npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

nebula-scorm-auth

v1.0.1

Published

One-time login CLI for the SCORM Builder MCP server. Signs in with Firebase Auth and issues a long-lived API key for MCP-compatible coding agents (Claude Code, OpenCode, Cursor). Zero dependencies.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

nebulaknowlabnebulaknowlab

Keywords

scormmcpmodel-context-protocolnebulafirebaseauthcliclaude-codeai-agente-learning

Readme

nebula-scorm-auth

One-time login CLI for the SCORM Builder MCP server. You sign in once with your SCORM Builder (Firebase) account and it issues a long-lived API key (sk-mcp-…) that any MCP-compatible coding agent (Claude Code, OpenCode, Cursor, …) sends as a Bearer token. The key never expires — no more re-authenticating every hour.

Zero dependencies — uses only Node built-ins and the Firebase REST API.

Quick Start

npx nebula-scorm-auth login         # sign in (browser) → issues your API key
npx nebula-scorm-auth token         # → sk-mcp-...   (use in your agent config)

Install

Run on demand with npx (no install):

npx nebula-scorm-auth login

Or install globally so you can type scorm-auth directly:

npm install -g nebula-scorm-auth
scorm-auth login

Commands

| Command | Description | |---------|-------------| | scorm-auth login | Sign in via your browser; issues and stores a long-lived API key | | scorm-auth token | Prints your API key (sk-mcp-…) — for your agent config | | scorm-auth status | Shows who you're signed in as and the active key (masked) | | scorm-auth revoke | Revokes the stored API key (stops working immediately) and clears it | | scorm-auth logout | Clears local credentials (does not revoke the key) |

Run via npx nebula-scorm-auth <command> if you didn't install globally.

How login works

  1. login starts a tiny HTTP server on a random localhost port and opens your browser to a sign-in page served from it.
  2. You enter your email/password; the page sends them to the localhost server, which exchanges them with Firebase for a short-lived ID token (your password is never stored).
  3. The CLI calls the SCORM Builder server with that ID token to issue a long-lived API key (sk-mcp-…).
  4. The API key is saved to ~/.scorm-auth/credentials.json (directory 0700, file 0600) and shown to you once. From then on, scorm-auth token just prints it — there's nothing to refresh.

Configure your agent

Claude Code

claude mcp add scorm-builder \
  --transport http \
  --url https://scorm-builder-app-759854934093.asia-south1.run.app/mcp \
  --header "Authorization: Bearer $(scorm-auth token)"

OpenCode (opencode.json)

{
  "mcpServers": {
    "scorm-builder": {
      "url": "https://scorm-builder-app-759854934093.asia-south1.run.app/mcp",
      "headers": { "Authorization": "Bearer ${SCORM_TOKEN}" }
    }
  }
}
export SCORM_TOKEN=$(scorm-auth token)
opencode

Since the key doesn't expire, you can also paste the sk-mcp-… value directly into any agent that takes a static Authorization: Bearer <token> header.

Environment variables

| Variable | Purpose | |----------|---------| | SCORM_AUTH_DIR | Override the credential directory (default ~/.scorm-auth) | | SCORM_SERVER_URL | Override the server base URL (default: production Cloud Run) | | SCORM_MCP_URL | Override the MCP endpoint URL shown in the post-login hint | | NO_COLOR | Disable colored output |

Security

  • API keys don't expire. They stop working immediately when your account is deactivated by an admin — or when you run scorm-auth revoke.
  • The server stores only a SHA-256 hash of your key (never the raw key). The raw key lives solely in ~/.scorm-auth/credentials.json (0600) on your machine.
  • The Firebase Web API key embedded in the CLI is a public client identifier (the same one the web app ships), not a secret.
  • The MCP server verifies every request and enforces the same role-based access as the web UI.