| name | auth-tool-cloudbase |
| description | CloudBase auth provider configuration and login-readiness guide. This skill should be used when users need to inspect, enable, disable, or configure auth providers, publishable-key prerequisites, login methods, SMS/email sender setup, or other provider-side readiness before implementing a client or backend auth flow. |
| alwaysApply | false |
Activation Contract
Use this first when
- The task is to inspect, enable, disable, or configure CloudBase auth providers, login methods, publishable key prerequisites, SMS/email delivery, or third-party login readiness.
- An auth implementation cannot proceed until provider status and login configuration are confirmed.
- A CloudBase Web auth flow needs provider verification before
auth-web.
Read before writing code if
- The request mentions provider setup, auth console configuration, publishable key retrieval, login method availability, SMS/email sender setup, or third-party provider credentials.
- The task mixes provider configuration with Web, mini program, Node, or raw HTTP auth implementation.
Then also read
- Web auth UI ->
../auth-web/SKILL.md
- Mini program native auth ->
../auth-wechat/SKILL.md
- Node server-side identity / custom ticket ->
../auth-nodejs/SKILL.md
- Native App / raw HTTP auth client ->
../http-api/SKILL.md
Do NOT use this as
- The default implementation guide for every login or registration request.
- A replacement for mini program native auth behavior when no provider change is involved.
- A replacement for Node-side caller identity, user lookup, or custom login ticket flows.
- A replacement for frontend integration, session handling, or client UX implementation.
Common mistakes / gotchas
- Writing login UI before enabling the required provider.
- Treating any mention of "auth" as a provider-management task.
- Implementing Web login in cloud functions.
- Routing native App auth to Web SDK flows.
Minimal checklist
Overview
Configure CloudBase authentication providers: Anonymous, Username/Password, SMS, Email, WeChat, Google, and more.
Prerequisites: CloudBase environment ID (env)
Authentication Scenarios
1. Get Login Config
Use the official login-config API. Do not use lowcode/DescribeLoginStrategy or lowcode/ModifyLoginStrategy as the default path.
Query current login configuration:
{
"params": { "EnvId": `env` },
"service": "tcb",
"action": "DescribeLoginConfig"
}
The response contains fields such as:
AnonymousLogin
UserNameLogin
PhoneNumberLogin
EmailLogin
SmsVerificationConfig
MfaConfig
PwdUpdateStrategy
Parameter mapping for downstream Web auth code:
PhoneNumberLogin controls phone OTP flows used by auth-web auth.signInWithOtp({ phone }) and auth.signUp({ phone })
EmailLogin controls email OTP flows used by auth-web auth.signInWithOtp({ email }) and auth.signUp({ email })
UserNameLogin controls password login flows used by auth-web auth.signInWithPassword({ username, password })
SmsVerificationConfig.Type = "apis" requires both Name and Method
EnvId is always the CloudBase environment ID, not the publishable key
Before calling ModifyLoginConfig, rebuild the payload from writable keys only. Do not spread the full response object back into the request.
const WritableLoginConfig = {
"PhoneNumberLogin": LoginConfig.PhoneNumberLogin,
"EmailLogin": LoginConfig.EmailLogin,
"UserNameLogin": LoginConfig.UserNameLogin,
"AnonymousLogin": LoginConfig.AnonymousLogin,
...(LoginConfig.SmsVerificationConfig ? { "SmsVerificationConfig": LoginConfig.SmsVerificationConfig } : {}),
...(LoginConfig.MfaConfig ? { "MfaConfig": LoginConfig.MfaConfig } : {}),
...(LoginConfig.PwdUpdateStrategy ? { "PwdUpdateStrategy": LoginConfig.PwdUpdateStrategy } : {})
}
2. Anonymous Login
- Get
LoginConfig (see Scenario 1)
- Set
LoginConfig.AnonymousLogin = true (on) or false (off)
- Update:
{
"params": { "EnvId": `env`, ...WritableLoginConfig, "AnonymousLogin": true },
"service": "tcb",
"action": "ModifyLoginConfig"
}
3. Username/Password Login
- Get
LoginConfig (see Scenario 1)
- Set
LoginConfig.UserNameLogin = true (on) or false (off)
- Update:
{
"params": { "EnvId": `env`, ...WritableLoginConfig, "UserNameLogin": true },
"service": "tcb",
"action": "ModifyLoginConfig"
}
4. SMS Login
- Get
LoginConfig (see Scenario 1)
- Modify:
- Turn on:
LoginConfig.PhoneNumberLogin = true
- Turn off:
LoginConfig.PhoneNumberLogin = false
- Config (optional):
LoginConfig.SmsVerificationConfig = {
Type: 'default',
Name: 'method_53978f9f96a35',
Method: 'SendVerificationCode',
SmsDayLimit: 30
}
- Update:
{
"params": {
"EnvId": `env`,
...WritableLoginConfig,
"PhoneNumberLogin": true,
"SmsVerificationConfig": {
"Type": "default",
"SmsDayLimit": 30
}
},
"service": "tcb",
"action": "ModifyLoginConfig"
}
Use custom apis to send SMS:
{
"params": {
"EnvId": `env`,
...WritableLoginConfig,
"PhoneNumberLogin": true,
"SmsVerificationConfig": {
"Type": "apis",
"Name": "method_53978f9f96a35",
"Method": "SendVerificationCode",
"SmsDayLimit": 20
}
},
"service": "tcb",
"action": "ModifyLoginConfig"
}
5. Email Login
Email has two layers of configuration:
ModifyLoginConfig.EmailLogin: controls whether email/password login is enabled
ModifyProvider(Id="email"): controls the email sender channel and SMTP configuration
- In Web auth code, this maps to
auth.signInWithOtp({ email }) and auth.signUp({ email })
Turn on email/password login:
{
"params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": true },
"service": "tcb",
"action": "ModifyLoginConfig"
}
Turn off email/password login:
{
"params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": false },
"service": "tcb",
"action": "ModifyLoginConfig"
}
Configure email provider (Tencent Cloud email):
{
"params": {
"EnvId": `env`,
"Id": "email",
"On": "TRUE",
"EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
},
"service": "tcb",
"action": "ModifyProvider"
}
Disable email provider:
{
"params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
"service": "tcb",
"action": "ModifyProvider"
}
Configure email provider (custom SMTP):
{
"params": {
"EnvId": `env`,
"Id": "email",
"On": "TRUE",
"EmailConfig": {
"On": "FALSE",
"SmtpConfig": {
"AccountPassword": "password",
"AccountUsername": "username",
"SecurityMode": "SSL",
"SenderAddress": "sender@example.com",
"ServerHost": "smtp.qq.com",
"ServerPort": 465
}
}
},
"service": "tcb",
"action": "ModifyProvider"
}
6. WeChat Login
- Get WeChat config:
{
"params": { "EnvId": `env` },
"service": "tcb",
"action": "GetProviders"
}
Filter by Id == "wx_open", save as WeChatProvider.
-
Get credentials from WeChat Open Platform:
-
Update:
{
"params": {
"EnvId": `env`,
"Id": "wx_open",
"On": "TRUE",
"Config": {
...WeChatProvider.Config,
ClientId: `AppID`,
ClientSecret: `AppSecret`
}
},
"service": "tcb",
"action": "ModifyProvider"
}
7. Google Login
- Get redirect URI:
{
"params": { "EnvId": `env` },
"service": "lowcode",
"action": "DescribeStaticDomain"
}
Save result.Data.StaticDomain as staticDomain.
-
Configure at Google Cloud Console:
- Create OAuth 2.0 Client ID
- Set redirect URI:
https://{staticDomain}/__auth/
- Get
Client ID and Client Secret
-
Enable:
{
"params": {
"EnvId": `env`,
"ProviderType": "OAUTH",
"Id": "google",
"On": "TRUE",
"Name": { "Message": "Google" },
"Description": { "Message": "" },
"Config": {
"ClientId": `Client ID`,
"ClientSecret": `Client Secret`,
"Scope": "email openid profile",
"AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"TokenEndpoint": "https://oauth2.googleapis.com/token",
"UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
"TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
"RequestParametersMap": {
"RegisterUserSyncScope": "syncEveryLogin",
"IsGoogle": "TRUE"
}
},
"Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
"TransparentMode": "FALSE",
"ReuseUserId": "TRUE",
"AutoSignUpWithProviderUser": "TRUE"
},
"service": "tcb",
"action": "ModifyProvider"
}
8. Client Configuration Boundary
Use client APIs for client metadata and token/session settings. Do not use them as a replacement for login strategy or provider management.
Query client config:
{
"params": { "EnvId": `env`, "Id": `env` },
"service": "tcb",
"action": "DescribeClient"
}
Update client config:
{
"params": {
"EnvId": `env`,
"Id": `env`,
"AccessTokenExpiresIn": 7200,
"RefreshTokenExpiresIn": 2592000,
"MaxDevice": 3
},
"service": "tcb",
"action": "ModifyClient"
}
9. Get Publishable Key
Query existing key:
{
"params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
"service": "lowcode",
"action": "DescribeApiKeyTokens"
}
Return PublishableKey.ApiKey if exists (filter by Name == "publish_key").
Create new key (if not exists):
{
"params": { "EnvId": `env`, "KeyType": "publish_key", "KeyName": "publish_key" },
"service": "lowcode",
"action": "CreateApiKeyToken"
}
If creation fails, direct user to: "https://tcb.cloud.tencent.com/dev?envId=`env`#/env/apikey"