reviewing-security-architecture
Installation
SKILL.md
Authentication Architecture
Token Handling
Review these aspects of token-based authentication:
| Aspect | Secure Pattern | Anti-Pattern |
|---|---|---|
| Issuance | Short-lived tokens with refresh mechanism | Long-lived tokens that never expire |
| Validation | Validate signature, issuer, audience, and expiry on every request | Validate only the signature, or skip validation for "internal" calls |
| Storage (server) | Stateless JWT or server-side session store | Token stored in querystring or URL |
| Storage (client) | HttpOnly Secure cookies or secure platform storage | localStorage, sessionStorage, or cookies without HttpOnly/Secure flags |
| Refresh | Refresh token rotation (old refresh token invalidated on use) | Reusable refresh tokens with no rotation |
| Revocation | Token blocklist or short expiry + refresh rotation | No revocation mechanism for compromised tokens |