MCP.directory

building-api-authentication

by jeremylongshore
0
1
Source

Build secure API authentication systems with OAuth2, JWT, API keys, and session management. Use when implementing secure authentication flows. Trigger with phrases like "build authentication", "add API auth", or "secure the API".

Install

mkdir -p .claude/skills/building-api-authentication && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6352" && unzip -o skill.zip -d .claude/skills/building-api-authentication && rm skill.zip

Installs to .claude/skills/building-api-authentication

About this skill

Building API Authentication

Overview

Build secure API authentication systems supporting JWT Bearer tokens, OAuth 2.0 authorization code and client credentials flows, API key management, and session-based authentication. Implement token issuance, validation, refresh rotation, revocation, and role-based access control (RBAC) with scoped permissions across all API endpoints.

Prerequisites

  • Cryptographic library: jsonwebtoken (Node.js), PyJWT (Python), or jjwt (Java)
  • Secure secret storage: environment variables, AWS Secrets Manager, or HashiCorp Vault for JWT signing keys
  • Database table for user credentials, refresh tokens, and API key storage
  • Bcrypt or Argon2 for password hashing (never store plaintext passwords)
  • OAuth 2.0 provider credentials for third-party auth integration (Google, GitHub, Auth0)

Instructions

  1. Examine existing authentication setup using Grep and Read, identifying current auth mechanisms, middleware placement, and any endpoints bypassing authentication.
  2. Implement JWT token issuance on successful login: sign with RS256 (asymmetric) or HS256 (symmetric), including sub (user ID), iat, exp (15-minute access token), roles, and scopes in the payload.
  3. Create authentication middleware that extracts the Bearer token from the Authorization header, verifies the signature and expiration, and injects the decoded user context into the request object.
  4. Implement refresh token rotation: issue a long-lived refresh token (30 days) alongside the access token, store a hash of the refresh token in the database, and rotate on each refresh (invalidating the previous token).
  5. Build role-based access control (RBAC) middleware that checks user.roles against endpoint-required roles, supporting both role-level (admin, user) and scope-level (read:users, write:orders) authorization.
  6. Add API key authentication as an alternative to JWT for machine-to-machine communication: generate cryptographically random keys, store hashed values, and validate against the X-API-Key header.
  7. Implement OAuth 2.0 client credentials flow for service-to-service authentication, with token caching and automatic renewal before expiration.
  8. Add brute-force protection on login endpoints: rate limit to 5 attempts per minute per IP, implement progressive lockout (15 min, 1 hour) after repeated failures, and log all authentication attempts.
  9. Write security tests covering: valid/invalid/expired tokens, refresh token rotation, role enforcement, API key validation, brute-force lockout, and token revocation.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full implementation guide.

Output

  • ${CLAUDE_SKILL_DIR}/src/auth/jwt.js - JWT token issuance, verification, and refresh logic
  • ${CLAUDE_SKILL_DIR}/src/auth/middleware.js - Bearer token authentication middleware
  • ${CLAUDE_SKILL_DIR}/src/auth/rbac.js - Role-based and scope-based access control middleware
  • ${CLAUDE_SKILL_DIR}/src/auth/api-keys.js - API key generation, hashing, and validation
  • ${CLAUDE_SKILL_DIR}/src/auth/oauth.js - OAuth 2.0 flow implementations
  • ${CLAUDE_SKILL_DIR}/src/routes/auth.js - Login, register, refresh, and logout endpoints
  • ${CLAUDE_SKILL_DIR}/tests/auth/ - Authentication and authorization security tests

Error Handling

ErrorCauseSolution
401 Token ExpiredJWT exp claim is in the pastClient should attempt token refresh; if refresh fails, redirect to login
401 Invalid SignatureJWT signed with different key or tampered payloadVerify signing key matches between issuance and validation; check for key rotation issues
403 Insufficient ScopeAuthenticated user lacks required role/scope for endpointReturn required scope in error body; log authorization failure with user and endpoint details
Refresh token reusePreviously rotated refresh token used (possible token theft)Invalidate all user sessions immediately; alert user of potential compromise; require re-authentication
API key leakedAPI key exposed in client-side code, logs, or version controlRevoke compromised key immediately; issue replacement; scan for exposure source

Refer to ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error patterns.

Examples

JWT with refresh rotation: Login returns {accessToken (15min), refreshToken (30d)}; client stores refresh token securely; on 401, client calls POST /auth/refresh with old refresh token, receives new pair, old refresh token is invalidated.

Multi-provider OAuth: Support "Sign in with Google" and "Sign in with GitHub" using OAuth 2.0 authorization code flow, creating local user accounts on first sign-in and linking subsequent provider connections.

API key with scoped permissions: Generate API keys with specific scopes (read:analytics, write:webhooks), stored as SHA-256 hashes, displayed to the user only once at creation, with key rotation support.

See ${CLAUDE_SKILL_DIR}/references/examples.md for additional examples.

Resources

More by jeremylongshore

View all skills by jeremylongshore

svg-icon-generator

jeremylongshore

Svg Icon Generator - Auto-activating skill for Visual Content. Triggers on: svg icon generator, svg icon generator Part of the Visual Content skill category.

10735

d2-diagram-creator

jeremylongshore

D2 Diagram Creator - Auto-activating skill for Visual Content. Triggers on: d2 diagram creator, d2 diagram creator Part of the Visual Content skill category.

8833

automating-mobile-app-testing

jeremylongshore

This skill enables automated testing of mobile applications on iOS and Android platforms using frameworks like Appium, Detox, XCUITest, and Espresso. It generates end-to-end tests, sets up page object models, and handles platform-specific elements. Use this skill when the user requests mobile app testing, test automation for iOS or Android, or needs assistance with setting up device farms and simulators. The skill is triggered by terms like "mobile testing", "appium", "detox", "xcuitest", "espresso", "android test", "ios test".

18728

performing-penetration-testing

jeremylongshore

This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.

5519

designing-database-schemas

jeremylongshore

Design and visualize efficient database schemas, normalize data, map relationships, and generate ERD diagrams and SQL statements.

12516

optimizing-sql-queries

jeremylongshore

This skill analyzes and optimizes SQL queries for improved performance. It identifies potential bottlenecks, suggests optimal indexes, and proposes query rewrites. Use this when the user mentions "optimize SQL query", "improve SQL performance", "SQL query optimization", "slow SQL query", or asks for help with "SQL indexing". The skill helps enhance database efficiency by analyzing query structure, recommending indexes, and reviewing execution plans.

5513

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

1,6771,424

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

1,2521,313

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

1,5221,142

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

1,345805

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

1,257725

pdf-to-markdown

aliceisjustplaying

Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.

1,464673

Related MCP Servers

Browse all servers
File System AccessFile System Access

Enable File System Access to read and analyze local files easily, with secure API key authentication and no manual uploa

130 tools
Put.ioPut.io

Control put.io file transfers remotely with AI, supporting easy management and browser-based downloads via secure authen

110 tools
Pinata IPFSPinata IPFS

Pinata IPFS enables secure storage, upload, and retrieval of files on decentralized networks with Pinata's IPFS API inte

40 tools
NotionNotion

Enhance productivity with AI-driven Notion automation. Leverage the Notion API for secure, automated workspace managemen

4,0000 tools
Basic MemoryBasic Memory

Basic Memory is a knowledge management system that builds a persistent semantic graph in markdown, locally and securely.

2,60617 tools
ClerkClerk

Securely manage Clerk authentication, users, sessions, orgs, and authorization for seamless identity and access control.

1,6736 tools