# Send User-Delegated OAuth API Access to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "clawauth", "name": "User-Delegated OAuth API Access", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/h4gen/clawauth", "canonicalUrl": "https://clawhub.ai/h4gen/clawauth", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/clawauth", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawauth", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "references/commands.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "clawauth", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-10T13:27:58.377Z", "expiresAt": "2026-05-17T13:27:58.377Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawauth", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawauth", "contentDisposition": "attachment; filename=\"clawauth-1.0.6.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "clawauth" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/clawauth" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/clawauth", "downloadUrl": "https://openagent3.xyz/downloads/clawauth", "agentUrl": "https://openagent3.xyz/skills/clawauth/agent", "manifestUrl": "https://openagent3.xyz/skills/clawauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawauth/agent.md" } } ``` ## Documentation ### Clawauth OAuth Skill This skill gives agents a production-safe OAuth handover flow that is async by default and works across chat/session interruptions. Use this when the agent needs provider credentials from a human user, but must avoid blocking execution and must avoid long-lived token storage on a third-party auth SaaS. ### Why this exists Most "OAuth gateway" patterns keep user refresh tokens in a central hosted database. clawauth avoids that model: Hosted edge service mints short-lived auth sessions. User authorizes directly with the provider. Token response is encrypted end-to-end to the requesting CLI session. CLI claims once and stores token locally in system keychain. Server-side session is ephemeral and deleted on claim/expiry. Result: async UX for agents, minimal operator overhead, and no permanent central token vault by design. ### Runtime prerequisite clawauth must already be preinstalled in the trusted runtime image/environment by the operator. This skill does not instruct dynamic package installation. OpenClaw can detect this requirement from frontmatter metadata: metadata.openclaw.requires.bins: ["clawauth"] gates eligibility. metadata.openclaw.install can expose an operator-approved install action in OpenClaw UI/Gateway flows. ### How installation is documented and triggered Installation intent is declared in frontmatter, not in free-form shell instructions. This skill declares a Node installer in metadata.openclaw.install for package clawauth. OpenClaw/Gateway uses that metadata to offer a managed install action when clawauth is missing. If multiple installer options are present, Gateway selects a preferred one (OpenClaw docs: brew preferred when available, otherwise node manager policy). For this skill we publish a single Node installer path to keep behavior deterministic across hosts. Reference: https://docs.openclaw.ai/tools/skills Reference: https://docs.openclaw.ai/platforms/mac/skills Source code (review before install): https://github.com/claw-auth/clawauth ### Manual install (operator fallback) If OpenClaw/Gateway does not run the install action automatically, install the CLI manually: npm i -g clawauth Then verify: clawauth --help openclaw skills check --json ### Install policy (recommended) Pre-install clawauth in the base image/runner and disable ad-hoc package fetches. Pin and approve the CLI version in operator-managed tooling policy. Keep package source/provenance controls outside this skill (CI image build or internal artifact policy). ### Hosted service endpoint The published CLI is already wired to: https://auth.clawauth.app Agents do not need CLAWAUTH_WORKER_URL for normal hosted usage. ### Provider support Implemented providers in current worker: notion github discord linear airtable todoist asana trello dropbox digitalocean slack gitlab reddit figma spotify bitbucket box calendly fathom twitch Always treat server output as source of truth: clawauth providers --json ### Canonical async flow (non-blocking) Start auth and return immediately: clawauth login start --json Extract and forward shortAuthUrl to the user. Continue other work. Do not block. Later poll/check: clawauth login status --json When status is completed, claim once: clawauth login claim --json Claim completion and hand off control to the operator-defined API call layer. This skill intentionally avoids instructing raw token materialization commands. ### Token exposure boundaries login claim may return sensitive token payload data in JSON output. Do not paste sensitive command output to chat, logs, traces, or telemetry. Do not materialize tokens into shell environments from this skill. Use operator-controlled secret handling for downstream provider API calls. ### Login lifecycle clawauth login start [provider] [--ttl ] [--scope ] [--json] clawauth login status [--json] clawauth login claim [--json] clawauth login wait [--timeout ] [--interval ] [--json] ### Session management clawauth sessions [--json] clawauth session-rm [--json] ### Token access clawauth token list [--json] ### Discovery and docs clawauth providers [--json] clawauth explain clawauth docs ### login start --json provider sessionId expiresIn shortAuthUrl authUrl statusCommand claimCommand ### login status --json status (pending | completed | error) provider error ### login claim --json status (pending | completed | error) provider tokenData storedInKeychain keychainService keychainAccount ### Agent behavior rules Prefer --json for machine parsing. Never block by default; only use login wait when explicitly needed. On pending: schedule retry later. On completed: run login claim once. On error: surface concise reason and restart with new login start. If session context is lost, recover using clawauth sessions --json. If provider unknown, run clawauth providers --json and choose supported value. Never print raw tokens into user-facing chat. Do not run package install/fetch commands from this skill. Do not export tokens into shell environment variables from this skill. ### Security model summary Short-lived session data in Cloudflare KV (default TTL: 3600s, configurable). Signed OAuth state binding provider and expiry. Signed request verification for status/claim with timestamp + nonce. Replay and rate-limit protections during polling. End-to-end encrypted token blob (nacl.box) from callback to CLI claimant. Session blob removed from server on successful claim. Tokens stored locally in OS keychain via CLI. ### Failure handling Provider not implemented: login start returns error indicating feature request recorded. Provider misconfigured on backend: server returns clear missing secret/config message. Session expired: status/claim returns not found/expired; start new session. Lost chat context: run clawauth sessions --json, then continue with status/claim. No token found later: run clawauth token list --json and select provider/account explicitly. ### Minimal end-to-end example # 1) Start clawauth login start notion --json # 2) Share shortAuthUrl with user (from JSON output) # 3) Later check clawauth login status --json # 4) Claim when completed clawauth login claim --json # 5) Continue with operator-defined downstream API handling ### Reference See references/commands.md for compact copy-paste command blocks. ## Trust - Source: tencent - Verification: Indexed source record - Publisher: h4gen - Version: 1.0.6 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-05-10T13:27:58.377Z - Expires at: 2026-05-17T13:27:58.377Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/clawauth) - [Send to Agent page](https://openagent3.xyz/skills/clawauth/agent) - [JSON manifest](https://openagent3.xyz/skills/clawauth/agent.json) - [Markdown brief](https://openagent3.xyz/skills/clawauth/agent.md) - [Download page](https://openagent3.xyz/downloads/clawauth)