OneSignal Cursor Plugin

OneSignal workflows for Cursor. This plugin packages:

• The hosted OneSignal MCP server.
• OneSignal skills for messages, segments, templates, Journeys, custom events, and mobile SDK setup.
• A setup skill for Cursor/MCP authentication.
• Safety rules for sends, writes, production apps, and secrets.
• Commands for setup, test notification planning, and delivery debugging.

Requirements

• Cursor with plugin support.
• A OneSignal app.
• A OneSignal REST API key for that app.

This first version uses API-key authentication. OAuth can be added later after the OneSignal MCP OAuth route is verified end to end in Cursor.

Configure Authentication

Set the REST API key in the environment before opening Cursor:

export ONESIGNAL_REST_API_KEY=replace-with-your-rest-api-key

Do not commit real API keys. Do not paste real keys into chat.

The plugin MCP config sends the key as an api_key header to:

https://mcp.onesignal.com/mcp

Local Install for Testing

Symlink this repo into Cursor's local plugin folder:

mkdir -p ~/.cursor/plugins/local
ln -s /path/to/onesignal-cursor-plugin ~/.cursor/plugins/local/onesignal

Then restart Cursor or run Developer: Reload Window.

Verify:

1. Cursor sees the OneSignal plugin.
2. Cursor lists the OneSignal MCP server under MCP settings.
3. Read-only tools such as onesignal_health, onesignal_config, or onesignal_reference_overview work.
4. Domain skills appear and trigger for OneSignal setup, messaging, segments, templates, Journeys, custom events, and mobile SDK questions.

Validate Before Publishing

Run:

npm run validate

The validator checks:

• .cursor-plugin/plugin.json
• mcp.json
• relative component paths
• skill/rule/command frontmatter
• absence of committed REST API key values

Included Skills

• onesignal-setup
• onesignal-messages
• onesignal-segments
• onesignal-templates
• onesignal-journeys
• onesignal-custom-events
• onesignal-mobile-sdk-setup

Included Commands

• setup-onesignal
• send-onesignal-test-notification
• debug-onesignal-delivery

Safety Model

The plugin includes an always-on OneSignal safety rule:

• Use environment variables for secrets.
• Prefer read-only checks before writes.
• Require explicit approval before sends, mutations, deletes, exports, transfers, or production actions.
• Ask for extra confirmation before large-audience or production blasts.
• Show app id, channel, audience, content, schedule, and expected effect before any send.

Cursor may also show MCP tool approval prompts. Do not bypass them.

Marketplace Submission

Before submitting:

1. Run npm run validate.
2. Test local install from ~/.cursor/plugins/local/onesignal.
3. Test with a non-production OneSignal app first.
4. Confirm README setup instructions are current.
5. Commit all files, including assets/logo.svg.
6. Push to a public GitHub repo.
7. Submit the repo at https://cursor.com/marketplace/publish.

Recommended repository:

https://github.com/OneSignal/onesignal-cursor-plugin

OAuth Roadmap

The OneSignal MCP service has an OAuth route at:

https://mcp.onesignal.com/mcp/oauth

Do not switch this plugin to OAuth until the Cursor OAuth flow has been tested end to end with the hosted route and OneSignal auth proxy. The likely future shape is a plugin update that changes mcp.json to use the OAuth route and Cursor MCP auth configuration.