Authentication, authorization, and API security implementation. Use when building user systems, protecting APIs, or implementing access control. Covers OAuth 2.1/OIDC, JWT patterns, sessions, Passkeys/WebAuthn, RBAC/ABAC/ReBAC, policy engines (OPA, Casbin, SpiceDB), managed auth (Clerk, Auth0), self-hosted (Keycloak, Ory), and API security best practices.
View on GitHub: ancoleman/ai-design-components
backend-ai-skills
February 1, 2026
Install:

```
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/securing-authentication/SKILL.md -a claude-code --skill securing-authentication
```

Installation paths:

```
.claude/skills/securing-authentication/
```

# Authentication & Security

Implement modern authentication, authorization, and API security across Python, Rust, Go, and TypeScript.

## When to Use This Skill

Use this skill when:

- Building user authentication systems (login, signup, SSO)
- Implementing authorization (roles, permissions, access control)
- Securing APIs (JWT validation, rate limiting)
- Adding passwordless auth (Passkeys/WebAuthn)
- Migrating from password-based to modern auth
- Integrating enterprise SSO (SAML, OIDC)
- Implementing fine-grained permissions (RBAC, ABAC, ReBAC)

## OAuth 2.1 Mandatory Requirements (2025 Standard)

```
┌─────────────────────────────────────────────────────────────┐
│              OAuth 2.1 MANDATORY REQUIREMENTS               │
│                      (RFC 9798 - 2025)                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ✅ REQUIRED (Breaking Changes from OAuth 2.0)              │
│  ├─ PKCE (Proof Key for Code Exchange) MANDATORY            │
│  │  └─ S256 method (SHA-256), minimum entropy 43 chars      │
│  ├─ Exact redirect URI matching                             │
│  │  └─ No wildcard matching, no substring matching          │
│  ├─ Authorization code flow ONLY for public clients         │
│  │  └─ All other flows require confidential client          │
│  └─ TLS 1.2+ required for all endpoints                     │
│                                                             │
│  ❌ REMOVED (No Longer Supported)                           │
│  ├─ Implicit grant (security vulnerabilities)               │
│  ├─ Resource Owner Password Credentials grant               │
│  │  └─ Use OAuth 2.0 Device Flow (RFC 8628) instead         │
│  └─ Bearer token in query parameters                        │
│     └─ Must use Authorization header or POST body           │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
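The following is an added example, not code from the skill or the ancoleman/ai-design-components project, showing what three of the requirements in the box above look like when enforced in code: S256-only PKCE with the 43..128 character verifier bound (RFC 7636), exact-string redirect URI matching with no prefix or wildcard logic, and bearer token extraction that refuses an `access_token` in the query string while still accepting the `Authorization` header or a POST body field (RFC 6750). The loopback exception for plain `http://` on `127.0.0.1`/`::1` follows RFC 8252 for native apps and is an assumption beyond what the box states; all URLs and tokens below are constructed sample values.

```python
"""Added example (not the skill's own code): OAuth 2.1 checks for PKCE,
redirect URI matching and bearer token placement. Sample values are constructed."""
from __future__ import annotations

import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlsplit

# RFC 7636: code_verifier length must be between 43 and 128 characters.
VERIFIER_MIN, VERIFIER_MAX = 43, 128

# Assumption (RFC 8252 native-app loopback exception): plain http is tolerated
# only for these hosts; every other redirect target must be https.
LOOPBACK_HOSTS = ("127.0.0.1", "::1")


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as PKCE and JWT both require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to exactly 43 chars, the OAuth 2.1 minimum."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Authorization-server side of the token request.

    Only S256 is accepted ('plain' is refused outright), the verifier length is
    bounded, and the comparison is constant-time."""
    if method != "S256":
        return False
    if not (VERIFIER_MIN <= len(verifier) <= VERIFIER_MAX):
        return False
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Exact string match against the registered list: no wildcards, no prefix or
    substring matching, and query-string differences are treated as a mismatch.
    Additionally requires https except for loopback hosts (assumption, RFC 8252)."""
    if requested not in registered:
        return False
    parts = urlsplit(requested)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def extract_bearer_token(
    headers: dict[str, str], query: dict[str, str], form: dict[str, str]
) -> Optional[str]:
    """Resource-server side: a token in the query string is rejected (the OAuth 2.1
    removal above), otherwise the Authorization header wins, then the POST body."""
    if "access_token" in query:
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return form.get("access_token") or None


if __name__ == "__main__":
    # Client side: generate verifier + challenge, server side: verify at token exchange.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("pkce ok:", verify_pkce(verifier, challenge))
    print("plain refused:", verify_pkce(verifier, challenge, method="plain"))
    registered = ["https://app.example/cb"]  # constructed sample registration
    print("prefix attempt allowed:", redirect_uri_allowed("https://app.example/cbx", registered))
    print("query token allowed:", extract_bearer_token({}, {"access_token": "t"}, {}))
```

Run as a script it prints the outcome of each check; the PKCE test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a convenient way to confirm the S256 transform against a known-good value.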