Auth Implementation Guide
Software development skill, available on Zeplik
Auth Implementation Guide is a ready-to-run software development skill on Zeplik. Not for API shape design (use api-design-principles). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
The Auth Implementation Guide skill loads automatically when your request matches it, or you can invoke it directly by typing /auth-implementation-patterns in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.
What the Auth Implementation Guide skill can do
- Design session-based or JWT authentication flows for a given stack
- Implement OAuth2 and OpenID Connect login with PKCE and state validation
- Build RBAC and resource-ownership checks enforced server-side in middleware
- Produce auth code artifacts plus config and a security test checklist
Try these prompts on Zeplik
Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.
How the Auth Implementation Guide skill works
/auth-implementation-patterns
Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices. Deliver working auth code and configuration as chat artifacts in the user's stack; ask the user to paste their existing auth code and framework details when debugging.
When to Use This Skill
- Implementing user authentication systems
- Securing REST or GraphQL APIs
- Adding OAuth2/social login
- Implementing role-based access control (RBAC)
- Designing session management
- Migrating authentication systems
- Debugging auth issues
- Implementing SSO or multi-tenancy
Core Concepts
1. Authentication vs Authorization
Authentication (AuthN): Who are you?
- Verifying identity (username/password, OAuth, biometrics)
- Issuing credentials (sessions, tokens)
- Managing login/logout
Authorization (AuthZ): What can you do?
- Permission checking
- Role-based access control (RBAC)
- Resource ownership validation
- Policy enforcement
2. Authentication Strategies
Session-Based:
- Server stores session state
- Session ID in cookie
- Traditional, simple, stateful
- Revocation is trivial (delete the session); best default for server-rendered apps
Token-Based (JWT):
- Stateless, self-contained
- Scales horizontally
- Can store claims
- Pair short-lived access tokens with refresh tokens; plan a revocation strategy (denylist or token versioning)
OAuth2/OpenID Connect:
- Delegate authentication
- Social login (Google, GitHub)
- Enterprise SSO
- Use the Authorization Code flow with PKCE for public clients; validate state and nonce
3. Authorization Patterns
- RBAC: users have roles; roles grant permissions. Check permissions, not role names, at enforcement points so roles can evolve.
- Resource ownership: verify the authenticated principal owns or is granted the specific resource on every request (
WHERE user_id = ?), never trusting IDs from the client alone. - Policy enforcement: centralize checks in middleware/guards rather than scattering conditionals through handlers.
Best Practices
- Never Store Plain Passwords: always hash with bcrypt/argon2
- Use HTTPS: encrypt data in transit
- Short-Lived Access Tokens: 15-30 minutes max
- Secure Cookies: httpOnly, secure, sameSite flags
- Validate All Input: email format, password strength
- Rate Limit Auth Endpoints: prevent brute force attacks
- Implement CSRF Protection: for session-based auth
- Rotate Secrets Regularly: JWT secrets, session secrets
- Log Security Events: login attempts, failed auth
- Use MFA When Possible: extra security layer
Common Pitfalls
- Weak Passwords: enforce strong password policies
- JWT in localStorage: vulnerable to XSS; use httpOnly cookies
- No Token Expiration: tokens should expire
- Client-Side Auth Checks Only: always validate server-side
- Insecure Password Reset: use secure tokens with expiration
- No Rate Limiting: vulnerable to brute force
- Trusting Client Data: always validate on the server
Deliverables
When implementing auth in chat, produce as artifacts:
- The auth flow diagram or step list (login, refresh, logout, reset)
- Server code: registration/login handlers, middleware/guards, token or session issuance
- Configuration: cookie flags, token lifetimes, hashing parameters, environment variable names (never actual secrets)
- A test checklist covering the failure paths: expired token, revoked session, wrong role, replayed refresh token
Usage
/auth-implementation-patterns $ARGUMENTS
How to use the Auth Implementation Guide skill
Sign in to Zeplik
Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Auth Implementation Guide skill right away.
Describe your software development task
Ask in plain language, or type /auth-implementation-patterns to invoke the skill directly. Zeplik recognizes the Auth Implementation Guide skill and applies its method.
Review and refine the result
Zeplik returns a clear, structured answer. Ask follow-ups in the same chat to refine it or take the next step.
Source and credit
- Author
- wshobson
- License
- MIT
Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.
Frequently asked questions
- What is the Auth Implementation Guide skill?
- Auth Implementation Guide is a ready-to-run software development skill on Zeplik. Not for API shape design (use api-design-principles). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
- How do I use Auth Implementation Guide on Zeplik?
- Sign in to Zeplik and ask in plain language, or type /auth-implementation-patterns in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
- Which AI model does the Auth Implementation Guide skill use?
- Any model you choose. Zeplik works across every model in one chat, so the Auth Implementation Guide skill runs on your preferred model for the task.
- Where does the Auth Implementation Guide skill come from?
- The Auth Implementation Guide skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
- How much does the Auth Implementation Guide skill cost?
- Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.
Related software development skills
- .NET BackendBuild ASP.NET Core 8+ backends with EF Core: auth, background jobs, production API patterns
- Advanced Git WorkflowsUse for advanced Git surgery: interactive rebase, cherry-pick, bisect, reflog recovery, and history cleanup before merging. Not for parallel worktree workflows (use using-git-worktrees).
- Adversarial Code ReviewHunt for bugs in code the user shares by assuming defects exist and attacking the code through several distinct lenses, then report severity-ranked findings with evidence. Use for "review this", "what could go wrong", "bug hunt", or pre-merge scrutiny of a change. Read-only, it reports problems and does not rewrite the code. Not for style cleanup (use simplify-code) or for writing new code.
- AI Agent FrameworksUse when building multi-agent systems or agent orchestration -- LangChain/LangGraph, agent team design, task coordination, pipelines. Not for authoring a Zeplik skill (use skill-creator).
- Algolia SearchAdd Algolia search: indexing strategies, React InstantSearch, relevance tuning, search-as-you-type
- Android CI/CDAutomate Android CI/CD to Google Play: keystore, GitHub Secrets, multi-stage release workflow for RN, Flutter, native
More on Zeplik
Try Auth Implementation Guide on Zeplik
Every model, one chat. Bring the Auth Implementation Guide skill into your next conversation and let the assistant do the work.