Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

ranbot-ai/api-security-best-practices

Name: api-security-best-practices
Author: ranbot-ai

skills/api-security-best-practices/SKILL.md

npx skillsauth add ranbot-ai/awesome-skills api-security-best-practices

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

API Security Best Practices

Overview

Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.

When to Use This Skill

Use when designing new API endpoints
Use when securing existing APIs
Use when implementing authentication and authorization
Use when protecting against API attacks (injection, DDoS, etc.)
Use when conducting API security reviews
Use when preparing for security audits
Use when implementing rate limiting and throttling
Use when handling sensitive data in APIs

How It Works

Step 1: Authentication & Authorization

I'll help you implement secure authentication:

Choose authentication method (JWT, OAuth 2.0, API keys)
Implement token-based authentication
Set up role-based access control (RBAC)
Secure session management
Implement multi-factor authentication (MFA)

Step 2: Input Validation & Sanitization

Protect against injection attacks:

Validate all input data
Sanitize user inputs
Use parameterized queries
Implement request schema validation
Prevent SQL injection, XSS, and command injection

Step 3: Rate Limiting & Throttling

Prevent abuse and DDoS attacks:

Implement rate limiting per user/IP
Set up API throttling
Configure request quotas
Handle rate limit errors gracefully
Monitor for suspicious activity

Step 4: Data Protection

Secure sensitive data:

Encrypt data in transit (HTTPS/TLS)
Encrypt sensitive data at rest
Implement proper error handling (no data leaks)
Sanitize error messages
Use secure headers

Step 5: API Security Testing

Verify security implementation:

Test authentication and authorization
Perform penetration testing
Check for common vulnerabilities (OWASP API Top 10)
Validate input handling
Test rate limiting

Examples

Example 1: Implementing JWT Authentication

## Secure JWT Authentication Implementation

### Authentication Flow

1. User logs in with credentials
2. Server validates credentials
3. Server generates JWT token
4. Client stores token securely
5. Client sends token with each request
6. Server validates token

### Implementation

#### 1. Generate Secure JWT Tokens

\`\`\`javascript
// auth.js
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

// Login endpoint
app.post('/api/auth/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    
    // Validate input
    if (!email || !password) {
      return res.status(400).json({ 
        error: 'Email and password are required' 
      });
    }
    
    // Find user
    const user = await db.user.findUnique({ 
      where: { email } 
    });
    
    if (!user) {
      // Don't reveal if user exists
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Verify password
    const validPassword = await bcrypt.compare(
      password, 
      user.passwordHash
    );
    
    if (!validPassword) {
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Generate JWT token
    const token = jwt.sign(
      { 
        userId: user.id,
        email: user.email,
        role: user.role
      },
      process.env.JWT_SECRET,
      { 
        expiresIn: '1h',
        issuer: 'your-app',
        audience: 'your-app-users'
      }
    );
    
    // Generate refresh token
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: '7d' }
    );
    
    // Store refresh token in database
    await db.refreshToken.create({
      data: {
        token: refreshToken,
        userId: user.id,
        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
      }
    });
    
    res.json({
      token,
      refreshToken,
      expiresIn: 3600
    });
    
  } catch (error) {
    console.error('Login error:', error);
    res.status(500).json({ 
      error: 'An error occurred during login' 
    });
  }
});
\`\`\`

#### 2. Verify JWT Tokens (Middleware)

\`\`\`javascript
// middleware/auth.js
const jwt = require('jsonwebtoken');

function authenticateToken(req, res, next) {
  // Get token from header
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
  
  if (!token) {
    return res.status(401).json({ 
      error: 'Access token required' 
    });
  }
  
  // Verify token
  jwt.verify(
    token, 
    process.env.JWT_SECRET,
    { 
      issuer: 'your-app',
      audience: 'your-app-users'
    },
    (err, user) => {
      if (err) {
        if (err.name === 'TokenExpiredError') {
          return res.status(401).json({ 
            error: 'Token expired' 
          });
        }
        return res.status(403).json({ 
          error: 'Invalid token' 
        });

ranbot-ai/api-security-best-practices

skills/api-security-best-practices/SKILL.md

Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities

4 stars

development

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add ranbot-ai/awesome-skills api-security-best-practices

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 4:37 AM50.7s1 file scanned

SKILL.md

name:: api-security-best-practices
description:: Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
category:: Security & Systems
source:: antigravity
tags:: [javascript, node, markdown, api, ai, workflow, design, document, security, hacking]
url:: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-security-best-practices

API Security Best Practices

Overview

When to Use This Skill

Use when designing new API endpoints
Use when securing existing APIs
Use when implementing authentication and authorization
Use when protecting against API attacks (injection, DDoS, etc.)
Use when conducting API security reviews
Use when preparing for security audits
Use when implementing rate limiting and throttling
Use when handling sensitive data in APIs

How It Works

Step 1: Authentication & Authorization

I'll help you implement secure authentication:

Choose authentication method (JWT, OAuth 2.0, API keys)
Implement token-based authentication
Set up role-based access control (RBAC)
Secure session management
Implement multi-factor authentication (MFA)

Step 2: Input Validation & Sanitization

Protect against injection attacks:

Validate all input data
Sanitize user inputs
Use parameterized queries
Implement request schema validation
Prevent SQL injection, XSS, and command injection

Step 3: Rate Limiting & Throttling

Prevent abuse and DDoS attacks:

Implement rate limiting per user/IP
Set up API throttling
Configure request quotas
Handle rate limit errors gracefully
Monitor for suspicious activity

Step 4: Data Protection

Secure sensitive data:

Encrypt data in transit (HTTPS/TLS)
Encrypt sensitive data at rest
Implement proper error handling (no data leaks)
Sanitize error messages
Use secure headers

Step 5: API Security Testing

Verify security implementation:

Test authentication and authorization
Perform penetration testing
Check for common vulnerabilities (OWASP API Top 10)
Validate input handling
Test rate limiting

Examples

Example 1: Implementing JWT Authentication

## Secure JWT Authentication Implementation

### Authentication Flow

1. User logs in with credentials
2. Server validates credentials
3. Server generates JWT token
4. Client stores token securely
5. Client sends token with each request
6. Server validates token

### Implementation

#### 1. Generate Secure JWT Tokens

\`\`\`javascript
// auth.js
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

// Login endpoint
app.post('/api/auth/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    
    // Validate input
    if (!email || !password) {
      return res.status(400).json({ 
        error: 'Email and password are required' 
      });
    }
    
    // Find user
    const user = await db.user.findUnique({ 
      where: { email } 
    });
    
    if (!user) {
      // Don't reveal if user exists
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Verify password
    const validPassword = await bcrypt.compare(
      password, 
      user.passwordHash
    );
    
    if (!validPassword) {
      return res.status(401).json({ 
        error: 'Invalid credentials' 
      });
    }
    
    // Generate JWT token
    const token = jwt.sign(
      { 
        userId: user.id,
        email: user.email,
        role: user.role
      },
      process.env.JWT_SECRET,
      { 
        expiresIn: '1h',
        issuer: 'your-app',
        audience: 'your-app-users'
      }
    );
    
    // Generate refresh token
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: '7d' }
    );
    
    // Store refresh token in database
    await db.refreshToken.create({
      data: {
        token: refreshToken,
        userId: user.id,
        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
      }
    });
    
    res.json({
      token,
      refreshToken,
      expiresIn: 3600
    });
    
  } catch (error) {
    console.error('Login error:', error);
    res.status(500).json({ 
      error: 'An error occurred during login' 
    });
  }
});
\`\`\`

#### 2. Verify JWT Tokens (Middleware)

\`\`\`javascript
// middleware/auth.js
const jwt = require('jsonwebtoken');

function authenticateToken(req, res, next) {
  // Get token from header
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
  
  if (!token) {
    return res.status(401).json({ 
      error: 'Access token required' 
    });
  }
  
  // Verify token
  jwt.verify(
    token, 
    process.env.JWT_SECRET,
    { 
      issuer: 'your-app',
      audience: 'your-app-users'
    },
    (err, user) => {
      if (err) {
        if (err.name === 'TokenExpiredError') {
          return res.status(401).json({ 
            error: 'Token expired' 
          });
        }
        return res.status(403).json({ 
          error: 'Invalid token' 
        });

Related Skills

ranbot-ai/nextjs-seo-indexing

testing

VerifiedTrustedCommunity

Fix SEO indexing issues, crawl budget problems, and Search Console coverage errors for Next.js apps. Covers canonical tags, noindex audits, sitemap health, static rendering, and internal linking.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/nextjs-seo-indexing

ranbot-ai/moatmri

data-ai

VerifiedTrustedCommunity

Analyze AI disruption pressure across a business, map competitive exposure, and produce a 90-day defensive action plan.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

tools

VerifiedTrustedCommunity

--- name: longbridge description: 125+ agent skills for Longbridge Securities — real-time quotes, charts, fundamentals, portfolio analysis, options, and more for HK/US/A-share/SG markets. Trilingual: Simplified Chinese, Traditional category: AI & Agents source: antigravity tags: [api, mcp, claude, ai, agent, security, cro] url: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/longbridge --- # Longbridge ## Overview Longbridge is the official skill collection for Longbr

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

ranbot-ai/github-actions-advanced

tools

VerifiedTrustedCommunity

Design, debug, and harden GitHub Actions CI/CD workflows, including reusable workflows, matrix builds, self-hosted runners, OIDC authentication, caching, environments, secrets, and release automation.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/github-actions-advanced

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/ranbot-ai/awesome-skills.git

# Copy into Claude Code skills folder (global)
cp -r awesome-skills/skills/api-security-best-practices ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

ranbot-ai/awesome-skills

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT