Agent Skillsspinabot/brigade › oauth-setup

oauth-setup

GitHub

指导使用oauth_authorize工具配置Gmail等OAuth服务。强调必须使用Desktop-app客户端以避免重定向错误,正确设置scope并获取离线访问令牌。流程包括启动授权、等待回调及通过凭证存储调用API,严禁手动处理监听或读取密钥文件。

skills/oauth-setup/SKILL.md spinabot/brigade

Trigger Scenarios

连接Gmail 配置Google API OAuth 需要发送电子邮件的OAuth认证

Install

npx skills add spinabot/brigade --skill oauth-setup -g -y
More Options

Use without installing

npx skills use spinabot/brigade@oauth-setup

指定 Agent (Claude Code)

npx skills add spinabot/brigade --skill oauth-setup -a claude-code -g -y

安装 repo 全部 skill

npx skills add spinabot/brigade --all -g -y

预览 repo 内 skill

npx skills add spinabot/brigade --list

SKILL.md

Frontmatter
{
    "name": "oauth-setup",
    "metadata": {
        "brigade": {
            "emoji": "🔐"
        }
    },
    "description": "Connect an OAuth 2.0 service (Gmail, Google APIs, etc.) using the built-in oauth_authorize tool — get a click-to-authorize link, auto-capture the code, and seal the tokens. Use whenever the operator asks to connect Gmail \/ a Google API \/ any OAuth account."
}

OAuth setup

Use the oauth_authorize tool — NEVER hand-roll an http listener in bash. It opens a one-shot loopback listener on a free port (no EADDRINUSE, no port juggling), captures the code, and seals the tokens into the credential store.

The two mistakes to avoid (they cost a whole session once)

  1. Use a Desktop-app OAuth client, not a Web client. In Google Cloud Console → Credentials → Create OAuth client ID → Application type: Desktop app. Desktop clients accept ANY http://127.0.0.1:<port> loopback redirect with no redirect-URI registration. A Web client requires the exact redirect URI pre-registered, which is what causes redirect_uri_mismatch.
  2. Use the real scope. Gmail send is https://www.googleapis.com/auth/gmail.send (NOT https://gmail.com/..., which doesn't exist). Add openid https://www.googleapis.com/auth/userinfo.email if you want the account address auto-filled.

Flow

  1. Ask the operator to create a Desktop-app OAuth client (Gmail API enabled, consent screen in Testing with themselves as a test user) and paste the client id + secret.
  2. Start the flow:
    oauth_authorize({
      action: "start",
      provider: "google-gmail",
      authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
      tokenEndpoint: "https://oauth2.googleapis.com/token",
      userInfoEndpoint: "https://www.googleapis.com/oauth2/v3/userinfo",
      clientId: "<id>", clientSecret: "<secret>",
      scopes: ["https://www.googleapis.com/auth/gmail.send", "openid", "https://www.googleapis.com/auth/userinfo.email"],
      extraAuthParams: { access_type: "offline", prompt: "consent" }
    })
    
    access_type=offline + prompt=consent are required for a refresh token (otherwise re-auth is needed when the access token expires).
  3. Send the operator the returned authUrl to click.
  4. Await the redirect — it exchanges the code and seals the tokens:
    oauth_authorize({ action: "await", flowId: "<flowId from start>" })
    
    If it returns status pending, the operator hasn't clicked yet — tell them, then call await again.

Using a connected account (sending mail)

The tokens are sealed in the credential store — you can't read them from a file or the DB, and you shouldn't try. To use a connected account:

  1. Check what's connected: oauth_authorize({ action: "status" }) → lists each account (provider, email, scopes, expiry). No secrets.
  2. Get a usable token: oauth_authorize({ action: "token", provider: "google-gmail" }) → returns accessToken. It auto-refreshes from the sealed refresh token when the old one expired, so you always get a live token. (Pass provider only if more than one account is connected.)
  3. Call the API with it. Gmail send: POST https://gmail.googleapis.com/gmail/v1/users/me/messages/send, header Authorization: Bearer <accessToken>, body { "raw": "<base64url RFC-822 message>" }.

Never cat the credential store, grep for the token, or hand-roll a refresh — action:"token" is the only retrieval path, and it keeps the refresh token + client secret sealed.

Version History

  • db99206 Current 2026-07-05 10:59

Same Skill Collection

skills/1password/SKILL.md
skills/apple-notes/SKILL.md
skills/apple-reminders/SKILL.md
skills/bear-notes/SKILL.md
skills/blogwatcher/SKILL.md
skills/blucli/SKILL.md
skills/bluebubbles/SKILL.md
skills/canvas/SKILL.md
skills/discord/SKILL.md
skills/docx/SKILL.md
skills/eightctl/SKILL.md
skills/gemini/SKILL.md
skills/gh-issues/SKILL.md
skills/gifgrep/SKILL.md
skills/git-commit/SKILL.md
skills/github/SKILL.md
skills/gog/SKILL.md
skills/goplaces/SKILL.md
skills/healthcheck/SKILL.md
skills/himalaya/SKILL.md
skills/hyperframes/SKILL.md
skills/imsg/SKILL.md
skills/lead-scout/SKILL.md
skills/mcporter/SKILL.md
skills/model-usage/SKILL.md
skills/nano-pdf/SKILL.md
skills/node-connect/SKILL.md
skills/notion/SKILL.md
skills/obsidian/SKILL.md
skills/openai-whisper-api/SKILL.md
skills/openai-whisper/SKILL.md
skills/openhue/SKILL.md
skills/oracle/SKILL.md
skills/ordercli/SKILL.md
skills/pdf/SKILL.md
skills/peekaboo/SKILL.md
skills/session-logs/SKILL.md
skills/share-skills/SKILL.md
skills/sherpa-onnx-tts/SKILL.md
skills/slack/SKILL.md
skills/songsee/SKILL.md
skills/sonoscli/SKILL.md
skills/spotify-player/SKILL.md
skills/summarize/SKILL.md
skills/taskflow-inbox-triage/SKILL.md
skills/taskflow/SKILL.md
skills/things-mac/SKILL.md
skills/tmux/SKILL.md
skills/trello/SKILL.md
skills/video-frames/SKILL.md
skills/voice-call/SKILL.md
skills/wacli/SKILL.md
skills/weather/SKILL.md
skills/xlsx/SKILL.md
skills/xurl/SKILL.md
skills/camsnap/SKILL.md
skills/coding-agent/SKILL.md
skills/sag/SKILL.md
skills/skill-creator/SKILL.md

Metadata

Files
0
Version
3a48cfb
Hash
0e8060ca
Indexed
2026-07-05 10:59

Home - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-16 17:54
浙ICP备14020137号-1 $Map of visitor$