Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.
Overall score: 82
Quality (does it follow best practices?): 77%
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Quality
Discovery
Discovery: 82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description that clearly identifies its domain and provides explicit trigger guidance via a 'Use for...' clause with relevant keywords. Its main weakness is that it names technologies rather than describing concrete actions (e.g., 'implement OAuth flows', 'generate and validate JWTs'), which limits specificity. The trigger terms are strong and natural, covering common developer vocabulary around authentication.
Suggestions
Replace or supplement the technology list with concrete actions, e.g., 'Implements OAuth 2.0 flows, generates and validates JWTs, manages API key rotation and security headers'
Narrow broader terms like 'third-party integrations' to reduce overlap with general API skills, e.g., 'third-party OAuth integrations' or 'authenticated API integrations'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (API authentication) and lists specific technologies (JWT, OAuth 2.0, API keys), but doesn't describe concrete actions like 'generate tokens', 'implement OAuth flows', or 'validate credentials'; it stays at the level of naming topics rather than listing actionable capabilities. | 2 / 3 |
| Completeness | Clearly answers both 'what' (secure API authentication with JWT, OAuth 2.0, API keys) and 'when' with an explicit 'Use for...' clause listing specific trigger scenarios including authentication systems, third-party integrations, token management, and auth flow errors. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'JWT', 'OAuth 2.0', 'API keys', 'authentication', 'token management', 'security headers', 'auth flow errors', 'third-party integrations', 'service-to-service communication'. These cover a good range of terms a developer would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | While the focus on API authentication with specific protocols (JWT, OAuth 2.0) is fairly distinct, terms like 'third-party integrations' and 'security headers' could overlap with general API development or security-focused skills. The core niche is clear but the broader trigger terms introduce some conflict risk. | 2 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation
Implementation: 72%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable skill with executable code examples and good progressive disclosure. Its main weaknesses are some verbosity in areas Claude already understands (common mistakes, redundant header validation checks) and the lack of a clear end-to-end workflow showing how to wire these components together with validation steps.
Suggestions
Add a brief numbered workflow showing the sequence for implementing auth end-to-end (e.g., 1. Set up secrets, 2. Implement token generation, 3. Add middleware, 4. Test with curl command, 5. Add security headers) with a validation checkpoint.
Remove or significantly trim the 'Common Mistakes to Avoid' section; Claude already knows not to store plain-text passwords or disable HTTPS. Replace with a concise checklist if needed.
Simplify the auth header validation in the middleware; the multiple checks after startsWith('Bearer ') are redundant and add unnecessary tokens.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient but includes some unnecessary content. The authorization header validation is overly verbose (checking split length after already checking startsWith('Bearer ') is redundant). The comparison table and 'Common Mistakes to Avoid' list contain things Claude already knows well. | 2 / 3 |
| Actionability | Provides fully executable JavaScript code for JWT token generation, auth middleware, and security headers. The code is copy-paste ready with proper imports, error handling, and environment variable usage. | 3 / 3 |
| Workflow Clarity | The skill presents individual components (token generation, middleware, headers) but doesn't sequence them into a clear implementation workflow. There's no step-by-step process for setting up authentication end-to-end, and no validation checkpoints (e.g., testing token generation, verifying middleware works). | 2 / 3 |
| Progressive Disclosure | Good structure with a clear overview table, focused Node.js implementation inline, and a well-signaled one-level-deep reference to python-flask.md for additional implementations. Content is appropriately split between the main file and reference material. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Validation
Validation: 100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.