@vibelogin/mcp

Add authentication to your app without leaving your IDE. MCP server for Cursor, Claude Code, Windsurf, and Cline.

Just say "add authentication to my app" — the agent creates your project, configures auth methods, wires up Google OAuth, and scaffolds a working sign-in flow into your codebase. All from your editor's chat.

Install

No global install needed. Wire it into your MCP client config once and it runs on demand via bunx.

Client configuration

One snippet works in every client. Paste this into your MCP settings and you're done.

{
  "mcpServers": {
    "vibelogin": {
      "command": "bunx",
      "args": ["@vibelogin/mcp"]
    }
  }
}

The first tool call opens a browser for one-click consent. After that, tokens are cached under ~/.vibelogin/credentials.json — you won't be asked to log in again for 30 days.

Claude Desktop / Claude Code

~/Library/Application Support/Claude/claude_desktop_config.json (macOS):

{
  "mcpServers": {
    "vibelogin": {
      "command": "bunx",
      "args": ["@vibelogin/mcp"]
    }
  }
}

Cursor

~/.cursor/mcp.json (or per-project .cursor/mcp.json):

{
  "mcpServers": {
    "vibelogin": {
      "command": "bunx",
      "args": ["@vibelogin/mcp"]
    }
  }
}

Windsurf / Cline / Zed

Same shape — every MCP client accepts a command + args block. The one-liner above works in all of them.

That's it — no environment variables needed. Defaults point to production automatically.

Authentication

On first use, a browser window opens for one-click consent. After that, you're authenticated for 30 days — no further prompts.

Tools

The agent picks the right tools automatically based on your conversation. Just say what you need.

create_project

Creates a new VibeLogin project in your org. Returns the project's id, slug, oauthSlug, environment, publishable key, and secret key (shown once).

list_projects

Lists every project in your org. Use this when the agent needs to discover what already exists before creating something new.

No parameters.

get_project

Look up a single project by id, slug, or oauthSlug.

configure_auth

Toggle auth methods, set redirect URLs, and/or wire up Google OAuth. Field-level updates — anything you don't set is left untouched.

If you call this without google, the response includes the exact Google Cloud Console URL + redirect URI you need to set up the credentials.

add_auth_to_project

Scaffold a working sign-in flow into your codebase. Detects the framework from package.json and writes non-destructive files (existing files are skipped, never clobbered).

Supported frameworks today: Next.js (App Router), Vite + React. Refused with guidance: Remix, Astro, Express, unknown.

Files written for Next.js

middleware.ts                       # hostedAuthMiddleware
app/auth/callback/route.ts          # createCallbackHandler
app/login/page.tsx                  # <VibeLogin />
.env.local.example                  # publishable key + secret placeholder

Next steps printed by the tool:

1. pnpm add @vibelogin/nextjs

2. Copy .env.local.example → .env.local, fill VIBELOGIN_SECRET_KEY

3. pnpm dev → open /login

Files written for Vite + React

src/auth/VibeLoginProvider.tsx      # context + useVibeLogin() hook
src/auth/Login.tsx                  # /login redirect to hosted UI
src/auth/Callback.tsx               # /auth/callback handler
.env.example                        # VITE_-prefixed publishable key

Next steps printed by the tool:

1. pnpm add @vibelogin/react react-router-dom

2. Wrap <App/> in <VibeLoginProvider/>

3. Add routes /login and /auth/callback

4. Copy .env.example → .env.local

5. pnpm dev → open /login

Example conversations

You: "Add VibeLogin to this Next.js app. Email + password and Google sign-in."

Agent: (calls create_project { name: "myapp", environment: "production" }) Created myapp (pk_live_…). (calls configure_auth { projectId, methods: { emailPassword: true } }) Email + password enabled. To turn on Google, I need a Client ID and Secret from Google Cloud Console — here's the redirect URI to authorize: https://api.vibelogin.com/oauth/myapp-xyz/google/callback. (after you paste creds:) (calls configure_auth { google: { clientId, clientSecret } }) (calls add_auth_to_project { projectDir: ".", slug: "myapp-xyz", publishableKey: "pk_live_…", appUrl: "https://myapp.com" }) Scaffold complete (next). Wrote middleware.ts, app/auth/callback/route.ts, app/login/page.tsx, .env.local.example. Run pnpm add @vibelogin/nextjs && pnpm dev and open /login.

You: "What projects do I have already?"

Agent: (calls list_projects) You have 3: myapp (production), myapp-staging (staging), internal-tools (development).

Security

• No secrets in the agent — authentication uses loopback OAuth + PKCE (RFC 8252)

• Single-use authorization codes with 2-minute TTL

• Rotated refresh tokens — every refresh invalidates the previous one

• Credentials stored securely — chmod 600 on ~/.vibelogin/credentials.json

Supported frameworks

License

Apache-2.0