Connection Modes: Local vs Hosted
CloudBase MCP supports two connection modes:
- Local Mode: The MCP server runs locally on your machine via
npx - Hosted Mode: The MCP server runs on Tencent Cloud, and your IDE connects over HTTP
Choose the one that fits your needs.
Local Mode (Recommended)
What it means / when to use it
- Meaning: The MCP server runs on your machine via
npx, alongside your IDE. - Pros: Full feature set, including capabilities that rely on local filesystem access.
- Requirements: Node.js installed and
npxavailable.
Configuration example
Add this to your IDE's MCP configuration (e.g. Cursor / WindSurf):
{
"mcpServers": {
"cloudbase": {
"command": "npx",
"args": ["@cloudbase/cloudbase-mcp@latest"],
"env": {}
}
}
}
Optional environment variables (Local Mode)
In Local Mode, you can control behavior via environment variables. All of the following are optional.
| Env var | Description | Default / Notes |
|---|---|---|
CLOUDBASE_ENV_ID | CloudBase environment ID (optional) | If not set, the first call will guide you through login and environment selection |
TENCENTCLOUD_SECRETID | Tencent Cloud SecretId (optional) | If not set, it will be obtained via the login flow; see CAM API keys |
TENCENTCLOUD_SECRETKEY | Tencent Cloud SecretKey (optional) | Same as above |
TENCENTCLOUD_SESSIONTOKEN | Tencent Cloud temporary token (optional) | Only needed for temporary credentials; see STS |
TCB_REGION | Tencent Cloud region, e.g. ap-shanghai (optional) | Uses SDK default if not set |
TCB_AUTH_OAUTH_ENDPOINT | Custom device-code OAuth endpoint (advanced) | If not set, uses default |
TCB_AUTH_CLIENT_ID | Custom device-code OAuth client_id (advanced) | If not set, uses default |
TCB_AUTH_OAUTH_CUSTOM | Whether the custom endpoint uses a custom response format (advanced) | Defaults to false if endpoint is not set; defaults to true when endpoint is set |
INTEGRATION_IDE | IDE identifier (e.g. Cursor, CodeBuddy) (optional) | Used for logging and capability adaptation |
CLOUDBASE_MCP_PLUGINS_ENABLED | Enabled plugin list, comma-separated (optional) | Uses default plugin set if not set |
CLOUDBASE_MCP_PLUGINS_DISABLED | Disabled plugin list, comma-separated (optional) | Similar to URL param disable_plugins |
WORKSPACE_FOLDER_PATHS / PROJECT_ROOT | Project root path (templates, remote downloads, etc.) (optional) | Defaults to current working directory; in CI you can use GITHUB_WORKSPACE, etc. |
CLOUDBASE_MCP_TELEMETRY_DISABLED | Set to true to disable telemetry (optional) | Telemetry enabled by default |
CLOUDBASE_LOG_DIR | Log directory (optional) | Defaults to ~/.cloudbase-mcp/logs |
CLOUDBASE_GUIDE_PROMPT | Set to false to disable some guide prompts (optional) | Some IDEs will show fewer hints |
Which login env vars should I set?
In most cases, you don't need to set any of these 3 variables:
TCB_AUTH_OAUTH_ENDPOINTTCB_AUTH_CLIENT_IDTCB_AUTH_OAUTH_CUSTOM
Only configure them if you need to integrate with your organization's own login middleware. See the official doc: Isolation Solution (Without CAM Sub-accounts).
- Personal dev / typical teams: use the default device-code login
- Servers / CI / remote environments: prefer
TENCENTCLOUD_SECRETID,TENCENTCLOUD_SECRETKEY,TENCENTCLOUD_SESSIONTOKEN,CLOUDBASE_ENV_ID - Enterprise login middleware: usually start with
TCB_AUTH_OAUTH_ENDPOINT
Minimal example:
TCB_AUTH_OAUTH_ENDPOINT=https://auth.your-domain.com/oauth
Notes:
TCB_AUTH_CLIENT_ID: only set if your custom auth service requires a fixedclient_idTCB_AUTH_OAUTH_CUSTOM: when using a customTCB_AUTH_OAUTH_ENDPOINT, it should typically betrue(now usually auto-handled)
Hosted Mode
What it means / when to use it
- Meaning: MCP runs on Tencent Cloud, and your IDE connects over HTTP—no need to install or run Node locally.
- Pros: No local environment dependency; it works once you provide credentials.
- Limitations: Some capabilities that require local filesystem access are unavailable (e.g. uploading local files, downloading templates into your workspace).
Configuration example
Replace <env_id>, <Tencent Cloud SecretId>, <Tencent Cloud SecretKey> with your environment ID and Tencent Cloud API keys:
{
"mcpServers": {
"cloudbase": {
"type": "http",
"url": "https://tcb-api.cloud.tencent.com/mcp/v1?env_id=<env_id>",
"headers": {
"X-TencentCloud-SecretId": "<Tencent Cloud SecretId>",
"X-TencentCloud-SecretKey": "<Tencent Cloud SecretKey>"
}
}
}
}
- Environment ID: See it in the CloudBase Console.
- SecretId / SecretKey: Create/view them in Tencent Cloud CAM API keys.
Control plugin scope via URL (Hosted Mode only)
In the url, you can control the plugin scope via query parameters:
enable_plugins: only enable specified plugins, multiple plugins use comma separation, e.g. only enableenvanddatabasedisable_plugins: disable specified plugins from the default plugin set, multiple plugins use comma separation, e.g. disableragandenv
# Only enable specified plugins
https://tcb-api.cloud.tencent.com/mcp/v1?env_id=YOUR_ENV_ID&enable_plugins=env,database
# Disable specified plugins
https://tcb-api.cloud.tencent.com/mcp/v1?env_id=YOUR_ENV_ID&disable_plugins=rag,env
The currently configurable plugin names are subject to mcp/src/server.ts; it is recommended to prioritize canonical names: env, database, functions, hosting, storage, setup, rag, download, gateway, cloudrun, app-auth, permissions, logs, agents, invite-code, capi, apps.
Environment variables (Hosted Mode)
In Hosted Mode, MCP runs in the cloud, so environment variables are configured server-side. If you host your own MCP service, you can refer to MCP Tools – Hosted MCP Configuration for the optional env var table (e.g. TENCENTCLOUD_SECRETID, TENCENTCLOUD_SECRETKEY, CLOUDBASE_ENV_ID, etc.).
If you use Tencent Cloud's hosted MCP, you can pass env_id and credentials via the URL and headers as shown above—no server-side env vars needed.
Supported Plugins
The current plugin names, default enabled set, and compatible aliases are subject to mcp/src/server.ts. The table below lists the currently supported canonical names:
| Plugin | Default Enabled | Description |
|---|---|---|
env | Yes | Environment login, environment queries, security domain management |
database | Yes | NoSQL / SQL / data models |
functions | Yes | Cloud function queries, creation, updates, invocation |
hosting | Yes | Static hosting and domain management |
storage | Yes | Cloud storage file management |
setup | Yes | Project templates, IDE rules, and configuration downloads |
rag | Yes | Knowledge base search and web search |
download | Yes | Download remote files to local |
gateway | Yes | Cloud function access entry and route management |
cloudrun | Yes | CloudBase Run service initialization, deployment, and management |
app-auth | Yes | App-side authentication configuration |
permissions | Yes | Permissions, roles, and security rules |
logs | Yes | Log service status and log search |
agents | Yes | Agent queries and management |
invite-code | Yes | AI coding incentive activation |
capi | Yes | Generic Cloud API calls |
apps | No | CloudApp application and version management |
Note: permissions is compatible with old aliases security-rule, security-rules, access-control, secret-rule, secret-rules, users; app-auth is compatible with old alias auth-config. Please prioritize using canonical names for new documentation and new examples.
If not configured, plugins with "Default Enabled" = "Yes" in the table above are enabled by default; plugin scope can be controlled via environment variables or URL parameters. The multi-value format for enable_plugins / disable_plugins and CLOUDBASE_MCP_PLUGINS_ENABLED / CLOUDBASE_MCP_PLUGINS_DISABLED is comma-separated.
Supported Tools
The number and names of tools evolve with versions. For complete parameter reference, see MCP Tools; to confirm whether a tool or plugin actually exists, please prioritize the registration results in mcp/src/server.ts and mcp/src/tools/*.ts.