authentication-setup_skill

This skill helps you design and implement secure authentication and authorization systems, including JWT, OAuth, and RBAC, across your backend.
  • Shell

24

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill supercent-io/skills-template --skill authentication-setup

  • SKILL.md20.1 KB
  • SKILL.toon879 B

Overview

This skill designs and implements authentication and authorization systems for web services. It covers user login, secure password storage, JWT and session token management, OAuth/Social SSO, MFA support, and role-based access control. Use it to produce a secure, auditable auth layer aligned with best practices and environment-based secrets management.

How this skill works

I inspect project inputs (chosen auth method, framework, database, and security requirements) and produce a step-by-step implementation plan. Deliverables include database schemas, password hashing and verification, JWT generation/verification, authentication middleware, API endpoints (register/login/refresh/logout/me), and optional OAuth/MFA integration. I also provide .env templates, required configuration, and constraints to ensure secrets and sensitive data are handled correctly.

When to use it

  • Adding user authentication to a new application
  • Securing REST or GraphQL APIs with token-based auth
  • Implementing role-based access control (RBAC) for protected routes
  • Migrating an existing auth system to JWT or OAuth
  • Integrating Single Sign-On (Google, GitHub, Microsoft) or MFA

Best practices

  • Never store plaintext passwords; use argon2 or bcrypt with salt rounds >= 10
  • Keep all secrets in environment variables and provide a .env.example
  • Limit JWT payload to minimal claims (user_id, role) and avoid sensitive data
  • Use short-lived access tokens (15m) and store refresh tokens server-side for revocation
  • Enforce HTTPS, CORS restrictions, input validation, and rate limiting on auth endpoints

Example use cases

  • Express + PostgreSQL: implement JWT access (15m) and refresh tokens (7d) with DB-stored refresh tokens for revocation
  • FastAPI + PostgreSQL: use argon2-cffi for password hashing and OAuth2PasswordBearer for token flow
  • Django app: integrate social login (Google/GitHub) with OAuth provider table and optional MFA via TOTP
  • API protecting admin endpoints: add authenticate middleware and requireRole('admin') to return 403 for insufficient permissions
  • Auth migration: plan data model changes, add new token tables, and provide migration steps to move from session to JWT

FAQ

Yes. Storing refresh tokens server-side enables explicit revocation and expiration checks, improving security.

When to choose argon2 vs bcrypt?

Use argon2 for stronger modern hashing when performance trade-offs are acceptable. Use bcrypt for wide compatibility and slightly better performance.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
authentication-setup skill by supercent-io/skills-template | VeilStrat