agent-auth-mcp

Use as ferramentas do Agent Auth MCP para descobrir provedores, conectar agentes, gerenciar capacidades e executar operações através do protocolo MCP. Use ao trabalhar…

npx skills add https://github.com/better-auth/agent-auth --skill agent-auth-mcp

Agent Auth MCP Tools

You have access to Agent Auth MCP tools for interacting with Agent Auth providers. Always prefer using these MCP tools for any agent authentication operations rather than making raw HTTP requests or writing custom code.

Starting the MCP Server

The MCP server is part of the CLI:

auth-agent mcp

Or with pre-configured providers:

auth-agent mcp --url https://api.example.com

Cursor / Claude Desktop configuration

{
  "mcpServers": {
    "auth-agent": {
      "command": "npx",
      "args": ["@auth/agent-cli", "mcp", "--url", "https://api.example.com"]
    }
  }
}

Available Tools

The MCP server exposes 17 tools. Follow the numbered workflow below.

Step 1: Discovery — Find a Provider

ToolParametersWhen to use
list_providers(none)Call this first. Lists all discovered/configured providers.
search_providersintent (required)Search the directory by name or intent (e.g. "deploy web apps", "vercel").
discover_providerurl (required)Look up a specific provider by URL. Only use if list/search didn't help.

Always start with list_providers. If empty, use search_providers or discover_provider.

Step 2: Capabilities — Understand What's Available

ToolParametersWhen to use
list_capabilitiesprovider (required), query, agent_id, limit, cursorList capabilities for a provider.
describe_capabilityprovider, name (required), agent_idGet full definition including input schema. Always call before executing.

Step 3: Connect — Authenticate an Agent

ToolParametersWhen to use
connect_agentprovider (required), capabilities, mode, name, reason, preferred_method, login_hint, binding_message, force_newConnect an agent to a provider. Returns agent_id.

Key parameters:

  • capabilities — Array of capability names to request.
  • mode"delegated" (acts for a user, default) or "autonomous" (independent).
  • preferred_method"device_authorization" (default, opens browser) or "ciba" (backchannel notification).
  • login_hint — User email for CIBA flow.
  • force_new — Create a new connection even if one exists.

Step 4: Use the Agent

ToolParametersWhen to use
execute_capabilityagent_id, capability (required), argumentsExecute a granted capability.
agent_statusagent_id (required)Check agent status, grants, and constraints.
sign_jwtagent_id (required), capabilities, audienceSign an agent JWT for manual use.
request_capabilityagent_id, capabilities (required), reason, preferred_method, login_hint, binding_messageRequest additional capabilities.
disconnect_agentagent_id (required)Revoke an agent.
reactivate_agentagent_id (required)Reactivate an expired agent.

Host Management

ToolParametersWhen to use
enroll_hostprovider, enrollment_token (required), nameEnroll a host with a one-time token.
rotate_agent_keyagent_id (required)Rotate an agent's keypair.
rotate_host_keyissuer (required)Rotate the host keypair for a provider.

Workflow Example

Here is the standard workflow for connecting to a provider and executing a capability:

1. list_providers
   → See what providers are already known

2. search_providers({ intent: "deploy web apps" })
   → Find a provider if none are known (or discover_provider with a URL)

3. list_capabilities({ provider: "https://api.example.com" })
   → See what the provider offers

4. describe_capability({ name: "deploy_app", provider: "https://api.example.com" })
   → Understand the input schema before executing

5. connect_agent({ provider: "https://api.example.com", capabilities: ["deploy_app"], name: "deploy-bot" })
   → Authenticate and get an agent_id
   → If approval is required, the user will be prompted

6. agent_status({ agent_id: "..." })
   → Confirm the agent is active and capabilities are granted

7. execute_capability({ agent_id: "...", capability: "deploy_app", arguments: { app: "my-app", env: "production" } })
   → Run the capability with the correct arguments

Important Rules

  • Never make raw HTTP requests to Agent Auth endpoints. Always use MCP tools.
  • Always call list_providers first. This tells you what's already configured.
  • Always call describe_capability before execute_capability. You need the input schema.
  • Always call agent_status after connect_agent. The agent may be pending approval.
  • Save the agent_id returned by connect_agent — every subsequent tool needs it.
  • Use constraints when connecting to limit agent permissions — pass them in the capabilities parameter as objects with name and constraints fields.
  • Handle approval flows. When connect_agent returns approval info (device code URL or CIBA), the user must approve before the agent becomes active. Poll agent_status to check.
  • Errors return structured objects like { error: "message", code: "error_code" } — check these and retry or adjust accordingly.

Capability Constraints

When connecting, you can restrict what an agent can do with its capabilities:

{
  "provider": "https://api.example.com",
  "capabilities": [
    "read_data",
    {
      "name": "transfer_money",
      "constraints": {
        "amount": { "max": 1000, "min": 1 },
        "currency": { "in": ["USD", "EUR"] }
      }
    }
  ]
}

Constraint types: eq (exact match), min/max (numeric bounds), in/not_in (allowed/blocked values).

When to Use CLI vs MCP

  • Use MCP tools when operating inside an MCP-enabled environment (Cursor, Claude Code, Claude Desktop) — the tools are already available and integrated.
  • Use the CLI when running from a terminal directly, scripting, or when MCP is not available.
  • Both expose the same operations and share the same storage (~/.agent-auth/).

Mais skills de better-auth

agent-auth-cli
better-auth
Use a CLI de Autenticação de Agente (auth-agent) para descobrir provedores, conectar agentes, gerenciar capacidades e executar operações. Use quando o usuário quiser interagir…
official
better-icons
better-auth
Pesquise e recupere SVGs de mais de 200 bibliotecas de ícones com integração CLI e servidor MCP. Suporta pesquisa em coleções principais (Lucide, Material Design Icons, Heroicons, Tabler e mais de 200 outras) com filtragem por prefixo e limites de resultados. Comandos CLI para pesquisar ícones, baixar lotes como arquivos SVG e recuperar ícones individuais com personalização de cor e tamanho. Ferramentas de servidor MCP para agentes de IA, incluindo recomendações inteligentes, correspondência de similaridade, varredura de projetos e ícones em lote...
official
better-auth-best-practices
better-auth
We need to translate the given text from English to Brazilian Portuguese. The text is a description of a skill called "better-auth-best-practices". The instruction says to preserve the name if it appears in the source text, but the name does not appear in the provided text. So we just translate the text. Also preserve product names, protocol names, URLs, numbers, technical terms. The text includes terms like "Better Auth", "Prisma", "Drizzle", "MongoDB", "Redis", "KV", etc. These should remain as is. Also "database adapters", "session management", "plugins", "security configuration", "workflow", "installation", "database migration", "environment variable setup", "route handler creation", "frameworks", "model vs. table naming conventions", "session storage strategies", "secondary storage", "cookie..." - these are technical terms, but some may be translated if they are common in Portuguese tech context. However, the instruction says "preserve technical terms" - likely meaning keep them in English if they are standard. But
official
create-auth-skill
better-auth
Estrutura e implementa autenticação em aplicativos TypeScript/JavaScript com detecção de framework Better Auth, configuração de adaptador de banco de dados e integração OAuth. Detecta frameworks (Next.js, SvelteKit, Nuxt, Astro, Express, Hono), bancos de dados (Prisma, Drizzle, MongoDB, drivers nativos) e bibliotecas de autenticação existentes por meio de varredura de projeto. Suporta email/senha, OAuth (Google, GitHub, Apple, Microsoft, Discord, Twitter), links mágicos, chaves de acesso e autenticação por telefone com verificação de email configurável...
official
Email & Password Best Practices
better-auth
email-&-password-best-practices — uma skill instalável para agentes de IA, publicada por better-auth/skills.
official
email-and-password-best-practices
better-auth
Verificaçao de e-mail, fluxos de redefiniçao de senha e políticas de senha personalizáveis para o Better Auth. Suporta verificaçao de e-mail com aplicaçao opcional para bloquear o login até a verificaçao, além de expiraçao de token configurável e tokens de redefiniçao de uso único. Fluxos de redefiniçao de senha com segurança integrada: envio de e-mail em segundo plano, prevençao de ataques de temporizaçao, operaçoes fictícias em solicitaçoes inválidas e revogaçao opcional de sessao ao redefinir. Limites de comprimento de senha configuráveis (padrao 8–256 caracteres) e personalizados...
official
organization-best-practices
better-auth
Configuração de organização multi-inquilino com gerenciamento de membros, controle de acesso baseado em funções e suporte a equipes via Better Auth. Configure organizações com regras de criação personalizáveis, limites de associação e restrições de propriedade; criadores recebem automaticamente a função de proprietário. Gerencie membros e convites com entrega por e-mail, janelas de expiração e URLs de convite compartilháveis; suporte a múltiplas funções por membro. Defina funções e permissões personalizadas com controle de acesso dinâmico; verifique permissões...
official
two-factor-authentication-best-practices
better-auth
Autenticação multifator com TOTP, OTP, códigos de backup e gerenciamento de dispositivos confiáveis para Better Auth. Suporta três métodos de verificação: aplicativos autenticadores (TOTP com códigos QR), códigos por e-mail/SMS (OTP) e códigos de backup de uso único. Gerencia fluxos completos de login com 2FA, incluindo gerenciamento automático de sessão, cookies temporários de 2FA e rastreamento de dispositivos confiáveis com expiração configurável. Recursos de segurança integrados, como limitação de taxa (3 solicitações a cada 10 segundos) e criptografia em repouso para segredos...
official