- Home
- Skills
- Supercent Io
- Skills Template
- Authentication Setup
authentication-setup_skill
- Shell
24
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill supercent-io/skills-template --skill authentication-setup- SKILL.md20.1 KB
- SKILL.toon879 B
Overview
This skill designs and implements authentication and authorization systems for web services. It covers user login, secure password storage, JWT and session token management, OAuth/Social SSO, MFA support, and role-based access control. Use it to produce a secure, auditable auth layer aligned with best practices and environment-based secrets management.
How this skill works
I inspect project inputs (chosen auth method, framework, database, and security requirements) and produce a step-by-step implementation plan. Deliverables include database schemas, password hashing and verification, JWT generation/verification, authentication middleware, API endpoints (register/login/refresh/logout/me), and optional OAuth/MFA integration. I also provide .env templates, required configuration, and constraints to ensure secrets and sensitive data are handled correctly.
When to use it
- Adding user authentication to a new application
- Securing REST or GraphQL APIs with token-based auth
- Implementing role-based access control (RBAC) for protected routes
- Migrating an existing auth system to JWT or OAuth
- Integrating Single Sign-On (Google, GitHub, Microsoft) or MFA
Best practices
- Never store plaintext passwords; use argon2 or bcrypt with salt rounds >= 10
- Keep all secrets in environment variables and provide a .env.example
- Limit JWT payload to minimal claims (user_id, role) and avoid sensitive data
- Use short-lived access tokens (15m) and store refresh tokens server-side for revocation
- Enforce HTTPS, CORS restrictions, input validation, and rate limiting on auth endpoints
Example use cases
- Express + PostgreSQL: implement JWT access (15m) and refresh tokens (7d) with DB-stored refresh tokens for revocation
- FastAPI + PostgreSQL: use argon2-cffi for password hashing and OAuth2PasswordBearer for token flow
- Django app: integrate social login (Google/GitHub) with OAuth provider table and optional MFA via TOTP
- API protecting admin endpoints: add authenticate middleware and requireRole('admin') to return 403 for insufficient permissions
- Auth migration: plan data model changes, add new token tables, and provide migration steps to move from session to JWT
FAQ
Yes. Storing refresh tokens server-side enables explicit revocation and expiration checks, improving security.
When to choose argon2 vs bcrypt?
Use argon2 for stronger modern hashing when performance trade-offs are acceptable. Use bcrypt for wide compatibility and slightly better performance.