11 KiB
11 KiB
Multiple Accounts Configuration 🔐
Overview
This project supports multiple accounts for the same service:
- Multiple GitHub accounts (personal, work, alt)
- Multiple Cloudflare accounts (prod, staging, dev)
- Multiple GitLab instances (internal, external)
Each account is:
- Bound to a unique environment variable name, and
- Exposed as a separate MCP server in
opencode.jsonc.
🔒 Security Note: Never commit tokens to git. Keep them in your shell environment, a
.envfile that is.gitignored, or a secrets manager.
1. Export Tokens with Unique Variable Names
Use descriptive names that encode both service and purpose.
Pattern:
<SERVICE>_<RESOURCE>_<ENV or PURPOSE>
Examples:
GITHUB_TOKEN_WORKCLOUDFLARE_API_TOKEN_PRODUCTIONGITLAB_TOKEN_INTERNAL
Shell Export (for session-based or profile)
# GitHub – multiple accounts
export GITHUB_TOKEN_SECONDARY="ghp_another_token_here"
export GITHUB_TOKEN_WORK="ghp_work_account_token"
export GITHUB_TOKEN_PERSONAL="ghp_personal_account_token"
# Cloudflare – multiple accounts
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token_here"
export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
export CLOUDFLARE_API_TOKEN_STAGING="staging_token_here"
export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# GitLab – multiple instances
export GITLAB_TOKEN_INTERNAL="glpat_internal_token"
export GITLAB_URL_INTERNAL="https://gitlab.internal.company.com"
export GITLAB_TOKEN_EXTERNAL="glpat_external_token"
export GITLAB_URL_EXTERNAL="https://gitlab.com"
.env File (recommended for project isolation)
# .env (remember to add this to .gitignore)
CLOUDFLARE_API_TOKEN_PRODUCTION=prod_token
CLOUDFLARE_ACCOUNT_ID_PRODUCTION=prod_account_id
CLOUDFLARE_API_TOKEN_STAGING=staging_token
CLOUDFLARE_ACCOUNT_ID_STAGING=staging_account_id
Then load in shell:
set -a
source .env
set +a
2. Add MCP Entries in opencode.jsonc
Each account becomes its own MCP entry, wired to its own env vars:
// Secondary GitHub account
"github_secondary": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-github"],
"environment": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "{env:GITHUB_TOKEN_SECONDARY}"
},
"enabled": false
},
// Production Cloudflare account
"cloudflare_prod": {
"type": "local",
"command": ["python3", "-m", "mcp.cloudflare_safe"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_PRODUCTION}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_PRODUCTION}"
},
"enabled": false
},
// Staging Cloudflare account
"cloudflare_staging": {
"type": "local",
"command": ["python3", "-m", "mcp.cloudflare_safe"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_STAGING}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_STAGING}"
},
"enabled": false
},
// Internal GitLab instance
"gitlab_internal": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-gitlab"],
"environment": {
"GITLAB_TOKEN": "{env:GITLAB_TOKEN_INTERNAL}",
"GITLAB_URL": "{env:GITLAB_URL_INTERNAL}"
},
"enabled": false
}
3. Enable Per-Agent (Recommended) or Globally
Recommended: Enable accounts per agent for isolation.
"agents": {
"cloudflare-ops": {
"tools": {
"cloudflare_prod": true, // Production account
"cloudflare_staging": true, // Staging account
"github_secondary": true, // Secondary GitHub
"gitlab_internal": true // Internal GitLab
}
},
"security-audit": {
"tools": {
"cloudflare_prod": true, // Only production for audits
"github_secondary": false // Disable secondary for security
}
}
}
Global enable (less strict, use sparingly):
"tools": {
"cloudflare_prod": true,
"github_secondary": true
}
🔑 Principle: Production credentials should only be wired into a few, tightly-scoped agents (e.g.,
cloudflare-ops,security-audit), not "playground" agents.
4. Best Practices
Naming Conventions
Use suffixes that make intent obvious:
_PRODUCTION/_PROD– Production environment_STAGING/_STAGE– Staging environment_DEVELOPMENT/_DEV– Development environment_INTERNAL– Internal/private instance_EXTERNAL– External/public instance_WORK/_PERSONAL– Work vs personal identity_SECONDARY/_BACKUP– Secondary/backup account
Security Isolation
- Per-agent configuration – Only give each agent the accounts it truly needs
- Environment separation – Different tokens per environment (prod / stage / dev)
- Least privilege – Grant minimal scopes to each token
- Token rotation – Rotate regularly, especially production
⚠️ Golden Rule: Never give production tokens to "exploratory" or "play" agents; only to audited / narrow-scope agents (e.g.,
security-audit,cloudflare-ops).
Example: Multi-Environment Setup
# .env file
# Production
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token"
export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
# Staging
export CLOUDFLARE_API_TOKEN_STAGING="staging_token"
export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# Development
export CLOUDFLARE_API_TOKEN_DEVELOPMENT="dev_token"
export CLOUDFLARE_ACCOUNT_ID_DEVELOPMENT="dev_account_id"
// opencode.jsonc
"cloudflare_prod": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_PRODUCTION}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_PRODUCTION}"
}
},
"cloudflare_staging": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_STAGING}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_STAGING}"
}
},
"cloudflare_dev": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_DEVELOPMENT}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_DEVELOPMENT}"
}
}
Cursor IDE Integration
How Cursor Agent Works with Multiple Accounts
Cursor IDE itself uses a single account (your Cursor subscription), but Cursor Agent can access unlimited external service accounts via:
- Environment Variables (loaded from
.env) - MCP Servers (configured in
~/.cursor/mcp.jsonor project-specific) - Workspace-Specific Config (each project folder can have different credentials)
Configuring MCP in Cursor
File: ~/.cursor/mcp.json
{
"mcpServers": {
"github_work": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_work_token_here"
}
},
"github_personal": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_personal_token_here"
}
},
"cloudflare_prod": {
"command": "python3",
"args": ["-m", "mcp.cloudflare_safe"],
"env": {
"CLOUDFLARE_API_TOKEN": "prod_token",
"CLOUDFLARE_ACCOUNT_ID": "prod_account_id"
}
}
}
}
Using Multiple Accounts in Cursor
Once configured, Cursor Agent can:
# In Cursor chat/command bar:
"Check production Cloudflare for drift"
→ Uses cloudflare_prod MCP
"Search my work GitHub for similar implementations"
→ Uses github_work MCP
"Compare personal and work repos for this pattern"
→ Uses both github_personal and github_work MCPs
Workspace-Specific .env
Each project can have its own .env:
# /Users/sovereign/Desktop/CLOUDFLARE/.env
export CLOUDFLARE_API_TOKEN="client_a_token"
export GITLAB_TOKEN="client_a_gitlab_token"
# /Users/sovereign/Desktop/CLIENT_B/.env
export CLOUDFLARE_API_TOKEN="client_b_token"
export GITLAB_TOKEN="client_b_gitlab_token"
Cursor loads the appropriate .env when you switch workspaces.
5. Usage Examples
Launching with Multiple Accounts
# Set tokens before launching
export GITHUB_TOKEN_SECONDARY="ghp_..."
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_..."
# Launch OpenCode
opencode
/init
Inside OpenCode:
/use github_secondary
Search for issues in my secondary GitHub account
/use cloudflare_prod
List all zones in the production Cloudflare account
Agent-Specific Access
/agent cloudflare-ops
# Has: cloudflare_prod, cloudflare_staging, github_secondary
/agent security-audit
# Has: cloudflare_prod only (no staging, no personal GitHub)
Cross-Account Validation
/agent cloudflare-ops
Compare configuration between production and staging accounts:
1. Query cloudflare_prod for all WAF rules
2. Query cloudflare_staging for all WAF rules
3. Show differences
4. Validate staging matches production baseline
6. Troubleshooting
Token Not Working
-
Verify the environment variable is set:
echo "$GITHUB_TOKEN_SECONDARY" -
Check MCP configuration in
opencode.jsonc:- Variable names match
{env:VARIABLE_NAME}syntax is correct
-
Restart OpenCode after exporting tokens
MCP Not Loading
-
Check MCP status inside OpenCode:
/mcp list /mcp status github_secondary -
Validate token format:
- GitHub: usually
ghp_... - GitLab: usually
glpat_...
- GitHub: usually
-
Confirm agent config:
- MCP is enabled for that agent in
agents[...].tools - Or globally enabled in
"tools"
- MCP is enabled for that agent in
7. Security Considerations
Token Storage
✅ DO:
- Store tokens in
.env(gitignored) - Use environment variables for credentials
- Rotate tokens every 90 days
- Use separate tokens for prod/staging/dev
❌ DON'T:
- Commit tokens to git
- Hardcode tokens in config files
- Share tokens via chat/email
- Use same token across environments
Audit Trail
Log all multi-account operations:
# Enable audit logging in .env
export AUDIT_LOG_ENABLED=true
export AUDIT_LOG_PATH="./observatory/audit.log"
Operations using multiple accounts will be logged with account identifiers.
Token Rotation
💡 Future Enhancement: Could integrate with
playbooks/TUNNEL-ROTATION-PROTOCOL.mdfor automated token rotation policies.
8. Related Docs
- AGENTS.md – Agent configuration and usage
- MCP_GUIDE.md – Full MCP reference
- GITLAB_CLOUDFLARE_AUTH.md – Auth setup
- .env.example – Environment variable examples
- COGNITION_FLOW.md – How multi-account fits into cognition flow
9. Summary
To add another account:
-
Create a unique env var for the token
- e.g.,
GITHUB_TOKEN_SECONDARY,CLOUDFLARE_API_TOKEN_STAGING
- e.g.,
-
Add an MCP entry in
opencode.jsoncthat uses{env:...} -
Enable it per-agent (recommended) or globally
-
Keep naming and scopes clear so you always know which token is doing what
🔐 Key Point:
One account = one env var = one MCP entry.
From there, agents decide which identities they're allowed to wield.
Next Steps:
- See GITLAB_CLOUDFLARE_AUTH.md for detailed token creation
- See AGENTS.md for agent-specific tool configuration
- See .env.example for complete environment template