
Auth Implementation Patterns

Master authentication and authorization patterns including JWT, OAuth2, session management…

A complete reference of battle-tested authentication and authorization patterns: JWT with refresh tokens, Redis-backed sessions, OAuth2 social login and layered RBAC. It applies least-privilege, defense-in-depth and zero-trust thinking so you ship secure, scalable access control instead of homegrown auth with hidden holes.

$15 one-time

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time

Inside the run · no black box

See the actual work before you buy it.

Auth systems fail at the edges: stale claims, weak lockouts, tokens that never die. The skill builds edge-first, from strategy choice through to revocation:

  1. Picks the authentication strategy first against the actual trade-offs: server-side sessions (Redis store, httpOnly cookie), stateless JWT, or OAuth2/social login, instead of defaulting to whatever library is nearby.
  2. Implements the token layer with split lifetimes and split secrets: a 15-minute access token and a 7-day refresh token signed with separate secrets, with refresh tokens hashed before they ever touch the database.
  3. Chains the middleware in order on every protected endpoint: authenticate (verify token, attach user), then requireRole or requirePermission (RBAC with role hierarchy), then requireOwnership where the resource has an owner; failures always fall to 401/403, never to partial access.
  4. Hardens the password path: bcrypt with 12 salt rounds, a Zod policy enforcing 12+ characters with mixed classes, and generic error messages so login responses never reveal whether the email or the password was wrong.
  5. Adds brute-force protection where it matters: a Redis-backed rate limiter capping login at 5 attempts per 15 minutes, plus a general API limiter, both running before the auth logic.
  6. Wires the revocation lifecycle: refresh rotation on use, single-token revoke on logout, revoke-all for logging out every device, and a fresh DB user fetch for critical operations instead of trusting stale JWT claims.
Use cases · what happens when you plug it in

One power source. 6 lines out.

auth-implementation-patterns · core

core active · 6 lines

  1. Implementing a new user authentication system from scratch
  2. Securing REST or GraphQL APIs with token verification
  3. Adding Google or GitHub social login via OAuth2
  4. Building role-based and permission-based access control
  5. Designing session management with secure cookies
  6. Debugging or hardening an existing auth flow
Benefits · what you walk away with

Yours to keep.


Your forge

  1. Ship access control that holds up because every layer verifies independently
  2. Stop brute-force and credential-stuffing attacks with rate limiting and MFA-ready flows
  3. Avoid the classic mistakes: JWT in localStorage, no expiry, client-side-only checks
  4. Keep tokens and secrets protected so one leak doesn't collapse your whole auth stack

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.


JWT generation, verification and a full refresh-token rotation service


6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

If you're a backend engineer building or hardening authentication and want secure, scalable patterns instead of risky DIY auth, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air

Catch what's on your mind.


  1. Do I need Redis to use these patterns?

    Only if you choose the server-side session pattern, since Redis backs that one for fast lookups and revocation. The JWT-with-refresh path doesn't require it, and the reference helps you pick between them based on your revocation needs.

  2. Why implement auth myself instead of using a hosted provider?

    If a managed provider fits, use it; these patterns are for when you're building or hardening auth yourself and want it done with least-privilege and defense-in-depth instead of improvised. The point is to avoid risky DIY, not to talk you out of buying.

  3. Is this a library I install?

    No, it's a reference of proven patterns you implement: JWT refresh flows, session handling, OAuth2 login, layered RBAC. It shows you the secure shape; wiring it into your codebase is yours.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.