{ "schemaVersion": "1.0", "item": { "slug": "tapauth", "name": "TapAuth", "source": "tencent", "type": "skill", "category": "效率提升", "sourceUrl": "https://clawhub.ai/schwartzdev/tapauth", "canonicalUrl": "https://clawhub.ai/schwartzdev/tapauth", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/tapauth", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "CONTRIBUTING.md", "README.md", "SKILL.md", "package.json", "references/asana.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "slug": "tapauth", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-01T09:54:33.290Z", "expiresAt": "2026-05-08T09:54:33.290Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "contentDisposition": "attachment; filename=\"tapauth-1.0.3.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "tapauth" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/tapauth" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/tapauth", "agentPageUrl": "https://openagent3.xyz/skills/tapauth/agent", "manifestUrl": "https://openagent3.xyz/skills/tapauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/tapauth/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "TapAuth — Delegated Access for AI Agents", "body": "TapAuth lets your agent get OAuth tokens from users without handling credentials directly.\nThe user approves in their browser. You get a scoped token. That's it." }, { "title": "Quickest Start: The CLI", "body": "The tapauth CLI script is bundled with this skill. Save it and make it executable:\n\n# Copy from this skill directory and make executable\ncp /path/to/skill/tapauth ./tapauth\nchmod +x tapauth\n\nThen use it inline with command substitution:\n\n# One line. Get a token. Use it.\ncurl -H \"Authorization: Bearer $(./tapauth google drive.readonly)\" \\\n https://www.googleapis.com/drive/v3/files\n\nFirst run: Creates a grant, prints an approval URL to stderr, polls until the user approves, then outputs the token to stdout.\n\nSubsequent runs: Returns the cached token instantly — no network call if the token hasn't expired. Automatically refreshes expired tokens.\n\n# Example: access Google Calendar\ncurl -H \"Authorization: Bearer $(./tapauth google calendar.events)\" \\\n https://www.googleapis.com/calendar/v3/calendars/primary/events\n\nEnvironment variables:\n\nTAPAUTH_BASE_URL — Override the base URL (default: https://tapauth.ai)\nTAPAUTH_HOME — Override the cache directory (default: ./.tapauth)\n\nSecurity: Tokens are cached in .tapauth/ (directory mode 700, files mode 600). Grant secrets are stored locally alongside tokens for automatic refresh." }, { "title": "Step 1: Create a Grant", "body": "# JSON\ncurl -X POST https://tapauth.ai/api/v1/grants \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider\": \"github\",\n \"scopes\": [\"repo\", \"read:user\"],\n }'\n\n# Or form-urlencoded (what the CLI uses)\ncurl -X POST https://tapauth.ai/api/v1/grants \\\n -H \"Accept: text/plain\" \\\n --data-urlencode \"provider=github\" \\\n --data-urlencode \"scopes=repo,read:user\"\n\nJSON response:\n\n{\n \"grant_id\": \"abc123\",\n \"grant_secret\": \"gs_live_xxxx\",\n \"approve_url\": \"https://tapauth.ai/approve/abc123\"\n}\n\nText response (with Accept: text/plain):\n\nTAPAUTH_GRANT_ID=abc123\nTAPAUTH_GRANT_SECRET=gs_live_xxxx\nTAPAUTH_APPROVE_URL=https://tapauth.ai/approve/abc123\n\nImportant: Save grant_secret — you need it to retrieve the token. It's only returned once." }, { "title": "Step 2: User Approves", "body": "Show the user the approve_url. They'll see:\n\nWhich agent is requesting access\nWhich provider and scopes\nOptions: approve with full scopes, read-only, or time-limited (1hr/24hr/7d/forever)\n\nThe approval URL expires after 10 minutes. Create a new grant if it expires." }, { "title": "Step 3: Retrieve the Token", "body": "Poll until the user approves. Use Bearer auth with the grant_secret:\n\n# Plain text (just the token)\ncurl https://tapauth.ai/api/v1/token/{grant_id} \\\n -H \"Authorization: Bearer \"\n\n# .env format (token + expiry + grant ID for caching)\ncurl https://tapauth.ai/api/v1/token/{grant_id}.env \\\n -H \"Authorization: Bearer \"\n\n# JSON format\ncurl https://tapauth.ai/api/v1/token/{grant_id}.json \\\n -H \"Authorization: Bearer \"\n\nHTTPMeaning200Token returned in response body202Pending — user hasn't approved yet. Poll again in 2-5 seconds401Invalid or missing grant_secret404Grant not found410Grant expired, revoked, denied, or link expired\n\nJSON response (.json):\n\n{\n \"token\": \"gho_xxxx\",\n \"expires\": \"2026-03-05T17:00:00Z\",\n \"provider\": \"github\",\n \"grant_id\": \"abc123\"\n}\n\nEnv response (.env):\n\nTAPAUTH_TOKEN=gho_xxxx\nTAPAUTH_EXPIRES=1741194000\nTAPAUTH_GRANT_ID=abc123\nTAPAUTH_GRANT_SECRET=gs_live_xxxx" }, { "title": "Revocation & Token Lifetimes", "body": "TapAuth uses zero-knowledge encryption — tokens are encrypted with your grant_secret, which TapAuth never stores. This means:\n\nTapAuth cannot revoke tokens at the provider level. We literally cannot decrypt them.\nWhen a grant expires, we delete the encrypted ciphertext without ever reading it.\nFor short-lived token providers (Google ~1hr, Linear ~1hr, Sentry ~8hr): tokens expire naturally.\nFor never-expiring tokens (GitHub, Slack, Vercel, Notion): manually revoke in your provider settings if needed.\n\nWe recommend setting expires_in for grants requesting long-lived tokens." }, { "title": "Quick Reference", "body": "WhatEndpointMethodCreate grant/api/v1/grantsPOSTGet token/api/v1/token/{id}GETGet token (.env)/api/v1/token/{id}.envGETGet token (.json)/api/v1/token/{id}.jsonGETCLI$(tapauth )—\n\nNo API key needed. No signup needed. The user's approval is the only gate." }, { "title": "Supported Providers", "body": "See the references/ directory for provider-specific scopes, examples, and gotchas:\n\nGitHub (github) → references/github.md — repos, issues, PRs, user data, gists, workflows\nGoogle (google) → references/google.md — Gmail, Drive, Calendar, Sheets, Docs, Contacts (all scopes)\nGmail → references/gmail.md — read, send, manage emails (uses google provider)\nGoogle Drive (google_drive) → references/google_drive.md — focused Drive-only access\nGoogle Contacts (google_contacts) → references/google_contacts.md — view and manage contacts\nGoogle Sheets (google_sheets) → references/google_sheets.md — read and write spreadsheets\nGoogle Docs (google_docs) → references/google_docs.md — read and write documents\nLinear (linear) → references/linear.md — issues, projects, teams\nVercel (vercel) → references/vercel.md — deployments, projects, env vars, domains\nNotion (notion) → references/notion.md — pages, databases, search\nSlack (slack) → references/slack.md — channels, messages, users, files\nSentry (sentry) → references/sentry.md — error tracking, projects, organizations\nAsana (asana) → references/asana.md — tasks, projects, workspaces\n\nTip: The focused Google providers (google_drive, google_sheets, etc.) show simpler consent screens.\nUse them when you only need one Google service. Use google when you need multiple services." }, { "title": "Provider Discovery", "body": "To programmatically list all available providers and their valid scopes:\n\ncurl https://tapauth.ai/api/providers\n\nThis returns each provider with its ID, name, category, available scopes, and whether token refresh is supported." }, { "title": "Provider Notes", "body": "GitHub: Tokens use OAuth app authentication. The repo scope grants read/write access to repositories. Repo creation requires the user to have appropriate GitHub permissions. Some operations available with GitHub PATs may not work with OAuth tokens.\nGoogle: All Google providers support automatic token refresh. Use focused providers (google_drive, google_sheets, etc.) for simpler consent screens when you only need one service.\nDiscord: Uses user OAuth tokens (not bot tokens). Tokens expire after ~7 days with automatic refresh. The guilds scope returns server list only — no channel/message access.\nVercel/Slack/Notion: These are integration-level providers — scopes are fixed at installation time, not per-request." }, { "title": "CLI Tool", "body": "For a complete grant-creation + polling + caching flow, use the tapauth CLI:\n\n# Install: copy packages/cli/tapauth to your PATH\nTOKEN=$(tapauth github repo,read:user)\n\n# First run: creates grant, shows approval URL, polls until approved\n# Subsequent runs: returns cached token (auto-refreshes when expired)\n\nThe CLI stores credentials in .tapauth/ (mode 700) with per-provider-scope cache files." }, { "title": "Ask the user to approve, then proceed", "body": "1. Create grant for the provider/scopes you need\n2. Tell the user: \"Please approve access at: {approve_url}\"\n3. Poll GET /api/v1/token/{id} (with Bearer auth) every 3 seconds\n4. Once approved, use the token for API calls" }, { "title": "Handle expiry gracefully", "body": "If you get link_expired (410), just create a new grant and ask the user again.\nIf you get revoked, the user withdrew access — don't retry." }, { "title": "Scope selection", "body": "Request the minimum scopes you need. Users see exactly what you're asking for\nand can approve with reduced permissions. Less scope = more trust = higher approval rate." } ], "body": "TapAuth — Delegated Access for AI Agents\n\nTapAuth lets your agent get OAuth tokens from users without handling credentials directly. The user approves in their browser. You get a scoped token. That's it.\n\nQuickest Start: The CLI\n\nThe tapauth CLI script is bundled with this skill. Save it and make it executable:\n\n# Copy from this skill directory and make executable\ncp /path/to/skill/tapauth ./tapauth\nchmod +x tapauth\n\n\nThen use it inline with command substitution:\n\n# One line. Get a token. Use it.\ncurl -H \"Authorization: Bearer $(./tapauth google drive.readonly)\" \\\n https://www.googleapis.com/drive/v3/files\n\n\nFirst run: Creates a grant, prints an approval URL to stderr, polls until the user approves, then outputs the token to stdout.\n\nSubsequent runs: Returns the cached token instantly — no network call if the token hasn't expired. Automatically refreshes expired tokens.\n\n# Example: access Google Calendar\ncurl -H \"Authorization: Bearer $(./tapauth google calendar.events)\" \\\n https://www.googleapis.com/calendar/v3/calendars/primary/events\n\n\nEnvironment variables:\n\nTAPAUTH_BASE_URL — Override the base URL (default: https://tapauth.ai)\nTAPAUTH_HOME — Override the cache directory (default: ./.tapauth)\n\nSecurity: Tokens are cached in .tapauth/ (directory mode 700, files mode 600). Grant secrets are stored locally alongside tokens for automatic refresh.\n\nThe API Flow (v1)\nStep 1: Create a Grant\n# JSON\ncurl -X POST https://tapauth.ai/api/v1/grants \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider\": \"github\",\n \"scopes\": [\"repo\", \"read:user\"],\n }'\n\n# Or form-urlencoded (what the CLI uses)\ncurl -X POST https://tapauth.ai/api/v1/grants \\\n -H \"Accept: text/plain\" \\\n --data-urlencode \"provider=github\" \\\n --data-urlencode \"scopes=repo,read:user\"\n\n\nJSON response:\n\n{\n \"grant_id\": \"abc123\",\n \"grant_secret\": \"gs_live_xxxx\",\n \"approve_url\": \"https://tapauth.ai/approve/abc123\"\n}\n\n\nText response (with Accept: text/plain):\n\nTAPAUTH_GRANT_ID=abc123\nTAPAUTH_GRANT_SECRET=gs_live_xxxx\nTAPAUTH_APPROVE_URL=https://tapauth.ai/approve/abc123\n\n\nImportant: Save grant_secret — you need it to retrieve the token. It's only returned once.\n\nStep 2: User Approves\n\nShow the user the approve_url. They'll see:\n\nWhich agent is requesting access\nWhich provider and scopes\nOptions: approve with full scopes, read-only, or time-limited (1hr/24hr/7d/forever)\n\nThe approval URL expires after 10 minutes. Create a new grant if it expires.\n\nStep 3: Retrieve the Token\n\nPoll until the user approves. Use Bearer auth with the grant_secret:\n\n# Plain text (just the token)\ncurl https://tapauth.ai/api/v1/token/{grant_id} \\\n -H \"Authorization: Bearer \"\n\n# .env format (token + expiry + grant ID for caching)\ncurl https://tapauth.ai/api/v1/token/{grant_id}.env \\\n -H \"Authorization: Bearer \"\n\n# JSON format\ncurl https://tapauth.ai/api/v1/token/{grant_id}.json \\\n -H \"Authorization: Bearer \"\n\nHTTP\tMeaning\n200\tToken returned in response body\n202\tPending — user hasn't approved yet. Poll again in 2-5 seconds\n401\tInvalid or missing grant_secret\n404\tGrant not found\n410\tGrant expired, revoked, denied, or link expired\n\nJSON response (.json):\n\n{\n \"token\": \"gho_xxxx\",\n \"expires\": \"2026-03-05T17:00:00Z\",\n \"provider\": \"github\",\n \"grant_id\": \"abc123\"\n}\n\n\nEnv response (.env):\n\nTAPAUTH_TOKEN=gho_xxxx\nTAPAUTH_EXPIRES=1741194000\nTAPAUTH_GRANT_ID=abc123\nTAPAUTH_GRANT_SECRET=gs_live_xxxx\n\nRevocation & Token Lifetimes\n\nTapAuth uses zero-knowledge encryption — tokens are encrypted with your grant_secret, which TapAuth never stores. This means:\n\nTapAuth cannot revoke tokens at the provider level. We literally cannot decrypt them.\nWhen a grant expires, we delete the encrypted ciphertext without ever reading it.\nFor short-lived token providers (Google ~1hr, Linear ~1hr, Sentry ~8hr): tokens expire naturally.\nFor never-expiring tokens (GitHub, Slack, Vercel, Notion): manually revoke in your provider settings if needed.\n\nWe recommend setting expires_in for grants requesting long-lived tokens.\n\nQuick Reference\nWhat\tEndpoint\tMethod\nCreate grant\t/api/v1/grants\tPOST\nGet token\t/api/v1/token/{id}\tGET\nGet token (.env)\t/api/v1/token/{id}.env\tGET\nGet token (.json)\t/api/v1/token/{id}.json\tGET\nCLI\t$(tapauth )\t—\n\nNo API key needed. No signup needed. The user's approval is the only gate.\n\nSupported Providers\n\nSee the references/ directory for provider-specific scopes, examples, and gotchas:\n\nGitHub (github) → references/github.md — repos, issues, PRs, user data, gists, workflows\nGoogle (google) → references/google.md — Gmail, Drive, Calendar, Sheets, Docs, Contacts (all scopes)\nGmail → references/gmail.md — read, send, manage emails (uses google provider)\nGoogle Drive (google_drive) → references/google_drive.md — focused Drive-only access\nGoogle Contacts (google_contacts) → references/google_contacts.md — view and manage contacts\nGoogle Sheets (google_sheets) → references/google_sheets.md — read and write spreadsheets\nGoogle Docs (google_docs) → references/google_docs.md — read and write documents\nLinear (linear) → references/linear.md — issues, projects, teams\nVercel (vercel) → references/vercel.md — deployments, projects, env vars, domains\nNotion (notion) → references/notion.md — pages, databases, search\nSlack (slack) → references/slack.md — channels, messages, users, files\nSentry (sentry) → references/sentry.md — error tracking, projects, organizations\nAsana (asana) → references/asana.md — tasks, projects, workspaces\n\nTip: The focused Google providers (google_drive, google_sheets, etc.) show simpler consent screens. Use them when you only need one Google service. Use google when you need multiple services.\n\nProvider Discovery\n\nTo programmatically list all available providers and their valid scopes:\n\ncurl https://tapauth.ai/api/providers\n\n\nThis returns each provider with its ID, name, category, available scopes, and whether token refresh is supported.\n\nProvider Notes\nGitHub: Tokens use OAuth app authentication. The repo scope grants read/write access to repositories. Repo creation requires the user to have appropriate GitHub permissions. Some operations available with GitHub PATs may not work with OAuth tokens.\nGoogle: All Google providers support automatic token refresh. Use focused providers (google_drive, google_sheets, etc.) for simpler consent screens when you only need one service.\nDiscord: Uses user OAuth tokens (not bot tokens). Tokens expire after ~7 days with automatic refresh. The guilds scope returns server list only — no channel/message access.\nVercel/Slack/Notion: These are integration-level providers — scopes are fixed at installation time, not per-request.\nCLI Tool\n\nFor a complete grant-creation + polling + caching flow, use the tapauth CLI:\n\n# Install: copy packages/cli/tapauth to your PATH\nTOKEN=$(tapauth github repo,read:user)\n\n# First run: creates grant, shows approval URL, polls until approved\n# Subsequent runs: returns cached token (auto-refreshes when expired)\n\n\nThe CLI stores credentials in .tapauth/ (mode 700) with per-provider-scope cache files.\n\nCommon Patterns\nAsk the user to approve, then proceed\n1. Create grant for the provider/scopes you need\n2. Tell the user: \"Please approve access at: {approve_url}\"\n3. Poll GET /api/v1/token/{id} (with Bearer auth) every 3 seconds\n4. Once approved, use the token for API calls\n\nHandle expiry gracefully\n\nIf you get link_expired (410), just create a new grant and ask the user again. If you get revoked, the user withdrew access — don't retry.\n\nScope selection\n\nRequest the minimum scopes you need. Users see exactly what you're asking for and can approve with reduced permissions. Less scope = more trust = higher approval rate." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/schwartzdev/tapauth", "publisherUrl": "https://clawhub.ai/schwartzdev/tapauth", "owner": "schwartzdev", "version": "1.2.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/tapauth", "downloadUrl": "https://openagent3.xyz/downloads/tapauth", "agentUrl": "https://openagent3.xyz/skills/tapauth/agent", "manifestUrl": "https://openagent3.xyz/skills/tapauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/tapauth/agent.md" } }