jwt-auth-skill

Implement JWT-based authentication with access + refresh token pairs, token rotation, middleware/guard pattern, payload structure, expiration handling, httpOnly cookies vs Authorization header, and revocation strategies.

Quality

66%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./auth/jwt-auth-skill/SKILL.md

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable JWT authentication skill with comprehensive, executable code examples covering both Node.js and Python implementations. The main weaknesses are the monolithic structure that could benefit from progressive disclosure into separate files, and the lack of explicit implementation workflows with validation checkpoints for developers setting up auth from scratch.

Suggestions

Add an explicit step-by-step implementation workflow at the top (e.g., '1. Set up secrets → 2. Implement JWT utils → 3. Create auth service → 4. Add middleware → 5. Test with curl commands') with validation checkpoints

Split the Python/FastAPI variant into a separate PYTHON.md file and link to it from the main skill

Add explicit validation steps for common failure modes (e.g., 'Verify your JWT_ACCESS_SECRET is set before starting the server')

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient with good code examples, but includes some unnecessary explanations (e.g., explaining what httpOnly cookies are, basic OAuth2 context) and could be tightened in places like the Integration Notes section.	2 / 3
Actionability	Provides fully executable, copy-paste ready code for both Node.js/Express and Python/FastAPI. Includes complete implementations for token generation, verification, middleware, guards, and controllers with proper imports and types.	3 / 3
Workflow Clarity	The skill presents components clearly but lacks explicit validation checkpoints and feedback loops. For example, there's no step-by-step workflow for implementing auth from scratch, and the refresh token cleanup is mentioned as a comment rather than an explicit validation step.	2 / 3
Progressive Disclosure	Content is well-organized with clear sections, but it's a monolithic file with ~300 lines of code that could benefit from splitting into separate reference files (e.g., PYTHON.md, TESTING.md). References to other skills (oauth2-skill) are mentioned but not linked.	2 / 3
	Total	9 / 12 Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description excels at specificity with a comprehensive list of JWT authentication implementation details, making it highly distinctive. However, it lacks explicit trigger guidance ('Use when...') which is critical for skill selection, and could benefit from more natural user-facing keywords beyond technical jargon.

Suggestions

Add a 'Use when...' clause with trigger scenarios like 'Use when implementing user authentication, login systems, API security, or when the user mentions JWT, tokens, or session management'

Include common user-facing variations like 'auth', 'login', 'secure API', 'bearer token', 'session tokens' to improve trigger term coverage

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: JWT-based authentication, access + refresh token pairs, token rotation, middleware/guard pattern, payload structure, expiration handling, httpOnly cookies vs Authorization header, and revocation strategies.	3 / 3
Completeness	Clearly answers 'what does this do' with comprehensive implementation details, but lacks an explicit 'Use when...' clause or equivalent trigger guidance to indicate when Claude should select this skill.	2 / 3
Trigger Term Quality	Contains good technical terms like 'JWT', 'authentication', 'access token', 'refresh token', 'httpOnly cookies', 'Authorization header' that developers would use, but missing common variations like 'auth', 'login', 'session management', 'bearer token', or 'secure authentication'.	2 / 3
Distinctiveness Conflict Risk	Very specific niche focused on JWT authentication with detailed implementation aspects; unlikely to conflict with general auth skills or other security-related skills due to the specific JWT focus and detailed scope.	3 / 3
	Total	10 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: achreftlili/deep-dev-skills
Commit: 181fcbc

Reviewed: 4 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.