CtrlK
BlogDocsLog inGet started
Tessl Logo

mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

91

1.40x
Quality

90%

Does it follow best practices?

Impact

93%

1.40x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, actionable skill with well-sequenced steps, executable TypeScript code, and explicit validation checkpoints tied to RFC references. The security checklist and anti-patterns sections add high-value, dense information. Minor weaknesses include the redundant 'When to use' section and the lack of verifiable bundle files for the referenced advanced topics.

Suggestions

Remove or significantly trim the 'When to use' section since it largely duplicates the skill description in the frontmatter.

Provide the referenced bundle files (DEVICE_FLOW.md, TOKEN_VALIDATION.md, CLIENT_CREDENTIALS.md, MOBILE_OAUTH.md) or remove the references if they don't exist.

DimensionReasoningScore

Conciseness

The content is mostly efficient with executable code and useful tables, but includes some unnecessary elements like the 'When to use' section (which restates the skill description) and a few inline comments that explain things Claude already knows (e.g., 'never log the raw token'). The security checklist and anti-patterns sections are concise and valuable.

2 / 3

Actionability

Provides fully executable TypeScript code for each step — plugin registration, callback handling, JWT validation, route protection, and refresh token rotation. Code is copy-paste ready with real imports, types, and environment variable references. Specific npm install commands are included.

3 / 3

Workflow Clarity

The 6-step workflow is clearly sequenced from dependency installation through route protection and token rotation. Explicit validation checkpoints are called out (redirect URI matching, JWT claim verification). The security checklist serves as a final verification step with RFC references.

3 / 3

Progressive Disclosure

The 'Further implementation references' section cleanly points to four separate files for advanced topics (device flow, token validation, client credentials, mobile OAuth), which is good structure. However, no bundle files are provided, so these references are unverifiable. The main content is somewhat long (~150 lines of code+instructions) but the inline content is mostly justified for the primary auth code + PKCE flow.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope (OAuth in Fastify), lists specific concrete capabilities, and provides comprehensive trigger terms covering both setup and troubleshooting scenarios. The explicit 'Use when...' clause with diverse trigger terms ensures Claude can accurately select this skill. The description is detailed without being padded, and uses proper third-person voice throughout.

DimensionReasoningScore

Specificity

Lists multiple specific concrete actions: configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, token introspection/revocation endpoints. Very detailed and actionable.

3 / 3

Completeness

Clearly answers both 'what' (implements OAuth flows in Fastify with specific capabilities listed) and 'when' (explicit 'Use when...' clause covering setup scenarios and troubleshooting scenarios).

3 / 3

Trigger Term Quality

Excellent coverage of natural terms users would say: 'authentication', 'authorization', 'login flows', 'access tokens', 'API security', 'OAuth', 'PKCE', 'redirect URIs', 'CSRF issues', 'scope problems', plus specific RFC numbers. Covers both beginner and expert terminology.

3 / 3

Distinctiveness Conflict Risk

Highly distinctive — scoped specifically to OAuth 2.0/2.1 in Fastify applications, with specific protocol details and RFC references. Unlikely to conflict with general auth skills or non-Fastify web framework skills.

3 / 3

Total

12

/

12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation10 / 11 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_version

'metadata.version' is missing

Warning

Total

10

/

11

Passed

Reviewed

Table of Contents

DiscoveryImplementationValidation