
api-authentication

Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.

59

Quality

67%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Content

52%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides solid, executable JWT code examples and concrete security guidance, making it highly actionable. However, it lacks a clear workflow sequence for implementing authentication end-to-end, presenting isolated snippets rather than a guided process. Some content (comparison table, common mistakes) explains things Claude already knows, reducing token efficiency.

Suggestions

Add a numbered workflow sequence (e.g., 1. Configure secrets → 2. Implement token generation → 3. Add middleware → 4. Set security headers → 5. Verify with test request) with explicit validation checkpoints

Remove the 'Common Mistakes to Avoid' section — Claude already knows these security basics, and the Security Requirements section already covers the actionable guidance

Simplify the auth header validation in the middleware — the multiple checks are redundant and could be a single regex or simplified conditional

Dimension / Reasoning / Score

Conciseness

Mostly efficient but includes some unnecessary content. The authorization header validation is overly verbose: checking the split length after startsWith('Bearer ') adds little, and a single anchored regex would perform both checks at once. The comparison table and 'Common Mistakes to Avoid' list cover things Claude already knows well. However, the code examples and security headers are reasonably tight.

2 / 3

Actionability

Provides fully executable, copy-paste ready code for JWT token generation, auth middleware, and security headers. The code is complete with proper imports, error handling, and environment variable usage. Concrete configuration values (expiresIn, cost factor 12+) are specified.

3 / 3

Workflow Clarity

There is no clear workflow sequence for implementing authentication end-to-end. The content presents isolated code snippets and lists without sequencing them into a coherent implementation process. For a multi-faceted topic like API auth (setup secrets, implement token generation, add middleware, configure headers, test), there are no validation checkpoints or ordered steps.

1 / 3

Progressive Disclosure

References python-flask.md for additional implementations which is good structure, but no bundle files are provided to verify the reference exists. The main file includes inline content that is reasonably scoped, but the comparison table and common mistakes list could be trimmed or moved. The reference is one-level deep and clearly signaled, which is positive.

2 / 3

Total: 8 / 12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description that clearly communicates the domain and provides explicit trigger guidance via a 'Use for' clause with good keyword coverage. Its main weakness is that it names technologies rather than concrete actions (e.g., 'implement OAuth flows', 'generate and validate JWTs'), and some trigger terms like 'third-party integrations' are broad enough to risk overlap with other skills.

Suggestions

Replace or supplement technology names with concrete actions, e.g., 'Implements OAuth 2.0 flows, generates and validates JWTs, manages API key rotation and security headers'

Narrow broad terms like 'third-party integrations' to be more auth-specific, e.g., 'third-party OAuth integrations' to reduce conflict risk with general API/integration skills

Dimension / Reasoning / Score

Specificity

Names the domain (API authentication) and lists specific technologies (JWT, OAuth 2.0, API keys), but doesn't describe concrete actions like 'generate tokens', 'implement OAuth flows', or 'validate credentials'. The capabilities are implied rather than explicitly listed as actions.

2 / 3

Completeness

Clearly answers both 'what' (secure API authentication with JWT, OAuth 2.0, API keys) and 'when' (explicit 'Use for' clause covering authentication systems, third-party integrations, service-to-service communication, token management, security headers, auth flow errors).

3 / 3

Trigger Term Quality

Includes strong natural keywords users would say: 'JWT', 'OAuth 2.0', 'API keys', 'authentication', 'token management', 'security headers', 'auth flow errors', 'third-party integrations', 'service-to-service communication'. Good coverage of terms across different user phrasings.

3 / 3

Distinctiveness Conflict Risk

While API authentication is a reasonably specific niche, terms like 'third-party integrations' and 'service-to-service communication' are broad enough to potentially overlap with general API or integration skills. The auth-specific triggers (JWT, OAuth, token management) help but the scope could still conflict with broader security or API skills.

2 / 3

Total: 10 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository
secondsky/claude-skills