playbooks

home / skills / willsigmon / sigstack / knack-auth

knack-auth skill

/archive/knack-auth

This skill manages Knack API keys and user tokens, handling session creation, refresh, and credential validation for secure API access.

npx playbooks add skill willsigmon/sigstack --skill knack-auth

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.4 KB
---
name: Knack Auth
description: Handles API key and user token authentication for secure Knack API access. Manages session creation, refresh, and credential validation.
allowed-tools: Read
---

# Knack Auth

## Purpose
Handles API key and user token authentication for secure Knack API access. Manages session creation, refresh, and credential validation.

## Authentication Methods

### 1. API Key Authentication (Server-Side)
**Use**: Backend operations, automated reporting, data sync

**Headers**:
```javascript
{
  "X-Knack-Application-Id": process.env.KNACK_APP_ID,
  "X-Knack-REST-API-Key": process.env.KNACK_API_KEY
}
```

**Permissions**: Full read/write access to all objects

### 2. User Token Authentication (User-Specific)
**Use**: Dashboard views with user-level permissions

**Headers**:
```javascript
{
  "X-Knack-Application-Id": process.env.KNACK_APP_ID,
  "Authorization": user_token
}
```

## Core Functions

### login_user
**Endpoint**: `POST /v1/applications/{app_id}/session`

**Payload**:
```json
{
  "email": "[email protected]",
  "password": "secure_password"
}
```

**Response**:
```json
{
  "session": {
    "user": {
      "id": "user_123",
      "token": "abc123xyz..."
    }
  }
}
```

**Example**:
```javascript
const session = await login_user({
  email: "[email protected]",
  password: process.env.ADMIN_PASSWORD
});

const user_token = session.session.user.token;
```

### refresh_token
**Purpose**: Renew expired user sessions automatically

**Logic**:
- User tokens expire after 24 hours
- Monitor token age
- Auto-refresh before expiration
- Store refreshed token securely

**Example**:
```javascript
if (isTokenExpired(current_token)) {
  const new_token = await refresh_token(current_token);
  updateStoredToken(new_token);
}
```

### validate_credentials
**Purpose**: Verify API key and app ID before operations

**Check**:
```javascript
const isValid = await validate_credentials({
  app_id: process.env.KNACK_APP_ID,
  api_key: process.env.KNACK_API_KEY
});
```

## Environment Variables

Required in `.env`:
```bash
KNACK_APP_ID=your_app_id
KNACK_API_KEY=your_api_key
[email protected]
ADMIN_PASSWORD=secure_password
```

## Security Best Practices

1. **Never commit credentials** to version control
2. **Use environment variables** for all secrets
3. **Rotate API keys** quarterly (align with QAR schedule)
4. **Limit user token lifespan** to 24 hours
5. **Log authentication failures** for audit trail

## HTI-Specific Roles

### Admin Users
- Full CRUD access
- Grant reporting permissions
- Donor management

### Volunteer Users
- Read-only access to training materials
- Event check-in capabilities

### Public Dashboard
- API key auth only
- No user-specific data

## Error Handling

```javascript
try {
  const token = await login_user(credentials);
} catch (error) {
  if (error.status === 401) {
    console.error("Invalid credentials");
  } else if (error.status === 429) {
    console.error("Rate limit exceeded - retry after delay");
  }
}
```

## Integration Points

- **knack_reader**: Provides auth headers
- **knack_realtime**: Maintains user sessions for webhooks
- **knack_reporting_sync**: Admin-level access for report generation
- **knack_devops**: Manages credential rotation in CI/CD

## Grant Compliance
- Audit logs required for NCDIT reporting
- Track all admin access to donation/device data
- Maintain separation between operational and financial data access

Overview

This skill manages API key and user token authentication for secure access to Knack APIs. It creates and refreshes sessions, validates credentials, and exposes headers required for server-side and user-specific requests. The implementation focuses on secure storage and automatic token lifecycle management.

How this skill works

It supports two authentication modes: server-side API key headers for full read/write operations and user-token headers for user-scoped access. The skill implements login_user to obtain a session, refresh_token to renew tokens before expiry, and validate_credentials to confirm app ID and API key validity. It monitors token age, auto-refreshes within the 24-hour token lifetime, and returns canonical auth headers for downstream components.

When to use it

  • Backend jobs, reporting, and data sync that require full access via API keys
  • User-facing dashboards and webhooks needing per-user permissions via user tokens
  • CI/CD jobs that rotate or validate credentials
  • Integrations that must validate app_id and api_key before heavy operations
  • Real-time session management for webhook or realtime components

Best practices

  • Store KNACK_APP_ID, KNACK_API_KEY, ADMIN_EMAIL, and ADMIN_PASSWORD in environment variables only
  • Never commit credentials to version control and use secret stores in CI/CD
  • Rotate API keys regularly (quarterly recommended) and audit rotations
  • Monitor token age and refresh user tokens before the 24-hour expiry window
  • Log authentication failures and rate-limit responses for audit and debugging

Example use cases

  • Generate server-side auth headers for nightly reporting jobs using KNACK_API_KEY
  • Authenticate a dashboard user with login_user and attach their token to requests
  • Auto-refresh user tokens in a realtime session manager to keep webhooks active
  • Validate credentials during startup to fail fast if app_id or api_key are misconfigured
  • Rotate API keys from a devops pipeline and update dependent services via knack_devops

FAQ

What headers should I send for server-side operations?

Include X-Knack-Application-Id and X-Knack-REST-API-Key with values from environment variables.

How often do user tokens expire and how are they renewed?

User tokens expire after 24 hours. The skill monitors token age and calls refresh_token to renew tokens before expiry, then securely persists the refreshed token.