# Send TapAuth to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "tapauth", "name": "TapAuth", "source": "tencent", "type": "skill", "category": "效率提升", "sourceUrl": "https://clawhub.ai/schwartzdev/tapauth", "canonicalUrl": "https://clawhub.ai/schwartzdev/tapauth", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/tapauth", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "CHANGELOG.md", "CONTRIBUTING.md", "README.md", "SKILL.md", "package.json", "references/asana.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "tapauth", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-01T09:54:33.290Z", "expiresAt": "2026-05-08T09:54:33.290Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tapauth", "contentDisposition": "attachment; filename=\"tapauth-1.0.3.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "tapauth" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/tapauth" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/tapauth", "downloadUrl": "https://openagent3.xyz/downloads/tapauth", "agentUrl": "https://openagent3.xyz/skills/tapauth/agent", "manifestUrl": "https://openagent3.xyz/skills/tapauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/tapauth/agent.md" } } ``` ## Documentation ### TapAuth — Delegated Access for AI Agents TapAuth lets your agent get OAuth tokens from users without handling credentials directly. The user approves in their browser. You get a scoped token. That's it. ### Quickest Start: The CLI The tapauth CLI script is bundled with this skill. Save it and make it executable: # Copy from this skill directory and make executable cp /path/to/skill/tapauth ./tapauth chmod +x tapauth Then use it inline with command substitution: # One line. Get a token. Use it. curl -H "Authorization: Bearer $(./tapauth google drive.readonly)" \\ https://www.googleapis.com/drive/v3/files First run: Creates a grant, prints an approval URL to stderr, polls until the user approves, then outputs the token to stdout. Subsequent runs: Returns the cached token instantly — no network call if the token hasn't expired. Automatically refreshes expired tokens. # Example: access Google Calendar curl -H "Authorization: Bearer $(./tapauth google calendar.events)" \\ https://www.googleapis.com/calendar/v3/calendars/primary/events Environment variables: TAPAUTH_BASE_URL — Override the base URL (default: https://tapauth.ai) TAPAUTH_HOME — Override the cache directory (default: ./.tapauth) Security: Tokens are cached in .tapauth/ (directory mode 700, files mode 600). Grant secrets are stored locally alongside tokens for automatic refresh. ### Step 1: Create a Grant # JSON curl -X POST https://tapauth.ai/api/v1/grants \\ -H "Content-Type: application/json" \\ -d '{ "provider": "github", "scopes": ["repo", "read:user"], }' # Or form-urlencoded (what the CLI uses) curl -X POST https://tapauth.ai/api/v1/grants \\ -H "Accept: text/plain" \\ --data-urlencode "provider=github" \\ --data-urlencode "scopes=repo,read:user" JSON response: { "grant_id": "abc123", "grant_secret": "gs_live_xxxx", "approve_url": "https://tapauth.ai/approve/abc123" } Text response (with Accept: text/plain): TAPAUTH_GRANT_ID=abc123 TAPAUTH_GRANT_SECRET=gs_live_xxxx TAPAUTH_APPROVE_URL=https://tapauth.ai/approve/abc123 Important: Save grant_secret — you need it to retrieve the token. It's only returned once. ### Step 2: User Approves Show the user the approve_url. They'll see: Which agent is requesting access Which provider and scopes Options: approve with full scopes, read-only, or time-limited (1hr/24hr/7d/forever) The approval URL expires after 10 minutes. Create a new grant if it expires. ### Step 3: Retrieve the Token Poll until the user approves. Use Bearer auth with the grant_secret: # Plain text (just the token) curl https://tapauth.ai/api/v1/token/{grant_id} \\ -H "Authorization: Bearer " # .env format (token + expiry + grant ID for caching) curl https://tapauth.ai/api/v1/token/{grant_id}.env \\ -H "Authorization: Bearer " # JSON format curl https://tapauth.ai/api/v1/token/{grant_id}.json \\ -H "Authorization: Bearer " HTTPMeaning200Token returned in response body202Pending — user hasn't approved yet. Poll again in 2-5 seconds401Invalid or missing grant_secret404Grant not found410Grant expired, revoked, denied, or link expired JSON response (.json): { "token": "gho_xxxx", "expires": "2026-03-05T17:00:00Z", "provider": "github", "grant_id": "abc123" } Env response (.env): TAPAUTH_TOKEN=gho_xxxx TAPAUTH_EXPIRES=1741194000 TAPAUTH_GRANT_ID=abc123 TAPAUTH_GRANT_SECRET=gs_live_xxxx ### Revocation & Token Lifetimes TapAuth uses zero-knowledge encryption — tokens are encrypted with your grant_secret, which TapAuth never stores. This means: TapAuth cannot revoke tokens at the provider level. We literally cannot decrypt them. When a grant expires, we delete the encrypted ciphertext without ever reading it. For short-lived token providers (Google ~1hr, Linear ~1hr, Sentry ~8hr): tokens expire naturally. For never-expiring tokens (GitHub, Slack, Vercel, Notion): manually revoke in your provider settings if needed. We recommend setting expires_in for grants requesting long-lived tokens. ### Quick Reference WhatEndpointMethodCreate grant/api/v1/grantsPOSTGet token/api/v1/token/{id}GETGet token (.env)/api/v1/token/{id}.envGETGet token (.json)/api/v1/token/{id}.jsonGETCLI$(tapauth )— No API key needed. No signup needed. The user's approval is the only gate. ### Supported Providers See the references/ directory for provider-specific scopes, examples, and gotchas: GitHub (github) → references/github.md — repos, issues, PRs, user data, gists, workflows Google (google) → references/google.md — Gmail, Drive, Calendar, Sheets, Docs, Contacts (all scopes) Gmail → references/gmail.md — read, send, manage emails (uses google provider) Google Drive (google_drive) → references/google_drive.md — focused Drive-only access Google Contacts (google_contacts) → references/google_contacts.md — view and manage contacts Google Sheets (google_sheets) → references/google_sheets.md — read and write spreadsheets Google Docs (google_docs) → references/google_docs.md — read and write documents Linear (linear) → references/linear.md — issues, projects, teams Vercel (vercel) → references/vercel.md — deployments, projects, env vars, domains Notion (notion) → references/notion.md — pages, databases, search Slack (slack) → references/slack.md — channels, messages, users, files Sentry (sentry) → references/sentry.md — error tracking, projects, organizations Asana (asana) → references/asana.md — tasks, projects, workspaces Tip: The focused Google providers (google_drive, google_sheets, etc.) show simpler consent screens. Use them when you only need one Google service. Use google when you need multiple services. ### Provider Discovery To programmatically list all available providers and their valid scopes: curl https://tapauth.ai/api/providers This returns each provider with its ID, name, category, available scopes, and whether token refresh is supported. ### Provider Notes GitHub: Tokens use OAuth app authentication. The repo scope grants read/write access to repositories. Repo creation requires the user to have appropriate GitHub permissions. Some operations available with GitHub PATs may not work with OAuth tokens. Google: All Google providers support automatic token refresh. Use focused providers (google_drive, google_sheets, etc.) for simpler consent screens when you only need one service. Discord: Uses user OAuth tokens (not bot tokens). Tokens expire after ~7 days with automatic refresh. The guilds scope returns server list only — no channel/message access. Vercel/Slack/Notion: These are integration-level providers — scopes are fixed at installation time, not per-request. ### CLI Tool For a complete grant-creation + polling + caching flow, use the tapauth CLI: # Install: copy packages/cli/tapauth to your PATH TOKEN=$(tapauth github repo,read:user) # First run: creates grant, shows approval URL, polls until approved # Subsequent runs: returns cached token (auto-refreshes when expired) The CLI stores credentials in .tapauth/ (mode 700) with per-provider-scope cache files. ### Ask the user to approve, then proceed 1. Create grant for the provider/scopes you need 2. Tell the user: "Please approve access at: {approve_url}" 3. Poll GET /api/v1/token/{id} (with Bearer auth) every 3 seconds 4. Once approved, use the token for API calls ### Handle expiry gracefully If you get link_expired (410), just create a new grant and ask the user again. If you get revoked, the user withdrew access — don't retry. ### Scope selection Request the minimum scopes you need. Users see exactly what you're asking for and can approve with reduced permissions. Less scope = more trust = higher approval rate. ## Trust - Source: tencent - Verification: Indexed source record - Publisher: schwartzdev - Version: 1.2.1 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-05-01T09:54:33.290Z - Expires at: 2026-05-08T09:54:33.290Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/tapauth) - [Send to Agent page](https://openagent3.xyz/skills/tapauth/agent) - [JSON manifest](https://openagent3.xyz/skills/tapauth/agent.json) - [Markdown brief](https://openagent3.xyz/skills/tapauth/agent.md) - [Download page](https://openagent3.xyz/downloads/tapauth)