Claude-skill-registry auth-http-api-cloudbase
Use when you need to implement CloudBase Auth v2 over raw HTTP endpoints (login/signup, tokens, user operations) from backends or scripts that are not using the Web or Node SDKs.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/auth-http-api" ~/.claude/skills/majiayu000-claude-skill-registry-auth-http-api-cloudbase && rm -rf "$T"
manifest:
skills/data/auth-http-api/SKILL.mdsource content
When to use this skill
Use this skill whenever you need to call CloudBase Auth via raw HTTP APIs, for example:
- Non-Node backends (Go, Python, Java, PHP, etc.)
- Integration tests or admin scripts that use curl or language HTTP clients
- Gateways or proxies that sit in front of CloudBase and manage tokens themselves
Do not use this skill for:
- Frontend Web login with
(use CloudBase Web Auth skill)@cloudbase/js-sdk@2.x - Node.js code that uses
(use CloudBase Node Auth skill)@cloudbase/node-sdk - Non-auth CloudBase features (database, storage, etc.)
How to use this skill (for a coding agent)
-
Clarify the scenario
- Confirm this code will call HTTP endpoints directly (not SDKs).
- Ask for:
– CloudBase environment IDenv
/clientId
– HTTP auth client credentialsclientSecret
- Confirm whether the flow is login/sign-up, anonymous access, token management, or user operations.
-
Set common variables once
- Use a shared set of shell variables for base URL and headers, then reuse them across scenarios.
-
Pick a scenario from this file
- For login / sign-up, start with Scenarios 1–3.
- For token lifecycle, use Scenarios 4–6.
- For user info and profile changes, use Scenario 7.
-
Never invent endpoints or fields
- Treat the URLs and JSON shapes in this file as canonical.
- If you are unsure, consult the HTTP API docs under
and the specific/source-of-truth/auth/http-api/登录认证接口.info.mdx
files.*.api.mdx
HTTP API basics
-
Base URL pattern
https://${env}.ap-shanghai.tcb-api.tencentcloudapi.com/auth/v1/...
-
Common headers
– device or client identifierx-device-id
– unique request ID for tracingx-request-id
–Authorization
for user endpointsBearer <access_token>- Or HTTP basic auth (
) for client-credential style endpoints-u clientId:clientSecret
-
Reusable shell variables
env="your-env-id" deviceID="backend-service-1" requestID="$(uuidgen || echo manual-request-id)" clientId="your-client-id" clientSecret="your-client-secret" base="https://${env}.ap-shanghai.tcb-api.tencentcloudapi.com/auth/v1"
Core concepts (HTTP perspective)
- CloudBase Auth uses JWT access tokens plus refresh tokens.
- HTTP login/sign-up endpoints usually return both
andaccess_token
.refresh_token - Most user-management endpoints require
.Authorization: Bearer ${accessToken} - Verification flows (SMS/email) use separate
endpoints before sign-up.verification
Scenarios (flat list)
Scenario 1: Sign-in with username/password
curl "${base}/signin" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{"username":"test@example.com","password":"your password"}'
- Use when the user already has a username (phone/email/username) and password.
- Response includes
,access_token
, and user info.refresh_token
Scenario 2: SMS sign-up with verification code
- Send verification code
curl "${base}/verification" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{"phone_number":"+86 13800000000"}'
- Verify code
curl "${base}/verification/verify" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{"verification_code":"000000","verification_id":"<from previous step>"}'
- Sign up
curl "${base}/signup" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{ "phone_number":"+86 13800000000", "verification_code":"000000", "verification_token":"<from verify>", "name":"手机用户", "password":"password", "username":"username" }'
- Use this pattern for SMS or email-based registration; adapt fields per docs.
Scenario 3: Anonymous login
curl "${base}/signin-anonymously" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{}'
- Returns tokens for an anonymous user that you can later upgrade via sign-up.
Scenario 4: Exchange refresh token for new access token
curl "${base}/token" \ -X POST \ -H "x-device-id: ${deviceID}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{"grant_type":"refresh_token","refresh_token":"<refresh_token>"}'
- Use when the frontend or another service sends you a refresh token and you need a fresh access token.
Scenario 5: Introspect and validate a token
curl "${base}/token/introspect?token=${accessToken}" \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}"
- Use for backend validation of tokens before trusting them.
- Response indicates whether the token is active and may include claims.
Scenario 6: Revoke a token (logout)
curl "${base}/revoke" \ -X POST \ -H "x-request-id: ${requestID}" \ -u "${clientId}:${clientSecret}" \ --data-raw '{"token":"${accessToken}"}'
- Call when logging a user out from the backend or on security events.
Scenario 7: Basic user operations (me, update password, delete)
# Get current user curl "${base}/user/me" \ -H "Authorization: Bearer ${accessToken}" # Change password curl "${base}/user/password" \ -X PATCH \ -H "Authorization: Bearer ${accessToken}" \ --data-raw '{"old_password":"old","new_password":"new"}'
- Other endpoints:
– delete current user.DELETE ${base}/user/me
plus bind/unbind APIs – manage third-party accounts.${base}/user/providers
- Always secure these operations and log only minimal necessary data.