Add a provider recipe
Recipes are the tested fast-path. But you rarely need one โ the agent covers the long tail by authoring wizards live.
Ringtail has two ways to set up a provider, and it's worth understanding why before you write any code.
Recipes vs agent-authored wizards
- Recipes (
libs/recipes) are the fast-path โ tested, one-click, deterministic. The curated set is roughly seven:cloudflare,neon,better-auth,resend,posthog,infisical,creem. - Agent-authored wizards are the universal fallback for the infinite long tail โ any
provider, any action โ via
authorWizardplus live docs.
The net: you don't need many recipes to be useful. The agent covers everything; recipes are an optimization, not a requirement. That kills the maintenance tax โ so add a recipe only when a provider is common enough that a tested one-click path earns its keep.
The Recipe contract
Every provider ships one Recipe in libs/recipes/src/recipes/<id>.ts. Core is
provider-agnostic โ it only knows this interface:
interface Recipe {
id: string; // stable id + store key, e.g. 'cloudflare'
title: string; // display name
mode: "auto" | "guided" | "generate";
envVars: string[]; // which .env vars this recipe fills
tokenCreateUrl?: string; // deep-link to the exact token page (guided)
docsUrl?: string;
requiredScopes?: string[];
rootCredKeys?: string[]; // which keys are ROOT creds โ stored + reused across repos
mint?(): Promise<Record<string, string>>;
validate?(creds: Record<string, string>): Promise<ValidateResult>; // REAL API probe, after mint
generate?(): Record<string, string>; // mode:'generate', local, no network
autoProvision?( // mode:'auto'
creds: Record<string, string>,
ctx: ProvisionCtx,
): Promise<Record<string, string>>;
}The three modes:
autoโ the provider has a management API we can call to mint the token or resource.guidedโ the user creates the key by hand (deep-linked); we validate it.generateโ no external account; we mint the value locally (e.g. an auth secret).
Validate after mint. validate runs a real API probe against the entered or minted
credentials and reports whether they authenticated and carry every required scope. A missing
scope drives the wrong-scope state โ Ringtail refuses to provision or sync a key that
wouldn't work. Never log a secret value from autoProvision's ctx.log.
Live scope and token-URL details are pulled from Context7 at runtime, so recipes don't rot against provider changes.