一键导入
auth-setup
Use when configuring OAuth providers (Google/GitHub/Apple/X/etc.), setting up post-login auth hooks, tuning JWT lifetimes, or generating service API keys
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when configuring OAuth providers (Google/GitHub/Apple/X/etc.), setting up post-login auth hooks, tuning JWT lifetimes, or generating service API keys
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Claude Code plugin for Butterbase — 30+ guided skills and auto-configured MCP for the AI-native backend-as-a-service.
Use when the user wants to read/write their Butterbase substrate — the per-user agent-memory backend that holds entities, business state, institutional memory, and an append-only action ledger. Use for: founder copilots, AI agents that need memory across sessions, anything that proposes actions on the user's behalf.
Use when designing, deploying, or debugging a Butterbase Agent (declarative LLM/tool graph), registering an MCP server for tool use, or wiring access controls and rate limits. Agents are first-class app resources defined by a `graph_spec` and invoked over `/v1/<app_id>/agents/<name>/runs`.
Use as the agents build stage of the Butterbase journey. Implements the Agents section of 02-plan.md by delegating to the `agents` skill for each agent. Registers any required MCP servers, validates each graph_spec, creates the agent, and smokes it via invoke_agent. Skipped if the plan has no agents.
Use as stage 1 of the Butterbase journey, when the user has only a rough idea ("I want to build something that..."). Conducts a concrete, one-question-at-a-time brainstorm that surfaces who the user is, what they do first, what the must-haves are, and inline-tags Butterbase capabilities (→ manage_schema, → deploy_function, etc.). Produces docs/butterbase/01-idea.md.
Use as stage 2 of the Butterbase journey, after journey-idea has written 01-idea.md. Translates the idea + capability map into a concrete Butterbase plan — tables (with columns/types/RLS shape), auth providers, function list (name + trigger), storage buckets, AI/RAG/realtime/durable usage, and the chosen frontend stack. In hackathon mode, ruthlessly cuts scope into a "ship now" vs "post-hackathon" split. Produces docs/butterbase/02-plan.md.
| name | auth-setup |
| description | Use when configuring OAuth providers (Google/GitHub/Apple/X/etc.), setting up post-login auth hooks, tuning JWT lifetimes, or generating service API keys |
Two umbrella tools cover end-user authentication:
manage_oauth — provider configuration (Google, GitHub, Apple, X, custom)manage_auth_config — auth hooks, JWT lifetimes, service key generationFor broad app build-out, see also butterbase-skills:build-app. This skill is the deep dive.
Every request runs under one of three database roles:
| Auth header | Role | current_user_id() | RLS |
|---|---|---|---|
| none | butterbase_anon | NULL | enforced; default deny |
End-user JWT (issued by manage_oauth or email login) | butterbase_user | user UUID | enforced |
Service key (bb_sk_*) | butterbase_service | NULL | bypassed |
Auth is what transforms a request into the right role. RLS is what filters the data. Both must be configured.
manage_oauth({
app_id: "app_abc123",
action: "configure",
provider: "google",
client_id: "123456789.apps.googleusercontent.com",
client_secret: "GOCSPX-...",
redirect_uris: ["https://api.butterbase.ai/auth/app_abc123/oauth/google/callback"]
// scopes / authorization_url / token_url / userinfo_url / provider_metadata are auto-filled for built-in providers
})
Built-in providers (URLs and scopes pre-filled): google, github, discord, facebook, linkedin, microsoft, apple, x.
Custom providers: pass authorization_url, token_url, userinfo_url, and scopes explicitly.
https://api.butterbase.ai/auth/{app_id}/oauth/{provider}/callback
Register this exact URI in the provider's developer console. Mismatch is the most common reason OAuth flows fail.
| Provider | Quirk |
|---|---|
apple | Requires provider_metadata: { teamId, keyId, privateKey }. Apple only returns the user's name on first auth and uses POST callback (handled automatically). |
x | Does not return email. Butterbase synthesises {username}@users.noreply.x.local for the user record. |
facebook | Default scopes email, public_profile. |
google | Standard. |
github | Standard. |
manage_oauth({ app_id, action: "get" }) // list all providers (secrets redacted)
manage_oauth({ app_id, action: "get", provider: "google" }) // single provider
manage_oauth({ app_id, action: "update", provider: "google", client_secret: "new-secret" })
manage_oauth({ app_id, action: "delete", provider: "google" }) // disables future logins; existing sessions valid until expiry
GET https://api.butterbase.ai/auth/{app_id}/oauth/{provider}?redirect_to=https://yourapp.com/auth/callback
User signs in at the provider, gets bounced back to redirect_to with access_token and refresh_token as query params. The Butterbase SDK wraps this:
await client.auth.signInWithOAuth({ provider: "google" });
const { user, accessToken } = await client.auth.getSession();
manage_auth_config({
app_id: "app_abc123",
action: "update_jwt",
accessTokenTtl: "15m", // formats: "15m", "1h", "2h", "1d"
refreshTokenTtlDays: 30 // integer days
})
Defaults: 15-minute access tokens, 7-day refresh tokens.
| Use case | accessTokenTtl | refreshTokenTtlDays |
|---|---|---|
| High-security (banking, admin) | 5m–15m | 1–7 |
| Standard SaaS | 15m (default) | 30 |
| Low-friction consumer apps | 1h | 90 |
Important: changes apply only to new tokens. Active tokens keep their original expiration — there is no global revoke. Treat TTL changes as forward-looking only.
A post-auth function is a deployed Butterbase function invoked fire-and-forget after every successful auth event (OAuth login, email login, email signup).
// 1. Deploy the function first (see butterbase-skills:function-dev)
deploy_function({
app_id: "app_abc123",
name: "after-auth",
code: postAuthHandlerCode,
trigger: { type: "http", config: { auth: "none" } }
})
// 2. Register it as the auth hook
manage_auth_config({
app_id: "app_abc123",
action: "configure_auth_hook",
post_auth_function: "after-auth"
})
// To remove the hook later: pass post_auth_function: null
The function must already exist when you configure the hook.
The function receives a POST with this body:
{
"event": "oauth_login | login | signup",
"user": {
"id": "uuid",
"email": "...",
"provider": "google | github | email | ...",
"display_name": "...",
"avatar_url": "..."
},
"isNewUser": true,
"provider": "google"
}
The function runs as butterbase_service (RLS bypassed, ctx.user is null). Use body.user.id to know who just logged in.
// after-auth/index.ts
export async function handler(req, ctx) {
const { user, isNewUser, event } = await req.json();
if (isNewUser) {
// 1. Create profile row
await ctx.db.query(
"INSERT INTO profiles (user_id, display_name) VALUES ($1, $2) ON CONFLICT DO NOTHING",
[user.id, user.display_name]
);
// 2. Send welcome email (via env-stored API key)
ctx.waitUntil(sendWelcomeEmail(ctx.env.RESEND_API_KEY, user.email));
}
// 3. Audit log on every login
await ctx.db.query(
"INSERT INTO login_log (user_id, event, provider) VALUES ($1, $2, $3)",
[user.id, event, ctx.user ?? null]
);
return new Response("ok", { status: 200 });
}
Auth hooks are fire-and-forget. Don't return data the user needs — they won't see it. Use them for side effects only.
bb_sk_*)Service keys grant full access to all your apps and bypass RLS. Treat them like passwords.
manage_auth_config({
action: "generate_service_key",
name: "CI/CD pipeline"
})
// → { key: "bb_sk_a1b2c3...", key_id, prefix, name, created_at }
The full key is returned once. Store it immediately in your secret manager — you cannot retrieve it again. If you lose it, generate a new one and revoke the old.
manage_api_keys({ action: "list" })
manage_api_keys({ action: "revoke", key_id: "uuid-..." })
list returns metadata only (prefix, name, last_used_at), never the secret. revoke is immediate and irreversible.
manage_auth_config (generate_service_key) — create the new key.manage_app list).manage_api_keys (revoke) — kill the old key.Do steps 1–3 before step 4 to avoid downtime.
| Don't | Do |
|---|---|
Hardcode bb_sk_* keys in client code or commit them to git | Store in env vars / secret manager |
| Reuse one OAuth app between dev, staging, prod | Separate OAuth apps per environment, with their own redirect URIs |
| Use a service key from frontend code "for convenience" | Frontends use end-user JWTs; service keys are server-only |
Increase accessTokenTtl to "fix" frequent re-auth | Use the refresh token; SDK handles this automatically |
Forget that manage_oauth delete only stops new logins | Existing sessions remain valid until they expire — rotate JWT keys via support if you need a hard kill |
| Put critical logic in the auth hook | Hooks are fire-and-forget. Errors don't surface to the user. Keep them to side effects. |
| Log the full service key in audit / debug output | Log only the prefix (bb_sk_a1b2c3) — secrets must never appear in logs |
| Task | Tool |
|---|---|
| Add Google OAuth | manage_oauth (configure) |
| List OAuth providers | manage_oauth (get) |
| Set post-login hook | manage_auth_config (configure_auth_hook) |
| Change JWT lifetimes | manage_auth_config (update_jwt) |
| Create service key | manage_auth_config (generate_service_key) |
| List service keys | manage_api_keys (list) |
| Revoke service key | manage_api_keys (revoke) |
If a docs/butterbase/00-state.md exists in the working directory, prefer invoking via /butterbase-skills:journey-auth so the journey orchestrator stays in sync.