腾讯云CloudBase认证配置指南：登录注册、短信邮箱、第三方登录提供商设置

auth-tool-cloudbase by tencentcloudbase/skills

542 周安装量

38 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/tencentcloudbase/skills --skill auth-tool-cloudbase

开发云服务安全

🇨🇳中文介绍

激活契约

在以下情况时首先使用此技能

用户提及登录、注册、认证、提供商设置、短信、邮箱、匿名登录或第三方登录。
在实现 Web、原生 App 或后端流程之前，需要配置 CloudBase 认证。
对于任何 CloudBase Web 认证流程，请在 auth-web 之前激活此技能。

编写代码前请阅读，如果

请求涉及任何认证 UI 或认证 API 工作。必须首先检查提供商状态。
当任务是 Web 认证流程时，请在此技能之后、编写前端代码之前阅读 auth-web。

同时请阅读

Web 认证 UI -> ../auth-web/SKILL.md
小程序认证 -> ../auth-wechat/SKILL.md
原生 App / 原始 HTTP -> ../http-api/SKILL.md

请勿将此技能用作

平台实现规则的替代品。此技能配置提供商；它不定义完整的前端或客户端集成路径。

常见错误 / 注意事项

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

1. 获取登录配置

使用官方的 login-config API。不要使用 lowcode/DescribeLoginStrategy 或 lowcode/ModifyLoginStrategy 作为默认路径。

查询当前登录配置：

{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "DescribeLoginConfig"
}

响应包含以下字段：

AnonymousLogin
UserNameLogin
PhoneNumberLogin
EmailLogin
SmsVerificationConfig
MfaConfig
PwdUpdateStrategy

下游 Web 认证代码的参数映射：

PhoneNumberLogin 控制 auth-web 中 auth.signInWithOtp({ phone }) 和 auth.signUp({ phone }) 使用的手机 OTP 流程。
EmailLogin 控制 auth-web 中 auth.signInWithOtp({ email }) 和 auth.signUp({ email }) 使用的邮箱 OTP 流程。
UserNameLogin 控制 auth-web 中 auth.signInWithPassword({ username, password }) 使用的密码登录流程。
SmsVerificationConfig.Type = "apis" 需要同时提供 Name 和 Method。
EnvId 始终是 CloudBase 环境 ID，不是可发布密钥。

在调用 ModifyLoginConfig 之前，仅从可写键重建有效载荷。不要将完整的响应对象直接展开到请求中。

const WritableLoginConfig = {
    "PhoneNumberLogin": LoginConfig.PhoneNumberLogin,
    "EmailLogin": LoginConfig.EmailLogin,
    "UserNameLogin": LoginConfig.UserNameLogin,
    "AnonymousLogin": LoginConfig.AnonymousLogin,
    ...(LoginConfig.SmsVerificationConfig ? { "SmsVerificationConfig": LoginConfig.SmsVerificationConfig } : {}),
    ...(LoginConfig.MfaConfig ? { "MfaConfig": LoginConfig.MfaConfig } : {}),
    ...(LoginConfig.PwdUpdateStrategy ? { "PwdUpdateStrategy": LoginConfig.PwdUpdateStrategy } : {})
}

获取 LoginConfig（见场景 1）
设置 LoginConfig.AnonymousLogin = true（开启）或 false（关闭）
更新：

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "AnonymousLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

3. 用户名/密码登录

获取 LoginConfig（见场景 1）
设置 LoginConfig.UserNameLogin = true（开启）或 false（关闭）
更新：

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "UserNameLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

获取 LoginConfig（见场景 1）
修改：
- 开启：LoginConfig.PhoneNumberLogin = true
- 关闭：LoginConfig.PhoneNumberLogin = false
- 配置（可选）：

LoginConfig.SmsVerificationConfig = {
    Type: 'default',      // 'default' 或 'apis'
    Name: 'method_53978f9f96a35', // 当 Type = 'apis' 时必需
    Method: 'SendVerificationCode',
    SmsDayLimit: 30       // -1 = 无限制
}

{
    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "default",
            "SmsDayLimit": 30
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

使用自定义 apis 发送短信：

{
    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "apis",
            "Name": "method_53978f9f96a35",
            "Method": "SendVerificationCode",
            "SmsDayLimit": 20
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

邮箱有两层配置：

ModifyLoginConfig.EmailLogin：控制邮箱/密码登录是否启用
ModifyProvider(Id="email")：控制邮箱发送渠道和 SMTP 配置
在 Web 认证代码中，这映射到 auth.signInWithOtp({ email }) 和 auth.signUp({ email })

开启邮箱/密码登录：

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

关闭邮箱/密码登录：

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": false },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

配置邮箱提供商（腾讯云邮箱）：

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

禁用邮箱提供商：

{
    "params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
    "service": "tcb",
    "action": "ModifyProvider"
}

配置邮箱提供商（自定义 SMTP）：

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": {
            "On": "FALSE",
            "SmtpConfig": {
                "AccountPassword": "password",
                "AccountUsername": "username",
                "SecurityMode": "SSL",
                "SenderAddress": "sender@example.com",
                "ServerHost": "smtp.qq.com",
                "ServerPort": 465
            }
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

获取微信配置：

{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "GetProviders"
}

筛选 Id == "wx_open"，保存为 WeChatProvider。

从微信开放平台获取凭据：
- AppID
- AppSecret
更新：

{
    "params": {
        "EnvId": `env`,
        "Id": "wx_open",
        "On": "TRUE",  // "FALSE" 表示禁用
        "Config": {
            ...WeChatProvider.Config,
            ClientId: `AppID`,
            ClientSecret: `AppSecret`
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

获取重定向 URI：

{
    "params": { "EnvId": `env` },
    "service": "lowcode",
    "action": "DescribeStaticDomain"
}

将 result.Data.StaticDomain 保存为 staticDomain。

在 Google Cloud Console 配置：
- 创建 OAuth 2.0 客户端 ID
- 设置重定向 URI：https://{staticDomain}/__auth/
- 获取 Client ID 和 Client Secret
启用：

{
    "params": {
        "EnvId": `env`,
        "ProviderType": "OAUTH",
        "Id": "google",
        "On": "TRUE",  // "FALSE" 表示禁用
        "Name": { "Message": "Google" },
        "Description": { "Message": "" },
        "Config": {
            "ClientId": `Client ID`,
            "ClientSecret": `Client Secret`,
            "Scope": "email openid profile",
            "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
            "TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
            "RequestParametersMap": {
                "RegisterUserSyncScope": "syncEveryLogin",
                "IsGoogle": "TRUE"
            }
        },
        "Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
        "TransparentMode": "FALSE",
        "ReuseUserId": "TRUE",
        "AutoSignUpWithProviderUser": "TRUE"
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

8. 客户端配置边界

使用客户端 API 处理客户端元数据和令牌/会话设置。不要将其用作登录策略或提供商管理的替代品。

查询客户端配置：

{
    "params": { "EnvId": `env`, "Id": `env` },
    "service": "tcb",
    "action": "DescribeClient"
}

更新客户端配置：

{
    "params": {
        "EnvId": `env`,
        "Id": `env`,
        "AccessTokenExpiresIn": 7200,
        "RefreshTokenExpiresIn": 2592000,
        "MaxDevice": 3
    },
    "service": "tcb",
    "action": "ModifyClient"
}

9. 获取可发布密钥

查询现有密钥：

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
    "service": "lowcode",
    "action": "DescribeApiKeyTokens"
}

如果存在则返回 PublishableKey.ApiKey（按 Name == "publish_key" 筛选）。

创建新密钥（如果不存在）：

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "KeyName": "publish_key" },
    "service": "lowcode",
    "action": "CreateApiKeyToken"
}

如果创建失败，请引导用户访问："https://tcb.cloud.tencent.com/dev?envId=env#/env/apikey"

🇺🇸English

Activation Contract

Use this first when

The user mentions login, registration, authentication, provider setup, SMS, email, anonymous login, or third-party login.
A Web, native App, or backend flow needs CloudBase auth configuration before implementation.
For any CloudBase Web auth flow, activate this skill before auth-web.

Read before writing code if

The request includes any auth UI or auth API work. Provider status must be checked first.
When the task is a Web auth flow, read auth-web after this skill and before writing frontend code.

Then also read

Web auth UI -> ../auth-web/SKILL.md
Mini program auth -> ../auth-wechat/SKILL.md
Native App / raw HTTP -> ../http-api/SKILL.md

Do NOT use this as

A replacement for platform implementation rules. This skill configures providers; it does not define the full frontend or client integration path.

Common mistakes / gotchas

Writing login UI before enabling the required provider.
Implementing Web login in cloud functions.
Routing native App auth to Web SDK flows.

Minimal checklist

Read Authentication Activation Checklist before auth implementation.

Overview

Configure CloudBase authentication providers: Anonymous, Username/Password, SMS, Email, WeChat, Google, and more.

Prerequisites : CloudBase environment ID (env)

Authentication Scenarios

1. Get Login Config

Use the official login-config API. Do not use lowcode/DescribeLoginStrategy or lowcode/ModifyLoginStrategy as the default path.

Query current login configuration:

{
    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "DescribeLoginConfig"
}

The response contains fields such as:

AnonymousLogin
UserNameLogin
PhoneNumberLogin
EmailLogin
SmsVerificationConfig
MfaConfig
PwdUpdateStrategy

Parameter mapping for downstream Web auth code:

PhoneNumberLogin controls phone OTP flows used by auth-web auth.signInWithOtp({ phone }) and auth.signUp({ phone })
EmailLogin controls email OTP flows used by auth-web auth.signInWithOtp({ email }) and auth.signUp({ email })
UserNameLogin controls password login flows used by auth-web auth.signInWithPassword({ username, password })

Before calling ModifyLoginConfig, rebuild the payload from writable keys only. Do not spread the full response object back into the request.

const WritableLoginConfig = {
    "PhoneNumberLogin": LoginConfig.PhoneNumberLogin,
    "EmailLogin": LoginConfig.EmailLogin,
    "UserNameLogin": LoginConfig.UserNameLogin,
    "AnonymousLogin": LoginConfig.AnonymousLogin,
    ...(LoginConfig.SmsVerificationConfig ? { "SmsVerificationConfig": LoginConfig.SmsVerificationConfig } : {}),
    ...(LoginConfig.MfaConfig ? { "MfaConfig": LoginConfig.MfaConfig } : {}),
    ...(LoginConfig.PwdUpdateStrategy ? { "PwdUpdateStrategy": LoginConfig.PwdUpdateStrategy } : {})
}

2. Anonymous Login

Get LoginConfig (see Scenario 1)
Set LoginConfig.AnonymousLogin = true (on) or false (off)
Update:

    "params": { "EnvId": `env`, ...WritableLoginConfig, "AnonymousLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

3. Username/Password Login

Get LoginConfig (see Scenario 1)
Set LoginConfig.UserNameLogin = true (on) or false (off)
Update:

    "params": { "EnvId": `env`, ...WritableLoginConfig, "UserNameLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

4. SMS Login

Get LoginConfig (see Scenario 1)

Modify:

Turn on : LoginConfig.PhoneNumberLogin = true
Turn off : LoginConfig.PhoneNumberLogin = false

Config (optional):

LoginConfig.SmsVerificationConfig = {
    Type: 'default',      // 'default' or 'apis'
    Name: 'method_53978f9f96a35', // required when Type = 'apis'
    Method: 'SendVerificationCode',
    SmsDayLimit: 30       // -1 = unlimited
}

Update:

    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "default",
            "SmsDayLimit": 30
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Use custom apis to send SMS :

{
    "params": {
        "EnvId": `env`,
        ...WritableLoginConfig,
        "PhoneNumberLogin": true,
        "SmsVerificationConfig": {
            "Type": "apis",
            "Name": "method_53978f9f96a35",
            "Method": "SendVerificationCode",
            "SmsDayLimit": 20
        }
    },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

5. Email Login

Email has two layers of configuration:

ModifyLoginConfig.EmailLogin: controls whether email/password login is enabled
ModifyProvider(Id="email"): controls the email sender channel and SMTP configuration
In Web auth code, this maps to auth.signInWithOtp({ email }) and auth.signUp({ email })

Turn on email/password login :

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": true },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Turn off email/password login :

{
    "params": { "EnvId": `env`, ...WritableLoginConfig, "EmailLogin": false },
    "service": "tcb",
    "action": "ModifyLoginConfig"
}

Configure email provider (Tencent Cloud email) :

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": { "On": "TRUE", "SmtpConfig": {} }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

Disable email provider :

{
    "params": { "EnvId": `env`, "Id": "email", "On": "FALSE" },
    "service": "tcb",
    "action": "ModifyProvider"
}

Configure email provider (custom SMTP) :

{
    "params": {
        "EnvId": `env`,
        "Id": "email",
        "On": "TRUE",
        "EmailConfig": {
            "On": "FALSE",
            "SmtpConfig": {
                "AccountPassword": "password",
                "AccountUsername": "username",
                "SecurityMode": "SSL",
                "SenderAddress": "sender@example.com",
                "ServerHost": "smtp.qq.com",
                "ServerPort": 465
            }
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

6. WeChat Login

Get WeChat config:

    "params": { "EnvId": `env` },
    "service": "tcb",
    "action": "GetProviders"
}

Filter by Id == "wx_open", save as WeChatProvider.

Get credentials from WeChat Open Platform:
- AppID
- AppSecret
Update:

    "params": {
        "EnvId": `env`,
        "Id": "wx_open",
        "On": "TRUE",  // "FALSE" to disable
        "Config": {
            ...WeChatProvider.Config,
            ClientId: `AppID`,
            ClientSecret: `AppSecret`
        }
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

7. Google Login

Get redirect URI:

    "params": { "EnvId": `env` },
    "service": "lowcode",
    "action": "DescribeStaticDomain"
}

Save result.Data.StaticDomain as staticDomain.

Configure at Google Cloud Console:
- Create OAuth 2.0 Client ID
- Set redirect URI: https://{staticDomain}/__auth/
- Get Client ID and Client Secret
Enable:

    "params": {
        "EnvId": `env`,
        "ProviderType": "OAUTH",
        "Id": "google",
        "On": "TRUE",  // "FALSE" to disable
        "Name": { "Message": "Google" },
        "Description": { "Message": "" },
        "Config": {
            "ClientId": `Client ID`,
            "ClientSecret": `Client Secret`,
            "Scope": "email openid profile",
            "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "UserinfoEndpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
            "TokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
            "RequestParametersMap": {
                "RegisterUserSyncScope": "syncEveryLogin",
                "IsGoogle": "TRUE"
            }
        },
        "Picture": "https://qcloudimg.tencent-cloud.cn/raw/f9131c00dcbcbccd5899a449d68da3ba.png",
        "TransparentMode": "FALSE",
        "ReuseUserId": "TRUE",
        "AutoSignUpWithProviderUser": "TRUE"
    },
    "service": "tcb",
    "action": "ModifyProvider"
}

8. Client Configuration Boundary

Use client APIs for client metadata and token/session settings. Do not use them as a replacement for login strategy or provider management.

Query client config :

{
    "params": { "EnvId": `env`, "Id": `env` },
    "service": "tcb",
    "action": "DescribeClient"
}

Update client config :

{
    "params": {
        "EnvId": `env`,
        "Id": `env`,
        "AccessTokenExpiresIn": 7200,
        "RefreshTokenExpiresIn": 2592000,
        "MaxDevice": 3
    },
    "service": "tcb",
    "action": "ModifyClient"
}

9. Get Publishable Key

Query existing key :

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "PageNumber": 1, "PageSize": 10 },
    "service": "lowcode",
    "action": "DescribeApiKeyTokens"
}

Return PublishableKey.ApiKey if exists (filter by Name == "publish_key").

Create new key (if not exists):

{
    "params": { "EnvId": `env`, "KeyType": "publish_key", "KeyName": "publish_key" },
    "service": "lowcode",
    "action": "CreateApiKeyToken"
}

If creation fails, direct user to: "https://tcb.cloud.tencent.com/dev?envId=env#/env/apikey"

Weekly Installs

542

Repository

tencentcloudbase/skills

GitHub Stars

First Seen

Jan 22, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

opencode475

codex474

gemini-cli465

github-copilot452

kimi-cli444

amp442

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

103,800 周安装

SmsVerificationConfig.Type = "apis" requires both Name and Method

EnvId is always the CloudBase environment ID, not the publishable key