aiskillstore/jwt-auth
skills/awais68/jwt-auth/SKILL.md
Use when implementing JWT authentication in FastAPI or Python projects. Triggers for: token generation, verification middleware, current user extraction, access token creation, token decoding, or role-based auth. NOT for: OAuth2 provider setup, OpenID Connect, or non-Python backends.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace jwt-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 11:26 PM59.0s3 files scanned
SKILL.md
- name:
- jwt-auth
- description:
- |
- Triggers for:
- token generation, verification middleware, current user extraction,
- NOT for:
- OAuth2 provider setup, OpenID Connect, or non-Python backends.
JWT Authentication Skill
Expert implementation of JWT token generation, verification, and user extraction for FastAPI and Python applications.
Quick Reference
| Operation | Function | Location |
|-----------|----------|----------|
| Generate token | create_access_token(data, expires_delta=None) | auth/jwt.py |
| Verify token | verify_token(token: str) | auth/dependencies.py |
| Get current user | get_current_user(token: str) | auth/dependencies.py |
| User from payload | User.from_payload(payload) | auth/dependencies.py |
Core Workflows
1. Generate Access Token
from auth.jwt import create_access_token
# Basic token with subject
token = create_access_token(data={"sub": "[email protected]"})
# Token with custom expiry (minutes)
from datetime import timedelta
token = create_access_token(
data={"sub": "[email protected]", "roles": ["admin"]},
expires_delta=timedelta(minutes=15)
)
# Token with roles for RBAC
token = create_access_token(data={"sub": "[email protected]", "roles": ["editor", "viewer"]})
Claims structure:
sub(required): User identifier (email, ID, or username)exp(auto): Expiration timeroles(optional): List of role strings for authorization- Custom claims: Add any extra data as needed
2. Protect Endpoint with Dependency
from fastapi import APIRouter, Depends
from auth.dependencies import get_current_user
router = APIRouter()
@router.get("/protected")
def protected_route(user = Depends(get_current_user)):
return {"message": f"Hello, {user.email}"}
3. Role-Based Access Control
from auth.dependencies import get_current_user, RoleChecker
# Define role checker
admin_only = RoleChecker(allowed_roles=["admin"])
@router.delete("/admin-only")
def admin_endpoint(user = Depends(admin_only)):
return {"message": "Admin access granted"}
4. Extract User from JWT Payload
from auth.dependencies import get_current_user
# User model automatically extracted from JWT claims
@router.get("/me")
def get_me(user = Depends(get_current_user)):
return {
"email": user.email,
"roles": user.roles,
"is_active": user.is_active
}
Security Checklist
- [ ] Short expiry + refresh: Access tokens expire in 15-30 minutes; implement refresh token flow for long sessions
- [ ] No sensitive data: Never put passwords, PII, or secrets in JWT claims
- [ ] Blacklist invalid: Implement token blacklist for logout (see
revoked_tokensset) - [ ] HS256 algorithm: Use HMAC-SHA256; never use
algorithm="none" - [ ] Verify expiration: Always check
expclaim; reject expired tokens
Token Structure
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "[email protected]",
"roles": ["user", "editor"],
"exp": 1704067200,
"iat": 1704063600
}
Signature: HMAC-SHA256(secret, header.payload)
User Model
class User:
email: str
roles: List[str]
is_active: bool = True
@classmethod
def from_payload(cls, payload: dict) -> "User":
"""Extract User from decoded JWT payload."""
return cls(
email=payload.get("sub", ""),
roles=payload.get("roles", []),
is_active=payload.get("is_active", True)
)
Integration with @auth-integration Frontend
The backend JWT implementation pairs with the frontend auth integration skill:
- Backend:
auth/jwt.pyandauth/dependencies.py - Frontend: Use
auth-integrationskill for React/Next.js auth context - Token flow:
- Frontend stores token in memory/storage after login
- Frontend includes
Authorization: Bearer <token>header - Backend
HTTPBearer()dependency validates and extracts user - Failed verification returns 401 Unauthorized
File Outputs
| File | Purpose |
|------|---------|
| auth/jwt.py | Token creation, encoding, secret config |
| auth/dependencies.py | FastAPI dependencies for verification and user extraction |
Configuration
Set these environment variables:
JWT_SECRET_KEY: Long random string (at least 32 chars)JWT_ALGORITHM: "HS256" (default)JWT_EXPIRATION_MINUTES: 15 (recommended)
Quality Gates
Before marking complete:
- [ ] Tokens use HS256 algorithm
- [ ] Expiration set to 15-30 minutes
- [ ] No sensitive data in claims
- [ ] Blacklist mechanism implemented for logout
- [ ] Integration with
auth-integrationfrontend skill documented
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026