# Send Auth to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "auth",
    "name": "Auth",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/ivangdavila/auth",
    "canonicalUrl": "https://clawhub.ai/ivangdavila/auth",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/auth",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md",
      "mfa.md",
      "middleware.md",
      "oauth.md",
      "passwords.md",
      "strategies.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "auth",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T03:06:32.265Z",
      "expiresAt": "2026-05-06T03:06:32.265Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth",
        "contentDisposition": "attachment; filename=\"auth-1.3.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "auth"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/auth"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/auth",
    "downloadUrl": "https://openagent3.xyz/downloads/auth",
    "agentUrl": "https://openagent3.xyz/skills/auth/agent",
    "manifestUrl": "https://openagent3.xyz/skills/auth/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/auth/agent.md"
  }
}
```
## Documentation

### Documentation-Only Skill

This skill is a reference guide. It contains code examples that demonstrate authentication patterns.

Important: The code examples in this skill:

Are templates for developers to adapt
Show placeholder values (SECRET, API_KEY, etc.)
Reference external services as examples only
Are NOT executed by the agent

The agent provides guidance. The developer implements in their own project.

### When to Use

User needs guidance on implementing authentication. Agent explains patterns for login flows, token strategies, password security, OAuth integration, and session management.

### Quick Reference

TopicFileSession vs JWT strategiesstrategies.mdPassword handlingpasswords.mdMFA implementationmfa.mdOAuth and social loginoauth.mdFramework middlewaremiddleware.md

### Scope

This skill ONLY:

Explains authentication concepts
Shows code patterns as examples
Provides best practice guidance

This skill NEVER:

Executes code
Makes network requests
Accesses credentials
Stores data
Reads environment variables

### Note on Code Examples

Code examples in auxiliary files show:

Environment variables like process.env.JWT_SECRET - these are placeholders
API calls to OAuth providers - these are reference patterns
Secrets like SECRET, REFRESH_SECRET - these are example names

The agent does not have access to these values. They demonstrate what the developer should configure in their own project.

### 1. Auth vs Authorization

Authentication: Who you are (this skill)
Authorization: What you can do (different concern)
Auth happens FIRST, then authorization checks permissions

### 2. Choose the Right Strategy

Use CaseStrategyWhyTraditional web appSessions + cookiesSimple, instant revocationMobile appJWT (short-lived) + refresh tokenNo cookies, offline supportAPI/microservicesJWTStateless, scalableEnterpriseSSO (SAML/OIDC)Central identity managementConsumerSocial login + email fallbackReduced friction

### 3. Never Roll Your Own Crypto

Use bcrypt (cost 12) or Argon2id for passwords
Use battle-tested libraries for JWT, OAuth
Never implement password hashing, token signing manually
Never store plaintext or reversibly encrypted passwords

### 4. Defense in Depth

Rate limiting -> CAPTCHA -> Account lockout -> MFA -> Audit logging

### 5. Secure by Default

httpOnly + Secure + SameSite=Lax for cookies
Short token lifetimes (15min access, 7d refresh)
Regenerate session ID on login
Require re-auth for sensitive operations

### 6. Fail Securely

// Bad - reveals if email exists
if (!user) return { error: 'User not found' };

// Good - same error for both cases
if (!user || !validPassword) {
  return { error: 'Invalid credentials' };
}

### 7. Log Everything (Except Secrets)

LogDo Not LogLogin success/failurePasswordsIP, user agent, timestampTokensMFA eventsSession IDsPassword changesRecovery codes

### Common Traps

Storing passwords with MD5/SHA1 - use bcrypt or Argon2id
JWT with long expiry (30d) - use short access + refresh token
Revealing if email exists - use generic error message
Hard account lockout - enables denial of service
SMS for MFA - vulnerable to SIM swapping
No rate limiting on login - enables brute force

### Feedback

If useful: clawhub star auth
Stay updated: clawhub sync
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ivangdavila
- Version: 1.3.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T03:06:32.265Z
- Expires at: 2026-05-06T03:06:32.265Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/auth)
- [Send to Agent page](https://openagent3.xyz/skills/auth/agent)
- [JSON manifest](https://openagent3.xyz/skills/auth/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/auth/agent.md)
- [Download page](https://openagent3.xyz/downloads/auth)