
Microsoft Todo MCP Service

auth-status

Check authentication status with Microsoft Graph API to verify token validity and determine if refresh is needed for Microsoft Todo task management.

Instructions

Check if you're authenticated with Microsoft Graph API. Shows current token status and expiration time, and indicates if the token needs to be refreshed.

Input Schema

Name | Required | Description | Default

No arguments

Implementation Reference

  • Registration of the 'auth-status' tool. It includes an empty input schema {}, a detailed description, and an inline async handler that reads tokens from file or memory, checks expiration, determines whether the account is a personal Microsoft account, and returns markdown text with the authentication status.
    server.tool(
      "auth-status",
      "Check if you're authenticated with Microsoft Graph API. Shows current token status and expiration time, and indicates if the token needs to be refreshed.",
      {},
      async () => {
        const tokens = readTokens();
        if (!tokens && !currentAccessToken) {
          return {
            content: [
              {
                type: "text",
                text: "Not authenticated. Please run auth-server.js to authenticate with Microsoft.",
              },
            ],
          };
        }
        
        const tokenData = tokens || { 
          accessToken: currentAccessToken || "",
          refreshToken: currentRefreshToken || "",
          expiresAt: 0
        };
        
        const isExpired = Date.now() > tokenData.expiresAt;
        const expiryTime = new Date(tokenData.expiresAt).toLocaleString();
        
        // Check if it's a personal account
        const isPersonal = await isPersonalMicrosoftAccount();
        let accountMessage = "";
        
        if (isPersonal) {
          accountMessage = "\n\n⚠️ WARNING: You are using a personal Microsoft account. " +
            "Microsoft To Do API access is typically not available for personal accounts " +
            "through the Microsoft Graph API. You may encounter 'MailboxNotEnabledForRESTAPI' errors. " +
            "This is a Microsoft limitation, not an authentication issue.";
        }
        
        if (isExpired) {
          return {
            content: [
              {
                type: "text",
                text: `Authentication expired at ${expiryTime}. Will attempt to refresh when you call any API.${accountMessage}`,
              },
            ],
          };
        } else {
          return {
            content: [
              {
                type: "text",
                text: `Authenticated. Token expires at ${expiryTime}.${accountMessage}`,
              },
            ],
          };
        }
      }
    );
  • Inline handler function for the auth-status tool. Checks if tokens exist, determines expiration status, calls helper to check for personal account, constructs warning message if applicable, and returns structured content with authentication status and expiration info.
    async () => {
      const tokens = readTokens();
      if (!tokens && !currentAccessToken) {
        return {
          content: [
            {
              type: "text",
              text: "Not authenticated. Please run auth-server.js to authenticate with Microsoft.",
            },
          ],
        };
      }
      
      const tokenData = tokens || { 
        accessToken: currentAccessToken || "",
        refreshToken: currentRefreshToken || "",
        expiresAt: 0
      };
      
      const isExpired = Date.now() > tokenData.expiresAt;
      const expiryTime = new Date(tokenData.expiresAt).toLocaleString();
      
      // Check if it's a personal account
      const isPersonal = await isPersonalMicrosoftAccount();
      let accountMessage = "";
      
      if (isPersonal) {
        accountMessage = "\n\n⚠️ WARNING: You are using a personal Microsoft account. " +
          "Microsoft To Do API access is typically not available for personal accounts " +
          "through the Microsoft Graph API. You may encounter 'MailboxNotEnabledForRESTAPI' errors. " +
          "This is a Microsoft limitation, not an authentication issue.";
      }
      
      if (isExpired) {
        return {
          content: [
            {
              type: "text",
              text: `Authentication expired at ${expiryTime}. Will attempt to refresh when you call any API.${accountMessage}`,
            },
          ],
        };
      } else {
        return {
          content: [
            {
              type: "text",
              text: `Authenticated. Token expires at ${expiryTime}.${accountMessage}`,
            },
          ],
        };
      }
    }
  • Helper function used by the auth-status handler to determine whether the authenticated Microsoft account is personal (non-business): it fetches the /me endpoint, checks the email domain against known personal domains, and logs a detailed warning if it matches.
    async function isPersonalMicrosoftAccount(): Promise<boolean> {
      try {
        const token = await getAccessToken();
        if (!token) return false;
        
        // Make a request to get user info
        const url = `${MS_GRAPH_BASE}/me`;
        const response = await fetch(url, {
          method: "GET",
          headers: {
            "Authorization": `Bearer ${token}`,
            "Accept": "application/json"
          }
        });
        
        if (!response.ok) {
          console.error(`Error getting user info: ${response.status}`);
          return false;
        }
        
        const userData = await response.json();
        const email = userData.mail || userData.userPrincipalName || '';
        
        // Check if the email domain indicates a personal account
        const personalDomains = ['outlook.com', 'hotmail.com', 'live.com', 'msn.com', 'passport.com'];
        const domain = email.split('@')[1]?.toLowerCase();
        
        if (domain && personalDomains.some(d => domain.includes(d))) {
          console.error(`
    =================================================================
    WARNING: Personal Microsoft Account Detected
    
    Your Microsoft account (${email}) appears to be a personal account.
    Microsoft To Do API access is typically not available for personal accounts
    through the Microsoft Graph API, only for Microsoft 365 business accounts.
    
    You may encounter the "MailboxNotEnabledForRESTAPI" error when trying to
    access To Do lists or tasks. This is a limitation of the Microsoft Graph API,
    not an issue with your authentication or this application.
    
    You can still use Microsoft To Do through the web interface or mobile apps,
    but API access is restricted for personal accounts.
    =================================================================
          `);
          return true;
        }
        
        return false;
      } catch (error) {
        console.error("Error checking account type:", error);
        return false;
      }
    }
  • Helper function that reads authentication tokens from the tokens.json file, parses the JSON, and logs details; auth-status uses it to check the current token status.
    function readTokens(): TokenData | null {
      try {
        console.error(`Attempting to read tokens from: ${TOKEN_FILE_PATH}`);
        if (!existsSync(TOKEN_FILE_PATH)) {
          console.error('Token file does not exist');
          return null;
        }
        const data = readFileSync(TOKEN_FILE_PATH, 'utf8');
        console.error('Token file content length:', data.length);
        
        const tokenData = JSON.parse(data) as TokenData;
        console.error('Token parsed successfully, expires at:', new Date(tokenData.expiresAt).toLocaleString());
        return tokenData;
      } catch (error) {
        console.error('Failed to read tokens from file:', error);
        return null;
      }
    }
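
The handler above falls back to `expiresAt: 0` when only an in-memory token exists, so that case is reported as expired at the Unix epoch, and a token seconds from expiry is reported as plainly authenticated. The following is an added example, not code from the todoMCP project: it separates those states and keeps token material out of the message. `evaluateAuthStatus`, `AuthStatus` and the five-minute margin are assumptions; `TokenData` mirrors only the fields the handler uses.

```typescript
// Added example, not code from the todoMCP project. TokenData mirrors the fields
// the handler uses; evaluateAuthStatus and REFRESH_MARGIN_MS are hypothetical.
interface TokenData {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // epoch milliseconds
}

type AuthState = "unauthenticated" | "unknown-expiry" | "expired" | "needs-refresh" | "valid";

interface AuthStatus {
  state: AuthState;
  canRefresh: boolean; // a refresh token is held, so renewal can be attempted
  message: string;     // never contains token material
}

const REFRESH_MARGIN_MS = 5 * 60 * 1000; // assumed safety margin before expiry
const MAX_DATE_MS = 8.64e15;             // largest timestamp a JS Date can represent

function evaluateAuthStatus(
  tokens: TokenData | null,
  now: number = Date.now(),
  marginMs: number = REFRESH_MARGIN_MS
): AuthStatus {
  if (!tokens || !tokens.accessToken) {
    return { state: "unauthenticated", canRefresh: false, message: "Not authenticated." };
  }
  const canRefresh = typeof tokens.refreshToken === "string" && tokens.refreshToken.length > 0;
  const exp = tokens.expiresAt;
  // 0, NaN, negative or out-of-range values mean the expiry was never recorded
  // (or the file is damaged); report that instead of a 1970 expiry date.
  if (!Number.isFinite(exp) || exp <= 0 || exp > MAX_DATE_MS) {
    return { state: "unknown-expiry", canRefresh, message: "Token present, expiry unknown." };
  }
  const when = new Date(exp).toISOString(); // locale-independent, safe to log
  if (now >= exp) {
    return { state: "expired", canRefresh, message: `Token expired at ${when}.` };
  }
  if (exp - now <= marginMs) {
    return { state: "needs-refresh", canRefresh, message: `Token expires at ${when}; refresh due.` };
  }
  return { state: "valid", canRefresh, message: `Token valid until ${when}.` };
}
```
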
Behavior: 3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden. It discloses that this is a read-only diagnostic tool (implied by 'Check' and 'Shows') and describes what information it returns. However, it doesn't mention potential error conditions, rate limits, or whether this operation requires any specific permissions, leaving some behavioral aspects unclear.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is perfectly concise with two sentences that each earn their place. The first sentence states the core purpose, the second elaborates on what information is returned. There's zero wasted text, and the information is front-loaded with the most important detail first.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a zero-parameter diagnostic tool with no output schema, the description provides good context about what information will be returned (token status, expiration time, refresh indication). However, without annotations or output schema, it could benefit from more detail about the exact format of the returned information or potential error states, preventing a perfect score.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The tool has zero parameters with 100% schema description coverage. The description appropriately doesn't waste space discussing nonexistent parameters. A baseline of 4 is appropriate since there are no parameters to document, and the description focuses correctly on the tool's purpose rather than parameter details.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Check if you're authenticated'), the target resource ('Microsoft Graph API'), and the output details ('current token status and expiration time, indicates if token needs refresh'). It distinguishes itself from sibling tools which are all about task/checklist management, making its purpose uniquely about authentication status verification.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage context ('Check if you're authenticated') suggesting this tool should be used to verify authentication state before performing operations that require it. However, it doesn't explicitly state when NOT to use it or name specific alternatives for different authentication scenarios, which prevents a perfect score.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
