Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
44%: Does it follow best practices?
Impact: No eval scenarios have been run
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/developer-essentials/skills/auth-implementation-patterns/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description that clearly communicates both what the skill does and when to use it, with good trigger term coverage across authentication and authorization concepts. Its main weaknesses are slightly vague action descriptions (using 'master' and 'build' rather than listing concrete operations) and some potential overlap with broader security-related skills due to phrases like 'securing APIs' and 'debugging security issues'.
Suggestions
Replace vague verbs like 'Master' and 'build' with specific concrete actions such as 'Generate JWT tokens, configure OAuth2 flows, implement session-based auth, define role-based access control policies'.
Narrow the 'securing APIs' and 'debugging security issues' triggers to be more auth-specific, e.g., 'debugging login flows, token validation errors, or permission denials' to reduce conflict risk with general security skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (authentication/authorization) and lists relevant technologies (JWT, OAuth2, session management, RBAC), but the actual actions are vague — 'build secure, scalable access control systems' is more of a goal than a concrete action list. It doesn't specify discrete actions like 'generate JWT tokens, configure OAuth2 flows, set up role-based permissions'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (authentication and authorization patterns including JWT, OAuth2, session management, RBAC) and 'when' with an explicit 'Use when implementing auth systems, securing APIs, or debugging security issues' clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'authentication', 'authorization', 'JWT', 'OAuth2', 'session management', 'RBAC', 'auth systems', 'securing APIs', 'security issues'. These cover a good range of terms a user would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | While auth-specific terms like JWT, OAuth2, and RBAC create a reasonably distinct niche, the broad phrases 'securing APIs' and 'debugging security issues' could overlap with general API security or security auditing skills. It's somewhat specific but not fully distinct. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a high-level overview or study guide for authentication concepts rather than an actionable skill for Claude. It spends most of its token budget explaining concepts Claude already knows (AuthN vs AuthZ, what JWT is, what OAuth2 is) while providing zero executable code examples. The referenced details file doesn't exist in the bundle, leaving the skill with no concrete implementation guidance.
Suggestions
Replace the 'Core Concepts' section with concrete, executable code examples for each auth pattern (e.g., JWT generation/validation with a specific library, bcrypt password hashing, session middleware setup).
Add step-by-step workflows with validation checkpoints for common auth implementation tasks (e.g., 'Implementing JWT auth: 1. Set up middleware → 2. Create token generation → 3. Validate with test request → 4. Add refresh token flow').
Remove or drastically condense the 'Best Practices' and 'Common Pitfalls' sections—Claude already knows these security fundamentals. Instead, encode them as constraints within the code examples.
Either include the referenced `references/details.md` file in the bundle with worked examples, or inline the most critical patterns directly in the SKILL.md.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill extensively explains concepts Claude already knows well—authentication vs authorization definitions, what sessions are, what JWT is, what OAuth2 is. The 'Core Concepts' section is entirely redundant for Claude. The 'Best Practices' and 'Common Pitfalls' sections are generic security advice that Claude already possesses. Very little here adds novel, actionable knowledge. | 1 / 3 |
| Actionability | There is no executable code, no concrete commands, no specific examples, and no copy-paste ready snippets anywhere in the skill. Everything is abstract description—'Always hash with bcrypt/argon2' without showing how, 'Use httpOnly cookies' without demonstrating implementation. The detailed patterns are deferred to a reference file that doesn't exist in the bundle. | 1 / 3 |
| Workflow Clarity | There are no sequenced multi-step workflows for implementing any auth pattern. No validation checkpoints, no feedback loops, no step-by-step process for building an auth system. The content is a collection of bullet points and lists without any procedural guidance. | 1 / 3 |
| Progressive Disclosure | The skill references `references/details.md` for detailed patterns, which is a reasonable structural choice. However, the bundle has no files, so the reference is broken. The main file itself contains too much generic conceptual content that should either be omitted (since Claude knows it) or replaced with actionable content, while the actual useful detailed patterns are entirely absent. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
cf6059d