JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x.
Install with Tessl CLI
npx tessl i github:giuseppe-trisciuoglio/developer-kit --skill spring-boot-security-jwt
Overall score
66%
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Validation for skill structure
Discovery
83%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly communicates capabilities with excellent trigger term coverage for the Spring Boot/JWT authentication domain. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The specificity of version numbers and technology stack provides excellent distinctiveness.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when implementing JWT auth in Spring Boot, securing REST APIs, or setting up role-based access control with Spring Security.'
Consider adding common user phrasings like 'secure API', 'login system', or 'protect endpoints' to capture more natural language triggers.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'token generation with JJWT', 'Bearer/cookie authentication', 'database/OAuth2 integration', and 'RBAC/permission-based access control'. Uses third person voice appropriately. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with a comprehensive capability listing, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The "when" is only implied through the technical domain. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'JWT', 'authentication', 'authorization', 'Spring Boot', 'token', 'Bearer', 'cookie', 'OAuth2', 'RBAC', 'permission', 'Spring Security'. These are terms developers naturally use when seeking help with auth. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly specific niche combining JWT + Spring Boot 3.5.x + Spring Security 6.x + specific auth patterns. Version numbers and technology stack create clear boundaries that distinguish it from generic auth or other framework skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides comprehensive, production-ready JWT implementation code for Spring Boot 3.5.x with excellent actionability. However, it suffers from severe verbosity with duplicated configurations, unnecessary explanations, and a monolithic structure that should be split across reference files. The workflow lacks explicit validation checkpoints for a security-critical implementation.
Suggestions
Remove duplicate SecurityConfig implementations and consolidate into a single, canonical example
Move detailed implementations (entities, permission evaluators, testing code) to reference files, keeping SKILL.md under 200 lines as an overview
Add explicit validation checkpoints: 'Verify token generation works before proceeding to filter implementation', 'Test authentication endpoint before adding authorization'
Remove explanatory text Claude already knows (e.g., 'JWT authentication enables stateless, scalable security') and trust Claude's competence
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 700+ lines with significant redundancy (SecurityConfig appears twice with slight variations, CORS configuration duplicated). Includes unnecessary explanations Claude already knows (what JWT is, what HTTPS is) and extensive boilerplate that could be condensed. | 1 / 3 |
| Actionability | Provides fully executable, copy-paste ready code examples throughout, including complete Maven/Gradle dependencies, configuration files, service implementations, controllers, entities, and tests. All code is concrete and production-ready. | 3 / 3 |
| Workflow Clarity | The Quick Start section provides numbered steps but lacks explicit validation checkpoints. No feedback loops for error recovery when JWT validation fails or when the security configuration is incorrect. Missing verification steps after implementing each component. | 2 / 3 |
| Progressive Disclosure | References external files (references/jwt-complete-configuration.md, etc.) but the main document is monolithic with 700+ lines of inline content. Much of the detailed implementation code (entities, permission evaluators, testing) could be moved to reference files, keeping SKILL.md as a concise overview. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
56%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (1014 lines); consider splitting into references/ and linking | Warning |
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 9 / 16 Passed |