packages/cli/skills/pikku-jose/SKILL.md
Use when setting up JWT authentication with the jose library in a Pikku app. Covers JoseJWTService constructor, secret rotation, token encoding/decoding/verification. TRIGGER when: code uses JoseJWTService, user asks about JWT setup, token signing, token verification, or @pikku/jose. DO NOT TRIGGER when: user asks about session middleware (use pikku-security) or general service setup (use pikku-services).
Use this skill as an execution checklist, not reference material.
- pikku-meta when available; otherwise run the relevant pikku meta ... --json command and inspect only the focused output you need.
- .pikku, node_modules, vendored packages, or broad build artifacts.
- pikku-verify or pikku all when functions, wirings, schemas, or generated clients may have changed.

@pikku/jose provides JWT signing, verification, and decoding using the jose library. It implements the JWTService interface from @pikku/core.
yarn add @pikku/jose
JoseJWTService
import { JoseJWTService } from '@pikku/jose'
const jwt = new JoseJWTService(
  getSecrets: () => Promise<Array<{ id: string; value: string }>>,
  logger?: Logger
)
await jwt.init()
Constructor Parameters:
- getSecrets — Async function returning an array of { id, value } key pairs. First key is used for signing; all keys are tried for verification (supports rotation).
- logger — Optional logger instance.

Methods:
- init(): Promise<void> — Fetch and cache secrets. Call at startup.
- encode<T>(expiresIn: RelativeTimeInput, payload: T): Promise<string> — Create a signed JWT.
- decode<T>(token: string): Promise<T> — Decode a JWT payload without verification.
- verify(token: string): Promise<void> — Verify a JWT signature and expiry.

import { JoseJWTService } from '@pikku/jose'
const jwt = new JoseJWTService(
  async () => [{ id: 'key-1', value: process.env.JWT_SECRET! }],
  logger
)
await jwt.init()
Supply multiple keys. The first is used for signing; all are tried for verification:
const jwt = new JoseJWTService(async () => [
  { id: 'key-2', value: NEW_SECRET }, // signs with this
  { id: 'key-1', value: OLD_SECRET }, // still verifies tokens signed with this
])
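The rotation behaviour described above (first key signs, every key is tried on verification), as an added example that is not part of the original skill or of @pikku/jose. It rebuilds the mechanism with node:crypto only; HS256, the kid header, the fixed clock, the function names and the secret values are assumptions constructed for illustration.

```typescript
// Added illustration, not @pikku/jose code: HS256 JWTs with a rotating key list.
import { createHmac, timingSafeEqual } from 'node:crypto'

type Secret = { id: string; value: string }

const b64u = (s: string): string => Buffer.from(s).toString('base64url')
const mac = (data: string, key: string): Buffer =>
  createHmac('sha256', key).update(data).digest()

// Sign with the FIRST key in the list; kid records which key was used (assumption).
function signJwt(keys: Secret[], payload: object, ttl: number, now: number): string {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid: keys[0]!.id }))
  const body = b64u(JSON.stringify({ ...payload, exp: now + ttl }))
  const sig = mac(`${header}.${body}`, keys[0]!.value).toString('base64url')
  return `${header}.${body}.${sig}`
}

// Try EVERY key; return the id of the key that verified, or throw.
// The algorithm is fixed to HMAC-SHA256 here and never read from the token header.
function verifyJwt(keys: Secret[], token: string, now: number): string {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('malformed token')
  const [header, body, sig] = parts as [string, string, string]
  const given = Buffer.from(sig, 'base64url')
  const match = keys.find((k) => {
    const expected = mac(`${header}.${body}`, k.value)
    return expected.length === given.length && timingSafeEqual(expected, given)
  })
  if (!match) throw new Error('no configured key verifies this token')
  const { exp } = JSON.parse(Buffer.from(body, 'base64url').toString())
  if (typeof exp !== 'number' || exp <= now) throw new Error('token expired')
  return match.id
}

// Constructed scenario: a token issued before rotation, checked after it.
function rotationDemo() {
  const now = 1700000000 // fixed clock (seconds) so the result is deterministic
  const OLD: Secret = { id: 'key-1', value: 'constructed-old-secret' }
  const NEW: Secret = { id: 'key-2', value: 'constructed-new-secret' }
  const oldToken = signJwt([OLD], { userId: 'abc' }, 3600, now)
  const rotated = [NEW, OLD] // new key first: it signs, the old one still verifies
  const newToken = signJwt(rotated, { userId: 'abc' }, 3600, now)
  let afterRetire = 'accepted'
  try { verifyJwt([NEW], oldToken, now) } catch { afterRetire = 'rejected' }
  return {
    oldTokenKey: verifyJwt(rotated, oldToken, now),
    newTokenKey: verifyJwt(rotated, newToken, now),
    afterRetire,
  }
}
```

In this sketch the old token stops verifying as soon as key-1 leaves the list, so the old key should stay in the array until every token it signed has expired.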
const createSingletonServices = pikkuServices(async (config) => {
  const logger = new ConsoleLogger()
  const jwt = new JoseJWTService(
    async () => [{ id: 'my-key', value: config.jwtSecret }],
    logger
  )
  await jwt.init()
  return { config, logger, jwt }
})
const token = await jwt.encode('1h', { userId: 'abc', role: 'admin' })
await jwt.verify(token) // throws if invalid/expired
// decode() does not verify, so it is called only after verify() has succeeded
const payload = await jwt.decode<{ userId: string; role: string }>(token)