auth
Build secure authentication with sessions, JWT, OAuth, passwordless, MFA, and SSO for web and mobile apps.
Install via ClawdBot CLI:
clawdbot install ivangdavila/auth
This skill is a reference guide. It contains code examples that demonstrate authentication patterns.
Important: The code examples in this skill:
The agent provides guidance. The developer implements in their own project.
User needs guidance on implementing authentication. Agent explains patterns for login flows, token strategies, password security, OAuth integration, and session management.
| Topic | File |
|-------|------|
| Session vs JWT strategies | strategies.md |
| Password handling | passwords.md |
| MFA implementation | mfa.md |
| OAuth and social login | oauth.md |
| Framework middleware | middleware.md |
This skill ONLY:
This skill NEVER:
Code examples in auxiliary files show:
- `process.env.JWT_SECRET` - these are placeholders
- `SECRET`, `REFRESH_SECRET` - these are example names
The agent does not have access to these values. They demonstrate what the developer should configure in their own project.
| Use Case | Strategy | Why |
|----------|----------|-----|
| Traditional web app | Sessions + cookies | Simple, instant revocation |
| Mobile app | JWT (short-lived) + refresh token | No cookies, offline support |
| API/microservices | JWT | Stateless, scalable |
| Enterprise | SSO (SAML/OIDC) | Central identity management |
| Consumer | Social login + email fallback | Reduced friction |
Rate limiting -> CAPTCHA -> Account lockout -> MFA -> Audit logging
```javascript
// Bad - reveals if email exists
if (!user) return { error: 'User not found' };

// Good - same error for both cases
if (!user || !validPassword) {
  return { error: 'Invalid credentials' };
}
```
| Log | Do Not Log |
|-----|------------|
| Login success/failure | Passwords |
| IP, user agent, timestamp | Tokens |
| MFA events | Session IDs |
| Password changes | Recovery codes |
Generated Mar 1, 2026
A retail website needs secure user login with sessions and cookies for traditional web browsing, plus social login options like OAuth with Google or Facebook to reduce signup friction. It must handle password security with bcrypt and implement MFA for high-value transactions to prevent account takeover.
A financial app requires JWT-based authentication for stateless API calls, short-lived tokens for security, and refresh tokens for offline access. It should include MFA via authenticator apps to avoid SMS vulnerabilities and audit logging for compliance without storing sensitive data like passwords.
A patient portal uses SSO with OIDC for enterprise integration across clinics, ensuring centralized identity management. It enforces strict session management with secure cookies and requires re-authentication for sensitive operations like viewing medical records, following HIPAA guidelines.
A B2B software service implements JWT for scalable microservices, with rate limiting and CAPTCHA on login to prevent brute force attacks. It offers passwordless email login options and logs all authentication events except secrets to monitor for suspicious activity.
Companies charge monthly or annual fees for access to software, requiring robust authentication to protect user data and prevent unauthorized access. This model benefits from JWT for stateless scaling and social login to streamline user onboarding and retention.
Platforms facilitate transactions between buyers and sellers, relying on secure authentication to build trust and prevent fraud. Sessions with cookies enhance user experience for web shoppers, while MFA and audit logging help secure financial transactions and comply with regulations.
Firms provide specialized tools or consulting to other businesses, often using SSO for seamless integration with client systems. Authentication strategies like OIDC support centralized management, and defense-in-depth measures like rate limiting protect against attacks on sensitive corporate data.
💬 Integration Tip
Use this skill as a reference and adapt its code examples into your project: replace placeholders like SECRET with real environment variables, and use established cryptography libraries instead of custom implementations.