OAuth apps

Two related concepts on one page: which providers you use to sign in, and which third-party apps hold tokens against your CMDOP account.

Linked sign-in providers

Connect any of these to sign in without a password:

  • Google — Workspace and consumer accounts.
  • GitHub — primary email must match your CMDOP email.
  • Microsoft — personal and Entra ID.

Connecting links the provider’s identity to your CMDOP account. Disconnecting reverts the account to password + 2FA login.

What disconnecting does

If you signed up via OAuth only, you must set a password before disconnecting the only linked provider. The cabinet enforces this check, so you cannot lock yourself out.

Authorized third-party apps

Apps that you granted access to your CMDOP account via OAuth (not to be confused with linked sign-in providers above):

  • App name — e.g. Cursor MCP, Custom CI bot.
  • Scope — what data the app can access and what actions it can take.
  • Last used — most recent request signed by this app’s token.
  • Revoke — invalidates the app’s token.

Revoke any app you no longer use; treat unfamiliar entries as a security incident.

OAuth and the agent

A separate concern: the CMDOP agent also uses OAuth tokens to sign in to the relay. Those tokens are per-machine and live in ~/.cmdop/token_<mode>.json, not here. Agent OAuth is managed via cmdop login on each host.

MCP integrations like Claude Desktop or Cursor authenticate via cmdop mcp stdio, which uses your local CLI tokens — not the OAuth apps listed here.
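
To check the per-machine agent tokens described above, this added example (not part of the original page and not CMDOP's own code) flags token files under ~/.cmdop that are symlinks, not owned by the current user, or accessible to group/other. The function names and the expectation that these files be owner-only are assumptions; the page states only where the tokens live.

```sh
#!/bin/sh
# Added example (not CMDOP code): audit agent token files on one host.
# Assumption: token_<mode>.json files sit directly under the given directory
# (default ~/.cmdop) and should be accessible only to the owning user.

# True if path $1 has any group/other permission bit set.
has_group_other_bits() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# Prints one WARN line per finding; returns 1 if anything was found, else 0.
audit_cmdop_tokens() {
    dir="${1:-$HOME/.cmdop}"
    findings=0
    [ -d "$dir" ] || return 0          # no token directory, nothing to audit

    if has_group_other_bits "$dir"; then
        echo "WARN: $dir is accessible to group/other"
        findings=1
    fi
    for f in "$dir"/token_*.json; do
        if [ -L "$f" ]; then
            # A symlinked token file can point outside the protected directory.
            echo "WARN: $f is a symlink"
            findings=1
        elif [ -f "$f" ]; then
            if has_group_other_bits "$f"; then
                echo "WARN: $f is readable or writable by group/other"
                findings=1
            fi
            if [ -z "$(find "$f" -maxdepth 0 -user "$(id -u)")" ]; then
                echo "WARN: $f is not owned by the current user"
                findings=1
            fi
        fi                              # unmatched glob falls through silently
    done
    return "$findings"
}

# Run only when asked, e.g.: sh audit.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    audit_cmdop_tokens "${2:-}"
fi
```

A non-zero exit status means at least one finding, so the script can gate a host-hardening check.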

Where this data lives

Backed by the Django profiles app (oauth providers, authorized_apps); rendered by apps/my/.../private/profile/.
