
auth-implementation-patterns

Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

Overall score: 85 (1.24x)

Quality: 67% (does it follow best practices?)

Impact: 97% (1.24x; average score across 6 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./plugins/developer-essentials/skills/auth-implementation-patterns/SKILL.md

Quality

Discovery: 92%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description that clearly identifies its domain (authentication and authorization), lists specific technologies and patterns, and includes an explicit 'Use when' clause with relevant triggers. The main weakness is that some trigger terms like 'debugging security issues' and 'securing APIs' are broad enough to potentially overlap with other security-focused skills. The use of 'Master' as the opening verb is slightly informal/instructional in tone but the description otherwise uses appropriate third-person framing.

Dimension, reasoning and score:

Specificity (3 / 3): Lists multiple specific concrete actions and technologies: JWT, OAuth2, session management, RBAC, securing APIs, debugging security issues, and building access control systems.

Completeness (3 / 3): Clearly answers both 'what' (authentication/authorization patterns including JWT, OAuth2, session management, RBAC for secure access control) and 'when' (explicit 'Use when implementing auth systems, securing APIs, or debugging security issues').

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'authentication', 'authorization', 'JWT', 'OAuth2', 'session management', 'RBAC', 'auth systems', 'securing APIs', 'security issues'. These cover common variations of how users discuss auth-related tasks.

Distinctiveness Conflict Risk (2 / 3): While auth-focused, terms like 'securing APIs' and 'security issues' could overlap with broader security skills (e.g., input validation, CORS, encryption). The auth-specific terms (JWT, OAuth2, RBAC) help distinguish it, but 'debugging security issues' is quite broad and could conflict with general security or API skills.

Total: 11 / 12

Passed

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides highly actionable, executable TypeScript code covering a comprehensive range of auth patterns, which is its primary strength. However, it is severely bloated — explaining concepts Claude already knows, inlining everything into one massive file, and lacking any progressive disclosure structure. The absence of implementation workflow sequencing and validation checkpoints weakens its utility as a guide for building auth systems step-by-step.

Suggestions

Remove the 'Core Concepts' section entirely and trim 'Best Practices' and 'Common Pitfalls' to only non-obvious, implementation-specific advice — Claude already knows what authentication vs authorization means.

Split into multiple files: keep SKILL.md as a concise overview with pattern summaries, then reference separate files like JWT.md, SESSIONS.md, OAUTH.md, RBAC.md for full implementations.

Add an implementation workflow with sequencing and validation steps, e.g., '1. Implement password hashing → 2. Add JWT auth → 3. Test with curl commands → 4. Add refresh tokens → 5. Verify token rotation works'.

Remove redundant commentary like 'Traditional, simple, stateful' and 'Stateless, self-contained' — these add no actionable value for Claude.
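An added worked example (not code from the skill or from the wshobson/agents repository) that carries the workflow suggested above through in TypeScript using only Node's built-in crypto module: scrypt password hashing, an HS256 access token whose verifier pins the algorithm and checks expiry, and one-time-use refresh tokens where reuse of an already-rotated token revokes the whole token family. The claim names, TTLs, scrypt parameters and the shape of the user table are assumptions made for illustration. The 'test with curl' step of the workflow is not reproducible offline, so the functions are written so that each checkpoint (password accepted, token verified, rotation succeeded, replay rejected) is a return value a caller can assert on.

```typescript
// Added example, not the skill's own code: the suggested workflow
// (password hashing -> JWT auth -> refresh tokens -> verify rotation)
// built on Node's built-in crypto only. Claim names, TTLs and scrypt
// parameters are illustrative assumptions, not values from the skill.
import { createHash, createHmac, randomBytes, scryptSync, timingSafeEqual } from "crypto";

const SCRYPT = { N: 16384, r: 8, p: 1 }; // assumed cost; tune to ~100 ms on the target hardware

// Step 1: password hashing. Per-user random salt, memory-hard KDF, constant-time compare.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, 32, SCRYPT);
  return `${salt.toString("base64url")}.${hash.toString("base64url")}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [saltB64, hashB64] = stored.split(".");
  if (!saltB64 || !hashB64) return false;
  const expected = Buffer.from(hashB64, "base64url");
  const actual = scryptSync(password, Buffer.from(saltB64, "base64url"), expected.length, SCRYPT);
  return timingSafeEqual(actual, expected);
}

// Step 2: short-lived HS256 access tokens. The verifier pins the algorithm instead of
// trusting the header (blocks alg=none and key confusion) and checks exp on its own clock.
type Claims = Record<string, unknown>;
const b64url = (s: string) => Buffer.from(s).toString("base64url");

function signJwt(claims: Claims, secret: Buffer, ttlSec: number, now = Math.floor(Date.now() / 1000)): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSec }));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

function verifyJwt(token: string, secret: Buffer, now = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    if (JSON.parse(Buffer.from(header, "base64url").toString()).alg !== "HS256") return null;
    const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const claims: Claims = JSON.parse(Buffer.from(body, "base64url").toString());
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null; // malformed base64 or JSON is a verification failure, not a crash
  }
}

// Step 4: refresh tokens are one-time use and chained into a "family". Presenting a token
// that was already rotated means it leaked (or the client is replaying), so the family is revoked.
interface RefreshRecord { userId: string; family: string; used: boolean; expiresAt: number }

class RefreshStore {
  private records = new Map<string, RefreshRecord>(); // keyed by SHA-256 of the raw token
  private revokedFamilies = new Set<string>();

  issue(userId: string, family = randomBytes(16).toString("hex"), now = Date.now()): string {
    const raw = randomBytes(32).toString("base64url");
    this.records.set(this.key(raw), { userId, family, used: false, expiresAt: now + 7 * 86_400_000 });
    return raw;
  }

  rotate(raw: string, now = Date.now()): { userId: string; refreshToken: string } | null {
    const rec = this.records.get(this.key(raw));
    if (!rec || rec.expiresAt <= now || this.revokedFamilies.has(rec.family)) return null;
    if (rec.used) { this.revokedFamilies.add(rec.family); return null; } // replay detected
    rec.used = true;
    return { userId: rec.userId, refreshToken: this.issue(rec.userId, rec.family, now) };
  }

  private key(raw: string): string { return createHash("sha256").update(raw).digest("hex"); }
}

// Steps 1 to 4 wired together. `users` maps username -> { id, passwordHash } (assumed shape).
type UserTable = Record<string, { id: string; passwordHash: string }>;
type TokenPair = { accessToken: string; refreshToken: string };

function login(users: UserTable, username: string, password: string, secret: Buffer, store: RefreshStore): TokenPair | null {
  const user = users[username];
  if (!user || !verifyPassword(password, user.passwordHash)) return null;
  return { accessToken: signJwt({ sub: user.id }, secret, 300), refreshToken: store.issue(user.id) };
}

function refresh(store: RefreshStore, raw: string, secret: Buffer): TokenPair | null {
  const rotated = store.rotate(raw);
  if (!rotated) return null;
  return { accessToken: signJwt({ sub: rotated.userId }, secret, 300), refreshToken: rotated.refreshToken };
}
```

The in-memory RefreshStore stands in for whatever persistent store a real deployment uses; the property that matters is that only a hash of the refresh token is stored, that a token can be consumed exactly once, and that a second presentation of the same token invalidates every token descended from it. HS256 is appropriate only while the issuer and every verifier share the secret; once tokens are verified by other services, an asymmetric algorithm with the same algorithm pinning is the safer choice.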

Dimension, reasoning and score:

Conciseness (1 / 3): Extremely verbose at ~500+ lines. Explains basic concepts Claude already knows (AuthN vs AuthZ definitions, what sessions are, what OAuth is). The 'Core Concepts' section is entirely unnecessary. Best practices and common pitfalls lists are general knowledge. Multiple full implementation patterns could be condensed significantly.

Actionability (3 / 3): All code examples are fully executable TypeScript with proper imports, types, and complete implementations. Patterns cover JWT generation/verification, refresh token flows, session setup, OAuth integration, RBAC, and password hashing, all copy-paste ready.

Workflow Clarity (2 / 3): Individual patterns are well-structured, but there's no clear workflow for implementing an auth system end-to-end. No validation checkpoints (e.g., 'test your token flow before adding refresh tokens'). No guidance on sequencing which patterns to implement first or how to verify the system works correctly.

Progressive Disclosure (1 / 3): Monolithic wall of text with no references to external files. All patterns are inlined in a single massive document. Content like OAuth setup, RBAC patterns, and security best practices should be split into separate referenced files. No bundle files exist to support progressive disclosure.

Total: 7 / 12

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 passed

Criteria, description and result:

skill_md_line_count: SKILL.md is long (639 lines); consider splitting into references/ and linking. Result: Warning

Total: 10 / 11

Passed

Repository: wshobson/agents (Reviewed)
