White-label Mode
Provide AI development environments for employees or external users. Users do NOT need Tencent Cloud accounts, nor do they need to log in to the Tencent Cloud console: they only interact with the enterprise's or platform's own domain, with zero awareness of Tencent Cloud. The mode can integrate with existing SSO/LDAP systems or a self-owned account system for unified login. It supports a very large number of users with horizontal scaling, making it suitable for medium-to-large enterprises and ToC products.
Solution Overview
This solution integrates the CloudBase login flow with the self-owned identity system by using the enterprise/internal system as an authorization middleware layer, eliminating the need to create Tencent Cloud accounts for each user:
- Users log in with self-owned accounts (e.g., employee ID, enterprise email, platform account) without needing Tencent Cloud accounts
- Users can be internal employees or external users/customers of the platform
- All authorization flows are completed under the self-owned domain (auth.your-domain.com)
- The system is responsible for maintaining the mapping between users and CloudBase environments
- A dedicated CloudBase environment is automatically created for users upon first login
Quickly Build an AI Development Platform
If you need to build an AI development platform similar to Lovable, Bolt.new, or Vercel v0, you can quickly set it up based on our open-source project. The project has built-in core capabilities such as multi-tenant isolation and CloudBase environment management. For details, see Vibe Coding Platform Solution.
Overall Architecture
Login Process
Configure MCP and Skill
White-label mode supports two connection methods. After selecting, follow the instructions in the Tab to proceed.
- Custom Auth Code (Recommended)
- Temporary Credentials
Recommended approach. The enterprise's self-built authorization page proxies the device code flow. Users complete login entirely under the self-owned domain without perceiving Tencent Cloud.
Custom Authorization Page
The enterprise internal system needs to implement a custom authorization page to proxy the device code authorization flow:
- Proxy device code request: When the AI tool initiates login, the enterprise system forwards the device code request to the CloudBase API
- Rewrite auth link: Rewrite the authorization link returned by CloudBase to the self-owned domain (e.g., auth.your-domain.com/authorize?code=xxx)
- Self-owned auth page: Users open the rewritten link and log in with their enterprise/platform account
- Environment selection and authorization: After login, display the list of environments available to the user, and complete device code authorization after user selection
- Obtain temporary credentials: After authorization is completed, the AI tool polls for temporary credentials via the device code
Automatic Environment Creation on First Login
When a user logs in for the first time, the enterprise system should automatically create a dedicated CloudBase environment:
- Call CreateEnv to create the environment
- Record the mapping between user ID and environment ID in the database
- Locate the user's environment directly based on the mapping for subsequent logins
Permission Strategy
After user verification, the authorization service calls STS GetFederationToken to issue temporary credentials with policy restrictions, without needing to create sub-accounts. See the complete policy template and placeholder descriptions below. See cloudbase-cli-auth-endpoint for the reference implementation, and Enterprise Self-built Device Code Authorization Service Integration for the integration guide.
MCP Configuration
After setting a custom authorization endpoint, the MCP device code authorization flow will redirect to the address you specified (e.g., https://auth.your-domain.com) instead of the Tencent Cloud default authorization page. If not set, the Tencent Cloud default authorization page will be used.
Configure your AI tool to connect with CloudBase capabilities. Supports local and hosted connection. See connection modes.
Step 1: Install / Configure CloudBase
Install in one click:
Or manual configuration:
Or add this configuration to .cursor/mcp.json:
```json
{
  "mcpServers": {
    "cloudbase": {
      "command": "npx",
      "args": [
        "@cloudbase/cloudbase-mcp@latest"
      ],
      "env": {
        "INTEGRATION_IDE": "Cursor",
        "TCB_AUTH_OAUTH_ENDPOINT": "<custom authorization endpoint, e.g. https://auth.your-domain.com>"
      }
    }
  }
}
```
Step 2: Chat with AI
Enter the following in your AI chat in order:
Install CloudBase Skills: run npx skills add tencentcloudbase/cloudbase-skills -y
Use CloudBase Skills: Connect to my environment using CloudBase, authorization endpoint is https://auth.your-domain.com

Temporary Credentials
Obtain temporary credentials with policy restrictions via the Tencent Cloud STS GetFederationToken API, suitable for scenarios where the server needs to control the credential lifecycle.
Permission Strategy
The enterprise system calls GetFederationToken, passing the policy inline, to issue temporary credentials that can only access the specified environment:
```javascript
const tencentcloud = require("tencentcloud-sdk-nodejs-sts");
const StsClient = tencentcloud.sts.v20180813.Client;

// Values the enterprise system resolves per request. These are placeholders:
// fill them from your user -> environment mapping and account information
// (see the policy template and placeholder descriptions below).
const region = "ap-shanghai";
const uin = "<main account UIN>";
const appId = "<main account AppId>";
const userId = "<enterprise user ID>";
const envId = "<the user's environment ID>";
const cosBucket = "<the environment's COS bucket>";
const staticBucket = "<the environment's static hosting bucket>";

const stsClient = new StsClient({
  credential: {
    secretId: process.env.TENCENTCLOUD_SECRETID,
    secretKey: process.env.TENCENTCLOUD_SECRETKEY,
  },
  region,
  profile: { httpProfile: { endpoint: "sts.tencentcloudapi.com" } },
});

// Build inline policy (reuse the policy template below, replace placeholders and pass in).
// Every wildcard action is bound to the user's own environment; only the
// global read-only actions in the first statement are allowed on "*".
const policy = {
  version: "2.0",
  statement: [
    {
      effect: "allow",
      action: ["tcb:CheckTcbService", "tcb:DescribePackages" /* ...other global allowed actions */],
      resource: ["*"],
    },
    {
      effect: "allow",
      action: ["tcb:*"],
      resource: [`qcs::tcb:${region}:uin/${uin}:env/${envId}`],
    },
    {
      effect: "allow",
      action: ["tcbr:*"],
      resource: [`qcs::tcbr:${region}:uin/${uin}:env/${envId}`],
    },
    {
      effect: "allow",
      action: ["lowcode:*"],
      resource: [`qcs::lowcode::uin/${uin}:env/${envId}`],
    },
    {
      effect: "allow",
      action: ["scf:*"],
      resource: [`qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/*`],
    },
    {
      effect: "allow",
      action: ["cos:*"],
      resource: [
        `qcs::cos:${region}:uid/${appId}:${cosBucket}/*`,
        `qcs::cos:${region}:uid/${appId}:${staticBucket}/*`,
      ],
    },
  ],
};

// Wrapped in an async function because `await` is not allowed at the top
// level of a CommonJS module.
async function issueTemporaryCredentials() {
  // Issue temporary credentials (valid for 30 minutes, adjustable as needed)
  const { Credentials } = await stsClient.GetFederationToken({
    Name: `user-${userId}`,
    Policy: JSON.stringify(policy),
    DurationSeconds: 1800,
  });
  // Configure Credentials.TmpSecretId / TmpSecretKey / Token to MCP
  return Credentials;
}
```
See the complete policy template and placeholder descriptions below.
MCP Configuration
Configure your AI tool to connect with CloudBase capabilities. Supports local and hosted connection. See connection modes.
Step 1: Install / Configure CloudBase
Install in one click:
Or manual configuration:
Or add this configuration to .cursor/mcp.json:
```json
{
  "mcpServers": {
    "cloudbase": {
      "command": "npx",
      "args": [
        "@cloudbase/cloudbase-mcp@latest"
      ],
      "env": {
        "INTEGRATION_IDE": "Cursor",
        "CLOUDBASE_ENV_ID": "<user's environment ID>",
        "TENCENTCLOUD_SECRETID": "<temporary SecretId>",
        "TENCENTCLOUD_SECRETKEY": "<temporary SecretKey>",
        "TENCENTCLOUD_SESSIONTOKEN": "<temporary SessionToken>"
      }
    }
  }
}
```
Step 2: Chat with AI
Enter the following in your AI chat in order:
Install CloudBase Skills: run npx skills add tencentcloudbase/cloudbase-skills -y
Use CloudBase Skills: Use CloudBase to operate the environment, temporary credentials configured via MCP
Temporary credentials have a validity period (default 30 minutes, configured via DurationSeconds). After expiration, re-issuance is required.
Large-scale / ToC Scenarios (Pay-as-you-go)
In addition to the "one environment per user (¥19.9/month)" plan, the White-label Mode also supports pay-as-you-go billing, which is more suitable for ToC products or scenarios with a large number of users:
- No per-user fee: No need to purchase the ¥19.9/month CloudBase Personal plan for each user
- Environment isolation still effective: Even with pay-as-you-go billing, each user's environment remains fully isolated
- Billed by actual usage: Only pay for actual database reads/writes, cloud function invocations, storage, traffic, etc.
- Extremely low cost: Low-activity users generate almost no cost, making it suitable for ToC products
The pay-as-you-go mode requires contacting the CloudBase product team to enable. Please contact us via the CloudBase Console or through business development channels.
Responsibilities of All Parties
| Role | Responsibilities |
|---|---|
| Enterprise/Platform System | User identity authentication, maintain user↔environment mapping, proxy device code request and rewrite auth link to self-owned domain, create environment on first login, configure permission policies |
| Agent | As the user operation entry point, initiate login flow on behalf of the user, display auth link and login result |
| Tencent Cloud CloudBase | Provide capabilities such as environment creation, device code authorization, and temporary credential issuance |
Verify Isolation Effect
After configuration is complete, verify that isolation is effective:
- Call DescribeEnvs with the temporary credentials and confirm that only the environment corresponding to the user can be seen
- Try to access resources of other environments; this should return an insufficient permission error
- After the temporary credentials expire, confirm that cloud resources can no longer be operated