npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@squidcode/timebook

v0.6.0

Published

Command-line client and MCP server for Timebook (usetimebook.com) — track time, manage timers, and expose Timebook to AI agents (Claude, Codex, etc.) over MCP.

Downloads

364

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

squidcodesquidcode

Keywords

timebooktime-trackingclimcpmodel-context-protocolclaudecodexfreelanceinvoicing

Readme

Timebook CLI

Command-line client and MCP server for Timebook — track time, manage timers, and expose your Timebook account to AI agents (Claude, Codex, Cursor, …) over the Model Context Protocol.

npm license

Install

# one-off
npx @squidcode/timebook login

# globally
npm install -g @squidcode/timebook
timebook --help

Requires Node.js 18.17+.

Authenticate

timebook login opens your browser, you log into Timebook (or use an existing session) and pick a scope (which clients/projects this token can touch). The browser delivers the token back to a short-lived loopback HTTP listener, which the CLI then writes to a config file with 0600 permissions.

timebook login

The token is stored at:

  • macOS: ~/Library/Preferences/timebook/config.json
  • Linux: ~/.config/timebook/config.json
  • Windows: %APPDATA%\timebook\Config\config.json

The token never leaves your machine after login. To revoke it server-side, visit https://usetimebook.com/settings/api-tokens.

Use it as a CLI

timebook whoami
timebook projects                         # list projects
timebook clients                          # list clients

timebook start -p "Acme website" -d "Wireframes"
timebook status                           # show running timer
timebook stop

# manual entries
timebook log -p "Acme website" -t 1h30m -d "Code review"
timebook log -p PROJ_ID --start 2026-05-04T09:00 --end 2026-05-04T10:30

timebook entries --project "Acme website" -n 10

# edit / delete (any combination of fields; unset ones stay as-is)
timebook entries edit ENTRY_ID -t 2h -d "code review + tests"
timebook entries edit ENTRY_ID --start 2026-05-04T09:00 --end 2026-05-04T11:00
timebook entries edit ENTRY_ID -d ""                    # clear description
timebook entries delete ENTRY_ID

Duration formats accepted: 1h, 45m, 1h30m, 1.5h, 1:30, or a bare number (interpreted as minutes — e.g. 90 → 1h 30m).

Edit / delete authorization: an API token can only modify entries it created itself. JWT sessions (the web UI) and admin tokens bypass this rule. Invoiced entries are locked for everyone via the API. A 403 with a friendly message is returned on a denied attempt — fix the entry from the web UI or with the token that created it.

Use it as an MCP server

The same binary speaks MCP over stdio when invoked with timebook mcp. Drop it into any MCP-aware host (Claude Code, Claude Desktop, Codex, Cursor, …):

Claude Code / Claude Desktop

{
  "mcpServers": {
    "timebook": {
      "command": "npx",
      "args": ["-y", "@squidcode/timebook", "mcp"]
    }
  }
}

Or, if installed globally:

{
  "mcpServers": {
    "timebook": {
      "command": "timebook",
      "args": ["mcp"]
    }
  }
}

The MCP server reuses the token saved by timebook login — run timebook login once in a terminal before starting the agent.

Use it as a remote MCP (Claude.ai web)

Timebook also runs as a hosted Streamable-HTTP MCP server at https://usetimebook.com/mcp with full OAuth 2.0 (Dynamic Client Registration + PKCE + refresh-token rotation). No CLI install required — Claude.ai discovers it via the standard well-known endpoints:

  • Auth-server metadata: https://usetimebook.com/.well-known/oauth-authorization-server
  • Resource metadata: https://usetimebook.com/.well-known/oauth-protected-resource/mcp

Connect from Claude.ai → Settings → Connectors → Add → paste https://usetimebook.com/mcp. You'll be redirected to Timebook's consent page once, then Claude can use all the same tools listed below. Same OAuth-style permissions you'd see for any first-class connector.

The HTTP endpoint also accepts Authorization: Bearer tbk_* (your existing API token) for any client that prefers token-paste over OAuth — including server-to-server use.

Tools exposed to the model

| Tool | What it does | | ------------------ | ------------------------------------------------------------------------------------------------------------------------- | | whoami | Current authenticated user (read-only) | | list_projects | All projects in scope (read-only) | | list_clients | All clients in scope (read-only) | | get_active_timer | The running timer, or null (read-only) | | start_timer | Start a timer on a project | | stop_timer | Stop the running timer | | log_time | Log a manual entry (duration OR startTime+endTime) | | list_entries | Recent entries (default 50, max 500), project + date filters | | update_entry | Edit one or more fields on an entry (description, duration, startTime, endTime, project, rate). Token must own the entry. | | delete_entry | Delete an entry. Token must own it. Invoiced entries are locked. |

Try it with prompts

Once the MCP server is connected, ask the model in plain English:

  • "Start a timer on my Acme website project for landing-page wireframes."
  • "How much time did I log on the Recycler project last week?"
  • "Log 1 hour 30 minutes against ChatNexus from 9am this morning at the Software Development rate, with description 'code review of the auth refactor'."
  • "What am I currently working on?" — invokes get_active_timer.
  • "Stop my timer."
  • "My last entry on Recycler should be 2 hours, not 1h45m. Fix it." — invokes list_entries then update_entry.
  • "Delete the entry I just made by mistake." — invokes delete_entry. Will 403 if the entry was created by a different token (web UI, another agent) — say so to the model so it doesn't keep retrying.

The model picks the right tool, asks list_projects first if it needs to disambiguate a name, and writes through start_timer / log_time / stop_timer.

Privacy

Timebook CLI runs on your machine and only talks to your Timebook account.

  • Authentication: timebook login mints a personal API token via Timebook's OAuth-style consent screen. The token is stored locally with 0600 permissions (~/Library/Preferences/timebook/config.json on macOS, ~/.config/timebook/config.json on Linux, %APPDATA%\timebook\Config\config.json on Windows). It is never transmitted anywhere except https://usetimebook.com (or your override) on outgoing API calls.
  • Telemetry: none. Neither the CLI nor the MCP server reports usage, errors, or analytics anywhere.
  • MCP host data: when you use timebook mcp from inside Claude / Cursor / etc., the MCP host (not Timebook) controls what the model sees. Tool inputs and outputs flow through the host's normal model-context pipeline.
  • Revoking access: visit https://usetimebook.com/settings/api-tokens to revoke the token at any time.

For Timebook's product-level privacy policy, see https://usetimebook.com/privacy.

Configuration

Override the API/web hosts (useful for self-hosted Timebook or local dev):

TIMEBOOK_API_URL=https://api.example.com \
TIMEBOOK_WEB_URL=https://example.com \
timebook login

You can also pass --api-url and --web-url to timebook login once; subsequent commands re-use the saved values.

If timebook login errors with State mismatch or you want to see exactly which requests reach the loopback callback, run with --debug:

timebook login --debug

Develop

git clone https://github.com/squidcode/timebook-cli
cd timebook-cli
npm install
npm run dev -- --help        # tsx-powered hot-loop
npm run build                # emits dist/
npm run lint && npm run typecheck && npm run test

Pre-commit hooks (ESLint + Prettier via lint-staged) are wired up by husky on npm install.

Release

prepublishOnly runs lint + typecheck + tests + build, then:

npm publish --access public

License

MIT © Squidcode LLC. See LICENSE.