Vibery Kits

Stop Breaking Auth

Ship secure authentication flows without CSRF nightmares, token leaks, or session hijacking. OWASP-compliant from day one.

TL;DR

OAuth setup, JWT vs sessions, token revocation, security audits — all automated. No more Googling "how to securely store refresh tokens" at 2am.

What's Inside

security-auditor agent

Scans your auth flows for vulnerabilities. Catches CSRF holes, insecure token storage, weak session configs. Think penetration testing on autopilot.

/add-authentication-system

Scaffolds complete auth in one command. OAuth providers, email/password, magic links, session management. Choose your stack, get production-ready code.

/security-audit

Runs comprehensive security checks. OWASP Top 10 coverage, dependency scanning, configuration review. Get a report with actionable fixes, not vague warnings.

better-auth skill

Deep knowledge of Better Auth patterns. Handles complex flows: MFA, social logins, role-based access, session refresh. Answers the hard questions Claude normally fumbles.

Prompts to Try

01

OAuth setup for Google + GitHub

/add-authentication-system OAuth with Google and GitHub providers, Next.js 15 App Router

→ Generates OAuth config, callback routes, error handling, state validation. No more missing PKCE or redirect URI mismatches.

02

JWT vs sessions — which one?

Should I use JWT or sessions for my SaaS app? I need to revoke access instantly when users downgrade.

→ Security auditor explains trade-offs. Recommends sessions + Redis for instant revocation. Shows implementation with token blacklisting fallback.

03

Token revocation strategy

Implement refresh token rotation with automatic revocation when breach detected

→ Better Auth skill builds rotation logic, stores token families, detects reuse attempts. Includes admin dashboard for manual revocation.

04

Security audit before launch

/security-audit --focus=authentication

→ Checks CSRF protection, secure cookies, rate limiting, password policies, SQL injection vectors. Generates compliance checklist for SOC 2.

05

MFA with fallback codes

Add TOTP 2FA with backup codes and SMS fallback for account recovery

→ Scaffolds authenticator app flow, generates secure backup codes, implements SMS OTP with Twilio. Includes rate limiting to prevent brute force.

Why This Matters

Authentication is the most attacked part of your app. 81% of breaches involve stolen credentials (Verizon DBIR 2024). CSRF, session fixation, token leaks — these aren't theoretical.

Most devs copy-paste auth from Stack Overflow, skip the security review, and ship. Then wonder why they got pwned.

What you get with Auth Flow Kit:

  • No more Googling "secure refresh token storage" — better-auth skill knows the answer
  • OWASP compliance out of the box — A01:2021 Broken Access Control covered
  • Security audits catch vulnerabilities before attackers do
  • Production-ready patterns, not tutorial code that breaks at scale

Install Auth Flow Kit

Stop breaking auth. Start shipping secure.

npx vibery kit install auth-flow-kit

Includes security-auditor agent · /add-authentication-system · /security-audit · better-auth skill
