api-security
Guide to implement secure API practices including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabi...
Install via ClawdBot CLI:
clawdbot install brandonwise/api-security
Grade Fair — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Calls external URL not in known-safe list
https://owasp.org/www-project-api-security/
Audited Apr 16, 2026 · audit v1.0
Generated Mar 20, 2026
A financial technology company needs to secure its payment processing APIs that handle sensitive customer data and transactions. This involves implementing JWT authentication with short expiration times, strict input validation for transaction amounts, and rate limiting to prevent brute force attacks on login endpoints.
A healthcare provider is building APIs to share patient records with authorized clinics while complying with regulations like HIPAA. The skill helps encrypt data in transit using TLS, implement OAuth 2.0 for fine-grained authorization, and sanitize error messages to avoid leaking personal health information.
An online retailer experiences high traffic during sales events and needs to prevent API abuse from bots. This scenario uses the skill to set up rate limiting per IP address, configure request quotas for product search endpoints, and monitor for suspicious activity like credential stuffing attacks.
A smart home company secures APIs that allow IoT devices like thermostats and cameras to communicate with a cloud backend. The skill implements API key authentication for devices, validates input from sensors to prevent command injection, and uses secure headers to mitigate cross-site scripting risks.
A software-as-a-service platform hosts multiple clients on shared APIs and must isolate data between tenants. This involves role-based access control to restrict users to their own data, input validation schemas for client configurations, and JWT tokens with tenant-specific claims to enforce authorization.
Offer this skill as part of a monthly subscription service where clients pay for ongoing API security audits, updates to authentication methods like JWT, and compliance monitoring. Revenue is generated through tiered plans based on API volume and support levels.
Provide one-time consulting services to businesses designing or securing APIs, using the skill to deliver custom implementations such as OAuth 2.0 setups, rate limiting configurations, and security reviews. Revenue comes from project-based fees and hourly rates.
Develop and sell training courses or workshops based on the skill, teaching developers how to implement secure API patterns, prevent vulnerabilities like SQL injection, and use tools like Zod for validation. Revenue is earned through course sales and corporate training packages.
💬 Integration Tip
Integrate this skill early in the API development lifecycle by adding authentication middleware and validation schemas during initial coding phases to avoid costly security fixes later.
Scored Apr 19, 2026
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
gws CLI: Shared patterns for authentication, global flags, and output formatting.
Set up Gmail API access via gog CLI with manual OAuth flow. Use when setting up Gmail integration, renewing expired OAuth tokens, or troubleshooting Gmail authentication on headless servers.
Automate OAuth login flows with user confirmation via Telegram. Supports 7 providers: Google, Apple, Microsoft, GitHub, Discord, WeChat, QQ. Features:
- Auto-detect available OAuth options on login pages
- Ask user to choose via Telegram when multiple options exist
- Confirm before authorizing
- Handle account selection and consent pages automatically
Self-hosted auth for TypeScript/Cloudflare Workers with social auth, 2FA, passkeys, organizations, RBAC, and 15+ plugins. Requires Drizzle ORM or Kysely for D1 (no direct adapter). Self-hosted alternative to Clerk/Auth.js. Use when: self-hosting auth on D1, building OAuth provider, multi-tenant SaaS, or troubleshooting D1 adapter errors, session caching, rate limits, Expo crashes, additionalFields bugs.
Implement OAuth 2.0 and OpenID Connect flows securely.