Skill

role-backend:auth-implementation

Implements backend auth/authorization: JWT tokens, sessions, OAuth2/OIDC flows, RBAC/ABAC, API keys, multi-tenancy isolation, SSO/SAML. For login flows, endpoint protection, permissions.

JWT

Oauth

authentication

security

npx claudepluginhub rnavarych/alpha-engineer --plugin role-backend

Popularity

Parent stars

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/role-backend:auth-implementation

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadGrepGlobBash

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- Building login, logout, and token refresh flows

Supporting Files

references/jwt-sessions-oauth.mdreferences/rbac-apikeys-multitenancy-sso.md

SKILL.md

33 lines · ~504 tokens

Similar Skills

auth-patterns

Provides authentication patterns for JWT with rotation/revocation, OAuth/OIDC with PKCE, Redis sessions with CSRF protection, multi-tenant auth, RBAC/ABAC, and data isolation best practices.

5 files4 tools

billy-milligan

auth-implementation-patterns

Implements auth patterns like JWT, OAuth2, sessions, and RBAC for securing APIs. Use for user auth, API protection, social login, or debugging security issues.

developer-essentials

building-api-authentication

2.2k

Builds secure API authentication with JWT tokens, OAuth2 flows, API keys, and sessions. Implements validation, refresh rotation, RBAC, and brute-force protection for API endpoints.

3 files6 tools

api-authentication-builder

Stats

LanguageShell

Parent stars13

Parent forks1

MaintenanceGood

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Auth Implementation

When to use

Building login, logout, and token refresh flows

Choosing between JWT and server-side sessions

Implementing OAuth2 authorization code flow with PKCE for SPAs or mobile

Setting up RBAC or ABAC permission enforcement on API endpoints

Managing API keys with hashing, rotation, and scoping

Enforcing tenant isolation in a multi-tenant system

Integrating enterprise SSO (SAML 2.0, OIDC) with JIT provisioning

Core principles

Tokens contain minimal claims — sub, roles, tenant only; nothing sensitive in JWT payload

Rotate refresh tokens on every use — reuse of an invalidated token signals theft; revoke the family

Enforce server-side at every layer — middleware, service, and data layer; frontend checks are UX only

Hash everything at rest — API keys, refresh tokens; never store plaintext secrets

Deprecated flows stay deprecated — Implicit and ROPC are gone; PKCE is the only option for public clients

Reference Files

references/jwt-sessions-oauth.md — JWT structure and token validation checklist, refresh token rotation rules, server-side session cookie flags, OAuth2 flow selection table, Authorization Code + PKCE implementation steps, and OIDC identity verification

references/rbac-apikeys-multitenancy-sso.md — RBAC role/permission model, ABAC with policy engines (Casbin, OPA, Cedar), enforcement point hierarchy, API key generation and hashing, multi-tenancy query isolation, and SSO integration (SAML 2.0, OIDC, JIT provisioning)

Auth Implementation

When to use

Building login, logout, and token refresh flows
Choosing between JWT and server-side sessions
Implementing OAuth2 authorization code flow with PKCE for SPAs or mobile
Setting up RBAC or ABAC permission enforcement on API endpoints
Managing API keys with hashing, rotation, and scoping
Enforcing tenant isolation in a multi-tenant system
Integrating enterprise SSO (SAML 2.0, OIDC) with JIT provisioning

Core principles

Tokens contain minimal claims — sub, roles, tenant only; nothing sensitive in JWT payload
Rotate refresh tokens on every use — reuse of an invalidated token signals theft; revoke the family
Enforce server-side at every layer — middleware, service, and data layer; frontend checks are UX only
Hash everything at rest — API keys, refresh tokens; never store plaintext secrets
Deprecated flows stay deprecated — Implicit and ROPC are gone; PKCE is the only option for public clients

Reference Files

references/jwt-sessions-oauth.md — JWT structure and token validation checklist, refresh token rotation rules, server-side session cookie flags, OAuth2 flow selection table, Authorization Code + PKCE implementation steps, and OIDC identity verification
references/rbac-apikeys-multitenancy-sso.md — RBAC role/permission model, ABAC with policy engines (Casbin, OPA, Cedar), enforcement point hierarchy, API key generation and hashing, multi-tenancy query isolation, and SSO integration (SAML 2.0, OIDC, JIT provisioning)

role-backend:auth-implementation

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

role-backend:auth-implementation

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Auth Implementation

When to use

Core principles

Reference Files

Similar Skills

Help us improve

Auth Implementation

When to use

Core principles

Reference Files