Command-line client and MCP server for Timebook — track time, manage timers, and expose your Timebook account to AI agents (Claude, Codex, Cursor, …) over the Model Context Protocol.
# one-off
npx @squidcode/timebook login
# globally
npm install -g @squidcode/timebook
timebook --helpRequires Node.js 18.17+.
timebook login opens your browser, you log into Timebook (or use an existing session) and pick a scope (which clients/projects this token can touch). The browser delivers the token back to a short-lived loopback HTTP listener, which the CLI then writes to a config file with 0600 permissions.
timebook loginThe token is stored at:
- macOS:
~/Library/Preferences/timebook/config.json - Linux:
~/.config/timebook/config.json - Windows:
%APPDATA%\timebook\Config\config.json
The token never leaves your machine after login. To revoke it server-side, visit https://usetimebook.com/settings/api-tokens.
timebook whoami
timebook projects # list projects
timebook clients # list clients
timebook start -p "Acme website" -d "Wireframes"
timebook status # show running timer
timebook stop
# manual entries
timebook log -p "Acme website" -t 1h30m -d "Code review"
timebook log -p PROJ_ID --start 2026-05-04T09:00 --end 2026-05-04T10:30
timebook entries --project "Acme website" -n 10
# edit / delete (any combination of fields; unset ones stay as-is)
timebook entries edit ENTRY_ID -t 2h -d "code review + tests"
timebook entries edit ENTRY_ID --start 2026-05-04T09:00 --end 2026-05-04T11:00
timebook entries edit ENTRY_ID -d "" # clear description
timebook entries delete ENTRY_IDDuration formats accepted: 1h, 45m, 1h30m, 1.5h, 1:30, or a bare number (interpreted as minutes — e.g. 90 → 1h 30m).
Edit / delete authorization: an API token can only modify entries it created itself. JWT sessions (the web UI) and admin tokens bypass this rule. Invoiced entries are locked for everyone via the API. A 403 with a friendly message is returned on a denied attempt — fix the entry from the web UI or with the token that created it.
The same binary speaks MCP over stdio when invoked with timebook mcp. Drop it into any MCP-aware host (Claude Code, Claude Desktop, Codex, Cursor, …):
{
"mcpServers": {
"timebook": {
"command": "npx",
"args": ["-y", "@squidcode/timebook", "mcp"]
}
}
}Or, if installed globally:
{
"mcpServers": {
"timebook": {
"command": "timebook",
"args": ["mcp"]
}
}
}The MCP server reuses the token saved by timebook login — run timebook login once in a terminal before starting the agent.
| Tool | What it does |
|---|---|
whoami |
Current authenticated user (read-only) |
list_projects |
All projects in scope (read-only) |
list_clients |
All clients in scope (read-only) |
get_active_timer |
The running timer, or null (read-only) |
start_timer |
Start a timer on a project |
stop_timer |
Stop the running timer |
log_time |
Log a manual entry (duration OR startTime+endTime) |
list_entries |
Recent entries (default 50, max 500), project + date filters |
update_entry |
Edit one or more fields on an entry (description, duration, startTime, endTime, project, rate). Token must own the entry. |
delete_entry |
Delete an entry. Token must own it. Invoiced entries are locked. |
Once the MCP server is connected, ask the model in plain English:
- "Start a timer on my Acme website project for landing-page wireframes."
- "How much time did I log on the Recycler project last week?"
- "Log 1 hour 30 minutes against ChatNexus from 9am this morning at the Software Development rate, with description 'code review of the auth refactor'."
- "What am I currently working on?" — invokes
get_active_timer. - "Stop my timer."
- "My last entry on Recycler should be 2 hours, not 1h45m. Fix it." — invokes
list_entriesthenupdate_entry. - "Delete the entry I just made by mistake." — invokes
delete_entry. Will 403 if the entry was created by a different token (web UI, another agent) — say so to the model so it doesn't keep retrying.
The model picks the right tool, asks list_projects first if it needs to disambiguate a name, and writes through start_timer / log_time / stop_timer.
Timebook CLI runs on your machine and only talks to your Timebook account.
- Authentication:
timebook loginmints a personal API token via Timebook's OAuth-style consent screen. The token is stored locally with0600permissions (~/Library/Preferences/timebook/config.jsonon macOS,~/.config/timebook/config.jsonon Linux,%APPDATA%\timebook\Config\config.jsonon Windows). It is never transmitted anywhere excepthttps://usetimebook.com(or your override) on outgoing API calls. - Telemetry: none. Neither the CLI nor the MCP server reports usage, errors, or analytics anywhere.
- MCP host data: when you use
timebook mcpfrom inside Claude / Cursor / etc., the MCP host (not Timebook) controls what the model sees. Tool inputs and outputs flow through the host's normal model-context pipeline. - Revoking access: visit https://usetimebook.com/settings/api-tokens to revoke the token at any time.
For Timebook's product-level privacy policy, see https://usetimebook.com/privacy.
Override the API/web hosts (useful for self-hosted Timebook or local dev):
TIMEBOOK_API_URL=https://api.example.com \
TIMEBOOK_WEB_URL=https://example.com \
timebook loginYou can also pass --api-url and --web-url to timebook login once; subsequent commands re-use the saved values.
If timebook login errors with State mismatch or you want to see exactly which requests reach the loopback callback, run with --debug:
timebook login --debuggit clone https://github.com/squidcode/timebook-cli
cd timebook-cli
npm install
npm run dev -- --help # tsx-powered hot-loop
npm run build # emits dist/
npm run lint && npm run typecheck && npm run testPre-commit hooks (ESLint + Prettier via lint-staged) are wired up by husky on npm install.
prepublishOnly runs lint + typecheck + tests + build, then:
npm publish --access publicMIT © Squidcode LLC. See LICENSE.