agent-auth-mcp

Author: better-auth

Use the Agent Auth MCP tools to discover providers, connect agents, manage capabilities, and execute operations over the MCP protocol. Use when handling…

npx skills add https://github.com/better-auth/agent-auth --skill agent-auth-mcp

Agent Auth MCP Tools

You have access to Agent Auth MCP tools for interacting with Agent Auth providers. Always prefer using these MCP tools for any agent authentication operations rather than making raw HTTP requests or writing custom code.

Starting the MCP Server

The MCP server is part of the CLI:

auth-agent mcp

Or with pre-configured providers:

auth-agent mcp --url https://api.example.com

Cursor / Claude Desktop configuration

{
  "mcpServers": {
    "auth-agent": {
      "command": "npx",
      "args": ["@auth/agent-cli", "mcp", "--url", "https://api.example.com"]
    }
  }
}

Available Tools

The MCP server exposes 17 tools. Follow the numbered workflow below.

Step 1: Discovery — Find a Provider

| Tool | Parameters | When to use |
| --- | --- | --- |
| list_providers | (none) | Call this first. Lists all discovered/configured providers. |
| search_providers | intent (required) | Search the directory by name or intent (e.g. "deploy web apps", "vercel"). |
| discover_provider | url (required) | Look up a specific provider by URL. Only use if list/search didn't help. |

Always start with list_providers. If empty, use search_providers or discover_provider.

Step 2: Capabilities — Understand What's Available

| Tool | Parameters | When to use |
| --- | --- | --- |
| list_capabilities | provider (required), query, agent_id, limit, cursor | List capabilities for a provider. |
| describe_capability | provider, name (required), agent_id | Get full definition including input schema. Always call before executing. |

Step 3: Connect — Authenticate an Agent

| Tool | Parameters | When to use |
| --- | --- | --- |
| connect_agent | provider (required), capabilities, mode, name, reason, preferred_method, login_hint, binding_message, force_new | Connect an agent to a provider. Returns agent_id. |

Key parameters:

  • capabilities — Array of capability names to request.
  • mode — "delegated" (acts for a user, default) or "autonomous" (independent).
  • preferred_method — "device_authorization" (default, opens browser) or "ciba" (backchannel notification).
  • login_hint — User email for CIBA flow.
  • force_new — Create a new connection even if one exists.

Step 4: Use the Agent

| Tool | Parameters | When to use |
| --- | --- | --- |
| execute_capability | agent_id, capability (required), arguments | Execute a granted capability. |
| agent_status | agent_id (required) | Check agent status, grants, and constraints. |
| sign_jwt | agent_id (required), capabilities, audience | Sign an agent JWT for manual use. |
| request_capability | agent_id, capabilities (required), reason, preferred_method, login_hint, binding_message | Request additional capabilities. |
| disconnect_agent | agent_id (required) | Revoke an agent. |
| reactivate_agent | agent_id (required) | Reactivate an expired agent. |

Host Management

| Tool | Parameters | When to use |
| --- | --- | --- |
| enroll_host | provider, enrollment_token (required), name | Enroll a host with a one-time token. |
| rotate_agent_key | agent_id (required) | Rotate an agent's keypair. |
| rotate_host_key | issuer (required) | Rotate the host keypair for a provider. |

Workflow Example

Here is the standard workflow for connecting to a provider and executing a capability:

1. list_providers
   → See what providers are already known

2. search_providers({ intent: "deploy web apps" })
   → Find a provider if none are known (or discover_provider with a URL)

3. list_capabilities({ provider: "https://api.example.com" })
   → See what the provider offers

4. describe_capability({ name: "deploy_app", provider: "https://api.example.com" })
   → Understand the input schema before executing

5. connect_agent({ provider: "https://api.example.com", capabilities: ["deploy_app"], name: "deploy-bot" })
   → Authenticate and get an agent_id
   → If approval is required, the user will be prompted

6. agent_status({ agent_id: "..." })
   → Confirm the agent is active and capabilities are granted

7. execute_capability({ agent_id: "...", capability: "deploy_app", arguments: { app: "my-app", env: "production" } })
   → Run the capability with the correct arguments

Important Rules

  • Never make raw HTTP requests to Agent Auth endpoints. Always use MCP tools.
  • Always call list_providers first. This tells you what's already configured.
  • Always call describe_capability before execute_capability. You need the input schema.
  • Always call agent_status after connect_agent. The agent may be pending approval.
  • Save the agent_id returned by connect_agent — every subsequent tool needs it.
  • Use constraints when connecting to limit agent permissions — pass them in the capabilities parameter as objects with name and constraints fields.
  • Handle approval flows. When connect_agent returns approval info (device code URL or CIBA), the user must approve before the agent becomes active. Poll agent_status to check.
  • Errors return structured objects like { error: "message", code: "error_code" } — check these and retry or adjust accordingly.

Capability Constraints

When connecting, you can restrict what an agent can do with its capabilities:

{
  "provider": "https://api.example.com",
  "capabilities": [
    "read_data",
    {
      "name": "transfer_money",
      "constraints": {
        "amount": { "max": 1000, "min": 1 },
        "currency": { "in": ["USD", "EUR"] }
      }
    }
  ]
}

Constraint types: eq (exact match), min/max (numeric bounds), in/not_in (allowed/blocked values).
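
The constraint types above, applied as a local pre-flight check before execute_capability. This is an added example, not code from Agent Auth or this skill; the function names, inclusive bounds, and fail-closed handling of missing arguments and unknown constraint types are assumptions, and the provider remains the authority on enforcement:

```javascript
// Added example, not Agent Auth's own code: pre-flight check of call arguments
// against the constraints requested at connect time. Assumed semantics:
// inclusive min/max, strict equality, missing or unknown items fail closed.
const OPERATORS = {
  eq: (value, expected) => value === expected,
  min: (value, bound) => typeof value === "number" && value >= bound,
  max: (value, bound) => typeof value === "number" && value <= bound,
  in: (value, allowed) => Array.isArray(allowed) && allowed.includes(value),
  not_in: (value, blocked) => Array.isArray(blocked) && !blocked.includes(value),
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The capabilities array mixes plain names and { name, constraints } objects.
function findGrant(capabilities, name) {
  for (const entry of capabilities) {
    if (entry === name) return { name, constraints: {} };
    if (entry && typeof entry === "object" && entry.name === name) {
      return { name, constraints: entry.constraints || {} };
    }
  }
  return null; // capability was never requested
}

// Returns a list of violations; an empty list means the call is within bounds.
function checkArguments(capabilities, name, args) {
  const grant = findGrant(capabilities, name);
  if (!grant) return [`capability "${name}" not requested`];
  const violations = [];
  for (const [field, rules] of Object.entries(grant.constraints)) {
    if (!own(args, field)) {
      violations.push(`${field}: missing`);
      continue;
    }
    for (const [op, operand] of Object.entries(rules)) {
      if (!own(OPERATORS, op)) violations.push(`${field}: unknown constraint ${op}`);
      else if (!OPERATORS[op](args[field], operand)) violations.push(`${field}: violates ${op}`);
    }
  }
  return violations;
}

// Constructed sample mirroring the connect_agent request shown above.
const requested = [
  "read_data",
  { name: "transfer_money", constraints: {
    amount: { max: 1000, min: 1 }, currency: { in: ["USD", "EUR"] } } },
];
console.log(checkArguments(requested, "transfer_money", { amount: 5000, currency: "GBP" }));
```

An empty result only means the arguments fit what was requested; the grant actually issued can be narrower, so confirm it with agent_status.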

When to Use CLI vs MCP

  • Use MCP tools when operating inside an MCP-enabled environment (Cursor, Claude Code, Claude Desktop) — the tools are already available and integrated.
  • Use the CLI when running from a terminal directly, scripting, or when MCP is not available.
  • Both expose the same operations and share the same storage (~/.agent-auth/).
