Skill

role-backend:auth-implementation

Implements authentication and authorization systems including JWT token management, session handling, OAuth2 flows, OpenID Connect, RBAC/ABAC enforcement, API key management, multi-tenancy auth isolation, SSO integration, and refresh token rotation. Use when building login flows, protecting endpoints, implementing permissions, or integrating identity providers.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin role-backend

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- Building login, logout, and token refresh flows

Supporting Assets

references/jwt-sessions-oauth.mdreferences/rbac-apikeys-multitenancy-sso.md

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

ecc-tools-cost-audit

Audits ECC Tools repo for cost burns from runaway PR creation, quota bypasses, premium-model leakage, duplicate jobs, and GitHub App spikes.

everything-claude-code

156.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

role-backend:auth-implementation

When to use

Building login, logout, and token refresh flows

Choosing between JWT and server-side sessions

Implementing OAuth2 authorization code flow with PKCE for SPAs or mobile

Setting up RBAC or ABAC permission enforcement on API endpoints

Managing API keys with hashing, rotation, and scoping

Enforcing tenant isolation in a multi-tenant system

Integrating enterprise SSO (SAML 2.0, OIDC) with JIT provisioning

Core principles

Tokens contain minimal claims — sub, roles, tenant only; nothing sensitive in JWT payload

Rotate refresh tokens on every use — reuse of an invalidated token signals theft; revoke the family

Enforce server-side at every layer — middleware, service, and data layer; frontend checks are UX only

Hash everything at rest — API keys, refresh tokens; never store plaintext secrets

Deprecated flows stay deprecated — Implicit and ROPC are gone; PKCE is the only option for public clients

Reference Files

references/jwt-sessions-oauth.md — JWT structure and token validation checklist, refresh token rotation rules, server-side session cookie flags, OAuth2 flow selection table, Authorization Code + PKCE implementation steps, and OIDC identity verification

references/rbac-apikeys-multitenancy-sso.md — RBAC role/permission model, ABAC with policy engines (Casbin, OPA, Cedar), enforcement point hierarchy, API key generation and hashing, multi-tenancy query isolation, and SSO integration (SAML 2.0, OIDC, JIT provisioning)

Auth Implementation

When to use

Building login, logout, and token refresh flows
Choosing between JWT and server-side sessions
Implementing OAuth2 authorization code flow with PKCE for SPAs or mobile
Setting up RBAC or ABAC permission enforcement on API endpoints
Managing API keys with hashing, rotation, and scoping
Enforcing tenant isolation in a multi-tenant system
Integrating enterprise SSO (SAML 2.0, OIDC) with JIT provisioning

Core principles

Tokens contain minimal claims — sub, roles, tenant only; nothing sensitive in JWT payload
Rotate refresh tokens on every use — reuse of an invalidated token signals theft; revoke the family
Enforce server-side at every layer — middleware, service, and data layer; frontend checks are UX only
Hash everything at rest — API keys, refresh tokens; never store plaintext secrets
Deprecated flows stay deprecated — Implicit and ROPC are gone; PKCE is the only option for public clients

Reference Files

references/jwt-sessions-oauth.md — JWT structure and token validation checklist, refresh token rotation rules, server-side session cookie flags, OAuth2 flow selection table, Authorization Code + PKCE implementation steps, and OIDC identity verification
references/rbac-apikeys-multitenancy-sso.md — RBAC role/permission model, ABAC with policy engines (Casbin, OPA, Cedar), enforcement point hierarchy, API key generation and hashing, multi-tenancy query isolation, and SSO integration (SAML 2.0, OIDC, JIT provisioning)