api-authentication

Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.

Install with Tessl CLI

npx tessl i github:secondsky/claude-skills --skill api-authentication

What are skills?

Overall
score

92%

Review — 93%

Does it follow best practices?

Validation — 12 / 16 Passed

Validation for skill structure

SKILL.md

Review

Evals

API Authentication

Implement secure authentication mechanisms for APIs using modern standards and best practices.

Authentication Methods

Method	Use Case	Security Level
JWT	Stateless auth, SPAs	High
OAuth 2.0	Third-party integration	High
API Keys	Service-to-service	Medium
Session	Traditional web apps	High

JWT Implementation (Node.js)

const jwt = require('jsonwebtoken');

const generateTokens = (user) => ({
  accessToken: jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' }
  ),
  refreshToken: jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  )
});

const authMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;

  // Validate authorization header format
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const parts = authHeader.split(' ');
  if (parts.length !== 2) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const token = parts[1];
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }

  try {
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch (err) {
    res.status(401).json({ error: 'Invalid token' });
  }
};

Security Requirements

Always use HTTPS
Store tokens in HttpOnly cookies (not localStorage)
Hash passwords with bcrypt (cost factor 12+)
Implement rate limiting on auth endpoints
Rotate secrets regularly
Never transmit tokens in URLs

Security Headers

app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
});

Additional Implementations

See references/python-flask.md for:

Flask JWT with role-based access control decorators
OAuth 2.0 Google integration with Authlib
API key authentication with secure hashing

Common Mistakes to Avoid

Storing plain-text passwords
Using weak JWT secrets
Ignoring token expiration
Disabling HTTPS in production
Logging sensitive tokens

Repository: github.com/secondsky/claude-skills
Last updated: about 1 month ago
Created: about 1 month ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.