MCP.directory

building-api-authentication

by jeremylongshore
0
0
Source

Build secure API authentication systems with OAuth2, JWT, API keys, and session management. Use when implementing secure authentication flows. Trigger with phrases like "build authentication", "add API auth", or "secure the API".

Install

mkdir -p .claude/skills/building-api-authentication && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6352" && unzip -o skill.zip -d .claude/skills/building-api-authentication && rm skill.zip

Installs to .claude/skills/building-api-authentication

About this skill

Building API Authentication

Overview

Build secure API authentication systems supporting JWT Bearer tokens, OAuth 2.0 authorization code and client credentials flows, API key management, and session-based authentication. Implement token issuance, validation, refresh rotation, revocation, and role-based access control (RBAC) with scoped permissions across all API endpoints.

Prerequisites

  • Cryptographic library: jsonwebtoken (Node.js), PyJWT (Python), or jjwt (Java)
  • Secure secret storage: environment variables, AWS Secrets Manager, or HashiCorp Vault for JWT signing keys
  • Database table for user credentials, refresh tokens, and API key storage
  • Bcrypt or Argon2 for password hashing (never store plaintext passwords)
  • OAuth 2.0 provider credentials for third-party auth integration (Google, GitHub, Auth0)

Instructions

  1. Examine existing authentication setup using Grep and Read, identifying current auth mechanisms, middleware placement, and any endpoints bypassing authentication.
  2. Implement JWT token issuance on successful login: sign with RS256 (asymmetric) or HS256 (symmetric), including sub (user ID), iat, exp (15-minute access token), roles, and scopes in the payload.
  3. Create authentication middleware that extracts the Bearer token from the Authorization header, verifies the signature and expiration, and injects the decoded user context into the request object.
  4. Implement refresh token rotation: issue a long-lived refresh token (30 days) alongside the access token, store a hash of the refresh token in the database, and rotate on each refresh (invalidating the previous token).
  5. Build role-based access control (RBAC) middleware that checks user.roles against endpoint-required roles, supporting both role-level (admin, user) and scope-level (read:users, write:orders) authorization.
  6. Add API key authentication as an alternative to JWT for machine-to-machine communication: generate cryptographically random keys, store hashed values, and validate against the X-API-Key header.
  7. Implement OAuth 2.0 client credentials flow for service-to-service authentication, with token caching and automatic renewal before expiration.
  8. Add brute-force protection on login endpoints: rate limit to 5 attempts per minute per IP, implement progressive lockout (15 min, 1 hour) after repeated failures, and log all authentication attempts.
  9. Write security tests covering: valid/invalid/expired tokens, refresh token rotation, role enforcement, API key validation, brute-force lockout, and token revocation.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full implementation guide.

Output

  • ${CLAUDE_SKILL_DIR}/src/auth/jwt.js - JWT token issuance, verification, and refresh logic
  • ${CLAUDE_SKILL_DIR}/src/auth/middleware.js - Bearer token authentication middleware
  • ${CLAUDE_SKILL_DIR}/src/auth/rbac.js - Role-based and scope-based access control middleware
  • ${CLAUDE_SKILL_DIR}/src/auth/api-keys.js - API key generation, hashing, and validation
  • ${CLAUDE_SKILL_DIR}/src/auth/oauth.js - OAuth 2.0 flow implementations
  • ${CLAUDE_SKILL_DIR}/src/routes/auth.js - Login, register, refresh, and logout endpoints
  • ${CLAUDE_SKILL_DIR}/tests/auth/ - Authentication and authorization security tests

Error Handling

ErrorCauseSolution
401 Token ExpiredJWT exp claim is in the pastClient should attempt token refresh; if refresh fails, redirect to login
401 Invalid SignatureJWT signed with different key or tampered payloadVerify signing key matches between issuance and validation; check for key rotation issues
403 Insufficient ScopeAuthenticated user lacks required role/scope for endpointReturn required scope in error body; log authorization failure with user and endpoint details
Refresh token reusePreviously rotated refresh token used (possible token theft)Invalidate all user sessions immediately; alert user of potential compromise; require re-authentication
API key leakedAPI key exposed in client-side code, logs, or version controlRevoke compromised key immediately; issue replacement; scan for exposure source

Refer to ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error patterns.

Examples

JWT with refresh rotation: Login returns {accessToken (15min), refreshToken (30d)}; client stores refresh token securely; on 401, client calls POST /auth/refresh with old refresh token, receives new pair, old refresh token is invalidated.

Multi-provider OAuth: Support "Sign in with Google" and "Sign in with GitHub" using OAuth 2.0 authorization code flow, creating local user accounts on first sign-in and linking subsequent provider connections.

API key with scoped permissions: Generate API keys with specific scopes (read:analytics, write:webhooks), stored as SHA-256 hashes, displayed to the user only once at creation, with key rotation support.

See ${CLAUDE_SKILL_DIR}/references/examples.md for additional examples.

Resources

More by jeremylongshore

View all skills by jeremylongshore

svg-icon-generator

jeremylongshore

Svg Icon Generator - Auto-activating skill for Visual Content. Triggers on: svg icon generator, svg icon generator Part of the Visual Content skill category.

6814

d2-diagram-creator

jeremylongshore

D2 Diagram Creator - Auto-activating skill for Visual Content. Triggers on: d2 diagram creator, d2 diagram creator Part of the Visual Content skill category.

2412

performing-penetration-testing

jeremylongshore

This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.

379

designing-database-schemas

jeremylongshore

Design and visualize efficient database schemas, normalize data, map relationships, and generate ERD diagrams and SQL statements.

978

performing-security-audits

jeremylongshore

This skill allows Claude to conduct comprehensive security audits of code, infrastructure, and configurations. It leverages various tools within the security-pro-pack plugin, including vulnerability scanning, compliance checking, cryptography review, and infrastructure security analysis. Use this skill when a user requests a "security audit," "vulnerability assessment," "compliance review," or any task involving identifying and mitigating security risks. It helps to ensure code and systems adhere to security best practices and compliance standards.

86

django-view-generator

jeremylongshore

Generate django view generator operations. Auto-activating skill for Backend Development. Triggers on: django view generator, django view generator Part of the Backend Development skill category. Use when working with django view generator functionality. Trigger with phrases like "django view generator", "django generator", "django".

15

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318398

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

451339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
File System AccessFile System Access

Enable File System Access to read and analyze local files easily, with secure API key authentication and no manual uploa

130 tools
Put.ioPut.io

Control put.io file transfers remotely with AI, supporting easy management and browser-based downloads via secure authen

110 tools
Pinata IPFSPinata IPFS

Pinata IPFS enables secure storage, upload, and retrieval of files on decentralized networks with Pinata's IPFS API inte

40 tools
NotionNotion

Enhance productivity with AI-driven Notion automation. Leverage the Notion API for secure, automated workspace managemen

4,0000 tools
Basic MemoryBasic Memory

Basic Memory is a knowledge management system that builds a persistent semantic graph in markdown, locally and securely.

2,60617 tools
ClerkClerk

Securely manage Clerk authentication, users, sessions, orgs, and authorization for seamless identity and access control.

1,6736 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.