
building-api-authentication

Build secure API authentication systems with OAuth2, JWT, API keys, and session management. Use when implementing secure authentication flows. Trigger with phrases like "build authentication", "add API auth", or "secure the API".

64

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Content

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-organized, properly progressive-disclosed body that sequences the work clearly and offloads detail to real reference files. Its main weakness is actionability: specific guidance without executable code, and a workflow lacking inline validation feedback loops.

Suggestions

Add a short copy-paste-ready code snippet (e.g., a minimal JWT signing/verification example) in the body or a clearly linked Quick Start so the core flow is executable without opening references.

Insert an explicit validation checkpoint after implementing middleware and RBAC (e.g., 'verify token validation and role enforcement with the security tests before adding OAuth flows') to create a fix-retry feedback loop.

Trim the Overview and Examples sections to remove overlap with the Instructions and the description, improving token efficiency.

Dimension | Reasoning | Score
Conciseness | Mostly efficient with no concept explanations Claude already knows, but the Overview restates the description and the Examples section overlaps the Instructions, so it could be tightened. | 2 / 3
Actionability | Instructions give concrete technical details (RS256/HS256, 15-min expiry, 5 attempts/min) but contain no executable code — implementation is deferred to references, fitting the 'specific but incomplete' anchor. | 2 / 3
Workflow Clarity | Nine steps are clearly sequenced, but verification is a single terminal testing step (step 9) with no inline validation checkpoints or fix-retry feedback loops for credential-sensitive operations. | 2 / 3
Progressive Disclosure | The body is an overview with well-signaled, one-level-deep references to real files (implementation.md, errors.md, examples.md, all present), keeping detail appropriately split. | 3 / 3

Total: 9 / 12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that concisely states concrete capabilities, includes an explicit 'Use when' trigger, and supplies natural trigger phrases. It does not pad with buzzwords or over-claim.

Dimension | Reasoning | Score
Specificity | Names multiple concrete mechanisms — 'OAuth2, JWT, API keys, and session management' — rather than vague abstractions, matching the 'lists multiple specific concrete actions' anchor. | 3 / 3
Completeness | Explicitly answers both 'what' (build secure API auth systems with the listed mechanisms) and 'when' (an explicit 'Use when implementing secure authentication flows' clause plus trigger phrases). | 3 / 3
Trigger Term Quality | Provides natural phrases a user would actually say ('build authentication', 'add API auth', 'secure the API'), giving good coverage of common variations. | 3 / 3
Distinctiveness Conflict Risk | Targets a clear niche (API authentication) with distinct, specific triggers, making it unlikely to fire for unrelated skills. | 3 / 3

Total: 12 / 12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

Criteria | Description | Result
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning

Total: 14 / 16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
