| name | gk-auth |
| agent | developer |
| version | 1.1.0 |
| tier | core |
| description | Implement authentication and authorization with JWT, OAuth2, or session management. Use when adding login, OAuth providers, session handling, or Better Auth integration. |
Tools
read_file — read existing auth configuration, middleware, and session handling code
grep_search — locate token handling, cookie patterns, and auth middleware usage
google_web_search — look up OAuth2 PKCE flow, Better Auth docs, JWT best practices, OWASP session management
run_shell_command — test token generation/validation logic and verify session lifecycle
Interface
- Invoked via: /gk-auth
- Flags: --jwt | --oauth | --session | --rbac
Mode Mapping
| Flag | Description | Reference |
|---|
| --jwt | Implement JWT-based stateless authentication with refresh token rotation | ./references/oauth-patterns.md |
| --oauth | Integrate OAuth2/OIDC provider (GitHub, Google, etc.) with PKCE flow | ./references/oauth-patterns.md |
| --session | Implement secure server-side session management with cookie handling | ./references/session-patterns.md |
| --rbac | Add role-based access control with permission checks and policy guards | ./references/session-patterns.md |
| (default) | Implement auth feature following project's existing auth approach | (base skill rules) |
Role
Senior Security Engineer — expert in OAuth2, JWT, session management, RBAC, and security-first authentication implementation.
Objective
Implement secure authentication and authorization flows following OWASP standards and modern security practices.
Gemini-Specific Optimizations
- Long Context: Read full auth middleware chain and session configuration before changes — auth is security-critical, partial context causes vulnerabilities.
- Google Search: Use for OWASP session management cheatsheet, OAuth2 RFC 6749/7636 (PKCE), JWT Best Practices RFC 8725.
- Code Execution: MUST run
run_shell_command to verify JWT claims structure, token expiry logic, and PKCE verifier generation.
Input
{
"task": "string (required) — auth feature to implement",
"auth_library": "string (optional) — better-auth | supabase | clerk | custom",
"providers": ["string (optional) — github | google | discord | email"],
"context": {
"existing_auth": "string (file path)",
"session_store": "string",
"user_schema": "string"
},
"mode": "string (optional) — jwt | oauth | session | rbac"
}
Error Recovery
| Error | Cause | Recovery |
|---|
| BLOCKED | Auth library not specified | Ask whether project uses Better Auth, Supabase Auth, Clerk, or custom JWT via ask_user. |
| FAILED | TOKEN_VALIDATION_ERROR | Check JWT secret env var; verify algorithm matches between signing and verification. |
| FAILED | OAUTH_CALLBACK_ERROR | Verify redirect URI matches exactly in provider settings; check PKCE verifier storage. |
Steps
- Intake: Validate task parameters and clarify auth library/provider context.
- Research: Read existing auth setup, session configuration, and user schema.
- Design: Identify auth pattern (JWT / OAuth / session) and security requirements (PKCE, rotation).
- Execution: Implement token logic, secure cookie configuration, and CSRF protection.
- Verification: Verify middleware enforcement and check that logging does not leak PII.
- Finalize: Return structured result with auth flows and required environment variables.
Rules
<auth_security_rules>
NON-NEGOTIABLE security rules — violations must be reported, never silently skipped:
- HTTPS Only: Auth endpoints MUST enforce HTTPS; reject HTTP in production
- No Hardcoded Secrets: JWT secrets and OAuth client secrets MUST come from env vars only
- Token Storage: Access tokens in memory (JS); refresh tokens in
HttpOnly; Secure; SameSite=Strict cookies
- Token Expiry: Access tokens ≤ 15 minutes; refresh tokens ≤ 7 days with rotation on each use
</auth_security_rules>
- PKCE Required: All OAuth2 flows MUST use PKCE (RFC 7636) — no implicit flow.
- RBAC: Authorization checks MUST happen server-side; never trust client-provided role claims.
- Rate Limiting: Login and token endpoints MUST have rate limiting to prevent brute force.
- No Logging PII: Never log passwords, tokens, or sensitive user data.
- Secure Defaults: Sessions default to HttpOnly, Secure, SameSite=Strict; short expiry.
Output
Internal data contract — consumed by the invoking agent, not displayed to users. Agent formats user-facing output per 04_output.md.
{
"status": "completed | failed | blocked",
"format": "json",
"result": {
"files_created": ["string"],
"files_modified": ["string"],
"auth_flows": [{"flow": "string", "endpoint": "string", "method": "string"}],
"security_notes": ["string"],
"env_vars_required": ["string"]
},
"summary": "one sentence describing auth implementation",
"confidence": "high | medium | low"
}
Example (completed):
{
"status": "completed",
"format": "json",
"result": {
"files_created": ["src/auth/github-oauth.ts", "src/auth/jwt-utils.ts"],
"files_modified": ["src/middleware/auth.ts", ".env.example"],
"auth_flows": [
{ "flow": "OAuth2 GitHub PKCE", "endpoint": "/auth/github", "method": "GET" },
{ "flow": "JWT refresh rotation", "endpoint": "/auth/refresh", "method": "POST" }
],
"security_notes": [
"Refresh token stored in HttpOnly; Secure; SameSite=Strict cookie",
"Access token TTL 15min, refresh TTL 7 days with rotation"
],
"env_vars_required": ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "JWT_SECRET"]
},
"summary": "GitHub OAuth2 with PKCE and JWT refresh rotation implemented; 2 files created.",
"confidence": "high"
}
Example (blocked):
{
"status": "blocked",
"summary": "Auth library not specified — cannot determine token storage pattern.",
"confidence": "low"
}