authentication_skill

This skill helps you implement authentication security best practices across OAuth2, JWT, MFA, and session management for production systems.
  • Python

13

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/standards --skill authentication

  • SKILL.md25.2 KB

Overview

This skill codifies production-ready authentication security standards for modern applications. It covers OAuth2 flows (authorization code with PKCE and client credentials), JWT best practices (RS256, short expirations, refresh rotation), MFA options (TOTP and WebAuthn), session management, and mapping to NIST 800-63B controls for compliance.

How this skill works

The skill inspects authentication architecture and provides concrete implementation patterns and code snippets to enforce standards: PKCE for public clients, RS256-signed JWTs with strict audience/issuer checks, short-lived access tokens and rotating refresh tokens, and secure cookie-based sessions. It also includes MFA setup (TOTP provisioning, recovery codes) and WebAuthn registration/verification flows, plus session controls like absolute timeouts and concurrent session limits.

When to use it

  • When bootstrapping a new service that requires secure user authentication
  • When hardening an existing auth system for production or compliance (NIST 800-63B)
  • When implementing OAuth2 for SPAs, mobile apps, or service-to-service auth
  • When designing token strategies: access token lifetimes, refresh rotation, and JWT validation
  • When adding MFA (TOTP or hardware-backed WebAuthn) and secure session handling

Best practices

  • Always require MFA for sensitive operations and privileged accounts (TOTP or WebAuthn)
  • Sign JWTs using RS256 asymmetric keys; validate issuer, audience, algorithms, and expirations
  • Keep access tokens short (≈15 minutes) and use rotating refresh tokens stored in httpOnly, secure cookies
  • Use Authorization Code flow with PKCE for public clients; use client credentials for service-to-service
  • Configure session cookies with secure=true, httpOnly=true, sameSite=strict and enforce absolute session timeouts and lockouts after repeated failures

Example use cases

  • Implementing an OAuth2 login for a single-page application using PKCE and short access tokens
  • Issuing RS256 JWT access and refresh tokens with server-side rotation and audit logging
  • Adding TOTP-based MFA with QR provisioning and recovery code generation
  • Deploying WebAuthn to support hardware keys for phishing-resistant second factors
  • Enforcing session limits and absolute timeouts with a Redis-backed session store for web apps

FAQ

RS256 uses asymmetric keys so private signing keys stay on the auth server while public keys can be distributed to resource servers, avoiding shared secret leaks common with HS256.

How short should access tokens be?

Aim for about 10–15 minutes for access tokens and use refresh tokens with rotation and secure storage (httpOnly cookies) to balance UX and security.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
authentication skill by williamzujkowski/standards | VeilStrat