Implement JWT-based authentication with access + refresh token pairs, token rotation, middleware/guard pattern, payload structure, expiration handling, httpOnly cookies vs Authorization header, and revocation strategies.
Optimize this skill with Tessl:

```
npx tessl skill review --optimize ./auth/jwt-auth-skill/SKILL.md
```

Quality
Discovery
67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at specificity with a comprehensive list of JWT authentication implementation details, making it highly distinctive. However, it lacks explicit trigger guidance ('Use when...') which is critical for skill selection, and could benefit from more natural user-facing keywords beyond technical jargon.
Suggestions
Add a 'Use when...' clause with trigger scenarios like 'Use when implementing user authentication, login systems, API security, or when the user mentions JWT, tokens, or session management'
Include common user-facing variations like 'auth', 'login', 'secure API', 'bearer token', 'session tokens' to improve trigger term coverage
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: JWT-based authentication, access + refresh token pairs, token rotation, middleware/guard pattern, payload structure, expiration handling, httpOnly cookies vs Authorization header, and revocation strategies. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with comprehensive implementation details, but lacks an explicit 'Use when...' clause or equivalent trigger guidance to indicate when Claude should select this skill. | 2 / 3 |
| Trigger Term Quality | Contains good technical terms like 'JWT', 'authentication', 'access token', 'refresh token', 'httpOnly cookies', 'Authorization header' that developers would use, but is missing common variations like 'auth', 'login', 'session management', 'bearer token', or 'secure authentication'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Very specific niche focused on JWT authentication with detailed implementation aspects; unlikely to conflict with general auth skills or other security-related skills due to the specific JWT focus and detailed scope. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable JWT authentication skill with comprehensive, executable code examples covering both Node.js and Python implementations. The main weaknesses are the monolithic structure that could benefit from progressive disclosure into separate files, and the lack of explicit implementation workflows with validation checkpoints for developers setting up auth from scratch.
Suggestions
Add an explicit step-by-step implementation workflow at the top (e.g., '1. Set up secrets → 2. Implement JWT utils → 3. Create auth service → 4. Add middleware → 5. Test with curl commands') with validation checkpoints
Split the Python/FastAPI variant into a separate PYTHON.md file and link to it from the main skill
Add explicit validation steps for common failure modes (e.g., 'Verify your JWT_ACCESS_SECRET is set before starting the server')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with good code examples, but includes some unnecessary explanations (e.g., explaining what httpOnly cookies are, basic OAuth2 context) and could be tightened in places like the Integration Notes section. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste ready code for both Node.js/Express and Python/FastAPI. Includes complete implementations for token generation, verification, middleware, guards, and controllers with proper imports and types. | 3 / 3 |
| Workflow Clarity | The skill presents components clearly but lacks explicit validation checkpoints and feedback loops. For example, there is no step-by-step workflow for implementing auth from scratch, and the refresh token cleanup is mentioned as a comment rather than an explicit validation step. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections, but it is a monolithic file with ~300 lines of code that could benefit from splitting into separate reference files (e.g., PYTHON.md, TESTING.md). References to other skills (oauth2-skill) are mentioned but not linked. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |