console.ggui.ai

Coming soon

This page describes the managed hosted path (mcp.ggui.ai / console.ggui.ai), which is not yet live — it is not part of GGUI Preview 0.1.0. The self-hosted path is available today — start with the Quickstart. This page is kept as a preview of the managed path and goes live when hosted ggui ships.

console.ggui.ai is the user-facing dashboard for the mcp.ggui.ai hosted MCP server. Sign in with email + password (Cognito). The left-sidebar nav surfaces seven top-level screens; three more screens are deep-linked into by the OAuth ceremony, the CLI device flow, and org-invite emails.

Screen	Path	What lives here
Apps	/apps	Per-app surfaces — keys, blueprints, theme, marketplace, settings.
Orgs	/orgs	Organizations you belong to; org-scoped wallets, invites, members.
Connector keys	/keys/connector	Mint, list, and revoke ggui_user_* API keys.
Connected apps	/connections	OAuth clients that have access to your account (placeholder today).
Credits	/credits	Balance, transaction log, coupon redeem. (Stripe top-up: coming soon.)
Provider keys	/keys/providers	BYOK — paste your Anthropic / OpenAI / Google / OpenRouter keys.
Account	/account	Email, default app, sign out.
OAuth consent	/oauth/consent	Approval landing for MCP-Apps-aware clients (Claude Desktop, etc.).
CLI sign-in	/cli-confirm/[code]	Approval landing for the ggui CLI’s device flow.
Org invite	/invites/[inviteId]	Auto-accept landing for an org-invite email link.

The home path / redirects to /apps — apps are the primary primitive in the current IA (post-2026-05 apps pivot). You don’t visit /oauth/consent or /cli-confirm/* directly — the MCP host or the CLI navigates you there at the right moment.

Note

The console is the end-user surface for ggui (the protocol, hosted at mcp.ggui.ai). guuey is the separate agent-hosting platform — a distinct product built on the same protocol underneath.

Also available as an MCP route

Every action available in the console UI is also exposed as an ops MCP tool at mcp.ggui.ai/ops. See Ops MCP route — useful for operator agents and automation.

Apps (/apps)

Apps are the primary primitive. Each app is a scope that owns its own blueprints, theme, marketplace installs, and per-app API keys. New accounts land here with a single default app already provisioned; create more from this page.

Per-app sub-routes (under /apps/[appId]/):

• Keys (/keys) — per-app connector keys (ggui_user_* rows bound to this appId, so the pod locks the session to this app) and per-app BYOK provider-key overrides (precedence over the user-pool BYOK keys for renders bound to this app).
• Blueprints (/blueprints) — the app’s blueprint library: view source, rename, edit metadata, delete.
• Marketplace (/marketplace) — browse + install published blueprints.
• Theme (/theme) — per-app theme overrides.
• Settings (/settings) — app-level config.

Blueprints are matched during ggui_handshake, before any generation. Curated app blueprints match deterministically when the agent’s declared tools cover the blueprint’s dataTools (instant, zero-LLM); other cached blueprints are reused by contract similarity. Either way, a hit renders with zero generation cost. See the generation pipeline for the matching flow and Marketplace for authoring + distribution.

Orgs (/orgs)

Organizations you belong to. Each org has its own credit wallet, member list, and invite flow. Coupons can be redeemed into an org wallet from the Credits page (next section). Per-org detail lives under /orgs/[orgId]. Invite-email links land at /invites/[inviteId] and auto-accept once you’re signed in (lookup is by Cognito email, so a newly-signed-up invitee sees every pending invite at /invites).

Org-scoped agent infrastructure (production hosting, shared dashboards) is the domain of the separate guuey platform — same protocol underneath.

Connector keys (/keys/connector)

The connector-keys table. One row per active key: prefix, name, status, last-used timestamp, Revoke action.

Mint opens a dialog with one optional field (a friendly label). Submit, the key reveals exactly once — copy it before dismissing the dialog. Lose it and you mint a new one; there’s no recovery.

Every authentication path lands here as one row:

• The console UI mint dialog → row labelled whatever you typed.
• An OAuth ceremony from Claude Desktop / claude.ai / Goose / VS Code → row labelled MCP — <shortClientId> — <date> by default (with an <appName> — prefix when the host requested per-app scope via RFC 8707 resource); the consent screen’s optional Key name field overrides the default before approval.
• The ggui keys create CLI command → row labelled with whatever --name you passed.

This unification is deliberate. The keys list IS the authoritative list of “things that can talk to ggui as you” — there’s no separate “connected clients” surface. Revoke a row and the corresponding client’s next request returns 401.

Connected apps (/connections)

OAuth clients (Claude Desktop, claude.ai, Goose, …) that have registered against your account via Dynamic Client Registration. Currently a placeholder — the full client list + per-row revoke is planned. For now, run the in-Claude ggui_status tool to see connected apps from inside your MCP host.

Credits (/credits)

Balance, transaction log, and coupon redemption.

New accounts get $5 of free credit (Anthropic-pool) on first sign-in. Each ggui_render burns credit proportional to the LLM call (prompt tokens × model rate) plus a small render-storage allocation. Blueprint-matched renders skip the LLM and cost ~nothing. The transaction log shows every charge with model + token breakdown.

Top up: the button is present but currently disabled with a “coming soon” badge — Stripe top-up is post-launch. Until then, top up via the Redeem coupon card (codes can be applied to your personal wallet or to any org wallet you’re a member of).

To bypass the credit pool entirely, paste a provider key at /keys/providers (next section). When a BYOK key is on file for the model the request would have used, ggui calls the model on your tab and only charges credit for orchestration overhead.

Provider keys / BYOK (/keys/providers)

Paste your own provider API keys to bypass the credit pool for model calls. The four supported providers, with the get-a-key link the dialog surfaces:

• Anthropic — Claude models. Get a key at console.anthropic.com → Settings → API Keys.
• OpenAI — GPT models. Get a key at platform.openai.com → API Keys.
• Google — Gemini models. Get a key at aistudio.google.com → Get API key.
• OpenRouter — multi-provider routing. Get a key at openrouter.ai → Settings → Keys.

Keys are KMS-encrypted at rest and only decrypted in-memory in the per-request Lambda. The console only ever shows the key prefix once it’s been saved — submit the form once, the plaintext is consumed.

Resolution at request time is per-provider: Anthropic call → check Anthropic BYOK key → if present, use it; if not, fall back to credit pool. Mixing is fine — you can BYOK Anthropic and pay-as-you-go for everything else.

Revoke at any time. The next request that would have used the key falls back to the credit pool.

Account (/account)

Email, default app selection (used by legacy redirects like /blueprints → /apps/{defaultAppId}/blueprints), and sign out.

OAuth consent (/oauth/consent)

The browser landing for MCP-Apps-aware clients running through the OAuth ceremony. When Claude Desktop (or any compatible host) asks mcp.ggui.ai to authorize, the server 302s the browser here with the OAuth params.

You see:

• The requesting client’s name (from DCR client_name).
• The scope being requested (mcp).
• Two buttons: Approve / Cancel.

Approve mints a fresh ggui_user_* key (default label MCP — <shortClientId> — <date>, editable via the Key-name field; per-app flows that carried an RFC 8707 resource get the appId bound on the row so the session locks to that app) and posts it back to the MCP server through a cross-origin form POST. The server completes the OAuth flow and the client’s next /mcp request authenticates with the new key.

Cancel redirects back to the client with error=access_denied per RFC 6749 §4.1.2.1. The MCP server is never contacted; nothing is minted.

You don’t visit this URL directly — the MCP host sends you here at OAuth time.

CLI sign-in (/cli-confirm/[user_code])

The browser landing for the ggui login device flow. The CLI prints a URL like:

https://console.ggui.ai/cli-confirm/AB12-CD34

Open it, sign in if you aren’t already, confirm the codes match, click Approve. The CLI’s polling on /v1/auth/poll flips to approved and tokens land at ~/.ggui/auth.json.

Same trust model as the OAuth consent screen — confirm the code matches what the CLI printed before approving.

Account model

One Cognito user owns one ggui account. User-scoped data on the dashboard (your keys, your blueprints, your personal credit balance, your provider keys) is visible only to you via owner-auth on every model. Org-scoped data (org wallet, org members, org-scoped blueprints) is gated by org membership.