auth-flow-designer
Installation
SKILL.md
Auth Flow Designer Protocol
This skill designs the authentication and authorization strategy for an API. It prevents developers from defaulting to "Just use JWTs for everything," ensuring the right security model is applied based on the consumers and the data sensitivity.
Core assumption: A leaked token is inevitable. The architecture must minimize the damage through short lifespans, refresh flows, and tight scopes.
1. Flow Selection (Static)
Analyze the consumer type to pick the right strategy:
- Server-to-Server (Internal):
mTLS(Mutual TLS) or service-specific short-livedJWTsigned by an internal KMS. - Server-to-Server (B2B/External):
API Keyswith IP whitelisting, orOAuth2 Client Credentialsflow. - Single Page App (SPA) / Frontend:
HttpOnly Cookiesholding the session ID or a short-livedJWT. NEVER store JWTs inlocalStorage. - Mobile App:
OAuth2 Authorization Code Flow with PKCE. Use a refresh token rotation strategy.