Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

api-authentication | api-authentication

Skill

api-authentication

From api-authentication

Implements secure API authentication with JWT middleware in Node.js, OAuth 2.0, API keys; includes Flask refs, security headers, and pitfalls. For auth systems and token issues.

$

npx claudepluginhub secondsky/claude-skills --plugin api-authentication

Popularity

Parent stars

149

Parent forks

23

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/api-authentication:api-authentication

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Implement secure authentication mechanisms for APIs using modern standards and best practices.

Supporting Files

references/python-flask.md

SKILL.md

99 lines · ~666 tokens

Similar Skills

building-api-authentication

2.2k

Builds secure API authentication with JWT tokens, OAuth2 flows, API keys, and sessions. Implements validation, refresh rotation, RBAC, and brute-force protection for API endpoints.

3 files6 tools

api-authentication-builder

auth-and-api-keys

12

Designs API authentication with prefixed keys (e.g., Stripe sk_live_), OAuth 2.0 flows, JWT tokens, Bearer auth, key rotation, and permission scoping.

2 files

api-design-principles

api-security

67

Guides API authentication, authorization, and security patterns including OAuth 2.0 flows with PKCE, OIDC, JWT, API keys, rate limiting, and common vulnerabilities.

3 tools

Stats

LanguageTypeScript

Parent stars149

Parent forks23

MaintenanceGood

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

api-authentication

auth-middleware

security-headers

Help us improve

Share bugs, ideas, or general feedback.

API Authentication

Implement secure authentication mechanisms for APIs using modern standards and best practices.

Authentication Methods

Method	Use Case	Security Level
JWT	Stateless auth, SPAs	High
OAuth 2.0	Third-party integration	High
API Keys	Service-to-service	Medium
Session	Traditional web apps	High

JWT Implementation (Node.js)

const jwt = require('jsonwebtoken');

const generateTokens = (user) => ({
  accessToken: jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' }
  ),
  refreshToken: jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  )
});

const authMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;

  // Validate authorization header format
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const parts = authHeader.split(' ');
  if (parts.length !== 2) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const token = parts[1];
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }

  try {
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch (err) {
    res.status(401).json({ error: 'Invalid token' });
  }
};

Security Requirements

Always use HTTPS
Store tokens in HttpOnly cookies (not localStorage)
Hash passwords with bcrypt (cost factor 12+)
Implement rate limiting on auth endpoints
Rotate secrets regularly
Never transmit tokens in URLs

Security Headers

app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
});

Additional Implementations

See references/python-flask.md for:

Flask JWT with role-based access control decorators
OAuth 2.0 Google integration with Authlib
API key authentication with secure hashing

Common Mistakes to Avoid

Storing plain-text passwords
Using weak JWT secrets
Ignoring token expiration
Disabling HTTPS in production
Logging sensitive tokens