Use when implementing token-based authentication (JWT), deciding how to revoke tokens on logout, or choosing where to store tokens on the client. Stack-agnostic flow, secret handling, blocklist revocation, and client storage rules, with Java/Spring examples as a resource.
Slash command: /be:be-jwt-auth-patterns
Universal token-based authentication patterns for any backend + frontend project. Use when implementing authentication, configuring the auth middleware/filter chain, or deciding where and how to store tokens on the client.
[Client] → POST /api/auth/login {credentials}
↓
[Auth service]
1. Verify credentials (password hash — see sec-secrets-management)
2. Generate JWT with a unique JTI (UUID) claim
3. Return {token, expiresIn}
↓
[Client] → sends token on each request: Authorization: Bearer <token>
↓
[Auth middleware/filter] (on each protected request)
1. Extract token from header
2. Validate signature and expiration
3. Check that the JTI is not in the blocked-tokens store
4. Populate the request's security context
Signing secret: never hardcode it; load it from an environment variable or a secrets manager (see sec-secrets-management). Generate it with openssl rand -hex 32.

Stateless JWTs cannot be invalidated by themselves. To support real logout:
1. Keep a blocked_tokens store with rows of (jti, expires_at).
2. On logout, validate the token and insert its JTI together with the token's expiration.
3. Purge rows with expires_at < now() periodically; the table stays small because entries only need to live until the token would expire anyway.

| Option | Survives F5? | Survives tab close? | Recommendation |
|---|---|---|---|
| sessionStorage | ✅ | ❌ | ✅ Default for SPAs |
| localStorage | ✅ | ✅ | ❌ Avoid — exposed to any XSS |
| Memory (variable) | ❌ | ❌ | Very short sessions only |
| HttpOnly cookie | ✅ | configurable | ✅ Best for SSR; immune to XSS reads (mind CSRF) |
Rule: never localStorage. Use sessionStorage for SPAs, HttpOnly + Secure + SameSite cookies for SSR.
| Mistake | Cause | Solution |
|---|---|---|
| Signing secret in code | Hardcoded secret | Environment variable / secrets manager |
| Token without expiration | Expiration not configured | Always define expiration |
| Logout does not invalidate the token | No revocation mechanism | Implement the JTI blocklist |
| Token in localStorage | XSS exfiltration risk | sessionStorage or HttpOnly cookie |
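The login flow, the auth filter checks and the JTI blocklist revocation above, as an added Python example that is not the skill's own code nor its Java/Spring resource. It uses only the standard library (HS256 via hmac); the BlockedTokens class is an in-memory dict standing in for the blocked_tokens table, and the secret and now parameters are assumptions so the caller supplies the secret from its environment and the clock from outside.

```python
import base64, hashlib, hmac, json, uuid

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret, subject, ttl_seconds, now):
    """Auth service step 2: HS256 JWT carrying a unique JTI and an expiration."""
    claims = {"sub": subject, "jti": str(uuid.uuid4()), "exp": now + ttl_seconds}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

class BlockedTokens:
    """The blocked_tokens store: (jti, expires_at) rows, purged once they expire."""
    def __init__(self):
        self.rows = {}  # jti -> expires_at; a DB table in production (assumed here)
    def block(self, jti, expires_at):
        self.rows[jti] = expires_at
    def contains(self, jti):
        return jti in self.rows
    def purge(self, now):  # drop rows whose token has expired anyway
        self.rows = {j: e for j, e in self.rows.items() if e >= now}
        return len(self.rows)

def validate_token(secret, token, blocked, now):
    """Filter steps 2-3: signature, expiration, then JTI blocklist. None = reject."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now or "jti" not in claims or blocked.contains(claims["jti"]):
        return None
    return claims

def logout(secret, token, blocked, now):
    """Revocation: a token that still validates gets its JTI blocked until its exp."""
    claims = validate_token(secret, token, blocked, now)
    if claims is None:
        return False
    blocked.block(claims["jti"], claims["exp"])
    return True
```

Once a token has passed its exp, the filter rejects it on its own, so purge() can safely drop its row and logout() no longer needs to record it.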
Install: npx claudepluginhub barcelosvinicius/basic-engineering --plugin be