
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

94 | 1.40x

Quality: 95% (Does it follow best practices?)
Impact: 93% (1.40x; average score across 5 eval scenarios)
Security by Snyk: Passed (No known issues)


Evaluation results

Secure an Internal API with JWT Bearer Token Verification (95%, 17%)

| Criteria                  | Without context | With context |
|---------------------------|-----------------|--------------|
| exp claim validated       | 100%            | 100%         |
| iss claim validated       | 100%            | 100%         |
| aud claim validated       | 100%            | 100%         |
| sub claim present         | 62%             | 100%         |
| 401 on validation failure | 100%            | 100%         |
| Structured error response | 100%            | 100%         |
| Asymmetric algorithm only | 100%            | 100%         |
| jwtVerify called          | 30%             | 50%          |
| onRequest hook applied    | 100%            | 100%         |
| token_expired error code  | 0%              | 100%         |

Migrate a Legacy OAuth Integration to Modern Standards (90%, -2%)

| Criteria                     | Without context | With context |
|------------------------------|-----------------|--------------|
| Implicit flow removed        | 100%            | 100%         |
| Authorization code flow used | 100%            | 100%         |
| PKCE enabled                 | 100%            | 100%         |
| localStorage eliminated      | 100%            | 100%         |
| HttpOnly cookie              | 100%            | 100%         |
| Secure cookie                | 100%            | 75%          |
| SameSite=Strict cookie       | 0%              | 0%           |
| HS256 eliminated             | 100%            | 100%         |
| Asymmetric algorithm         | 100%            | 100%         |
| Security notes present       | 100%            | 100%         |

Add OAuth Login to a Fastify Web App (100%, 39%)

| Criteria                               | Without context | With context |
|----------------------------------------|-----------------|--------------|
| Correct OAuth package                  | 0%              | 100%         |
| fastify-plugin wrapper                 | 100%            | 100%         |
| PKCE method S256                       | 50%             | 100%         |
| State generation with randomUUID       | 0%              | 100%         |
| State stored in session                | 100%            | 100%         |
| State validation in checkStateFunction | 50%             | 100%         |
| HTTPS-only callbackUri                 | 100%            | 100%         |
| Credentials from env vars              | 100%            | 100%         |
| Correct token exchange method          | 0%              | 100%         |
| No raw token logging                   | 100%            | 100%         |
| Session and cookie packages            | 100%            | 100%         |

Implement Token Refresh and Persistent Session Management (96%, 10%)

| Criteria                         | Without context | With context |
|----------------------------------|-----------------|--------------|
| Correct refresh method           | 0%              | 71%          |
| Refresh token replaced           | 100%            | 100%         |
| Null refresh token fallback      | 100%            | 100%         |
| Tokens stored in session         | 100%            | 100%         |
| HttpOnly cookie attribute        | 100%            | 100%         |
| Secure cookie attribute          | 100%            | 100%         |
| SameSite=Strict cookie attribute | 100%            | 100%         |
| No localStorage usage            | 100%            | 100%         |

Build a Secure Internal Token Issuance Service (83%, 3%)

| Criteria                           | Without context | With context |
|------------------------------------|-----------------|--------------|
| @fastify/oauth2 used               | 0%              | 25%          |
| fastify-plugin wrapper             | 100%            | 100%         |
| Rate limiting on token route       | 100%            | 100%         |
| HTTPS enforcement                  | 100%            | 100%         |
| HTTPS-only redirect URI            | 100%            | 70%          |
| Credentials from env vars          | 100%            | 100%         |
| No implicit flow                   | 100%            | 100%         |
| JWT claim validation               | 0%              | 33%          |
| Rate limit package in dependencies | 100%            | 100%         |

Evaluated with agent: codex; model: gpt-5-codex
