Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
Score: 86

Quality: 71% (Does it follow best practices?)

Impact: 97% (1.24x average score across 6 eval scenarios); Passed; No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/developer-essentials/skills/auth-implementation-patterns/SKILL.md`

Quality
Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly identifies its domain (authentication and authorization), lists specific technologies and patterns (JWT, OAuth2, session management, RBAC), and provides explicit trigger guidance with a 'Use when...' clause. The only minor weakness is the word 'Master' at the beginning which is slightly informal/imperative rather than third-person declarative, but the rest uses appropriate voice.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and technologies: JWT, OAuth2, session management, RBAC, securing APIs, debugging security issues, and building access control systems. | 3 / 3 |
| Completeness | Clearly answers both what ('authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems') and when ('Use when implementing auth systems, securing APIs, or debugging security issues'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'authentication', 'authorization', 'JWT', 'OAuth2', 'session management', 'RBAC', 'auth systems', 'securing APIs', 'security issues'. These cover common variations of how users would describe auth-related tasks. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche around authentication/authorization with specific technologies (JWT, OAuth2, RBAC). While 'securing APIs' could overlap with a general API security skill, the auth-specific focus makes it distinctly identifiable. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides comprehensive, executable code examples covering major auth patterns, which is its primary strength. However, it is severely bloated — explaining concepts Claude already knows, inlining everything into one massive file, and lacking workflow guidance for combining patterns. It reads more like a tutorial for junior developers than a concise skill reference for an AI assistant.
Suggestions

- Remove the 'Core Concepts' section entirely and trim 'Best Practices' and 'Common Pitfalls' to only non-obvious, project-specific guidance; Claude already knows standard security advice.
- Split into separate reference files (e.g., JWT.md, SESSIONS.md, OAUTH.md, RBAC.md) and make SKILL.md a concise overview with links to each pattern file.
- Add a decision workflow at the top: 'Session-based → when X; JWT → when Y; OAuth → when Z' with a clear sequence for implementing a complete auth system including validation checkpoints.
- Reduce code examples to the minimal differentiating patterns; e.g., the refresh token flow is valuable, but the basic Express session setup is boilerplate Claude can generate without guidance.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines. Explains basic concepts Claude already knows (AuthN vs AuthZ definitions, what sessions are, what OAuth is). The 'Core Concepts' section is entirely unnecessary. Best practices and common pitfalls lists are generic security knowledge Claude already possesses. Multiple complete implementation patterns could be condensed significantly. | 1 / 3 |
| Actionability | All code examples are fully executable TypeScript with proper imports, types, and complete implementations. Patterns cover JWT generation/verification, refresh token flows, session setup, OAuth integration, RBAC, and password hashing, all copy-paste ready with realistic usage examples. | 3 / 3 |
| Workflow Clarity | Individual patterns are clear and well-structured, but there's no guidance on how to sequence or combine these patterns into a complete auth system. No validation checkpoints (e.g., 'verify token generation works before implementing refresh flow'). No decision framework for choosing between session-based vs JWT vs OAuth approaches. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. All patterns are inlined in a single massive document. This would benefit enormously from splitting into separate files (JWT.md, SESSIONS.md, OAUTH.md, RBAC.md) with a concise overview linking to each. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (639 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
70444e5