
auth-implementation-patterns

Badges: Safe · Network access · External commands · Env variables

Implement secure authentication patterns

You need clear guidance for secure authentication and authorization choices. This skill provides proven patterns and examples you can adapt quickly for JWT, OAuth2, and session management.

Supports: Claude Code (CC), Codex
Score: 69 (Adequate)
Installation:

  1. Download the skill ZIP
  2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill
  3. Toggle on and start using

Test it

Using "auth-implementation-patterns". Design a secure JWT auth flow with refresh tokens for a REST API.

Expected outcome:

  • Use short-lived access tokens and long-lived refresh tokens stored hashed in the database
  • Verify refresh tokens on each rotation and revoke on logout
  • Attach user claims to the request after verification
  • Return 401 on expired or invalid tokens with clear error messages

Using "auth-implementation-patterns". How do I add Google OAuth2 login to my Express app?

Expected outcome:

  • Configure Passport Google Strategy with client ID and secret from environment variables
  • Set up callback URL to handle the OAuth redirect and generate JWT tokens
  • Store or find the user by Google ID, creating a new user if not found
  • Redirect to frontend with access token attached

Security Audit

Status: Safe (audit v4, 1/17/2026)

Pure documentation skill containing authentication code examples. All code is illustrative TypeScript demonstrating secure patterns (bcrypt with 12 rounds, JWT, proper cookie flags). No executable code, shell commands, network calls, or file system access beyond reading its own files. Static findings are false positives triggered by markdown code block backticks, environment variable references in examples, and security library mentions. The previous audit correctly identified this as safe.

Files scanned: 2
Lines analyzed: 810
Findings: 3
Total audits: 4
Audited by: claude

Quality Score

Architecture: 38
Maintainability: 100
Content: 85
Community: 20
Security: 100
Spec Compliance: 87

What You Can Build

Secure an API

Choose and implement JWT or session auth with proper middleware and token handling.

Add social login

Integrate OAuth2 flows and redirect handling with clear examples.

Audit auth design

Check role and permission enforcement patterns against common pitfalls.

Try These Prompts

  • Pick an auth approach: Recommend session or JWT auth for a small SaaS app. Include tradeoffs and a suggested default.
  • Design refresh tokens: Provide a safe refresh token flow and storage guidance for a Node API.
  • Add RBAC: Draft RBAC middleware and role hierarchy for users, moderators, and admins.
  • Harden login security: List concrete steps to secure login, including rate limiting and password policy.

Best Practices

  • Keep access tokens short-lived and rotate refresh tokens with secure storage
  • Enforce strong password policies with bcrypt or argon2 hashing
  • Apply rate limits on authentication endpoints to prevent brute force attacks

Avoid

  • Storing JWTs in localStorage without XSS protections
  • Skipping token expiration or refresh token rotation
  • Authorizing requests only on the client side without server validation

Frequently Asked Questions

Is this skill compatible with Node and Express apps?
Yes, examples target Node and Express patterns, but concepts map to other stacks.
What are the limits of the examples?
They are illustrative snippets and not a complete application or framework.
Can I integrate this with existing auth providers?
Yes, the OAuth2 section shows provider-based flows you can adapt.
Does this skill collect or store user data?
No, it is documentation only and does not execute or transmit data.
What should I check if tokens are rejected?
Verify secrets match, token expiry, clock skew, and middleware parsing logic.
How does this compare to a full auth library?
It explains patterns and tradeoffs, while libraries provide ready-to-use implementations.