How do I install api-auth?

Run the command: npx killer-skills add cyanheads/pubmed-mcp-server/api-auth. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for api-auth?

Key use cases include: 사용 사례: Applying Inline auth (primary pattern), 사용 사례: Applying import { tool } from '@cyanheads/mcp-ts-core';, 사용 사례: Applying const myTool = tool('my tool', {.

Which IDEs are compatible with api-auth?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for api-auth?

제한 사항: // Only reached if caller has 'tool:my tool:read' scope. 제한 사항: // Continues only if scope is satisfied. 제한 사항: MCP AUTH SECRET KEY Yes (unless bypass) Signing secret for HS256 JWT verification. Must be ≥ 32 characters..

api-auth | AI Agent Skills

Name: api-auth
Availability: InStock
Author: cyanheads

api-auth

MCP server for the NCBI E-utilities API. It covers ai-agents, ai-tools, bioinformatics workflows. This AI agent skill supports Claude Code, Cursor, and

SKILL.md

Readonly

Upstream Repository Material

The section below is imported from the upstream repository and should be treated as secondary evidence. Use the Killer-Skills review above as the primary layer for fit, risk, and installation decisions.

Supporting Evidence

Overview

The framework handles auth at the handler factory level — tools and resources declare required scopes declaratively, and the framework enforces them before calling the handler. No try/catch or manual scope checking required for the common case.

Inline auth (primary pattern)

Declare required scopes directly on the tool or resource definition via the auth property. The handler factory checks ctx.auth.scopes against these before calling handler.

ts
1import { tool } from '@cyanheads/mcp-ts-core';
2
3const myTool = tool('my_tool', {
4  input: z.object({ query: z.string().describe('Search query') }),
5  output: z.object({ result: z.string().describe('Search result') }),
6  auth: ['tool:my_tool:read'],
7  async handler(input, ctx) {
8    // Only reached if caller has 'tool:my_tool:read' scope
9  },
10});

When MCP_AUTH_MODE=none, auth checks are skipped and defaults are allowed.

Dynamic auth

For runtime-computed scopes (e.g., scopes that depend on input values like a team or resource ID), use checkScopes from @cyanheads/mcp-ts-core/auth inside the handler:

ts
1import { checkScopes } from '@cyanheads/mcp-ts-core/auth';
2
3handler: async (input, ctx) => {
4  checkScopes(ctx, [`team:${input.teamId}:write`]);
5  // Continues only if scope is satisfied
6},

Signature: checkScopes(ctx: Context, requiredScopes: string[]): void

Throws:

McpError(Forbidden) — auth is active and one or more required scopes are missing
McpError(Unauthorized) — auth is enabled but no auth context exists on the request
No-ops when MCP_AUTH_MODE=none

Auth modes

Set via MCP_AUTH_MODE environment variable.

Mode	Value	Behavior
Disabled	`none`	No auth enforcement. All requests allowed.
JWT	`jwt`	Local secret verification via `MCP_AUTH_SECRET_KEY`. Requires explicit `DEV_MCP_AUTH_BYPASS=true` to bypass in development.
OAuth	`oauth`	JWKS verification against an external issuer.

JWT config

Variable	Required	Purpose
`MCP_AUTH_SECRET_KEY`	Yes (unless bypass)	Signing secret for HS256 JWT verification. Must be ≥ 32 characters.
`DEV_MCP_AUTH_BYPASS`	No	Set to `true` to skip JWT verification in development. Blocked in `NODE_ENV=production`.
`DEV_MCP_CLIENT_ID`	No	Client ID injected when bypass is active (default: `'dev-client-id'`).
`DEV_MCP_SCOPES`	No	Comma-separated scopes injected when bypass is active (default: `['dev-scope']`).

Important: With MCP_AUTH_MODE=jwt, a missing MCP_AUTH_SECRET_KEY is a fatal startup error unless DEV_MCP_AUTH_BYPASS=true is explicitly set. Setting DEV_MCP_AUTH_BYPASS in production (NODE_ENV=production) is rejected at config parse time.

OAuth config

Variable	Required	Purpose
`OAUTH_ISSUER_URL`	Yes	Token issuer URL (used for JWKS discovery)
`OAUTH_AUDIENCE`	Yes	Expected `aud` claim value
`OAUTH_JWKS_URI`	No	Override JWKS endpoint (defaults to `{issuer}/.well-known/jwks.json`)
`MCP_SERVER_RESOURCE_IDENTIFIER`	No	RFC 8707 resource indicator URI. When set, the OAuth strategy validates that the token's `resource` or `aud` claim matches this value — throws `Forbidden` on mismatch.

JWT claims mapping

Claim	JWT Field	Purpose
`clientId`	`cid` / `client_id`	Identifies the calling client
`scopes`	`scp` / `scope`	Space-separated list of granted scopes
`sub`	`sub`	Subject (user or service identity)
`tenantId`	`tid`	Tenant identifier — drives `ctx.state` scoping

Endpoints

Endpoint	Protected
`GET /healthz`	No
`GET /mcp`	No
`POST /mcp`	Yes (when auth enabled)
`OPTIONS /mcp`	Yes (when auth enabled)

CORS: Set MCP_ALLOWED_ORIGINS to a comma-separated list of allowed origins, or * for open access.

Stdio mode: No HTTP auth layer. Authorization is handled entirely by the host process.

Multi-tenancy

ctx.state is automatically scoped to the current tenant — no manual key prefixing needed.

tenantId sources

Transport	Source	Value
HTTP with auth	JWT `tid` claim	Auto-propagated from token
Stdio	Hardcoded default	`'default'`

Tenant ID validation rules

Max 128 characters
Characters: alphanumeric, hyphens, underscores, dots
Must start and end with an alphanumeric character
No path traversal sequences (../)
No consecutive dots (..)

Using `ctx.state`

ts
1handler: async (input, ctx) => {
2  // Automatically scoped to ctx.tenantId — no manual prefixing
3  await ctx.state.set('item:123', { name: 'Widget', count: 42 });
4  const item = await ctx.state.get<Item>('item:123');
5  await ctx.state.delete('item:123');
6
7  const page = await ctx.state.list('item:', { cursor, limit: 20 });
8  // page: { items: Array<{ key, value }>, cursor?: string }
9},

ctx.state throws McpError(InvalidRequest) if tenantId is missing. In stdio mode, tenantId defaults to 'default' so ctx.state works without auth.

Auth context shape

Available on ctx.auth inside handlers (when auth is enabled):

ts
1interface AuthContext {
2  clientId: string;        // Required — 'cid' or 'client_id' JWT claim
3  scopes: string[];        // Required — derived from 'scp' or 'scope' claim
4  sub: string;             // Required — 'sub' claim; falls back to clientId when absent
5  token: string;           // Required — raw JWT or OAuth bearer token string
6  tenantId?: string;       // Optional — 'tid' claim; present only for multi-tenant tokens
7}

Access directly for conditional logic:

ts
1handler: async (input, ctx) => {
2  const isAdmin = ctx.auth?.scopes.includes('admin:write') ?? false;
3  // ...
4},

api-auth — for Claude Code api-auth, community, for Claude Code, ide skills, ai-agents, ai-tools, bioinformatics, biomedical, citations, e-utilities

이 스킬 정보

기능

# Core Topics

Killer-Skills Review

이 스킬을 사용하는 이유

최적의 용도

↓ 실행 가능한 사용 사례 for api-auth

! 보안 및 제한 사항

Why this page is reference-only

Source Boundary

Decide The Next Action Before You Keep Reading Repository Material

Start With Installation And Validation

Cross-Check Against Trusted Picks

Move To Workflow Collections For Team Rollout

Browser Sandbox Environment

⚡️ Ready to unleash?

FAQ & Installation Steps

? Frequently Asked Questions

What is api-auth?

How do I install api-auth?

What are the use cases for api-auth?

Which IDEs are compatible with api-auth?

Are there any limitations for api-auth?

↓ How To Install

! Reference-Only Mode

Upstream Repository Material

api-auth

Overview

Inline auth (primary pattern)

Dynamic auth

Auth modes

JWT config

OAuth config

JWT claims mapping

Endpoints

Multi-tenancy

tenantId sources

Tenant ID validation rules

Using ctx.state

Auth context shape

관련 스킬

Looking for an alternative to api-auth or another community skill for your workflow? Explore these related open-source skills.

openclaw-release-maintainer

widget-generator

flags

pr-review

Using `ctx.state`