| name | toolify | ||
|---|---|---|---|
| description | When you want to integrate an external tool, API, MCP server, or service into a project — the wizard walks you through auth, config, env vars, client wrapper code, example usage, and (optionally) a smoke-test. Scoped to Next.js and Rails projects (the two primary stacks). Interactive Q&A pattern — starts with the tool name, asks structured questions until the integration is fully specified, then scaffolds files. Examples of tools to toolify — Stripe, Kit, Sanity, Notion, Neon, Supabase, Fathom, Rewardful, SavvyCal, Riverside, ScrapeCreators, Anthropic, OpenAI, Gemini, Twilio, Resend, Postmark, Vercel Blob, custom internal APIs. For MCP servers specifically, also handles the .mcp.json wiring. Triggers on "/toolify," "integrate X," "add X to this project," "wire up X," "set up the X integration," "hook up X," "connect X," "add MCP for X." Part of the -ify trifecta (skillify / toolify / loopify) for extending Claude Code. NOT for adding new SKILL.md files — that's skillify. NOT for cron/agent loops — that's loopify. | ||
| metadata |
|
Interactive wizard for adding an external tool / API / MCP into a project. Ends with working code + env vars set + a verification path.
- Primary stacks: Next.js (App Router + TypeScript) and Rails. Reason: those are the two stacks the user actually ships in; supporting every stack bloats the wizard.
- What toolify handles: auth pattern (API key, OAuth, JWT, session cookie), env var setup, official SDK vs raw fetch, client wrapper location, example usage, webhook handling (if applicable), MCP
.mcp.jsonwiring (if MCP server). - What toolify does NOT handle: writing business logic on top of the integration (that's for the human). It scaffolds the plumbing, not the feature.
Ask if not provided: "Which tool are we integrating?"
Detect category from name:
| Category | Examples | Extra steps |
|---|---|---|
| Payments | Stripe, LemonSqueezy, Paddle | Webhook signature verification, customer model, event handlers |
| Auth | NextAuth/Auth.js, Clerk, Supabase Auth, Devise | Session management, protected routes, callbacks |
| Resend, Postmark, SendGrid, Kit | From address, template setup, unsubscribe handling | |
| CMS/DB | Sanity, Prisma, Drizzle, Neon, Supabase | Schema location, migration path, client singleton pattern |
| AI/LLM | Anthropic, OpenAI, Gemini, Vercel AI SDK | Model choice, streaming vs non-streaming, rate limits |
| Analytics | Fathom, PostHog, Plausible | Script placement, event tracking API |
| Scheduling/Comms | SavvyCal, Cal.com, Twilio, Riverside | Webhook events, embed patterns |
| Scraping | ScrapeCreators, Apify, Playwright | Rate limits, response caching, retry policy |
| Affiliate/Referral | Rewardful, PartnerStack | Cookie handling, webhook events, dashboard access |
| Storage | Vercel Blob, S3, R2 | Bucket setup, signed URL pattern, presigned upload |
| MCP server | Any MCP — Sanity, Stripe, GitHub, Kit, etc. | .mcp.json entry + env vars, no client wrapper |
| Custom / other | Internal API, unknown tool | Ask more questions |
If category detection fails, ask 2 questions to place it: "Is it an API you call, a webhook receiver, or both?" / "Does it have an official SDK?"
Ask the following in order (skip questions that don't apply based on category):
- Which project? (path — infer from cwd; ask if ambiguous)
- Which stack? (Next.js / Rails — infer from
package.jsonvsGemfile; ask if both) - Auth pattern? (API key / OAuth / JWT / session cookie / signed webhooks — usually knowable from official docs)
- Official SDK exists? (check the docs; prefer SDK when good; fall back to raw fetch when SDK is bloated/abandoned)
- Env var name convention? (default:
SCREAMING_SNAKE_CASEmatching official convention — e.g.,STRIPE_SECRET_KEY,RESEND_API_KEY) - Environments? (dev / preview / prod — different keys?)
- Webhook receiver needed? (YES for Stripe/Rewardful/most payment+auth+CMS; NO for pure client-side or read-only APIs)
- Rate limits to respect? (grep official docs)
- Where does the client wrapper live? (default:
src/lib/<tool>.tsfor Next.js;app/services/<tool>_client.rbfor Rails)
Show the user the answers as a summary before scaffolding — one chance to correct before writing files.
Use WebFetch or context7:query-docs to pull the current official quickstart:
# Prefer context7 if available (fresher docs than training data)
Skill({skill: "compound-engineering:context7", ...})
# Fallback to WebFetch
WebFetch <official-quickstart-url>Read once, then work from cached content. Don't re-fetch mid-scaffold. Note the SDK version cited so package.json gets the right pin.
For a standard Next.js integration, generate:
src/lib/<tool>.ts # client singleton + typed wrappers
src/app/api/webhooks/<tool>/route.ts # webhook handler (if applicable)
src/app/api/<tool>/example/route.ts # one working example route
.env.local.example # env var template with placeholder values
For Rails:
config/initializers/<tool>.rb # SDK config
app/services/<tool>_client.rb # client wrapper
app/controllers/webhooks/<tool>_controller.rb # webhook handler if applicable
config/routes.rb # webhook route
.env.example # env vars
For an MCP server, only:
.mcp.json # add or update with the new server entry
.env.local # add the env vars the MCP needs
Every scaffolded file should have a comment at the top like:
// Scaffolded by /toolify on 2026-06-30. Official docs: <url>. SDK version: <version>.
// The client wrapper is scoped to plumbing only — business logic lives elsewhere.Apply the right auth pattern per tool category. Never invent — use the pattern the official docs specify. Common patterns:
- API key in header:
Authorization: Bearer <key>orX-<Vendor>-Key: <key>— check vendor's exact spelling - Webhook signature: use the vendor's crypto method (Stripe uses HMAC-SHA256; Rewardful uses similar). NEVER skip signature verification on webhooks — it's the #1 security bug in scaffolded integrations.
- OAuth: redirect URL setup, token storage, refresh handling. Prefer Auth.js/NextAuth for Next.js; Devise + omniauth for Rails.
- Signed URL / presigned: for uploads / temp access — set expiration explicitly, never use unbounded.
Add to the appropriate file:
- Local dev:
.env.local(Next.js) /.env(Rails) — NEVER committed - Vercel: sensitivity depends on the var. Two rules — apply the right one:
- Public / bundle-baked vars (
NEXT_PUBLIC_*) — these get inlined into the client bundle at build time and are ALREADY public. Use--no-sensitiveso you can audit them later:vercel env add NEXT_PUBLIC_APP_URL production --value "<url>" --no-sensitive --yes - Server-side secrets (API keys, webhook secrets, DB URLs) — never enter the client bundle. Use Vercel's default
--sensitivebehavior so the value is write-only via the CLI (can't be read back viavercel env pull):vercel env add STRIPE_SECRET_KEY production --value "<key>" --sensitive --yes vercel env add STRIPE_WEBHOOK_SECRET production --value "<secret>" --sensitive --yes
- The rule: only
NEXT_PUBLIC_*uses--no-sensitive. Everything else uses--sensitive. Getting this wrong means server secrets are readable viavercel env pullin someone's local terminal — same class of leak as committing them. - See
references/vercel-env-vars.mdfor the full policy + verification viavercel env pull+ brackets-check.
- Public / bundle-baked vars (
- Heroku:
heroku config:set <VAR>=<value> -a <app-name>
Also update .env.example / .env.local.example with the placeholder so teammates know the var is needed.
Generate a one-line verification the user can run:
# Example for a REST API:
curl -H "Authorization: Bearer $STRIPE_SECRET_KEY" https://api.stripe.com/v1/customers?limit=1
# Example for an SDK:
node -e "const s = require('./src/lib/stripe.ts').default; s.customers.list({limit:1}).then(console.log)"
# For MCP: restart Claude Code, run any command that touches the MCP serverShow the expected output shape. If the call fails, the wizard should be first to catch it, not the user in prod.
Report:
- Files created (paths)
- Env vars added (names only — never values in the report)
- SDK/dependency added to
package.json/Gemfile - Smoke-test command run + result
- Any TODOs the user needs to complete manually (e.g., "add webhook URL to dashboard")
Offer:
- "Set up a
loopifycron to check the webhook is still receiving events daily?" - "Save this integration recipe as a skill via
skillify from-chat?" - "Commit these changes now?"
Full recipes for common tools live in references/ (populate as they're used):
references/stripe-nextjs.md— payment integration + webhook + customer portalreferences/kit-nextjs.md— Kit (ConvertKit) MCP + subscriber APIreferences/sanity-nextjs.md— Sanity CMS + MCP + Studio embedreferences/anthropic-nextjs.md— Claude API + streaming + rate limitsreferences/scrapecreators-nextjs.md— social scraping API + retry policyreferences/rewardful-nextjs.md— referral tracking + webhook events
If a recipe doesn't exist yet, the wizard fetches the official docs, scaffolds fresh, and offers to save the recipe as ${MAKERSKILLS_CONFIG:-$HOME/.config/makerskills}/toolify/recipes/<tool>-<stack>.md for reuse (never inside the skill folder — upgrades wipe it). When looking up recipes, check both references/ (shipped) and the config recipes dir (yours).
skillify— sibling in-ifytrifecta. Useskillifywhen the goal is a new SKILL.md, not an integration.loopify— sibling. Useloopifyfor setting up cron/agent-loop patterns on top of the toolified integration (e.g., poll a webhook, sync data daily).compound-engineering:context7— fetch current SDK docs (fresher than training data).makerskills:watch-video— if the user has a Loom of an integration walkthrough, feed it in to synthesize the recipe.
- Never skip webhook signature verification. Even for internal-only endpoints. The vendor provides the crypto pattern for a reason.
- Never commit secrets.
.env.localand.envare gitignored — verify before finishing. - Never invent auth patterns. Use the vendor's official pattern verbatim. If docs are unclear, fetch again.
- SDK version matters. Pin the SDK version in
package.json/Gemfile.lock. Note the version in the file header comment. - One tool per invocation. Don't scaffold Stripe + Kit + Sanity in one run. Wizard is designed for depth per tool, not breadth.
- Prefer official SDKs unless they're bloated/abandoned. Raw fetch is fine when the SDK adds no value.
- Recipe-first for repeat tools. If integrating a tool the user has done before, load the recipe from
references/or$MAKERSKILLS_CONFIG/toolify/recipes/and adapt, don't re-derive.