Stop AI agents from fumbling with login forms. This prompt helps you create development-only endpoints that let browser automation tools authenticate instantly.
When using AI agents with browser automation (agent-browser, Playwright MCP, Claude's computer use, Cursor's browser mode), they hit login walls and waste time filling out forms, handling redirects, and losing session state.
Create development-only auth shortcuts. After setup:
# One command to authenticate
agent-browser open "http://localhost:3000/dev-login?email=demo@test.com&password=demo"
# Now browse authenticated
agent-browser open http://localhost:3000/dashboard- Copy the prompt below
- Open a fresh Claude Code session (or any AI coding assistant) in your project
- Paste the prompt and let it run
Works with any stack: Node, Python, Ruby, Go, etc. / Next.js, Django, Rails, Flask, etc. / Supabase, NextAuth, Clerk, Firebase, custom auth, etc.
Copy the text block below and paste it into Claude Code (or any AI coding assistant):
Set up development authentication shortcuts for browser automation tools. Follow these phases:
Phase 1: Environment Validation
Verify this codebase has:
1. A way to detect development/local mode. Look for:
- Environment variables: NODE_ENV, RAILS_ENV, FLASK_ENV, APP_ENV, DEBUG, ENVIRONMENT, etc.
- Config files that distinguish dev from prod
- Build flags or conditional compilation
2. An existing authentication system. Look for:
- Auth-related directories: auth/, authentication/, identity/
- Auth libraries in dependencies (check package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, etc.)
- Middleware or decorators that check auth
- Login routes or handlers
EXIT CONDITIONS:
- If no dev mode detection exists: Stop and tell me "Could not find a way to detect development mode. Add environment-based detection first to ensure auth shortcuts are never exposed in production."
- If no auth system exists: Stop and tell me "No authentication system found. Set up authentication first."
Phase 2: Find Development Credentials
Search for existing dev/test credentials in:
- Seed/fixture files: seed.*, fixtures/, test-data/, mock/
- Scripts directory for user management tools
- Database migrations or seeders
- Documentation mentioning test accounts (README, CLAUDE.md, etc.)
Search patterns: username, password, testuser, demo, admin@, test@, seed, fixture
EXIT CONDITION:
- If no credentials found: Stop and tell me "No development credentials found. Create test users first (via seed script, admin panel, or auth provider dashboard), then run this again."
Document what you find - list the credentials with their roles.
Phase 3: Analyze Authentication
Discover:
1. How auth works in this codebase:
- Token-based (JWT, API keys, Bearer tokens)
- Session/cookie-based
- Both (common in apps with API + web frontend)
2. What auth library/framework is used:
- Identify from dependencies and imports
- Understand how to programmatically authenticate a user
- Understand how sessions/tokens are created and validated
3. What apps/services exist:
- Web frontends (any framework)
- Admin interfaces
- API servers
- List each with its path and auth pattern
Phase 4: User Selection
If AskUserQuestion tool is available, ask which apps should have dev auth shortcuts.
If unavailable, create shortcuts for all discovered apps.
Phase 5: Create Shortcuts
Create authentication shortcuts appropriate for the codebase's language, framework, and auth system.
For token-based auth: A script/command that outputs a valid auth token given credentials.
For cookie/session auth: An endpoint that authenticates and sets the session, accessible only in development.
Guidelines:
1. Follow existing patterns - Match the codebase's style, conventions, and directory structure
2. Use the existing auth system - Don't reinvent; call the same auth functions the app uses
3. Guard with dev-only checks - The shortcut must refuse to work in production
4. Keep it simple - Minimal code that does one thing
Token Generator Pattern - Create a script that:
- Accepts credentials (with sensible dev defaults)
- Calls the existing auth system to get a token
- Outputs only the token to stdout (for easy scripting)
- Example usage: TOKEN=$(./scripts/get-token) && curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/api/...
Dev Login Endpoint Pattern - Create an endpoint that:
- Accepts credentials via query params or JSON body
- Calls the existing auth system
- Sets session cookies
- Returns 404 in production (not an error - completely hidden)
- Example usage: agent-browser open "http://localhost:3000/dev-login?user=demo&pass=demo"
Security Requirements:
- Check for development mode BEFORE doing anything
- Return 404 or equivalent in production (not an error message that reveals the endpoint exists)
- Never log credentials
- Consider also checking for localhost/127.0.0.1 if appropriate
Phase 6: Update Documentation
Find where this project stores documentation or agent instructions:
- CLAUDE.md, AGENTS.md, GEMINI.md, CURSOR.md
- README.md, CONTRIBUTING.md
- docs/ directory
- .claude/, .cursor/, or similar
Add a section documenting:
- The dev auth shortcuts that were created
- How to use them with browser automation
- The test credentials available
- Example commands
Format the documentation to match the existing style.
Phase 7: Summary
Report:
- What was created (with file paths)
- How to use each shortcut
- Security measures in place
- Test credentials reference
These are examples for inspiration. The AI will adapt to your actual stack.
// scripts/get-token.ts
async function main() {
const [user, pass] = process.argv.slice(2);
const { token } = await yourAuthLib.signIn(
user || 'demo@test.com',
pass || 'demo'
);
console.log(token);
}
main();// Wherever your app puts API routes
export async function GET(req: Request) {
if (process.env.NODE_ENV !== 'development') {
return new Response('Not found', { status: 404 });
}
const url = new URL(req.url);
await yourAuth.signIn(url.searchParams.get('email'), url.searchParams.get('password'));
return Response.json({ ok: true });
}from django.conf import settings
from django.http import Http404, JsonResponse
from django.contrib.auth import authenticate, login
def dev_login(request):
if not settings.DEBUG:
raise Http404()
user = authenticate(username=request.GET.get('user'), password=request.GET.get('pass'))
if user:
login(request, user)
return JsonResponse({'ok': True})
return JsonResponse({'error': 'Invalid'}, status=401)class DevSessionsController < ApplicationController
skip_before_action :verify_authenticity_token
def create
raise ActionController::RoutingError, 'Not Found' unless Rails.env.development?
user = User.find_by(email: params[:email])
if user&.authenticate(params[:password])
session[:user_id] = user.id
render json: { ok: true }
else
render json: { error: 'Invalid' }, status: 401
end
end
end@app.route('/dev-login')
def dev_login():
if not current_app.debug:
abort(404)
user = authenticate(request.args.get('email'), request.args.get('password'))
if user:
session['user_id'] = user.id
return jsonify(ok=True)
return jsonify(error='Invalid'), 401func DevLogin(w http.ResponseWriter, r *http.Request) {
if os.Getenv("ENV") != "development" {
http.NotFound(w, r)
return
}
user, err := auth.Authenticate(r.URL.Query().Get("email"), r.URL.Query().Get("password"))
if err != nil {
http.Error(w, "Unauthorized", 401)
return
}
session.Set(r, w, user)
json.NewEncoder(w).Encode(map[string]bool{"ok": true})
}MIT