Skip to main content

White-label Mode

Applicable Scenarios

Provide AI development environments for employees or external users. Users only interact with the enterprise/platform's own domain, with no awareness of Tencent Cloud. Can integrate with existing SSO/LDAP systems or self-owned account systems to achieve unified login.

Solution Overview

This solution integrates the CloudBase login flow with the self-owned identity system by using the enterprise/internal system as an authorization middleware layer, eliminating the need to create Tencent Cloud accounts for each user:

  • Users log in with self-owned accounts (e.g., employee ID, enterprise email, platform account) without needing Tencent Cloud accounts
  • Users can be internal employees or external users/customers of the platform
  • All authorization flows are completed under the self-owned domain (auth.your-domain.com)
  • The system is responsible for maintaining the mapping between users and CloudBase environments
  • A dedicated CloudBase environment is automatically created for users upon first login

Overall Architecture

Login Process

Configure MCP and Skill

White-label mode supports two connection methods. After selecting, follow the instructions in the Tab to proceed.

Recommended approach. The enterprise's self-built authorization page proxies the device code flow. Users complete login entirely under the self-owned domain without perceiving Tencent Cloud.

Custom Authorization Page

The enterprise internal system needs to implement a custom authorization page to proxy the device code authorization flow:

  1. Proxy device code request: When the AI tool initiates login, the enterprise system forwards the device code request to the CloudBase API
  2. Rewrite auth link: Rewrite the authorization link returned by CloudBase to the self-owned domain (e.g., auth.your-domain.com/authorize?code=xxx)
  3. Self-owned auth page: Users open the rewritten link and log in with their enterprise/platform account
  4. Environment selection and authorization: After login, display the list of environments available to the user, and complete device code authorization after user selection
  5. Obtain temporary credentials: After authorization is completed, the AI tool polls for temporary credentials via the device code

Automatic Environment Creation on First Login

When a user logs in for the first time, the enterprise system should automatically create a dedicated CloudBase environment:

  1. Call CreateEnv to create the environment
  2. Record the mapping between user ID and environment ID in the database
  3. Locate the user's environment directly based on the mapping for subsequent logins

Permission Strategy

After user verification, the authorization service calls STS GetFederationToken to issue temporary credentials with policy restrictions, without needing to create sub-accounts. See Permission Policy Reference for the complete policy template and placeholder descriptions. See cloudbase-cli-auth-endpoint for the reference implementation, and Enterprise Self-built Device Code Authorization Service Integration for the integration guide.

MCP Configuration

TCB_AUTH_OAUTH_ENDPOINT

After setting a custom authorization endpoint, the MCP device code authorization flow will redirect to the address you specified (e.g., https://auth.your-domain.com) instead of the Tencent Cloud default authorization page. If not set, the Tencent Cloud default authorization page will be used.

Client

Configure your AI tool to connect with CloudBase capabilities. Supports local and hosted connection. See connection modes.

Step 1: Install / Configure CloudBase

Use project template (recommended) - Template includes MCP configuration and AI rulesView templates

Install in one click:

Add to Cursor

Or manual configuration:

Or add this configuration to .cursor/mcp.json:

json
1{
2  "mcpServers": {
3    "cloudbase": {
4      "command": "npx",
5      "args": [
6        "@cloudbase/cloudbase-mcp@latest"
7      ],
8      "env": {
9        "INTEGRATION_IDE": "Cursor",
10        "TCB_AUTH_OAUTH_ENDPOINT": "<custom authorization endpoint, e.g. https://auth.your-domain.com>"
11      }
12    }
13  }
14}
Need help?View Cursor docs

Step 2: Chat with AI

Enter the following in your AI chat in order:

prompt
Install CloudBase Skills: run npx skills add tencentcloudbase/cloudbase-skills -y
Use CloudBase Skills: Connect to my environment using CloudBase, authorization endpoint is https://auth.your-domain.com

Responsibilities of All Parties

RoleResponsibilities
Enterprise/Platform SystemUser identity authentication, maintain user↔environment mapping, proxy device code request and rewrite auth link to self-owned domain, automatically create environment on first login, automatically configure permission policies via API
OpenClawAs the user operation entry point, initiate login flow on behalf of the user, display auth link and login result
Tencent Cloud CloudBaseProvide capabilities such as environment creation, device code authorization, and temporary credential issuance

Verify Isolation Effect

After configuration is complete, verify that isolation is effective:

  1. Call DescribeEnvs with the temporary credentials, confirm that only the environment corresponding to the user can be seen
  2. Try to access resources of other environments, should return insufficient permission error
  3. After the temporary credentials expire, confirm that cloud resources can no longer be operated