api-authentication

Implement secure authentication mechanisms for APIs using modern standards and best practices.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "api-authentication" with this command: npx skills add secondsky/claude-skills/secondsky-claude-skills-api-authentication

API Authentication

Authentication Methods

Method      Use Case                   Security Level
JWT         Stateless auth, SPAs       High
OAuth 2.0   Third-party integration    High
API Keys    Service-to-service         Medium
Session     Traditional web apps       High

JWT Implementation (Node.js)

const jwt = require('jsonwebtoken');

const generateTokens = (user) => ({
  // Short-lived access token carrying the claims the API needs
  accessToken: jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' }
  ),
  // Longer-lived refresh token, signed with a separate secret and marked by type
  refreshToken: jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  )
});

const authMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;

  // Validate authorization header format
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const parts = authHeader.split(' ');
  if (parts.length !== 2) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const token = parts[1];
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }

  try {
    // Pin the algorithm so a token presenting a different "alg" is rejected
    req.user = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
    next();
  } catch (err) {
    return res.status(401).json({ error: 'Invalid token' });
  }
};

Security Requirements

  • Always use HTTPS

  • Store tokens in HttpOnly cookies (not localStorage)

  • Hash passwords with bcrypt (cost factor 12+)

  • Implement rate limiting on auth endpoints

  • Rotate secrets regularly

  • Never transmit tokens in URLs

Security Headers

app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
});

Additional Implementations

See references/python-flask.md for:

  • Flask JWT with role-based access control decorators

  • OAuth 2.0 Google integration with Authlib

  • API key authentication with secure hashing

Common Mistakes to Avoid

  • Storing plain-text passwords

  • Using weak JWT secrets

  • Ignoring token expiration

  • Disabling HTTPS in production

  • Logging sensitive tokens

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
