MetaClaw auth-and-authorization-patterns

Use this skill when implementing authentication (login, token issuance) or authorization (access control, permissions). Apply whenever the task involves login flows, JWT, OAuth2, session management, or RBAC.

install

source · Clone the upstream repo

git clone https://github.com/aiming-lab/MetaClaw

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/aiming-lab/MetaClaw "$T" && mkdir -p ~/.claude/skills && cp -r "$T/memory_data/skills/auth-and-authorization-patterns" ~/.claude/skills/aiming-lab-metaclaw-auth-and-authorization-patterns && rm -rf "$T"

manifest: memory_data/skills/auth-and-authorization-patterns/SKILL.md

source content

Auth & Authorization Patterns

Authentication (who are you?):

Use a battle-tested library — do not roll your own crypto.
Hash passwords with bcrypt/argon2; never MD5/SHA1 for passwords.
Use short-lived JWTs (15–60 min) with refresh tokens; store refresh tokens securely.
Implement MFA for sensitive operations.

Authorization (what can you do?):

Check authorization on every request, not just at login.
Enforce RBAC or ABAC at the service layer, not the UI.
Apply principle of least privilege: grant minimal permissions needed.

OAuth2 / OIDC:

Use the Authorization Code flow with PKCE for user-facing apps.
Validate
```
iss
```
,
```
aud
```
,
```
exp
```
, and
```
nonce
```
claims on every token.

Session management:

Regenerate session ID after login (session fixation prevention).
Set
```
HttpOnly
```
and
```
Secure
```
flags on session cookies.