insforge/insforge-integrations
skills/insforge-integrations/SKILL.md
Use when wiring an external auth provider (Clerk, Auth0, WorkOS, Kinde, Stytch, Better Auth) into InsForge for JWT-based RLS, or when adding the OKX x402 payment facilitator for onchain pay-per-use billing.
$ install --global
skillsauthnpx skillsauth add insforge/agent-skills insforge-integrationsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 9, 2026, 8:22 AM123.5s8 files scanned
SKILL.md
- name:
- insforge-integrations
- description:
- >-
- license:
- MIT
- author:
- insforge
- version:
- 1.2.0
- organization:
- InsForge
- date:
- April 2026
InsForge Integrations
This skill covers integrating third-party providers with InsForge. Currently two categories are supported: auth providers (RLS via JWT claims) and payment facilitators (x402 HTTP payment protocol). Each provider has its own guide under this directory.
Auth Providers
| Provider | Guide | When to use |
|----------|-------|-------------|
| Clerk | Clerk JWT Templates + InsForge RLS | Clerk signs tokens directly via JWT Template — no server-side signing needed |
| Auth0 | Auth0 Actions + InsForge RLS | Auth0 uses a post-login Action to embed claims into the access token |
| WorkOS | WorkOS AuthKit + InsForge RLS | WorkOS AuthKit middleware + server-side JWT signing with jsonwebtoken |
| Kinde | Kinde + InsForge RLS | Kinde token customization for InsForge integration |
| Stytch | Stytch + InsForge RLS | Stytch session tokens for InsForge integration |
| Better Auth | Better Auth + InsForge RLS | Self-hosted auth running in your InsForge Postgres — no third-party SaaS, no per-MAU cost |
Payment Facilitators
| Provider | Guide | When to use | |----------|-------|-------------| | OKX x402 | OKX as x402 facilitator (USDG on X Layer) | Pay-per-use HTTP endpoints settled onchain with zero gas for the payer |
Common Patterns
Auth providers
- Provider signs or issues a JWT containing the user's ID
- JWT is passed to InsForge via
edgeFunctionTokenincreateClient() - InsForge exposes claims through
auth.jwt()in SQL - RLS policies use a
requesting_user_id()function to enforce row-level security
Payment facilitators (x402)
- Server returns
402 Payment Requiredwith a JSON challenge base64-encoded inPAYMENT-REQUIREDheader - Client signs an EIP-3009 authorization using the stablecoin's EIP-712 domain
- Server forwards the signed payload to the facilitator's
/verify+/settleendpoints - Server records the settled payment in an InsForge table with a realtime trigger for live dashboards
Choosing a Provider
Auth
- Clerk — Simplest setup; JWT Template handles signing, no server code needed
- Auth0 — Flexible; uses post-login Actions for claim injection
- WorkOS — Enterprise-focused; AuthKit middleware + server-side JWT signing
- Kinde — Developer-friendly; built-in token customization
- Stytch — API-first; session-based token flow
- Better Auth — Self-hosted in your Postgres; no SaaS vendor; you own the user table. Pairs cleanly with InsForge's Postgres via a connection string + a small bridge route. Requires a one-time
REVOKEafter migrate to seal PostgREST exposure.
Payment facilitators
- OKX x402 — Onchain pay-per-use via USDG on X Layer; zero gas for the payer
Setup
- Identify which provider the project uses
- Read the corresponding reference guide from the tables above
- Follow the provider-specific setup steps
Usage Examples
Each provider guide includes full code examples for:
- Provider dashboard configuration (API keys, application settings, etc.)
- Server and client code (JWT utilities for auth; facilitator client + signing utilities for payments)
- Database setup (RLS for auth; payment table + realtime trigger for payments)
- Environment variable setup
Refer to the specific references/<provider>.md file for complete examples.
Best Practices
Auth
- All auth provider user IDs are strings (not UUIDs) — always use
TEXTcolumns foruser_id - Use
requesting_user_id()instead ofauth.uid()for RLS policies - Set
edgeFunctionTokenas an async function (Clerk) or server-signed JWT (Auth0, WorkOS, Kinde, Stytch) - Always get the JWT secret via
npx @insforge/cli secrets get JWT_SECRET
Payment facilitators (x402)
- Always check the result of the database
insert(...)after settlement — settlement takes money onchain before the insert runs; a silent DB failure loses the record - Add
UNIQUEto thetx_hashcolumn to prevent duplicate records from retries - Verify EIP-712 domain (
name,version) against the token contract's on-chainDOMAIN_SEPARATOR— wrong values produceInvalid Authorityerrors - Use a
MOCK_OKX_FACILITATORenv flag for local dev so the full flow can be exercised without real funds
Common Mistakes
Auth
| Mistake | Solution |
|---------|----------|
| Using auth.uid() for RLS | Use requesting_user_id() — third-party IDs are strings, not UUIDs |
| Using UUID columns for user_id | Use TEXT — all supported providers use string-format IDs |
| Hardcoding the JWT secret | Always retrieve via npx @insforge/cli secrets get JWT_SECRET |
| Missing requesting_user_id() function | Must be created before RLS policies will work |
Payments (x402)
| Mistake | Solution |
|---------|----------|
| Using an OKX exchange trading API key | Create a separate Web3 API key at web3.okx.com/onchainos/dev-portal |
| Wrong EIP-712 domain values | Read the token contract's DOMAIN_SEPARATOR — for USDG on X Layer use name: "Global Dollar", version: "1" |
| Ignoring DB insert error after settlement | Always destructure { error } and log/handle it — money has already moved |
| MOCK_OKX_FACILITATOR=true in production | Mock mode is demo-only; it returns fake tx hashes and bypasses verification |
Related Skills
insforge/insforge
tools
VerifiedTrustedCommunity
Use this skill when writing app code with InsForge or @insforge/sdk: database CRUD, auth, storage uploads/storage RLS, functions, OpenRouter AI, realtime, emails, Stripe or Razorpay payments, or pointing S3-compatible tooling (aws CLI, AWS SDKs, rclone, Terraform, boto3) at InsForge Storage. Trigger on requests like add auth, fetch data, upload files, make a bucket public, add checkout, sell subscriptions, or send email. For infrastructure, SQL migrations, CLI commands, or payment provider setup, use insforge-cli instead.
28SKILL.mdUpdated Apr 19, 2026
insforge/insforge-debug
development
VerifiedTrustedCommunity
Use when diagnosing problems in an InsForge project — reactive failures (SDK error object, HTTP 4xx/5xx, gateway timeout 502/503/504, edge function failure or timeout, login/OAuth/auth errors, RLS denial, realtime channel issues, slow query on one endpoint, edge function or Vercel deploy failure), proactive audits (security/RLS review, performance/index review, system health check, pre-launch readiness), or when the user has an error but doesn't know where to start.
28SKILL.mdUpdated Apr 19, 2026
insforge/insforge-cli
tools
VerifiedTrustedCommunity
Use this skill whenever someone needs a backend, or a task touches InsForge backend or cloud infrastructure through the InsForge CLI: projects, SQL, migrations, RLS policies, functions, storage, deployments, compute, secrets, config, schedules, logs, diagnostics, import/export, AI/OpenRouter setup, Stripe/Razorpay payments, backend branches, or CLI docs. For app code with InsForge or @insforge/sdk, use the insforge app-integration skill instead.
28SKILL.mdUpdated Apr 19, 2026
insforge/insforge-backend-advisor
development
VerifiedTrustedCommunity
Use this skill for proactive backend health audits in an InsForge project — security misconfigurations, performance regressions, and system health issues surfaced by `diagnose advisor`, plus the backend-side deep-dives that pair with each advisor issue. Also use this skill when a user reports backend-wide performance degradation (high CPU/memory, all responses slow, connection pool exhaustion, lock contention) without a single failing request. Trigger on requests like "health check", "audit my backend", "review security", "check RLS policies", "find slow queries", "backend performance review", "high CPU/memory", "everything is slow", "EC2/database/system health", or pre-launch readiness audits. For reactive runtime errors with a single concrete failing request (SDK error objects, HTTP 4xx/5xx, function failures, deploy failures), use `insforge-debug` instead.
21SKILL.mdUpdated May 16, 2026