Run any Skill in Manus with one click

Get Started

auth-flow-designer

Stars10

Forks3

UpdatedJune 17, 2026 at 15:34

Design secure authentication and authorization flows — OAuth2, JWT, API keys, and RBAC for APIs

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

UitbreidenOS

UitbreidenOS/Claudient

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Software DevelopersComputer and Mathematical Occupations·SOC 15-1252

SKILL.md

readonly

name	auth-flow-designer
description	Design secure authentication and authorization flows — OAuth2, JWT, API keys, and RBAC for APIs
allowed-tools	["Read","Write","Bash","Grep"]
effort	high

When to activate

Designing authentication for new API endpoints
Implementing OAuth2 flows (authorization code, client credentials, PKCE)
Setting up JWT token generation, validation, and refresh
Designing role-based access control (RBAC) or ABAC policies
Migrating from API keys to token-based auth

When NOT to use

For frontend session management (different concern)
For SSO/SAML federation setup
For password hashing implementation details

Instructions

Identify auth requirements. Who are the consumers? (users, services, third-party apps). What data sensitivity?
Select auth method. API keys for server-to-server, OAuth2 + PKCE for user-facing apps, JWT for stateless microservices.
Design token structure. JWT claims: sub, iss, aud, exp, iat, scope. Keep payload minimal (<1KB).
Define token lifecycle. Access token: 15min expiry. Refresh token: 7-day rotation. Revocation: blacklist or token version.
Map scopes to endpoints. Document which scopes are required for each endpoint in OpenAPI spec security section.
Design error responses. 401 for missing/invalid token, 403 for insufficient scope, 429 for rate-limited auth attempts.
Security review. Verify: HTTPS only, no tokens in URLs, proper CORS, secure token storage recommendations.

Example

# OpenAPI security definition
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    apiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key

security:
  - bearerAuth: [read:users, write:users]
  - apiKeyAuth: []

More from this repository

same repository

agent-teams

UitbreidenOS/Claudient

Orchestrate multi-agent teams in Claude Code — set up coordinated sessions with task delegation, inter-agent communication, and parallel execution

2026-06-2310

ultraplan

UitbreidenOS/Claudient

Leverage Claude Code's ultra-deep planning mode for complex architecture decisions, multi-file refactors, and system design

2026-06-2310

ultrareview

UitbreidenOS/Claudient

Deep code review using Claude Code's thorough analysis mode — security, performance, correctness, and maintainability

2026-06-2310

swarm-sandbox

UitbreidenOS/Claudient

Safe isolated testing environment for multi-agent swarm topologies before production deployment

2026-06-2210

auto-summarizer

UitbreidenOS/Claudient

Automatically summarizes the current session context to prevent token window overflow.

2026-06-2210

prune-context

UitbreidenOS/Claudient

Claude Code context pruner: slash command to summarize session and reset token bloat

2026-06-1910

name	auth-flow-designer
description	Design secure authentication and authorization flows — OAuth2, JWT, API keys, and RBAC for APIs
allowed-tools	["Read","Write","Bash","Grep"]
effort	high

When to activate

Designing authentication for new API endpoints
Implementing OAuth2 flows (authorization code, client credentials, PKCE)
Setting up JWT token generation, validation, and refresh
Designing role-based access control (RBAC) or ABAC policies
Migrating from API keys to token-based auth

When NOT to use

For frontend session management (different concern)
For SSO/SAML federation setup
For password hashing implementation details

Instructions

Identify auth requirements. Who are the consumers? (users, services, third-party apps). What data sensitivity?
Select auth method. API keys for server-to-server, OAuth2 + PKCE for user-facing apps, JWT for stateless microservices.
Design token structure. JWT claims: sub, iss, aud, exp, iat, scope. Keep payload minimal (<1KB).
Define token lifecycle. Access token: 15min expiry. Refresh token: 7-day rotation. Revocation: blacklist or token version.
Map scopes to endpoints. Document which scopes are required for each endpoint in OpenAPI spec security section.
Design error responses. 401 for missing/invalid token, 403 for insufficient scope, 429 for rate-limited auth attempts.
Security review. Verify: HTTPS only, no tokens in URLs, proper CORS, secure token storage recommendations.

Example

# OpenAPI security definition
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    apiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key

security:
  - bearerAuth: [read:users, write:users]
  - apiKeyAuth: []