auth-flow-designer
Auth Flow Designer Protocol
This skill designs the authentication and authorization strategy for an API. It prevents developers from defaulting to "Just use JWTs for everything," ensuring the right security model is applied based on the consumers and the data sensitivity.
Core assumption: A leaked token is inevitable. The architecture must minimize the damage through short lifespans, refresh flows, and tight scopes.
1. Flow Selection (Static)
Analyze the consumer type to pick the right strategy:
- Server-to-Server (Internal):
mTLS(Mutual TLS) or service-specific short-livedJWTsigned by an internal KMS. - Server-to-Server (B2B/External):
API Keyswith IP whitelisting, orOAuth2 Client Credentialsflow. - Single Page App (SPA) / Frontend:
HttpOnly Cookiesholding the session ID or a short-livedJWT. NEVER store JWTs inlocalStorage. - Mobile App:
OAuth2 Authorization Code Flow with PKCE. Use a refresh token rotation strategy.
2. Token Lifecycle & Strategy
Define the rules of engagement:
- Access Token: Very short lifespan (e.g., 5-15 minutes). Contains minimal claims (
user_id,role).
More from fatih-developer/fth-skills
task-decomposer
Break down large, complex, or ambiguous tasks into independent subtasks with dependency maps, execution order, and success criteria. Plan first, then execute step by step. Triggers on 'how should I do this', 'where do I start', 'plan the project', 'break it down', 'implement' or whenever a task involves multiple phases.
24multi-brain-debate
Two-round debate protocol where perspectives challenge each other before consensus. Round 1 presents independent positions, Round 2 allows counter-arguments and rebuttals. Produces battle-tested decisions for high-stakes choices.
20context-compressor
Compress long conversation histories, large code files, research results, and documents by 70% without losing critical information. Triggers when context window fills up, when summarizing previous steps in multi-step tasks, before loading large files into context, or on 'summarize', 'compress', 'reduce context', 'save tokens'.
18multi-brain-score
Confidence scoring overlay for multi-brain decisions. Each perspective rates its own confidence (1-10) with justification. Consensus uses scores as weights, flags low-confidence areas, and surfaces uncertainty explicitly.
16checkpoint-guardian
Automatic risk assessment before every critical action in agentic workflows. Detects irreversible operations (file deletion, database writes, deployments, payments), classifies risk level, and requires confirmation before proceeding. Triggers on destructive keywords like deploy, delete, send, publish, update database, process payment.
14multi-brain
Evaluate complex requests from 3 independent perspectives (Creative, Pragmatic, Comprehensive), reach consensus, then produce complete outputs. Use for architecture decisions, creative content, analysis, and any task where multiple valid approaches exist.
14