auth-patterns
Authentication and authorization patterns — JWT, OAuth 2.0, sessions, RBAC/ABAC, password security, MFA, and vulnerability prevention. Use when implementing login flows, protecting routes, managing tokens, or auditing auth security.
Why use this skill?
Learn to implement secure JWT, OAuth 2.0, and RBAC patterns. Get expert guidance on login flows, token storage, and vulnerability prevention.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/wpank/auth-patterns
What This Skill Does
The auth-patterns skill serves as a rigorous technical advisor for implementing secure authentication and authorization architectures. It provides expert guidance on modern identity management, covering JWT-based stateless authentication, OAuth 2.0 delegated flows, and secure session management. The skill acts as a security auditor for your login flows, advising on industry-standard practices such as token rotation, appropriate signing algorithms (RS256 vs HS256, with the expected algorithm pinned by the verifier rather than read from the token's own header), and secure cookie configuration (Secure, HttpOnly, SameSite=Strict or Lax). It helps developers move from insecure practices, such as storing tokens in localStorage where any XSS payload can read them, to hardened, production-ready patterns.
Installation
To integrate this skill into your OpenClaw agent, execute the following command in your terminal:
clawhub install openclaw/skills/skills/wpank/auth-patterns
Use Cases
- Microservices Security: Designing an architecture where an identity provider issues tokens that are verified across multiple downstream services using asymmetric signing (RS256).
- Web Security Hardening: Migrating an existing session-based application to hardened cookie settings (Secure, HttpOnly, SameSite) so that an XSS payload cannot read and exfiltrate the session token.
- API Governance: Implementing role-based access control (RBAC) within your JWT claims to restrict endpoint access based on user authorization levels.
- Authentication Flow Design: Selecting the correct OAuth 2.0 flow (e.g., Authorization Code with PKCE) for specific client types like mobile apps or SPAs.
Example Prompts
- "I am building a React SPA and a Node.js backend. What is the most secure way to store JWTs to prevent both XSS and CSRF?"
- "Compare HS256 and RS256 for a distributed microservices environment and explain the key rotation requirements for both."
- "My user authentication system needs to support 'Login with Google'. How do I securely handle the OAuth 2.0 callback and map the incoming claims to my internal database roles?"
Tips & Limitations
This skill is an advisory tool: it provides architectural patterns and security heuristics but does not execute code. Always validate your final implementation with a security-focused library or framework rather than hand-rolled primitives, and put it through your normal review and testing. When implementing refresh token rotation, make sure your backend handles the race where a client retries with the old refresh token because the response carrying the new one was lost in transit; a strict "any reuse revokes the token family" policy will log that user out, so choose deliberately between a short grace window for the immediately previous token and immediate revocation. Security is an ongoing process, and these patterns should be reviewed during regular audits to account for evolving threats.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-wpank-auth-patterns": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Related Skills
mermaid-diagrams
Create software diagrams using Mermaid syntax. Use when users need to create, visualize, or document software through diagrams including class diagrams, sequence diagrams, flowcharts, ERDs, C4 architecture diagrams, state diagrams, git graphs, and other diagram types. Triggers include requests to diagram, visualize, model, map out, or show the flow of a system.
api-design-principles
Skill by wpank
auto-context
Automatically read relevant context before major actions. Loads TODO.md, roadmap.md, handoffs, task plans, and other project context files so the AI operates with full situational awareness. Use when starting a task, implementing a feature, refactoring, debugging, planning, or resuming a session.
clear-writing
Write clear, concise prose for humans — documentation, READMEs, API docs, commit messages, error messages, UI text, reports, and explanations. Combines Strunk's rules for clearer prose with technical documentation patterns, structure templates, and review checklists.
track-performance
Track the performance of Uniswap LP positions over time — check which positions need attention, are out of range, or have uncollected fees. Use when the user asks how their positions are doing.