secondsky/api-authentication
plugins/api-authentication/skills/api-authentication/SKILL.md
Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.
$ install --global
skillsauthnpx skillsauth add secondsky/claude-skills api-authenticationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 15, 2026, 4:26 AM11.0s2 files scanned
SKILL.md
- name:
- api-authentication
- description:
- Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.
- license:
- MIT
API Authentication
Implement secure authentication mechanisms for APIs using modern standards and best practices.
Authentication Methods
| Method | Use Case | Security Level | |--------|----------|----------------| | JWT | Stateless auth, SPAs | High | | OAuth 2.0 | Third-party integration | High | | API Keys | Service-to-service | Medium | | Session | Traditional web apps | High |
JWT Implementation (Node.js)
const jwt = require('jsonwebtoken');
const generateTokens = (user) => ({
accessToken: jwt.sign(
{ userId: user.id, role: user.role },
process.env.JWT_SECRET,
{ expiresIn: '15m' }
),
refreshToken: jwt.sign(
{ userId: user.id, type: 'refresh' },
process.env.REFRESH_SECRET,
{ expiresIn: '7d' }
)
});
const authMiddleware = (req, res, next) => {
const authHeader = req.headers.authorization;
// Validate authorization header format
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Malformed authorization header' });
}
const parts = authHeader.split(' ');
if (parts.length !== 2) {
return res.status(401).json({ error: 'Malformed authorization header' });
}
const token = parts[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
req.user = jwt.verify(token, process.env.JWT_SECRET);
next();
} catch (err) {
res.status(401).json({ error: 'Invalid token' });
}
};
Security Requirements
- Always use HTTPS
- Store tokens in HttpOnly cookies (not localStorage)
- Hash passwords with bcrypt (cost factor 12+)
- Implement rate limiting on auth endpoints
- Rotate secrets regularly
- Never transmit tokens in URLs
Security Headers
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('Strict-Transport-Security', 'max-age=31536000');
next();
});
Additional Implementations
See references/python-flask.md for:
- Flask JWT with role-based access control decorators
- OAuth 2.0 Google integration with Authlib
- API key authentication with secure hashing
Common Mistakes to Avoid
- Storing plain-text passwords
- Using weak JWT secrets
- Ignoring token expiration
- Disabling HTTPS in production
- Logging sensitive tokens
Related Skills
secondsky/bun-runtime
tools
VerifiedTrustedCommunity
Use for Bun runtime, bunfig.toml, watch/hot modes, env vars, CLI flags, and module resolution.
144SKILL.mdUpdated May 15, 2026
secondsky/bun-redis
data-ai
VerifiedTrustedCommunity
Use when working with Redis in Bun (ioredis, Upstash), caching, pub/sub, session storage, or key-value operations.
144SKILL.mdUpdated May 15, 2026
secondsky/bun-react-ssr
development
VerifiedTrustedCommunity
Use when building server-rendered React with Bun, including streaming SSR, hydration, renderToString, or custom SSR without a framework.
144SKILL.mdUpdated May 15, 2026
secondsky/bun-package-manager
databases
VerifiedTrustedCommunity
Bun package manager commands (install, add, remove, update), workspaces, lockfiles, npm/yarn/pnpm migration. Use for dependency management with Bun.
144SKILL.mdUpdated May 15, 2026