From prodsec-skills
Enforce secure token validation and storage in MCP servers. Use when implementing or reviewing token handling, JWT validation, or token storage in MCP servers.
How this skill is triggered — by the user, by Claude, or both
Slash command
/prodsec-skills:secure-token-handlingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
MCP servers MUST implement best practices for token validation and secure token storage to prevent token-based attacks.
MCP servers MUST implement best practices for token validation and secure token storage to prevent token-based attacks.
Every incoming token MUST be validated for:
| Check | Details |
|---|---|
| Signature | Verify JWT signature against the IdP's JWKS; reject unsigned or weakly signed tokens |
Expiry (exp) | Reject expired tokens; do not allow clock skew greater than 30 seconds |
Audience (aud) | Must match the MCP server's audience identifier |
Issuer (iss) | Must match the trusted IdP issuer URL |
Not-before (nbf) | If present, reject tokens used before this time |
Token ID (jti) | Check against revocation list if token revocation is supported |
If the MCP server needs to store tokens (e.g., cached access tokens or refresh tokens for downstream services):
| Requirement | Details |
|---|---|
| Encrypt at rest | Tokens stored on disk or in databases must be encrypted |
| Memory-only when possible | Prefer in-memory token storage; avoid persisting to disk |
| Short-lived cache | Cache tokens only for the duration of their validity |
| No logging | Never log token values; log token metadata (jti, sub, exp) instead |
| Secure deletion | Clear tokens from memory when no longer needed |
# WRONG - logging the token
logger.info(f"Received token: {token}")
# WRONG - storing token in plaintext file
with open("tokens.txt", "a") as f:
f.write(token)
# CORRECT - log metadata only
logger.info(f"Token validated: sub={claims['sub']}, exp={claims['exp']}")
aud matches the MCP server's identifieriss matches the trusted IdPjti against revocation list if availablealg: none or weak signing algorithmsnpx claudepluginhub sidhpurwala-huzaifa/prodsec-skills2plugins reuse this skill
First indexed Jun 13, 2026
Enforce secure token validation and storage in MCP servers. Use when implementing or reviewing token handling, JWT validation, or token storage in MCP servers.
Validates JWT tokens and provides guidance on authentication patterns, secure coding practices, and vulnerability detection.
Implements JWT authentication with algorithm pinning, short expiry, and server-side validation to prevent token forgery and algorithm confusion attacks.