Make authenticated HTTP requests to third-party APIs (Gmail, Slack, GitHub, Google Calendar, and more) on behalf of authenticated users via Auth0 Token Vault. Use when the user wants to make authenticated API calls to third-party services, connect or disconnect OAuth providers, or check their authentication and connection status. Wraps the tv-proxy CLI as a generic authenticated fetch proxy.
From auth0-token-vault-proxynpx claudepluginhub deepu105/token-vault-proxy --plugin auth0-token-vault-proxyThis skill is limited to using the following tools:
references/commands.mdDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Use the tv-proxy command-line tool to make authenticated API requests to
third-party services on behalf of authenticated users via Auth0 Token Vault.
tv-proxy --json status 2>/dev/null || echo '{"error":{"code":"not_configured","message":"tv-proxy not configured or not logged in"}}'If tv-proxy --json status returns a not_configured error, guide the user through setup. The easiest path is:
tv-proxy init
This interactive wizard handles all prerequisites, Auth0 configuration, callback URLs, and login in one flow.
Alternatively, set up each step manually:
Install Auth0 CLI (if not already installed):
brew tap auth0/auth0-cli && brew install auth0
Run the Token Vault setup wizard (interactive — requires human):
npx configure-auth0-token-vault -- --flavor=refresh_token_exchange
The wizard handles Auth0 CLI login automatically. When prompted:
Note the Client ID from the output.
Configure callback URLs using the Auth0 CLI (replace <APP_ID> with the Client ID):
auth0 apps update <APP_ID> \
--callbacks "http://127.0.0.1:18484/callback,http://127.0.0.1:18485/callback,http://127.0.0.1:18486/callback,http://127.0.0.1:18487/callback,http://127.0.0.1:18488/callback,http://127.0.0.1:18489/callback" \
--logout-urls "http://127.0.0.1:18484,http://127.0.0.1:18485,http://127.0.0.1:18486,http://127.0.0.1:18487,http://127.0.0.1:18488,http://127.0.0.1:18489"
Get the client secret (needed during tv-proxy login):
auth0 apps show <APP_ID> --reveal-secrets
Log in with tv-proxy:
tv-proxy login
You'll be prompted for domain, client ID, and client secret. You can also pass them as flags:
tv-proxy login --domain your-tenant.auth0.com --client-id <id> --client-secret <secret>
All setup steps require human interaction. Do not attempt to run them autonomously.
All commands must use --json for structured output:
tv-proxy --json <command>
| Code | Meaning | Recovery action |
|---|---|---|
| 0 | Success | Parse JSON output |
| 1 | General error | Report error to user |
| 2 | Invalid input | Check command syntax and required flags |
| 3 | Auth required | Tell the user to run tv-proxy login |
| 4 | Connection required | Tell the user to run tv-proxy connect <provider> |
| 5 | Service error | Retry or report upstream API failure |
| 6 | Network error | Check connectivity, retry |
Important: Exit codes 3 and 4 require human intervention — login and connect open a browser for OAuth. Do not attempt to run these commands autonomously; instead, tell the user what to run.
Auth and connect/logout callback servers default to trying ports 18484-18489. If that range is blocked, pass the global --port <number> flag or set TV_PROXY_PORT to force a specific port (that port must be allowed in Auth0 app callback settings).
tv-proxy login — authenticate via browser (human-in-the-loop); prompts for config if neededtv-proxy login --reconfigure — re-prompt for domain, client ID, and secrettv-proxy login --domain d --client-id i --client-secret s — pass config as flagstv-proxy logout — clear stored credentialstv-proxy logout --local — clear only local credentialstv-proxy status — show current user and connected providerstv-proxy connect <provider> — connect a provider via browser (human-in-the-loop)tv-proxy connect <provider> --allowed-domains <domains> — connect with extra allowed domains for fetchtv-proxy disconnect <provider> — disconnect a provider (local token only by default)tv-proxy disconnect <provider> --remote — disconnect and remove the server-side connectiontv-proxy connections — list connected providerstv-proxy init — interactive guided setup wizard (installs prerequisites, configures Auth0, logs in)tv-proxy fetch <service> <url> — make an authenticated HTTP request to an allowed domaintv-proxy fetch <service> <url> -X POST -d '{"key":"value"}' — POST with inline bodytv-proxy fetch <service> <url> -X POST --data-file ./body.json — POST with body from filetv-proxy fetch <service> <url> -H "Accept: text/plain" — add custom headersEach provider has default allowed domains built in:
| Provider | Default allowed domains |
|---|---|
gmail | *.googleapis.com |
calendar | *.googleapis.com |
github | api.github.com |
slack | slack.com, *.slack.com |
Additional domains can be added via --allowed-domains on connect. Only HTTPS URLs are allowed.
See references/commands.md for full command reference with flags and JSON output examples.