markus41/Linear OAuth + Actor Authorization
plugins/linear-orchestrator/skills/linear-oauth/SKILL.md
This skill should be used when implementing Linear OAuth 2.0, OAuth actor authorization, or file-storage authentication. Activates on "linear oauth", "linear auth", "actor token", "linear-actor-token", "file storage".
$ install --global
skillsauthnpx skillsauth add markus41/claude Linear OAuth + Actor AuthorizationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 7, 2026, 7:40 AM136.3s1 file scanned
SKILL.md
- name:
- Linear OAuth + Actor Authorization
- description:
- This skill should be used when implementing Linear OAuth 2.0, OAuth actor authorization, or file-storage authentication. Activates on "linear oauth", "linear auth", "actor token", "linear-actor-token", "file storage".
- version:
- 1.0.0
Linear OAuth + Actor Authorization
References:
- OAuth 2.0: https://linear.app/developers/oauth-2-0-authentication
- Actor authorization: https://linear.app/developers/oauth-actor-authorization
- File storage: https://linear.app/developers/file-storage-authentication
OAuth 2.0 Flow
1. Register app
Settings → API → Applications → New application. Capture:
LINEAR_OAUTH_CLIENT_IDLINEAR_OAUTH_CLIENT_SECRET- Redirect URI
2. Authorization redirect
https://linear.app/oauth/authorize?
client_id=<id>&
redirect_uri=<uri>&
response_type=code&
scope=read,write,issues:create,comments:create,admin&
state=<csrf>&
actor=user # optional — request actor mode
3. Token exchange
POST https://api.linear.app/oauth/token
Content-Type: application/x-www-form-urlencoded
code=<code>&redirect_uri=<uri>&client_id=<id>&client_secret=<secret>&grant_type=authorization_code
Returns:
{
"access_token": "lin_oauth_...",
"token_type": "Bearer",
"expires_in": 315360000,
"scope": "read,write"
}
Linear OAuth tokens are long-lived (10 years!). Refresh tokens are not issued — re-auth on revoke.
Actor Authorization
For agents acting on behalf of users:
- Include
actor=userin the authorize URL - After exchange, the OAuth token is owned by the user, not the app
- All API calls made with this token appear in Linear UI as performed by the user
- For mixed flows (some calls "as the app", some "as a user"), use the
Linear-Actor-Tokenheader per-call
POST /graphql
Authorization: Bearer <app_oauth_token>
Linear-Actor-Token: <user_actor_token>
The actor token is a short-lived (5 min) JWT minted by your backend after verifying the user. The lib/auth.ts mintActorToken(userId) helper handles signing.
File-Storage Authentication
Linear's file storage (S3-backed) uses pre-signed URLs:
- Upload: call
fileUploadmutation → receiveuploadUrl+headers - PUT bytes to
uploadUrlwith the returned headers (don't add your Linear token there) - Download: GET the asset URL with the same Linear token in
Authorizationheader
const res = await fetch(assetUrl, {
headers: { Authorization: `Bearer ${apiKey}` }
});
If you proxy assets to end users, mint a short-lived signed URL on your side rather than handing out your Linear token.
Rotation
- API keys: rotate quarterly
- OAuth client secret: rotate yearly or on suspected leak
- Actor tokens: never persist beyond 5 min
- On rotation, support old + new key for 24h overlap to avoid race conditions
Scope selection guide
| Scope | Required for |
|-------|--------------|
| read | All read queries |
| write | All mutations except admin |
| issues:create | Narrow scope: only creating issues |
| comments:create | Narrow scope: comments only |
| admin | Workflow / team / webhook config |
| agents:create | Register Linear agent apps |
| agents:signal | Emit agent signals |
Related Skills
markus41/writing-plans-enhanced
development
VerifiedTrustedCommunity
Enhanced plan-authoring skill with Pre-Writing context gathering, task metadata, non-TDD templates, Red Flags, telemetry, and an automated plan linter. Use when you have a spec or requirements for a multi-step task, before touching code.
13SKILL.mdUpdated Apr 25, 2026
markus41/plugins/scrapin-aint-easy
tools
VerifiedTrustedCommunity
Documentation intelligence engine with graph-based API docs, algorithm library, and drift detection
13SKILL.mdUpdated Apr 17, 2026
markus41/ultraplan
tools
VerifiedTrustedCommunity
Ultraplan cloud planning — kick off a plan in the cloud from your terminal, review and revise in the browser, then execute remotely or send back to CLI
13SKILL.mdUpdated Apr 17, 2026
markus41/plugins/claude-code-expert/skills/mcp
tools
VerifiedTrustedCommunity
--- name: mcp description: Configure MCP servers for Claude Code — stdio vs HTTP, authentication, Tools/Resources/Prompts distinction, channels (CI webhook, mobile relay, Discord bridge, fakechat), and cost of always-loaded tools. Use this skill whenever adding an MCP server, debugging connection issues, choosing between MCP Tools vs Prompts vs Resources, installing channel servers, or managing .mcp.json. Triggers on: "MCP server", "mcp config", "add Obsidian MCP", "install context7", "channels"
13SKILL.mdUpdated Apr 17, 2026