--- title: console.ggui.ai description: User dashboard for the hosted mcp.ggui.ai server — apps, orgs, connector keys, blueprints, credits, BYOK provider keys, and OAuth/CLI consent. --- :::caution[Coming soon] This page describes the **managed hosted path** (`mcp.ggui.ai` / `console.ggui.ai`), which is **not yet live** — it is not part of GGUI Preview 0.1.0. The self-hosted path is available today — start with the [Quickstart](/oss-quickstart/). This page is kept as a preview of the managed path and goes live when hosted ggui ships. ::: [`console.ggui.ai`](https://console.ggui.ai) is the user-facing dashboard for the [`mcp.ggui.ai`](/clients/claude-desktop/) hosted MCP server. Sign in with email + password (Cognito). The left-sidebar nav surfaces seven top-level screens; three more screens are deep-linked into by the OAuth ceremony, the CLI device flow, and org-invite emails. | Screen | Path | What lives here | | -------------- | --------------------- | ---------------------------------------------------------------------- | | Apps | `/apps` | Per-app surfaces — keys, blueprints, theme, marketplace, settings. | | Orgs | `/orgs` | Organizations you belong to; org-scoped wallets, invites, members. | | Connector keys | `/keys/connector` | Mint, list, and revoke `ggui_user_*` API keys. | | Connected apps | `/connections` | OAuth clients that have access to your account (placeholder today). | | Credits | `/credits` | Balance, transaction log, coupon redeem. (Stripe top-up: coming soon.) | | Provider keys | `/keys/providers` | BYOK — paste your Anthropic / OpenAI / Google / OpenRouter keys. | | Account | `/account` | Email, default app, sign out. | | OAuth consent | `/oauth/consent` | Approval landing for MCP-Apps-aware clients (Claude Desktop, etc.). | | CLI sign-in | `/cli-confirm/[code]` | Approval landing for the [`ggui` CLI's](/cli/login/) device flow. | | Org invite | `/invites/[inviteId]` | Auto-accept landing for an org-invite email link. | The home path `/` redirects to `/apps` — apps are the primary primitive in the current IA (post-2026-05 apps pivot). You don't visit `/oauth/consent` or `/cli-confirm/*` directly — the MCP host or the CLI navigates you there at the right moment. :::note The console is the end-user surface for **ggui** (the protocol, hosted at `mcp.ggui.ai`). **guuey** is the separate agent-hosting platform — a distinct product built on the same protocol underneath. ::: :::tip[Also available as an MCP route] Every action available in the console UI is also exposed as an `ops` MCP tool at `mcp.ggui.ai/ops`. See [Ops MCP route](/api/ops-mcp/) — useful for operator agents and automation. ::: ## Apps (`/apps`) Apps are the primary primitive. Each app is a scope that owns its own blueprints, theme, marketplace installs, and per-app API keys. New accounts land here with a single default app already provisioned; create more from this page. Per-app sub-routes (under `/apps/[appId]/`): - **Keys** (`/keys`) — per-app connector keys (`ggui_user_*` rows bound to this `appId`, so the pod locks the session to this app) **and** per-app BYOK provider-key overrides (precedence over the user-pool BYOK keys for renders bound to this app). - **Blueprints** (`/blueprints`) — the app's blueprint library: view source, rename, edit metadata, delete. - **Marketplace** (`/marketplace`) — browse + install published blueprints. - **Theme** (`/theme`) — per-app theme overrides. - **Settings** (`/settings`) — app-level config. Blueprints are matched during `ggui_handshake`, before any generation. Curated app blueprints match deterministically when the agent's declared tools cover the blueprint's `dataTools` (instant, zero-LLM); other cached blueprints are reused by contract similarity. Either way, a hit renders with zero generation cost. See the [generation pipeline](/architecture/overview/#generation-pipeline) for the matching flow and [Marketplace](/sdk/marketplace/) for authoring + distribution. ## Orgs (`/orgs`) Organizations you belong to. Each org has its own credit wallet, member list, and invite flow. Coupons can be redeemed into an org wallet from the Credits page (next section). Per-org detail lives under `/orgs/[orgId]`. Invite-email links land at `/invites/[inviteId]` and auto-accept once you're signed in (lookup is by Cognito email, so a newly-signed-up invitee sees every pending invite at `/invites`). Org-scoped agent infrastructure (production hosting, shared dashboards) is the domain of the separate **guuey** platform — same protocol underneath. ## Connector keys (`/keys/connector`) The connector-keys table. One row per active key: prefix, name, status, last-used timestamp, **Revoke** action. **Mint** opens a dialog with one optional field (a friendly label). Submit, the key reveals exactly once — copy it before dismissing the dialog. Lose it and you mint a new one; there's no recovery. Every authentication path lands here as one row: - The console UI mint dialog → row labelled whatever you typed. - An OAuth ceremony from Claude Desktop / claude.ai / Goose / VS Code → row labelled `MCP — ` by default (with an ` — ` prefix when the host requested per-app scope via RFC 8707 `resource`); the consent screen's optional **Key name** field overrides the default before approval. - The [`ggui keys create`](/cli/login/#manage-keys) CLI command → row labelled with whatever `--name` you passed. This unification is deliberate. The keys list IS the authoritative list of "things that can talk to ggui as you" — there's no separate "connected clients" surface. Revoke a row and the corresponding client's next request returns `401`. ## Connected apps (`/connections`) OAuth clients (Claude Desktop, claude.ai, Goose, …) that have registered against your account via Dynamic Client Registration. Currently a placeholder — the full client list + per-row revoke is planned. For now, run the in-Claude `ggui_status` tool to see connected apps from inside your MCP host. ## Credits (`/credits`) Balance, transaction log, and coupon redemption. New accounts get **\$5 of free credit** (Anthropic-pool) on first sign-in. Each `ggui_render` burns credit proportional to the LLM call (prompt tokens × model rate) plus a small render-storage allocation. Blueprint-matched renders skip the LLM and cost ~nothing. The transaction log shows every charge with model + token breakdown. **Top up:** the button is present but currently disabled with a "coming soon" badge — Stripe top-up is post-launch. Until then, top up via the **Redeem coupon** card (codes can be applied to your personal wallet or to any org wallet you're a member of). To bypass the credit pool entirely, paste a **provider key** at `/keys/providers` (next section). When a BYOK key is on file for the model the request would have used, ggui calls the model on your tab and only charges credit for orchestration overhead. ## Provider keys / BYOK (`/keys/providers`) Paste your own provider API keys to bypass the credit pool for model calls. The four supported providers, with the get-a-key link the dialog surfaces: - **Anthropic** — Claude models. Get a key at `console.anthropic.com` → Settings → API Keys. - **OpenAI** — GPT models. Get a key at `platform.openai.com` → API Keys. - **Google** — Gemini models. Get a key at `aistudio.google.com` → Get API key. - **OpenRouter** — multi-provider routing. Get a key at `openrouter.ai` → Settings → Keys. Keys are KMS-encrypted at rest and only decrypted in-memory in the per-request Lambda. The console only ever shows the key prefix once it's been saved — submit the form once, the plaintext is consumed. Resolution at request time is per-provider: Anthropic call → check Anthropic BYOK key → if present, use it; if not, fall back to credit pool. Mixing is fine — you can BYOK Anthropic and pay-as-you-go for everything else. Revoke at any time. The next request that would have used the key falls back to the credit pool. ## Account (`/account`) Email, default app selection (used by legacy redirects like `/blueprints` → `/apps/{defaultAppId}/blueprints`), and sign out. ## OAuth consent (`/oauth/consent`) The browser landing for MCP-Apps-aware clients running through the [OAuth ceremony](/api/oauth/). When Claude Desktop (or any compatible host) asks `mcp.ggui.ai` to authorize, the server 302s the browser here with the OAuth params. You see: - The requesting client's name (from DCR `client_name`). - The scope being requested (`mcp`). - Two buttons: **Approve** / **Cancel**. **Approve** mints a fresh `ggui_user_*` key (default label `MCP — `, editable via the Key-name field; per-app flows that carried an RFC 8707 `resource` get the `appId` bound on the row so the session locks to that app) and posts it back to the MCP server through a cross-origin form POST. The server completes the OAuth flow and the client's next `/mcp` request authenticates with the new key. **Cancel** redirects back to the client with `error=access_denied` per [RFC 6749 §4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1). The MCP server is never contacted; nothing is minted. You don't visit this URL directly — the MCP host sends you here at OAuth time. ## CLI sign-in (`/cli-confirm/[user_code]`) The browser landing for the [`ggui login`](/cli/login/) device flow. The CLI prints a URL like: ``` https://console.ggui.ai/cli-confirm/AB12-CD34 ``` Open it, sign in if you aren't already, confirm the codes match, click **Approve**. The CLI's polling on `/v1/auth/poll` flips to `approved` and tokens land at `~/.ggui/auth.json`. Same trust model as the OAuth consent screen — confirm the code matches what the CLI printed before approving. ## Account model One Cognito user owns one ggui account. User-scoped data on the dashboard (your keys, your blueprints, your personal credit balance, your provider keys) is visible only to you via owner-auth on every model. Org-scoped data (org wallet, org members, org-scoped blueprints) is gated by org membership.