agent-auth-cli

Use a CLI de Autenticação de Agente (auth-agent) para descobrir provedores, conectar agentes, gerenciar capacidades e executar operações. Use quando o usuário quiser interagir…

npx skills add https://github.com/better-auth/agent-auth --skill agent-auth-cli

Agent Auth CLI

You have access to the auth-agent CLI for interacting with Agent Auth providers. Always prefer using the CLI for any agent authentication operations rather than making raw HTTP requests or writing custom code.

Binary

The CLI binary is auth-agent (package: @auth/agent-cli). If not installed globally, run via npx @auth/agent-cli.

Workflow

Follow this order when working with a provider:

1. Discover or find a provider

# If you have the provider URL
auth-agent discover https://api.example.com

# If you need to search by intent
auth-agent search "deploy web apps"

# List already-known providers
auth-agent providers
  • discover fetches the /.well-known/agent-configuration document and caches the provider.
  • search queries the directory and returns matching providers.
  • Always discover or search first before connecting.

2. Explore capabilities

# List all capabilities for a provider
auth-agent capabilities --provider https://api.example.com

# Filter by query
auth-agent capabilities --provider https://api.example.com --query "transfer"

# Get full definition with input schema
auth-agent describe transfer_money --provider https://api.example.com
  • Always run describe before executing a capability to understand the required input schema and constraints.
  • If connected, pass --agent-id <id> to see which capabilities are granted.

3. Connect an agent

# Basic connection with specific capabilities
auth-agent connect --provider https://api.example.com \
  --capabilities read_data transfer_money \
  --name my-agent

# With constraints on capability arguments
auth-agent connect --provider https://api.example.com \
  --capabilities read_data transfer_money \
  --constraints '{"transfer_money":{"amount":{"max":1000}}}' \
  --name constrained-agent

# Autonomous mode (no user association)
auth-agent connect --provider https://api.example.com \
  --capabilities read_data \
  --mode autonomous

# With CIBA approval (backchannel, sends notification to user)
auth-agent connect --provider https://api.example.com \
  --capabilities read_data \
  --preferred-method ciba \
  --login-hint [email protected]
  • Save the returned agent_id — you need it for all subsequent operations.
  • If approval is required, the CLI opens the browser or prints the approval URL. Pass --no-browser to suppress browser opening.
  • Use --force-new to create a new connection even if one exists.

4. Check status

auth-agent status <agent-id>
  • Shows agent status (pending_approval, active, expired, revoked), granted capabilities, and constraints.
  • Run this after connecting to confirm the agent was approved.

5. Execute capabilities

auth-agent execute <agent-id> transfer_money \
  --args '{"amount": 50, "to": "alice"}'
  • The --args flag takes a JSON string matching the capability's input schema.
  • Always describe the capability first to know the required arguments.

6. Request additional capabilities

auth-agent request <agent-id> \
  --capabilities admin_panel \
  --constraints '{"admin_panel":{"scope":{"in":["read","write"]}}}' \
  --reason "Need admin access for deployment"

7. Lifecycle management

# Disconnect (revoke) an agent
auth-agent disconnect <agent-id>

# Reactivate an expired agent
auth-agent reactivate <agent-id>

# View stored connection details
auth-agent connection <agent-id>

# List all connections for a provider
auth-agent connections <issuer-url>

8. Key rotation

# Rotate an agent's keypair
auth-agent rotate-agent-key <agent-id>

# Rotate the host keypair for a provider
auth-agent rotate-host-key <issuer-url>

9. Host enrollment

auth-agent enroll-host --provider https://api.example.com --token <enrollment-token> --name "My Device"

10. Sign JWTs manually

# Sign an agent JWT (for use with external HTTP calls)
auth-agent sign <agent-id>

# Scope to specific capabilities
auth-agent sign <agent-id> --capabilities transfer_money read_data

Global Flags

FlagEnv varDescription
--storage-dir <path>AGENT_AUTH_STORAGE_DIRStorage directory (default: ~/.agent-auth)
--directory-url <url>AGENT_AUTH_DIRECTORY_URLDirectory URL for provider search
--host-name <name>AGENT_AUTH_HOST_NAMEHost name for identification
--no-browserAGENT_AUTH_NO_BROWSER=1Suppress browser opening for approval URLs
--url <urls...>AGENT_AUTH_URLSProvider URLs to auto-discover at startup

Important Rules

  • Never make raw HTTP requests to Agent Auth endpoints. Always use the CLI.
  • Always discover before connecting. The CLI needs the provider's configuration cached locally.
  • Always describe before executing. Check the input schema so you pass correct arguments.
  • Check status after connecting. The agent may require user approval before it becomes active.
  • Store agent IDs. You need them for execute, status, request, disconnect, and all other operations.
  • Use constraints when connecting to limit what the agent can do — this is a security best practice.
  • Set AGENT_AUTH_ENCRYPTION_KEY in production to encrypt private keys stored in ~/.agent-auth/.

Storage

Connections, keys, and provider configs are stored in ~/.agent-auth/ by default:

  • host.json — host identity and keypair
  • agents/<agent-id>.json — agent connections
  • providers/<encoded-issuer>.json — cached provider configurations

Mais skills de better-auth

agent-auth-mcp
better-auth
Use as ferramentas do Agent Auth MCP para descobrir provedores, conectar agentes, gerenciar capacidades e executar operações através do protocolo MCP. Use ao trabalhar…
official
better-icons
better-auth
Pesquise e recupere SVGs de mais de 200 bibliotecas de ícones com integração CLI e servidor MCP. Suporta pesquisa em coleções principais (Lucide, Material Design Icons, Heroicons, Tabler e mais de 200 outras) com filtragem por prefixo e limites de resultados. Comandos CLI para pesquisar ícones, baixar lotes como arquivos SVG e recuperar ícones individuais com personalização de cor e tamanho. Ferramentas de servidor MCP para agentes de IA, incluindo recomendações inteligentes, correspondência de similaridade, varredura de projetos e ícones em lote...
official
better-auth-best-practices
better-auth
We need to translate the given text from English to Brazilian Portuguese. The text is a description of a skill called "better-auth-best-practices". The instruction says to preserve the name if it appears in the source text, but the name does not appear in the provided text. So we just translate the text. Also preserve product names, protocol names, URLs, numbers, technical terms. The text includes terms like "Better Auth", "Prisma", "Drizzle", "MongoDB", "Redis", "KV", etc. These should remain as is. Also "database adapters", "session management", "plugins", "security configuration", "workflow", "installation", "database migration", "environment variable setup", "route handler creation", "frameworks", "model vs. table naming conventions", "session storage strategies", "secondary storage", "cookie..." - these are technical terms, but some may be translated if they are common in Portuguese tech context. However, the instruction says "preserve technical terms" - likely meaning keep them in English if they are standard. But
official
create-auth-skill
better-auth
Estrutura e implementa autenticação em aplicativos TypeScript/JavaScript com detecção de framework Better Auth, configuração de adaptador de banco de dados e integração OAuth. Detecta frameworks (Next.js, SvelteKit, Nuxt, Astro, Express, Hono), bancos de dados (Prisma, Drizzle, MongoDB, drivers nativos) e bibliotecas de autenticação existentes por meio de varredura de projeto. Suporta email/senha, OAuth (Google, GitHub, Apple, Microsoft, Discord, Twitter), links mágicos, chaves de acesso e autenticação por telefone com verificação de email configurável...
official
Email & Password Best Practices
better-auth
email-&-password-best-practices — uma skill instalável para agentes de IA, publicada por better-auth/skills.
official
email-and-password-best-practices
better-auth
Verificaçao de e-mail, fluxos de redefiniçao de senha e políticas de senha personalizáveis para o Better Auth. Suporta verificaçao de e-mail com aplicaçao opcional para bloquear o login até a verificaçao, além de expiraçao de token configurável e tokens de redefiniçao de uso único. Fluxos de redefiniçao de senha com segurança integrada: envio de e-mail em segundo plano, prevençao de ataques de temporizaçao, operaçoes fictícias em solicitaçoes inválidas e revogaçao opcional de sessao ao redefinir. Limites de comprimento de senha configuráveis (padrao 8–256 caracteres) e personalizados...
official
organization-best-practices
better-auth
Configuração de organização multi-inquilino com gerenciamento de membros, controle de acesso baseado em funções e suporte a equipes via Better Auth. Configure organizações com regras de criação personalizáveis, limites de associação e restrições de propriedade; criadores recebem automaticamente a função de proprietário. Gerencie membros e convites com entrega por e-mail, janelas de expiração e URLs de convite compartilháveis; suporte a múltiplas funções por membro. Defina funções e permissões personalizadas com controle de acesso dinâmico; verifique permissões...
official
two-factor-authentication-best-practices
better-auth
Autenticação multifator com TOTP, OTP, códigos de backup e gerenciamento de dispositivos confiáveis para Better Auth. Suporta três métodos de verificação: aplicativos autenticadores (TOTP com códigos QR), códigos por e-mail/SMS (OTP) e códigos de backup de uso único. Gerencia fluxos completos de login com 2FA, incluindo gerenciamento automático de sessão, cookies temporários de 2FA e rastreamento de dispositivos confiáveis com expiração configurável. Recursos de segurança integrados, como limitação de taxa (3 solicitações a cada 10 segundos) e criptografia em repouso para segredos...
official