auth-ops

Authentication and authorization patterns - JWT, OAuth2, sessions, RBAC, ABAC, passkeys, and MFA. Use for: authentication, authorization, jwt, oauth, oauth2, session, login, rbac, abac, passkey, mfa, totp, api key, token, auth, cookie, csrf, cors credentials, bearer token, refresh token, oidc.
0xDarkMatter/claude-mods · ★ 22 · API & Backend · score 74
Install: claude install-skill 0xDarkMatter/claude-mods
# Auth Operations

Comprehensive authentication and authorization patterns for secure application development across languages and frameworks.

## Authentication Method Decision Tree

Use this tree to select the right authentication strategy for your use case.

```
What are you building?
│
├─ Traditional web application (server-rendered)?
│  └─ Session-based authentication
│     ├─ Server stores session data (Redis/DB)
│     ├─ Session ID in httpOnly cookie
│     └─ Best for: monoliths, SSR apps, admin panels
│
├─ API consumed by multiple clients?
│  └─ JWT (JSON Web Tokens)
│     ├─ Stateless, self-contained tokens
│     ├─ Access token (short-lived) + refresh token (long-lived)
│     └─ Best for: microservices, mobile apps, SPAs via BFF
│
├─ Service-to-service communication?
│  └─ API keys or Client Credentials (OAuth2)
│     ├─ API keys: simple, scoped, rotatable
│     ├─ Client Credentials: OAuth2 standard, token-based
│     └─ Best for: internal services, third-party integrations
│
├─ Third-party login (Google, GitHub, etc.)?
│  └─ OAuth2 / OpenID Connect
│     ├─ Authorization Code + PKCE for web/mobile
│     ├─ Delegate identity to trusted providers
│     └─ Best for: consumer apps, social login
│
└─ Passwordless authentication?
   └─ Passkeys (WebAuthn) or Magic Links
      ├─ Passkeys: phishing-resistant, biometric/hardware
      ├─ Magic links: email-based, time-limited
      └─ Best for: high-security, modern UX
```

## JWT Quick Reference

### Structure

```
Heade