@inite/cli
v0.1.2
Published
Local stdio MCP proxy + browser login for INITE — auto-authenticates and forwards tool calls to remote vertical MCP servers.
Readme
@inite/cli
Local MCP proxy + browser login for INITE. Runs as a stdio MCP server,
forwards every tool call to a remote vertical MCP URL, and — the first
time a call returns 401 — opens your browser, completes a PKCE +
loopback OAuth flow, caches the JWT in ~/.config/inite/auth.json,
and transparently retries.
Install
npx -y @inite/cli --helpNo global install required for the typical Claude Desktop use-case.
Claude Desktop / Cursor / Goose config
{
"mcpServers": {
"inite-rent": {
"command": "npx",
"args": ["-y", "@inite/cli", "proxy", "https://inite.rent/mcp/inite-rent"]
}
}
}Restart the desktop client. On the first tool call:
- The proxy POSTs the JSON-RPC to
https://inite.rent/mcp/inite-rent. - Remote returns
401. - The proxy spawns a one-shot loopback listener, opens
https://auth.inite.ai/v1/oauth/authorize?…&redirect_uri=http://127.0.0.1:<port>/callback&…. - You sign in (passkey / magic-link / password) and approve.
- Auth-service redirects to the loopback; the proxy captures the code,
exchanges it at
/v1/oauth/token, and caches the resulting JWT at~/.config/inite/auth.json(mode 0600). - The proxy retries the original tool call with
Authorization: Bearer <jwt>and returns the result to the assistant.
Every subsequent call reuses the cached token. When the access_token
expires the proxy auto-refreshes via refresh_token — only on full
refresh failure does it pop the browser again.
Standalone subcommands
inite login # browser PKCE login, cache token
inite logout # delete the cached token
inite whoami # decode the cached JWT
inite proxy <url> # stdio MCP proxy (the headline mode above)Token cache
~/.config/inite/auth.json{
"issuer": "https://auth.inite.ai",
"client_id": "inite-cli",
"access_token": "eyJ…",
"refresh_token": "…",
"expires_at": 1779600000
}Same file login.sh writes — the CLI and shell installer share state.
Env overrides
| Variable | Default |
| ---------------------- | ------------------------- |
| AUTH_SERVICE_URL | https://auth.inite.ai |
| INITE_CLIENT_ID | inite-cli |
| INITE_CONFIG_DIR | $HOME/.config/inite |
Override AUTH_SERVICE_URL for staging / on-prem.
Security model
- PKCE S256 — no client secret, no risk to CLI-pinned credentials.
- Loopback listener binds
127.0.0.1only, single request, then closes. - Token file is
chmod 600; directory ischmod 700. - Proxy never logs the bearer; the
[inite] …lines on stderr only carry error messages and the remote URL.
How it differs from login.sh
| | login.sh | @inite/cli proxy |
|---|---|---|
| Run via | curl ⋯ | bash | npx -y @inite/cli (stdio MCP) |
| Auth flow | PKCE+loopback (device-flow fallback) | PKCE+loopback |
| Trigger | manual, before connecting clients | automatic on first 401 |
| Token cache | same path | same path |
| Refresh | on rerun | inline, transparent |
Use login.sh for terminal/CI; use the proxy for desktop assistants.
