Claude Code Plugins


Backend authentication and authorization patterns. JWT, OAuth2, session management, RBAC, and secure token handling.


SKILL.md

name: authentication
description: Backend authentication and authorization patterns. JWT, OAuth2, session management, RBAC, and secure token handling.
sasmp_version: 2.0.0
bonded_agent: 03-api-development
bond_type: SECONDARY_BOND
atomic_operations: JWT_IMPLEMENTATION, OAUTH2_SETUP, SESSION_MANAGEMENT, RBAC_CONFIGURATION

Authentication Skill

Bonded to: api-development-agent (Secondary)


Quick Start

# Invoke authentication skill
"Implement JWT authentication for my API"
"Set up OAuth2 with Google login"
"Configure role-based access control"

Auth Methods Comparison

| Method  | Best For             | Stateless | Complexity |
|---------|----------------------|-----------|------------|
| JWT     | APIs, microservices  | Yes       | Medium     |
| OAuth2  | Third-party login    | Yes       | High       |
| Session | Traditional web apps | No        | Low        |
| API Key | Simple integrations  | Yes       | Low        |

Examples

JWT Authentication

from jose import jwt, JWTError
from datetime import datetime, timedelta, timezone

SECRET_KEY = "your-secret-key"  # placeholder: load from a secret store or environment, never commit a real key
ALGORITHM = "HS256"

def create_access_token(user_id: str, expires_delta: timedelta = timedelta(minutes=30)) -> str:
    # Timezone-aware "now" avoids the deprecated naive datetime.utcnow()
    expire = datetime.now(timezone.utc) + expires_delta
    return jwt.encode(
        {"sub": user_id, "exp": expire},
        SECRET_KEY,
        algorithm=ALGORITHM
    )

def verify_token(token: str) -> str:
    """Return the subject claim of a valid token; raise ValueError on any failure."""
    try:
        # Pin the accepted algorithms so the token header cannot choose them
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except JWTError as exc:
        raise ValueError("invalid or expired token") from exc
    subject = payload.get("sub")
    if not subject:
        raise ValueError("token has no subject claim")
    return subject
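The same issue/verify pair written against the standard library only, added here as an illustration and not code from the skill: it pins the algorithm server-side instead of trusting the token header, compares the signature in constant time, and tolerates a small clock skew via leeway (the "401 on valid token" case in the troubleshooting table). The secret, the `now` parameter and the timestamps are constructed demo values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret for this example only; load a real key from a secret store.
SECRET_KEY = b"demo-only-secret-do-not-use"
ALGORITHM = "HS256"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def create_access_token(user_id: str, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 JWT with iat/exp claims (now is injectable for tests)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": ALGORITHM, "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hs256_sign(f"{header}.{payload}".encode(), SECRET_KEY)
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_token(token: str, leeway_seconds: int = 30, now: Optional[int] = None) -> str:
    """Return the subject of a valid token; raise ValueError for anything else."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token header pick it ("none", key confusion)
    if header.get("alg") != ALGORITHM:
        raise ValueError("unexpected algorithm")
    expected = hs256_sign(f"{header_b64}.{payload_b64}".encode(), SECRET_KEY)
    # Constant-time comparison so a forged signature cannot be guessed byte by byte
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    # A small leeway absorbs issuer/verifier clock skew without accepting stale tokens
    if "exp" not in claims or now > int(claims["exp"]) + leeway_seconds:
        raise ValueError("token expired")
    subject = claims.get("sub")
    if not isinstance(subject, str) or not subject:
        raise ValueError("missing subject")
    return subject
```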

RBAC Implementation

from enum import Enum
from functools import wraps
from fastapi import HTTPException

class Role(Enum):
    ADMIN = "admin"
    USER = "user"
    VIEWER = "viewer"

# Static role -> permission map; every role lists its permissions explicitly
PERMISSIONS = {
    Role.ADMIN: ["read", "write", "delete", "admin"],
    Role.USER: ["read", "write"],
    Role.VIEWER: ["read"]
}

def require_permission(permission: str):
    """Decorator for async handlers: deny with 403 unless the user's role grants the permission."""
    def decorator(func):
        @wraps(func)
        async def wrapper(user, *args, **kwargs):
            # An unknown or missing role yields an empty permission list, so it is denied by default
            if permission not in PERMISSIONS.get(getattr(user, "role", None), []):
                raise HTTPException(status_code=403, detail="Forbidden")
            return await func(user, *args, **kwargs)
        return wrapper
    return decorator

Security Checklist

  • Use HTTPS everywhere
  • Short-lived access tokens (15-60 min)
  • Refresh token rotation
  • Secure token storage (HttpOnly cookies)
  • Rate limiting on auth endpoints
  • Account lockout after failed attempts

Troubleshooting

| Issue              | Cause        | Solution                 |
|--------------------|--------------|--------------------------|
| Token expired      | Short TTL    | Implement refresh tokens |
| Invalid signature  | Wrong secret | Verify SECRET_KEY        |
| 401 on valid token | Clock skew   | Sync server time         |

Resources