From 9e9915b2fa68db136b64ad8cbe93e43e419da984 Mon Sep 17 00:00:00 2001
From: Jacob Magar <jmagar@gmail.com>
Date: Mon, 16 Mar 2026 10:48:38 -0400
Subject: [PATCH] docs(auth): document Google OAuth setup in CLAUDE.md

---
 CLAUDE.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index b483858..783e9b6 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -61,6 +61,25 @@ docker compose down
   - `UNRAID_MCP_PORT`: Server port (default: 6970)
   - `UNRAID_MCP_HOST`: Server host (default: 0.0.0.0)
 
+### Google OAuth (Optional — protects the HTTP server)
+
+When `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, and `UNRAID_MCP_BASE_URL` are all set,
+the MCP server requires Google login before any tool call.
+
+| Env Var | Required | Purpose |
+|---------|----------|---------|
+| `GOOGLE_CLIENT_ID` | For OAuth | Google OAuth 2.0 Client ID |
+| `GOOGLE_CLIENT_SECRET` | For OAuth | Google OAuth 2.0 Client Secret |
+| `UNRAID_MCP_BASE_URL` | For OAuth | Public URL of this server (e.g. `http://10.1.0.2:6970`) |
+| `UNRAID_MCP_JWT_SIGNING_KEY` | Recommended | Stable 32+ char secret — prevents token invalidation on restart |
+
+**Google Cloud Console setup:**
+1. APIs & Services → Credentials → Create OAuth 2.0 Client ID (Web application)
+2. Authorized redirect URIs: `<UNRAID_MCP_BASE_URL>/auth/callback`
+3. Copy Client ID + Secret to `~/.unraid-mcp/.env`
+
+**Omit `GOOGLE_CLIENT_ID` to run without auth** (default — preserves existing behaviour).
+
 ## Architecture
 
 ### Core Components