
This skill helps you design and implement secure API authentication using OAuth2, JWT, API keys, and session management.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill building-api-authentication


SKILL.md
---
name: building-api-authentication
description: |
  Build secure API authentication systems with OAuth2, JWT, API keys, and session management.
  Use when implementing secure authentication flows.
  Trigger with phrases like "build authentication", "add API auth", or "secure the API".
  
allowed-tools: Read, Write, Edit, Grep, Glob, Bash(api:auth-*)
version: 1.0.0
author: Jeremy Longshore <[email protected]>
license: MIT
---

# Building API Authentication

## Overview

This skill provides automated assistance for API authentication builder tasks.

## Prerequisites

Before using this skill, ensure you have:
- API design specifications or requirements documented
- Development environment with necessary frameworks installed
- Database or backend services accessible for integration
- Authentication and authorization strategies defined
- Testing tools and environments configured

## Instructions

1. Use the Read tool to examine existing API specifications from {baseDir}/api-specs/
2. Define resource models, endpoints, and HTTP methods
3. Document request/response schemas and data types
4. Identify authentication and authorization requirements
5. Plan error handling and validation strategies
6. Generate boilerplate code using Bash(api:auth-*) with framework scaffolding
7. Implement endpoint handlers with business logic
8. Add input validation and schema enforcement
9. Integrate authentication and authorization middleware
10. Configure database connections and ORM models
11. Write integration tests covering all endpoints


See `{baseDir}/references/implementation.md` for the detailed implementation guide.

## Output

- `{baseDir}/src/routes/` - Endpoint route definitions
- `{baseDir}/src/controllers/` - Business logic handlers
- `{baseDir}/src/models/` - Data models and schemas
- `{baseDir}/src/middleware/` - Authentication, validation, logging
- `{baseDir}/src/config/` - Configuration and environment variables
- OpenAPI 3.0 specification with complete endpoint definitions

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources

- Express.js and Fastify for Node.js APIs
- Flask and FastAPI for Python APIs
- Spring Boot for Java APIs
- Gin and Echo for Go APIs
- OpenAPI Specification 3.0+ for API documentation

Overview

This skill automates designing and implementing secure API authentication systems using OAuth2, JWTs, API keys, and session management. It guides you from threat-informed requirements to middleware, token handling, and test coverage. The goal is practical, production-ready auth layers that integrate with common frameworks and OpenAPI documentation.

How this skill works

The skill inspects the API surface and authentication requirements, then scaffolds endpoint auth flows, middleware, token issuance, validation, and revocation patterns. It generates or suggests code for bearer token handling, API key verification, OAuth2/OIDC flows (including PKCE), session stores, and integration points for databases and identity providers. It also recommends OpenAPI artifacts and test scenarios to validate auth behavior.

When to use it

  • Adding authentication to a new or existing API
  • Choosing between OAuth2, JWT, API keys, or session approaches
  • Implementing token issuance, refresh, and revocation logic
  • Securing microservice-to-microservice calls and service accounts
  • Preparing compliance-ready auth controls (audit logs, rotation, expiry)

Best practices

  • Follow least-privilege and scope-based authorization, issuing tokens with minimal permissions.
  • Use short-lived access tokens and refresh tokens; enforce token revocation and rotation.
  • Always transmit credentials and tokens over TLS; use secure cookie attributes for session cookies.
  • Validate tokens server-side (signature, issuer, audience, expiry) and check revocation lists for critical flows.
  • Log auth events, monitor failed attempts, and rate-limit auth endpoints to mitigate brute-force attacks.

Example use cases

  • Public REST API: issue and validate API keys for rate-limited client tiers.
  • Single-page or mobile apps: implement OAuth2 Authorization Code with PKCE and short-lived JWT access tokens.
  • Backend services: use signed JWTs or mTLS for service-to-service authentication with scoped permissions.
  • Legacy web apps: migrate session stores to secure, HttpOnly cookies and add CSRF protections.
  • Hybrid setups: combine API keys for machine clients and OAuth2 for user-driven flows, centralizing token validation.
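An added example (not code from this skill) for the public REST API case above: API keys are minted as a public key id plus a secret, only a hash of the secret is persisted, verification uses a constant-time comparison, and the record's tier maps to a rate limit. The `ApiKeyRecord` type, the in-memory `store` dict and the `RATE_LIMITS` table are constructed stand-ins for a database and configuration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ApiKeyRecord:
    key_id: str        # public prefix, safe to log and to index on
    key_hash: str      # SHA-256 of the secret part; the plaintext is never stored
    tier: str          # client tier that drives the rate limit
    active: bool = True


# Constructed per-tier limits (requests per minute); a real service reads these from config.
RATE_LIMITS = {"free": 60, "pro": 1000}


def issue_api_key(store: dict, tier: str) -> str:
    """Mint a key of the form <key_id>.<secret>; only the hash of <secret> is persisted."""
    key_id = secrets.token_hex(6)
    secret = secrets.token_urlsafe(32)
    store[key_id] = ApiKeyRecord(key_id, hashlib.sha256(secret.encode()).hexdigest(), tier)
    return f"{key_id}.{secret}"


def verify_api_key(store: dict, presented: str):
    """Return (tier, rate_limit) for a valid, active key, otherwise None."""
    key_id, sep, secret = presented.partition(".")
    rec = store.get(key_id)
    if not sep or rec is None or not rec.active:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Compare fixed-length hex digests in constant time, never the raw secret.
    if not hmac.compare_digest(digest, rec.key_hash):
        return None
    return rec.tier, RATE_LIMITS[rec.tier]


def revoke_api_key(store: dict, key_id: str) -> bool:
    """Disable a key by its public id; the secret is not needed to revoke."""
    rec = store.get(key_id)
    if rec is None:
        return False
    rec.active = False
    return True
```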

FAQ

How do I choose between JWTs, API keys, and sessions?

Choose based on client type and threat model: use OAuth2/JWT for scalable stateless user auth and delegated access, API keys for simple machine-to-machine identification, and server-side sessions when you need easy revocation and browser-friendly controls.

What tests should I run to validate authentication?

Run unit tests for token issuance/validation, integration tests for full auth flows (login, refresh, revoke), negative tests for expired/invalid tokens, and end-to-end tests enforcing scopes and rate limits.