Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
Score: 83
Does it follow best practices? 75%
Impact: 100% (1.19x average score across 3 eval scenarios)
Passed: no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly identifies its domain (authentication and authorization), lists specific technologies and patterns (JWT, OAuth2, session management, RBAC), and provides explicit trigger guidance via a 'Use when' clause. The only minor weakness is the word 'Master' at the beginning, which is slightly informal/imperative rather than third-person declarative, but the rest of the description uses appropriate voice.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and technologies: JWT, OAuth2, session management, RBAC, securing APIs, debugging security issues, and building access control systems. | 3 / 3 |
| Completeness | Clearly answers both what ('authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems') and when ('Use when implementing auth systems, securing APIs, or debugging security issues'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'authentication', 'authorization', 'JWT', 'OAuth2', 'session management', 'RBAC', 'auth systems', 'securing APIs', 'security issues'. These cover common variations of how users discuss auth-related tasks. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche around authentication/authorization with specific technologies (JWT, OAuth2, RBAC). While 'securing APIs' could overlap with a general API security skill, the auth-specific focus makes it distinctly identifiable. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides excellent, executable code examples covering a comprehensive range of auth patterns, which is its primary strength. However, it is severely bloated — explaining fundamental concepts Claude already knows, including generic best-practices lists, and inlining hundreds of lines of code that should be in referenced files. The content would be significantly more effective at half its current length with better progressive disclosure.
Suggestions

- Remove the 'Core Concepts' section entirely and trim 'Best Practices' and 'Common Pitfalls' to only non-obvious, project-specific guidance; Claude already knows what AuthN vs AuthZ means and that passwords should be hashed.
- Move detailed code patterns into separate reference files (e.g., references/jwt-pattern.md, references/session-pattern.md) and keep SKILL.md as a concise overview with brief descriptions and links to each pattern.
- Add an implementation workflow section with sequencing (e.g., '1. Choose auth strategy → 2. Implement basic auth → 3. Add token refresh → 4. Test auth flow → 5. Add authorization') with explicit validation checkpoints at each step.
- Remove explanatory comments in code that state the obvious (e.g., '// Short-lived', '// Long-lived', '// Only admins can delete users') to reduce token usage.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines. Explains basic concepts Claude already knows (AuthN vs AuthZ definitions, what sessions are, what OAuth is). The 'Core Concepts' section is entirely unnecessary. Best practices and common pitfalls lists are generic knowledge Claude possesses. Much of this could be cut by 60%+ without losing actionable value. | 1 / 3 |
| Actionability | The code examples are fully executable TypeScript with proper imports, type definitions, and complete implementations. Patterns cover JWT generation/verification, refresh token flows, session management, OAuth2 with Passport.js, RBAC, permission-based access, and password hashing, all copy-paste ready. | 3 / 3 |
| Workflow Clarity | Individual patterns are clear and well-structured, but there is no overarching workflow for implementing an auth system end-to-end. No validation checkpoints (e.g., 'test your JWT flow before adding refresh tokens'), no sequencing guidance for which patterns to implement first, and no error recovery feedback loops for the overall implementation process. | 2 / 3 |
| Progressive Disclosure | References to external files are listed at the bottom (references/jwt-best-practices.md, scripts/token-validator.ts, etc.), which is good. However, the main file is monolithic: all patterns are inlined rather than having SKILL.md serve as an overview pointing to detailed pattern files. The massive code blocks for each pattern should be in separate reference files. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (648 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |