agent-auth-mcp

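Author: better-auth

Use the Agent Auth MCP tools to discover providers, connect agents, manage capabilities, and execute operations over the MCP protocol. Use when handling…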

npx skills add https://github.com/better-auth/agent-auth --skill agent-auth-mcp

Agent Auth MCP Tools

You have access to Agent Auth MCP tools for interacting with Agent Auth providers. Always prefer using these MCP tools for any agent authentication operations rather than making raw HTTP requests or writing custom code.

Starting the MCP Server

The MCP server is part of the CLI:

auth-agent mcp

Or with pre-configured providers:

auth-agent mcp --url https://api.example.com

Cursor / Claude Desktop configuration

{
  "mcpServers": {
    "auth-agent": {
      "command": "npx",
      "args": ["@auth/agent-cli", "mcp", "--url", "https://api.example.com"]
    }
  }
}

Available Tools

The MCP server exposes 17 tools. Follow the numbered workflow below.

Step 1: Discovery — Find a Provider

| Tool | Parameters | When to use |
| --- | --- | --- |
| list_providers | (none) | Call this first. Lists all discovered/configured providers. |
| search_providers | intent (required) | Search the directory by name or intent (e.g. "deploy web apps", "vercel"). |
| discover_provider | url (required) | Look up a specific provider by URL. Only use if list/search didn't help. |

Always start with list_providers. If empty, use search_providers or discover_provider.

Step 2: Capabilities — Understand What's Available

| Tool | Parameters | When to use |
| --- | --- | --- |
| list_capabilities | provider (required), query, agent_id, limit, cursor | List capabilities for a provider. |
| describe_capability | provider, name (required), agent_id | Get full definition including input schema. Always call before executing. |

Step 3: Connect — Authenticate an Agent

| Tool | Parameters | When to use |
| --- | --- | --- |
| connect_agent | provider (required), capabilities, mode, name, reason, preferred_method, login_hint, binding_message, force_new | Connect an agent to a provider. Returns agent_id. |

Key parameters:

  • capabilities — Array of capability names to request.
  • mode — "delegated" (acts for a user, default) or "autonomous" (independent).
  • preferred_method — "device_authorization" (default, opens browser) or "ciba" (backchannel notification).
  • login_hint — User email for CIBA flow.
  • force_new — Create a new connection even if one exists.

Step 4: Use the Agent

| Tool | Parameters | When to use |
| --- | --- | --- |
| execute_capability | agent_id, capability (required), arguments | Execute a granted capability. |
| agent_status | agent_id (required) | Check agent status, grants, and constraints. |
| sign_jwt | agent_id (required), capabilities, audience | Sign an agent JWT for manual use. |
| request_capability | agent_id, capabilities (required), reason, preferred_method, login_hint, binding_message | Request additional capabilities. |
| disconnect_agent | agent_id (required) | Revoke an agent. |
| reactivate_agent | agent_id (required) | Reactivate an expired agent. |

Host Management

| Tool | Parameters | When to use |
| --- | --- | --- |
| enroll_host | provider, enrollment_token (required), name | Enroll a host with a one-time token. |
| rotate_agent_key | agent_id (required) | Rotate an agent's keypair. |
| rotate_host_key | issuer (required) | Rotate the host keypair for a provider. |

Workflow Example

Here is the standard workflow for connecting to a provider and executing a capability:

1. list_providers
   → See what providers are already known

2. search_providers({ intent: "deploy web apps" })
   → Find a provider if none are known (or discover_provider with a URL)

3. list_capabilities({ provider: "https://api.example.com" })
   → See what the provider offers

4. describe_capability({ name: "deploy_app", provider: "https://api.example.com" })
   → Understand the input schema before executing

5. connect_agent({ provider: "https://api.example.com", capabilities: ["deploy_app"], name: "deploy-bot" })
   → Authenticate and get an agent_id
   → If approval is required, the user will be prompted

6. agent_status({ agent_id: "..." })
   → Confirm the agent is active and capabilities are granted

7. execute_capability({ agent_id: "...", capability: "deploy_app", arguments: { app: "my-app", env: "production" } })
   → Run the capability with the correct arguments

Important Rules

  • Never make raw HTTP requests to Agent Auth endpoints. Always use MCP tools.
  • Always call list_providers first. This tells you what's already configured.
  • Always call describe_capability before execute_capability. You need the input schema.
  • Always call agent_status after connect_agent. The agent may be pending approval.
  • Save the agent_id returned by connect_agent — every subsequent tool needs it.
  • Use constraints when connecting to limit agent permissions — pass them in the capabilities parameter as objects with name and constraints fields.
  • Handle approval flows. When connect_agent returns approval info (device code URL or CIBA), the user must approve before the agent becomes active. Poll agent_status to check.
  • Errors return structured objects like { error: "message", code: "error_code" } — check these and retry or adjust accordingly.

Capability Constraints

When connecting, you can restrict what an agent can do with its capabilities:

{
  "provider": "https://api.example.com",
  "capabilities": [
    "read_data",
    {
      "name": "transfer_money",
      "constraints": {
        "amount": { "max": 1000, "min": 1 },
        "currency": { "in": ["USD", "EUR"] }
      }
    }
  ]
}

Constraint types: eq (exact match), min/max (numeric bounds), in/not_in (allowed/blocked values).
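
The constraint operators above can be mirrored in a local pre-flight check that runs before execute_capability, so out-of-bounds arguments are caught on the client as well. This is an added example, not code from the Agent Auth project: checkArguments is a hypothetical helper, and the inclusive min/max bounds and the fail-closed handling of missing fields and unknown operators are assumptions of this sketch.

```javascript
// Added example: local pre-flight check of arguments against the constraints
// passed to connect_agent. Operator names (eq, min, max, in, not_in) come from
// the page; inclusive bounds and fail-closed behaviour are assumptions.
const OPERATORS = {
  eq: (value, expected) => value === expected,
  min: (value, bound) => typeof value === "number" && value >= bound,
  max: (value, bound) => typeof value === "number" && value <= bound,
  in: (value, allowed) => Array.isArray(allowed) && allowed.includes(value),
  not_in: (value, blocked) => Array.isArray(blocked) && !blocked.includes(value),
};

// capabilities: the array sent to connect_agent (strings or {name, constraints}).
// Returns a list of violation strings; an empty list means the call is in bounds.
function checkArguments(capabilities, capability, args = {}) {
  const entry = capabilities.find(
    (c) => (typeof c === "string" ? c : c.name) === capability
  );
  if (entry === undefined) return [`${capability}: not requested for this agent`];
  if (typeof entry === "string" || !entry.constraints) return []; // unconstrained

  const violations = [];
  for (const [field, rules] of Object.entries(entry.constraints)) {
    if (!Object.hasOwn(args, field)) {
      violations.push(`${field}: missing, but constrained`);
      continue;
    }
    for (const [op, operand] of Object.entries(rules)) {
      // Own-property lookup so names like "constructor" are not treated as operators.
      const test = Object.hasOwn(OPERATORS, op) ? OPERATORS[op] : null;
      if (!test) violations.push(`${field}: unknown operator "${op}"`);
      else if (!test(args[field], operand))
        violations.push(`${field}: ${JSON.stringify(args[field])} fails ${op}`);
    }
  }
  return violations;
}

// Constructed sample: the connect_agent capabilities array shown on the page.
const requested = [
  "read_data",
  { name: "transfer_money", constraints: {
      amount: { max: 1000, min: 1 },
      currency: { in: ["USD", "EUR"] } } },
];

console.log(checkArguments(requested, "transfer_money", { amount: 250, currency: "USD" }));
console.log(checkArguments(requested, "transfer_money", { amount: 5000, currency: "GBP" }));
```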

When to Use CLI vs MCP

  • Use MCP tools when operating inside an MCP-enabled environment (Cursor, Claude Code, Claude Desktop) — the tools are already available and integrated.
  • Use the CLI when running from a terminal directly, scripting, or when MCP is not available.
  • Both expose the same operations and share the same storage (~/.agent-auth/).
