
auth-implementation-patterns

Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

Overall score: 85 (1.24x)

Quality: 67% (Does it follow best practices?)

Impact: 97% (1.24x; average score across 6 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/developer-essentials/skills/auth-implementation-patterns/SKILL.md

Quality

Discovery

92%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description that clearly identifies its domain (authentication and authorization), lists specific technologies and patterns, and includes an explicit 'Use when' clause with relevant triggers. The main weakness is that some terms like 'debugging security issues' are broad enough to potentially overlap with other security-focused skills. The use of 'Master' as the opening verb is slightly informal but the description otherwise uses appropriate third-person voice.

Dimension scores (reasoning, then score)

Specificity: 3 / 3. Lists multiple specific concrete actions and technologies: JWT, OAuth2, session management, RBAC, securing APIs, debugging security issues, and building access control systems.

Completeness: 3 / 3. Clearly answers both 'what' (authentication/authorization patterns including JWT, OAuth2, session management, RBAC for secure access control) and 'when' (explicit 'Use when implementing auth systems, securing APIs, or debugging security issues').

Trigger Term Quality: 3 / 3. Includes strong natural keywords users would say: 'authentication', 'authorization', 'JWT', 'OAuth2', 'session management', 'RBAC', 'auth systems', 'securing APIs', 'security issues'. These cover common variations of how users discuss auth-related tasks.

Distinctiveness / Conflict Risk: 2 / 3. While auth-focused, the broad scope ('securing APIs', 'debugging security issues') could overlap with general API development skills or broader security/vulnerability scanning skills. The auth-specific terms like JWT, OAuth2, RBAC help, but 'security issues' is quite broad.

Total: 11 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides comprehensive, executable code examples covering major auth patterns, which is its primary strength. However, it is severely bloated — explaining concepts Claude already knows, inlining hundreds of lines of implementation that should be in referenced files, and lacking workflow guidance for combining or sequencing these patterns. It reads more like a tutorial than a skill instruction file.

Suggestions

Remove the 'Core Concepts' section entirely and the 'Best Practices'/'Common Pitfalls' bullet lists — Claude already knows these fundamentals. This alone would cut ~40 lines of zero-value content.

Split implementation patterns into separate referenced files (e.g., JWT.md, SESSIONS.md, OAUTH.md, RBAC.md) and keep SKILL.md as a concise overview with a decision matrix for when to use each pattern.

Add a workflow section that sequences auth implementation steps with validation checkpoints (e.g., 'After implementing JWT, verify token expiration handling before adding refresh tokens; test with expired tokens before proceeding').

Add a brief decision guide at the top: 'Use sessions for server-rendered apps, JWT for APIs/SPAs, OAuth2 for third-party login' — this is more valuable than explaining what authentication means.

Dimension scores (reasoning, then score)

Conciseness: 1 / 3. Extremely verbose at ~500+ lines. Explains basic concepts Claude already knows (AuthN vs AuthZ definitions, what sessions are, what OAuth is). The 'Core Concepts' section is entirely unnecessary. Best practices and common pitfalls lists are generic security knowledge Claude possesses. Multiple full implementation patterns could be condensed significantly.

Actionability: 3 / 3. The code examples are fully executable TypeScript with proper imports, type definitions, and complete endpoint implementations. Patterns cover JWT generation/verification, refresh token flows, session management, OAuth2, RBAC, and password hashing, all copy-paste ready.

Workflow Clarity: 2 / 3. Individual patterns are clear, but there is no guidance on how to sequence or combine them (e.g., when to choose JWT vs sessions, migration steps). No validation checkpoints for security-critical operations like token rotation or secret management. The patterns are presented as isolated blocks without integration guidance.

Progressive Disclosure: 1 / 3. Monolithic wall of text with no references to external files. All patterns are inlined: JWT, sessions, OAuth2, RBAC, permissions, ownership, password security, and rate limiting are all in one massive document. This content should be split into separate reference files with a concise overview in the main skill file.

Total: 7 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure (criteria, description, result)

skill_md_line_count: SKILL.md is long (639 lines); consider splitting into references/ and linking. Result: Warning

Total: 10 / 11 (Passed)

Repository: wshobson/agents (Reviewed)