Build secure API authentication systems with OAuth2, JWT, API keys, and session management. Use when implementing secure authentication flows. Trigger with phrases like "build authentication", "add API auth", or "secure the API".
71
66% Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed. No known issues.
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./plugins/api-development/api-authentication-builder/skills/building-api-authentication/SKILL.md`

Quality

Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a reasonably well-structured description that covers the 'what' and 'when' with explicit trigger phrases. Its main weakness is that the capability description stays at a high level ('build secure API authentication systems') without enumerating specific concrete actions like token generation, credential validation, or refresh token handling. The trigger terms are solid but the domain could be more sharply distinguished from general API security skills.
Suggestions
Add more specific concrete actions, e.g., 'Generate and validate JWT tokens, implement OAuth2 authorization code flows, manage API key rotation, handle session expiration and refresh tokens.'
Sharpen distinctiveness by clarifying boundaries, e.g., 'Does not cover general API security concerns like rate limiting, CORS, or input validation.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API authentication) and lists technologies (OAuth2, JWT, API keys, session management), but doesn't describe concrete actions beyond 'build'. It doesn't specify what building entails, e.g., generating tokens, validating credentials, refreshing sessions, managing scopes. | 2 / 3 |
| Completeness | Explicitly answers both 'what' (build secure API authentication systems with OAuth2, JWT, API keys, session management) and 'when' (implementing secure authentication flows, with explicit trigger phrases). The 'Use when' and 'Trigger with' clauses are present. | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms: 'build authentication', 'add API auth', 'secure the API', plus technology keywords like OAuth2, JWT, API keys, and session management. These cover terms users would naturally use when requesting this kind of work. | 3 / 3 |
| Distinctiveness Conflict Risk | While it focuses on API authentication specifically, terms like 'secure the API' could overlap with skills about API rate limiting, input validation, or general API security hardening. The OAuth2/JWT/API keys terms help narrow it, but 'secure authentication flows' is somewhat broad. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a comprehensive overview of API authentication implementation with good structural organization and error handling coverage. Its main weaknesses are the lack of executable code examples (relying entirely on prose descriptions of what to build) and missing validation checkpoints in a security-critical workflow. The referenced bundle files don't exist, undermining the progressive disclosure strategy.
Suggestions
Add executable code snippets for at least JWT token issuance, middleware setup, and refresh token rotation — these are the core operations and prose descriptions alone are insufficient for actionability.
Insert explicit validation checkpoints between steps, such as 'Verify token issuance works by decoding a test token before building middleware' and 'Run security tests after each auth mechanism is added.'
Create the referenced bundle files (implementation.md, errors.md, examples.md) or remove the references if they don't exist, as broken references reduce trust in the skill.
Trim the overview paragraph which largely duplicates the instruction steps, and remove explanatory asides Claude already knows (e.g., 'never store plaintext passwords').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is moderately efficient but includes some unnecessary verbosity. The overview restates what the instructions already cover, the prerequisites explain things Claude already knows (e.g., 'never store plaintext passwords'), and the examples section describes concepts at a high level rather than providing lean, executable guidance. However, it avoids the worst padding and stays reasonably focused. | 2 / 3 |
| Actionability | The instructions provide a clear sequence of what to build but lack executable code examples. Steps describe what to implement in prose rather than providing copy-paste ready code snippets. For a skill about building authentication, concrete code for JWT signing, middleware setup, and refresh rotation would significantly improve actionability. | 2 / 3 |
| Workflow Clarity | Steps are numbered and logically sequenced (examine existing setup → implement JWT → middleware → refresh → RBAC → API keys → OAuth → brute-force → tests). However, there are no explicit validation checkpoints between steps. For a security-critical workflow involving cryptographic operations and database changes, the absence of verification steps (e.g., 'test token issuance before proceeding to middleware') is a notable gap. | 2 / 3 |
| Progressive Disclosure | The skill references external files (implementation.md, errors.md, examples.md) for deeper content, which is good structure. However, no bundle files are provided, meaning these references point to non-existent files. The main SKILL.md also includes substantial inline content (error table, examples, full output listing) that could be better balanced with the referenced files if they existed. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
3a2d27d