Auth Implementation Guide

Software development skill, available on Zeplik

Auth Implementation Guide is a ready-to-run software development skill on Zeplik. Not for API shape design (use api-design-principles). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.

The Auth Implementation Guide skill loads automatically when your request matches it, or you can invoke it directly by typing /auth-implementation-patterns in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.

What the Auth Implementation Guide skill can do

Try these prompts on Zeplik

Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.

How the Auth Implementation Guide skill works

/auth-implementation-patterns

Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices. Deliver working auth code and configuration as chat artifacts in the user's stack; ask the user to paste their existing auth code and framework details when debugging.

When to Use This Skill

  • Implementing user authentication systems
  • Securing REST or GraphQL APIs
  • Adding OAuth2/social login
  • Implementing role-based access control (RBAC)
  • Designing session management
  • Migrating authentication systems
  • Debugging auth issues
  • Implementing SSO or multi-tenancy

Core Concepts

1. Authentication vs Authorization

Authentication (AuthN): Who are you?

  • Verifying identity (username/password, OAuth, biometrics)
  • Issuing credentials (sessions, tokens)
  • Managing login/logout

Authorization (AuthZ): What can you do?

  • Permission checking
  • Role-based access control (RBAC)
  • Resource ownership validation
  • Policy enforcement

2. Authentication Strategies

Session-Based:

  • Server stores session state
  • Session ID in cookie
  • Traditional, simple, stateful
  • Revocation is trivial (delete the session); best default for server-rendered apps

Token-Based (JWT):

  • Stateless, self-contained
  • Scales horizontally
  • Can store claims
  • Pair short-lived access tokens with refresh tokens; plan a revocation strategy (denylist or token versioning)

OAuth2/OpenID Connect:

  • Delegate authentication
  • Social login (Google, GitHub)
  • Enterprise SSO
  • Use the Authorization Code flow with PKCE for public clients; validate state and nonce

3. Authorization Patterns

  • RBAC: users have roles; roles grant permissions. Check permissions, not role names, at enforcement points so roles can evolve.
  • Resource ownership: verify the authenticated principal owns or is granted the specific resource on every request (WHERE user_id = ?), never trusting IDs from the client alone.
  • Policy enforcement: centralize checks in middleware/guards rather than scattering conditionals through handlers.

Best Practices

  1. Never Store Plain Passwords: always hash with bcrypt/argon2
  2. Use HTTPS: encrypt data in transit
  3. Short-Lived Access Tokens: 15-30 minutes max
  4. Secure Cookies: httpOnly, secure, sameSite flags
  5. Validate All Input: email format, password strength
  6. Rate Limit Auth Endpoints: prevent brute force attacks
  7. Implement CSRF Protection: for session-based auth
  8. Rotate Secrets Regularly: JWT secrets, session secrets
  9. Log Security Events: login attempts, failed auth
  10. Use MFA When Possible: extra security layer

Common Pitfalls

  • Weak Passwords: enforce strong password policies
  • JWT in localStorage: vulnerable to XSS; use httpOnly cookies
  • No Token Expiration: tokens should expire
  • Client-Side Auth Checks Only: always validate server-side
  • Insecure Password Reset: use secure tokens with expiration
  • No Rate Limiting: vulnerable to brute force
  • Trusting Client Data: always validate on the server

Deliverables

When implementing auth in chat, produce as artifacts:

  • The auth flow diagram or step list (login, refresh, logout, reset)
  • Server code: registration/login handlers, middleware/guards, token or session issuance
  • Configuration: cookie flags, token lifetimes, hashing parameters, environment variable names (never actual secrets)
  • A test checklist covering the failure paths: expired token, revoked session, wrong role, replayed refresh token

Usage

/auth-implementation-patterns $ARGUMENTS

How to use the Auth Implementation Guide skill

  1. Sign in to Zeplik

    Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Auth Implementation Guide skill right away.

  2. Describe your software development task

    Ask in plain language, or type /auth-implementation-patterns to invoke the skill directly. Zeplik recognizes the Auth Implementation Guide skill and applies its method.

  3. Review and refine the result

    Zeplik returns a clear, structured answer. Ask follow-ups in the same chat to refine it or take the next step.

Source and credit

Author
wshobson
License
MIT

Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.

Frequently asked questions

What is the Auth Implementation Guide skill?
Auth Implementation Guide is a ready-to-run software development skill on Zeplik. Not for API shape design (use api-design-principles). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
How do I use Auth Implementation Guide on Zeplik?
Sign in to Zeplik and ask in plain language, or type /auth-implementation-patterns in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
Which AI model does the Auth Implementation Guide skill use?
Any model you choose. Zeplik works across every model in one chat, so the Auth Implementation Guide skill runs on your preferred model for the task.
Where does the Auth Implementation Guide skill come from?
The Auth Implementation Guide skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
How much does the Auth Implementation Guide skill cost?
Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.

Related software development skills

More on Zeplik

Try Auth Implementation Guide on Zeplik

Every model, one chat. Bring the Auth Implementation Guide skill into your next conversation and let the assistant do the work.

Browse all skills
Auth Implementation Guide - Software development skill for Zeplik AI | Zeplik Chat