifecycle Boundary
Use provider lifecycle APIs when the identity source itself needs to be created, updated, or removed.
Preferred MCP tool path:
queryAppAuth(action="listProviders")
queryAppAuth(action="getProvider")
manageAppAuth(action="addProvider")
manageAppAuth(action="updateProvider")
manageAppAuth(action="deleteProvider")
Guidance:
- Use
addProviderwhen the provider record does not exist yet and you need to create it withproviderType, optionalproviderId,displayName, andconfig.
- Use
updateProviderwhen the provider already exists and only its configuration or enablement state needs to change.
- Use
deleteProviderwhen the provider must be removed entirely instead of only disabling it.
9. Client Configuration Boundary
Use client APIs for client metadata and token/session settings. Do not use them as a replacement for login strategy or provider management.
Preferred MCP tool path:
queryAppAuth(action="getClientConfig")
manageAppAuth(action="updateClientConfig")
Both tools should default to the current selected environment's default client. Only pass clientId when you intentionally want to inspect or modify a non-default client record.
Query client config:
{
"params": { "EnvId": `env`, "Id": `env` },
"service": "tcb",
"action": "DescribeClient"
}Update client config:
{
"params": {
"EnvId": `env`,
"Id": `env`,
"AccessTokenExpiresIn": 7200,
"RefreshTokenExpiresIn": 2592000,
"MaxDevice": 3
},
"service": "tcb",
"action": "ModifyClient"
}10. Publishable Key and API Key Boundary
Preferred MCP tool path:
queryAppAuth(action="getPublishableKey")
manageAppAuth(action="ensurePublishableKey")
queryAppAuth(action="listApiKeys")
manageAppAuth(action="createApiKey")
manageAppAuth(action="deleteApiKey")
Use the shortcut pair getPublishableKey / ensurePublishableKey for the most common frontend-readiness flow.
Use the generic API key lifecycle actions when you need inventory, pagination, non-publishable keys, or explicit deletion.
Query existing publishable key:
{
"params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
"service": "tcb",
"action": "DescribeApiKeyList"
}queryAppAuth(action="getPublishableKey") should always force KeyType="publish_key" and return a short payload with publishableKey, keyId, keyName, expireAt, and createdAt.
List API keys:
{
"action": "listApiKeys",
"keyType": "api_key",
"pageNumber": 1,
"pageSize": 20
}Use listApiKeys for a general key inventory view. It supports optional keyType, pageNumber, and pageSize.
Ensure publishable key exists:
{
"params": { "EnvId": `env`, "KeyType": "publish_key" },
"service": "tcb",
"action": "CreateApiKey"
}manageAppAuth(action="ensurePublishableKey") should first query the existing publish_key; if one already exists, return it directly; otherwise create it and return the new key. This keeps the MCP interface short and avoids requiring the model to reason about KeyType or whether a key already exists.
Create a generic API key:
{
"action": "createApiKey",
"keyType": "api_key",
"keyName": "server-prod",
"expireIn": 86400
}createApiKey defaults to publish_key when keyType is omitted, but it can also create api_key for generic service-side access.
Delete an API key:
{
"action": "deleteApiKey",
"keyId": "api-key-id"
}Use deleteApiKey only when you intentionally want to revoke that key token.
If creation fails, direct user to: "[https://tcb.cloud.tencent.com/dev?envId=env#/env/apikey](https://tcb.cloud.tencent.com/dev?envId=%60env%60#/env/apikey)"
11. Custom Login Keys
Preferred MCP tool path: manageAppAuth(action="createCustomLoginKeys")
Use custom login keys when the application needs CloudBase custom auth integration and the standard provider setup is not enough.