Agent skill

auth-and-authorization-patterns

Use this skill when implementing authentication (login, token issuance) or authorization (access control, permissions). Apply whenever the task involves login flows, JWT, OAuth2, session management, or RBAC.

View SKILL.md on GitHub Repository
Stars 3,371
Forks 398

Install this agent skill to your Project

npx add-skill https://github.com/aiming-lab/MetaClaw/tree/main/memory_data/skills/auth-and-authorization-patterns

SKILL.md

Auth & Authorization Patterns

Authentication (who are you?):

  • Use a battle-tested library — do not roll your own crypto.
  • Hash passwords with bcrypt/argon2; never MD5/SHA1 for passwords.
  • Use short-lived JWTs (15–60 min) with refresh tokens; store refresh tokens securely.
  • Implement MFA for sensitive operations.

Authorization (what can you do?):

  • Check authorization on every request, not just at login.
  • Enforce RBAC or ABAC at the service layer, not the UI.
  • Apply principle of least privilege: grant minimal permissions needed.

OAuth2 / OIDC:

  • Use the Authorization Code flow with PKCE for user-facing apps.
  • Validate iss, aud, exp, and nonce claims on every token.

Session management:

  • Regenerate session ID after login (session fixation prevention).
  • Set HttpOnly and Secure flags on session cookies.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

aiming-lab/MetaClaw

structured-progress-update

Use this skill when summarizing progress on an ongoing project or multi-step task. Give a clear, scannable status report whenever asked for an update or at the end of a work session.

3,371 398
Explore
aiming-lab/MetaClaw

async-communication-etiquette

Use this skill when writing messages in async channels (Slack, GitHub issues, email threads) where the reader may not have context and cannot ask follow-up questions immediately.

3,371 398
Explore
aiming-lab/MetaClaw

idempotent-script-design

Use this skill when writing scripts, cron jobs, data pipelines, or any automated process that may be run multiple times. Design every operation to be safely re-runnable without side effects.

3,371 398
Explore
aiming-lab/MetaClaw

secrets-management

Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task.

3,371 398
Explore
aiming-lab/MetaClaw

input-validation-and-sanitization

Use this skill when implementing any endpoint, form handler, CLI tool, or function that accepts external input. Validate and sanitize all untrusted data before processing — never assume input is safe.

3,371 398
Explore
aiming-lab/MetaClaw

graceful-error-recovery

Use this skill when a tool call, command, or API request fails. Diagnose the root cause systematically before retrying or changing approach. Do not retry the same failing call without first understanding why it failed.

3,371 398
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results