Gate Wallet Auth Skill
Auth domain — Manage Google OAuth login, Token refresh, and logout. 5 MCP tools.
Trigger scenarios: User mentions "login", "logout", "authentication", "sign in", or when other Skills detect no mcp_token.
Step 0: MCP Server Connection Check (Mandatory)
Before executing any operation, you must first confirm that the Gate Wallet MCP Server is available. This step cannot be skipped.
Probe call:
CallMcpTool(server="gate-wallet", toolName="chain.config", arguments={chain: "eth"})
| Result | Action |
|---|---|
| Success | MCP Server available, proceed to next steps |
server not found / unknown server | Cursor not configured → Show configuration guide (see below) |
connection refused / timeout | Remote unreachable → Prompt to check URL and network |
401 / unauthorized | API Key auth failed → Prompt to check auth configuration |
When Cursor is Not Configured
❌ Gate Wallet MCP Server Not Configured
The MCP Server named "gate-wallet" was not found in Cursor. Please configure it as follows:
Option 1: Configure via Cursor Settings (Recommended)
1. Open Cursor → Settings → MCP
2. Click "Add new MCP server"
3. Fill in:
- Name: gate-wallet
- Type: HTTP
- URL: https://your-mcp-server-domain/mcp
4. Save and retry
Option 2: Edit config file manually
Edit ~/.cursor/mcp.json and add:
{
"mcpServers": {
"gate-wallet": {
"url": "https://your-mcp-server-domain/mcp"
}
}
}
If you don't have an MCP Server URL yet, please contact your administrator.
When Remote Service is Unreachable
⚠️ Gate Wallet MCP Server Connection Failed
MCP Server configuration was found, but the remote service cannot be reached. Please check:
1. Confirm the service URL is correct (is the configured URL accessible?)
2. Check network connection (does VPN / firewall affect access?)
3. Confirm the remote service is running
When API Key Authentication Fails
🔑 Gate Wallet MCP Server Authentication Failed
MCP Server is connected but API Key validation failed. The service uses AK/SK authentication (x-api-key header).
Please contact your administrator for a valid API Key and confirm the server configuration is correct.
Authentication Overview
This Skill is the auth entry point. Executing login itself does not require mcp_token. auth.refresh_token and auth.logout require an existing token.
After successful login, the obtained mcp_token and account_id will be passed to other Skills that require authentication (portfolio, transfer, swap, dapp).
MCP Tool Call Specification
1. auth.google_login_start — Start Google OAuth Login
Initiates Google Device Flow login and returns the verification URL the user needs to visit.
| Field | Description |
|---|---|
| Tool name | auth.google_login_start |
| Parameters | None |
| Return value | { verification_url: string, flow_id: string } |
Call example:
CallMcpTool(
server="gate-wallet",
toolName="auth.google_login_start",
arguments={}
)
Return example:
{
"verification_url": "https://accounts.google.com/o/oauth2/device?user_code=ABCD-EFGH",
"flow_id": "flow_abc123"
}
Agent behavior: Display verification_url to the user and guide them to complete Google authorization in the browser.
2. auth.google_login_poll — Poll Login Status
Uses flow_id to poll Google OAuth login result and determine whether the user has completed browser-side authorization.
| Field | Description |
|---|---|
| Tool name | auth.google_login_poll |
| Parameters | { flow_id: string } |
| Return value | { status: string, mcp_token?: string, refresh_token?: string, account_id?: string } |
Call example:
CallMcpTool(
server="gate-wallet",
toolName="auth.google_login_poll",
arguments={ flow_id: "flow_abc123" }
)
status value meanings:
| status | Meaning | Next action |
|---|---|---|
pending | User has not completed authorization | Wait a few seconds and retry |
success | Login successful | Extract mcp_token, refresh_token, account_id |
expired | Login flow timed out | Prompt user to restart login |
error | Login error | Display error message |
3. auth.login_google_wallet — Google Authorization Code Login
Uses Google OAuth authorization code to log in directly (for scenarios where a code is already available).
| Field | Description |
|---|---|
| Tool name | auth.login_google_wallet |
| Parameters | { code: string, redirect_url: string } |
| Return value | MCPLoginResponse (includes mcp_token, refresh_token, account_id) |
Call example:
CallMcpTool(
server="gate-wallet",
toolName="auth.login_google_wallet",
arguments={ code: "4/0AX4XfW...", redirect_url: "http://localhost:8080/callback" }
)
4. auth.refresh_token — Refresh Token
When mcp_token expires, use refresh_token to obtain a new valid token.
| Field | Description |
|---|---|
| Tool name | auth.refresh_token |
| Parameters | { refresh_token: string } |
| Return value | RefreshTokenResponse (includes new mcp_token, new refresh_token) |
Call example:
CallMcpTool(
server="gate-wallet",
toolName="auth.refresh_token",
arguments={ refresh_token: "rt_xyz789..." }
)
Agent behavior: After successful refresh, silently update the internally held mcp_token; user is unaware.
5. auth.logout — Logout
Revokes the current session and invalidates mcp_token.
| Field | Description |
|---|---|
| Tool name | auth.logout |
| Parameters | { mcp_token: string } |
| Return value | "session revoked" |
Call example:
CallMcpTool(
server="gate-wallet",
toolName="auth.logout",
arguments={ mcp_token: "<current_mcp_token>" }
)
Skill Routing
After authentication completes, route to the corresponding Skill based on the user's original intent:
| User intent | Route target |
|---|---|
| Check balance, assets, address | gate-dex-mcpwallet |
| Transfer, send tokens | gate-dex-mcptransfer |
| Swap, exchange tokens | gate-dex-mcpswap |
| DApp interaction, sign messages | gate-dex-mcpdapp |
| Check market, token info | gate-dex-mcpmarket |
When other Skills detect missing or expired mcp_token, they also route to this Skill for authentication before returning to the original operation.
Operation Flows
Flow A: Google Device Flow Login (Primary)
Step 0: MCP Server pre-check
↓ Success
Step 1: Intent recognition
Agent determines user needs to log in (direct login request, or redirected by another Skill)
↓
Step 2: Initiate login
Call auth.google_login_start → Get verification_url + flow_id
↓
Step 3: Guide user authorization
Display verification link to user, ask them to complete Google authorization in browser:
────────────────────────────
Please open the following link in your browser to complete Google login:
{verification_url}
After completing, please tell me and I will confirm the login status.
────────────────────────────
↓
Step 4: Poll login result
After user confirms authorization is complete, call auth.google_login_poll({ flow_id })
- status == "pending" → Prompt user to confirm if complete, poll again later (max 10 retries, 3 sec interval)
- status == "success" → Extract mcp_token, refresh_token, account_id, proceed to Step 5
- status == "expired" → Prompt timeout, suggest restarting login
- status == "error" → Display error message
↓
Step 5: Login success
Store mcp_token, refresh_token, account_id internally (do not show token plaintext to user)
Confirm login success to user:
────────────────────────────
✅ Login successful!
Account: {account_id} (masked display)
You can now:
- View wallet balance and assets
- Transfer and send tokens
- Swap and exchange tokens
- Interact with DApps
- View market data
What would you like to do?
────────────────────────────
↓
Step 6: Route to user's original intent
Guide to the corresponding Skill based on user's initial request or follow-up instruction
Flow B: Token Refresh (Auto-triggered)
Trigger: Other Skill's MCP tool call returns token expired error
↓
Step 1: Auto refresh
Call auth.refresh_token({ refresh_token })
↓
Step 2a: Refresh success
Silently update mcp_token, retry original operation; user unaware
↓
Step 2b: Refresh failed
refresh_token also expired → Guide user to re-login (Flow A)
────────────────────────────
⚠️ Session has expired. Please log in again.
Initiating Google login for you...
────────────────────────────
Flow C: Logout
Step 0: MCP Server pre-check
↓ Success
Step 1: Intent recognition
User requests logout / sign out
↓
Step 2: Execute logout
Call auth.logout({ mcp_token })
↓
Step 3: Clear state
Clear internally held mcp_token, refresh_token, account_id
↓
Step 4: Confirm logout
────────────────────────────
✅ Successfully logged out.
To use wallet features again, please log in.
────────────────────────────
Flow D: Authorization Code Login (Alternative)
Step 0: MCP Server pre-check
↓ Success
Step 1: User provides Google authorization code
↓
Step 2: Execute login
Call auth.login_google_wallet({ code, redirect_url })
↓
Step 3: Login success
Extract mcp_token, refresh_token, account_id → Same as Flow A Step 5
Cross-Skill Workflow
Called by Other Skills (Auth Pre-requisite)
All Skills that require mcp_token should route to this Skill when they detect unauthenticated state:
Any Skill operation (requires mcp_token)
→ Detect no mcp_token or token expired
→ Auto try auth.refresh_token (if refresh_token exists)
→ Refresh success → Return to original Skill to continue
→ Refresh failed → gate-dex-mcpauth Flow A (login)
→ Login success → Return to original Skill to continue
Typical Post-Login Workflow
gate-dex-mcpauth (login)
→ gate-dex-mcpwallet (check balance/assets) # Most common follow-up
→ gate-dex-mcptransfer (transfer) # User explicitly wants transfer
→ gate-dex-mcpswap (Swap) # User explicitly wants swap
→ gate-dex-mcpdapp (DApp interaction) # User explicitly wants DApp interaction
Edge Cases and Error Handling
| Scenario | Handling |
|---|---|
| MCP Server not configured | Abort all operations, show Cursor configuration guide |
| MCP Server unreachable | Abort all operations, show network check prompt |
auth.google_login_start failed | Display error, suggest retry later or check MCP Server status |
| User did not complete authorization in browser | Poll returns pending, prompt user to complete browser-side step first |
Login flow timeout (expired) | Prompt timeout, auto re-call auth.google_login_start to start new flow |
auth.google_login_poll repeated failures | Max 10 retries (3 sec interval), then prompt user to check network or retry |
auth.refresh_token failed | refresh_token expired or invalid → Guide to full login flow |
auth.logout failed | Display error, still clear locally held token state |
| User logs in again | If already holding valid mcp_token, prompt that already logged in, ask if need to switch account |
Invalid code for auth.login_google_wallet | Display error, suggest user re-obtain authorization code or use Device Flow |
| Network interruption | Display network error, suggest checking network and retrying |
Security Rules
mcp_tokenconfidentiality: Never displaymcp_tokenorrefresh_tokenin plaintext to the user; use placeholder<mcp_token>in conversation only.account_idmasking: When displaying, show only partial characters (e.g.acc_12...89).- Token auto-refresh: When
mcp_tokenexpires, try silent refresh first; only require re-login if refresh fails. - No silent login retries: After login failure, clearly show error to user; do not retry repeatedly in background.
- No operations when MCP Server not configured or unreachable: If Step 0 connection check fails, abort all subsequent steps.
- Single session, single account: Maintain only one active
mcp_tokenat a time; switching accounts requires logout first. - MCP Server error transparency: All MCP Server error messages are shown to the user as-is; do not hide or alter them.