cometchat-production
Purpose
This skill teaches Claude how to harden a CometChat integration for production. It covers two critical areas:
- Token-based authentication — replacing client-side
authKeywith server-side token generation - User management — server-side CRUD for CometChat users (create on signup, update on profile change, delete on account deletion)
The cometchat-core skill's provider pattern supports both dev mode (login(uid)) and production mode (loginWithAuthToken(token)). This skill provides the server-side half: the token endpoint and user management endpoints.
1. Why production auth matters
In development mode, CometChatUIKit.login(uid) uses the authKey configured via UIKitSettingsBuilder.setAuthKey(). This key is embedded in your client-side JavaScript bundle. Anyone can open browser DevTools, find the auth key, and use it to log in as ANY user in your CometChat app. They can read private messages, send messages as other users, and access every conversation.
Production deployments MUST use server-side token generation. The auth key stays on your server. Clients receive short-lived tokens scoped to a single user. If a token leaks, the blast radius is one user session, not your entire app.