Does it handle token expiration and refresh logic?

Yes, the skill provides specific patterns for short-lived access tokens and secure refresh token rotation to maintain long-lived sessions safely.

Can I use this for both REST and GraphQL?

Absolutely. The authentication strategies provided, such as JWT and session management, are protocol-agnostic and can be applied to any backend API architecture.

Does this skill support social login?

Yes, it includes comprehensive implementation patterns for OAuth2 and social providers like Google and GitHub using the Passport.js ecosystem.

How does it handle user permissions?

It includes patterns for both Role-Based Access Control (RBAC) with role hierarchies and more granular Permission-Based Access Control (PBAC) for specific resource actions.

Secure Auth & Access Control Patterns

Name: Secure Auth & Access Control Patterns
Author: HermeticOrmus

byHermeticOrmus

•

Security & Testing

Implements secure authentication and authorization systems using JWT, OAuth2, and role-based access control (RBAC) patterns.

About

This skill empowers Claude to design and implement industry-standard security architectures for modern web applications. It provides ready-to-use patterns for token-based authentication (JWT), stateful session management with Redis, social login via OAuth2, and granular access control strategies like RBAC and permission-based logic. Whether you are building a new API from scratch, migrating from legacy sessions to stateless tokens, or debugging complex security vulnerabilities, this skill ensures your access control logic is scalable, secure, and follows current security best practices.

Key Features

JWT implementation with secure refresh token rotation flows
Hierarchical Role-Based Access Control (RBAC) middleware
Fine-grained Permission-Based Access Control (PBAC) logic
Stateful session management integration using Express and Redis
Social login and OAuth2 strategies via Passport.js
2 GitHub stars

Use Cases

Securing REST or GraphQL APIs with stateless token-based authentication
Implementing multi-provider social login for streamlined user onboarding
Designing administrative dashboards with complex hierarchical permissions

About

Key Features

JWT implementation with secure refresh token rotation flows
Hierarchical Role-Based Access Control (RBAC) middleware
Fine-grained Permission-Based Access Control (PBAC) logic
Stateful session management integration using Express and Redis
Social login and OAuth2 strategies via Passport.js
2 GitHub stars

Use Cases

Securing REST or GraphQL APIs with stateless token-based authentication
Implementing multi-provider social login for streamlined user onboarding
Designing administrative dashboards with complex hierarchical permissions