What authentication flows does this skill support?

It supports standard OAuth 2.0 flows including Authorization Code with PKCE, Client Credentials, and Device Flow, as well as OpenID Connect (OIDC) and API key-based authentication.

Is it suitable for machine-to-machine security?

Absolutely. It covers service-to-service patterns including Client Credentials flows and secure API key management for internal or developer-facing APIs.

Does it provide guidance on rate limiting?

Yes, it includes strategies for rate limiting by identity, resource, or operation type to prevent abuse and unrestricted resource consumption.

Can this skill help with OWASP compliance?

Yes, it provides specific guidance and implementation patterns to address the OWASP API Security Top 10 vulnerabilities, such as Broken Object Level Authorization (BOLA) and SSRF.

How does it handle JWT security?

The skill includes a comprehensive JWT validation checklist covering signature verification, claims validation (iss, aud, exp), and common pitfalls like trusting the 'none' algorithm.

API Security Expert

Name: API Security Expert
Author: melodic-software

bymelodic-software

•

API 开发

Implements industry-standard authentication, authorization, and security patterns to protect backend services and APIs.

关于

This skill provides Claude with a comprehensive framework for designing and securing APIs against modern threats and vulnerabilities. It facilitates the implementation of complex authentication flows like OAuth 2.0 and OIDC, secure JWT validation protocols, and granular authorization models including RBAC and ABAC. By integrating best practices for API key management, rate limiting, and transport security, this skill helps developers mitigate the OWASP API Security Top 10 risks while ensuring robust and compliant service-to-service or user-to-service communication.

主要功能

12 GitHub stars
JWT generation, structure analysis, and secure validation checklists
Protection strategies for OWASP API Top 10 vulnerabilities like BOLA and SSRF
Best practices for API key management, rate limiting, and TLS configuration
Implementation of OAuth 2.0 and OpenID Connect (OIDC) authentication flows
Role-Based and Attribute-Based Access Control (RBAC/ABAC) modeling

使用场景

Auditing existing API endpoints for security gaps such as Broken Object Level Authorization (BOLA)
Designing a secure user authentication system using OAuth 2.0 with PKCE for mobile or web apps
Implementing fine-grained resource-based authorization logic for multi-tenant backend services

关于

主要功能

12 GitHub stars
JWT generation, structure analysis, and secure validation checklists
Protection strategies for OWASP API Top 10 vulnerabilities like BOLA and SSRF
Best practices for API key management, rate limiting, and TLS configuration
Implementation of OAuth 2.0 and OpenID Connect (OIDC) authentication flows
Role-Based and Attribute-Based Access Control (RBAC/ABAC) modeling

使用场景

Auditing existing API endpoints for security gaps such as Broken Object Level Authorization (BOLA)
Designing a secure user authentication system using OAuth 2.0 with PKCE for mobile or web apps
Implementing fine-grained resource-based authorization logic for multi-tenant backend services