This guide shows how to set up the GitLab Code Review Agent as a GitLab OAuth application that users can easily install and configure.
- Go to GitLab.com → User Settings → Applications
- Create a new application with:
- Name:
Code Review Agent - Redirect URI:
https://your-domain.com/gitlab/callback - Scopes:
api(full API access for webhook management and code review) - Trusted: Check this box for seamless authorization
- Name:
- Save the Application ID and Secret
# Server Configuration
APP_BASE_URL=https://your-id.ngrok-free.app
SERVER_PORT=5052
SERVER_DEBUG=true
# GitLab OAuth Configuration
GITLAB_BASE_URL=https://gitlab.com
GITLAB_CLIENT_ID=your_gitlab_app_client_id
GITLAB_CLIENT_SECRET=your_gitlab_app_client_secret
GITLAB_REDIRECT_URI=https://your-id.ngrok-free.app/gitlab/callback
# Amp & MCP Configuration
AMP_SERVER_URL=https://ampcode.com
AMP_TIMEOUT=300
MCP_AUTH_TOKEN=your_mcp_secret
CRA_PUBLIC_URL=https://your-id.ngrok-free.app
# Optional: Personal Access Token (for webhook-only mode)
GITLAB_TOKEN=your_gitlab_patOption A: Docker (Recommended)
docker build -t gitlab-cra .
docker run -p 5052:5052 --env-file .env gitlab-craOption B: Docker Compose
docker-compose up -dOption C: Railway/Heroku
git push railway main
# or
git push heroku mainOption D: VPS/Server
npm install
npm run build
npm startUsers can now install your app by visiting:
https://your-domain.com/gitlab/install
- User clicks "Install App"
- Redirected to GitLab authorization
- User authorizes the app
- Redirected back with setup instructions
- User can auto-configure projects via web UI
- OAuth-based installation: Users authorize via GitLab OAuth flow
- Per-user token storage: Each installation has its own access/refresh tokens
- Automatic webhook configuration: Webhooks created via API during setup
- Multi-tenant support: Multiple users and organizations supported
- Token refresh: Automatic refresh token handling for expired tokens
- Webhook-only mode: Still supports traditional personal access token setup
- Dual operation: Both OAuth and webhook modes can run simultaneously
- Gradual migration: Existing webhook users can migrate at their own pace
✅ OAuth 2.0 Integration - Secure token-based authentication
✅ Multi-tenant - Supports multiple GitLab users/organizations
✅ Automatic Setup - Web UI for easy project configuration
✅ Token Management - Handles token refresh automatically
✅ Backward Compatible - Still works with personal access tokens
GET /gitlab/install- Start OAuth installation flowGET /gitlab/callback- Handle OAuth authorization callbackGET /gitlab/setup/:installationId- Project configuration page (HTML form)POST /gitlab/setup- Process project setup and create webhooks
POST /gitlab/webhook- Multi-tenant webhook receiverGET /queue/status- Review queue status and metricsGET /jobs/:jobId- Individual review job status
GET /mcp/health- MCP service health checkGET /mcp/tools/list- List available review tools (get_mr_info, leave_general_comment, leave_inline_comment, post_commit_status, trigger_review, get_mr_comments)POST /mcp/tools/call- Execute review toolsPOST /mcp/- JSON-RPC protocol endpoint
Installations are stored in JSON format:
{
"id": "uuid",
"gitlabUserId": 12345,
"gitlabUsername": "user",
"accessToken": "oauth_token",
"refreshToken": "refresh_token",
"scopes": ["api"],
"installedAt": "2025-01-01T00:00:00Z",
"webhookId": 67890,
"projectId": 123
}- Database: Replace file-based storage with PostgreSQL/MySQL for installations
- Redis: Use Redis for job queue and session management
- HTTPS: Always use HTTPS in production (required for OAuth)
- Load Balancing: Use reverse proxy (nginx/cloudflare) for high availability
- Rate Limiting: Implement rate limiting for webhook and OAuth endpoints
- Monitoring: Add health checks, metrics, and alerting (
/health,/queue/status,/mcp/health) - Logging: Structured logging with log aggregation
- Secrets Management: Use environment-specific secret management (MCP_AUTH_TOKEN, OAuth secrets)
- Queue Scaling: Scale review workers based on queue depth (max 20 workers, 100 queue size)
- Token Refresh: Implement robust token refresh and retry logic
To submit to GitLab marketplace:
-
Prepare Assets:
- App icon (512x512 PNG)
- Screenshots
- Description and documentation
-
Create Listing:
- Go to GitLab Partner Portal
- Submit application for review
- Provide OAuth app details
-
Review Process:
- GitLab reviews security and functionality
- May require additional documentation
- Approval typically takes 2-4 weeks
Phase 1: Parallel Operation
- Deploy OAuth app alongside existing webhook service
- Both modes supported simultaneously
- No disruption to existing users
Phase 2: User Communication
- Notify users about OAuth app benefits
- Provide migration documentation
- Offer migration assistance
Phase 3: Gradual Migration
- Users migrate at their own pace
- Support both modes indefinitely
- Monitor adoption metrics
- ✅ Easier Setup: One-click installation vs manual webhook configuration
- ✅ Better Security: OAuth tokens vs long-lived personal access tokens
- ✅ Auto-Updates: Webhooks managed automatically
- ✅ Multi-Project: Easy setup across multiple projects
"Installation not found"
- User needs to complete OAuth flow first
- Check installation storage and file permissions
- Verify
APP_BASE_URLmatches deployment URL
"OAuth error"
- Verify redirect URI matches exactly (
https://your-domain.com/gitlab/callback) - Check client ID/secret configuration
- Ensure HTTPS is enabled in production
"Webhook creation failed"
- Verify user has Maintainer/Owner permissions on the project
- Check project ID is correct and accessible
- Ensure GitLab API is reachable from deployment
"Review not triggered"
- Check webhook events include "Merge request events"
- Verify webhook URL is accessible from GitLab
- Check server logs for webhook delivery errors
"MCP tools not working"
- Verify
MCP_AUTH_TOKENis set and matches client - Check
CRA_PUBLIC_URLis accessible externally - Test
/mcp/healthendpoint directly