API认证最佳实践指南：JWT、OAuth 2.0、API密钥安全实现与Node.js示例

api-authentication by secondsky/claude-skills

119 周安装量

102 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/secondsky/claude-skills --skill api-authentication

Node.js API 安全

🇨🇳中文介绍

API 认证

使用现代标准和最佳实践为 API 实现安全的认证机制。

认证方法

方法	使用场景	安全级别
JWT	无状态认证、单页应用	高
OAuth 2.0	第三方集成	高
API 密钥	服务间通信	中
会话	传统 Web 应用	高

JWT 实现 (Node.js)

const jwt = require('jsonwebtoken');

const generateTokens = (user) => ({
  accessToken: jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' }
  ),
  refreshToken: jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  )
});

const authMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;

  // 验证授权头格式
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: '授权头格式错误' });
  }

  const parts = authHeader.split(' ');
  if (parts.length !== 2) {
    return res.status(401).json({ error: '授权头格式错误' });
  }

  const token = parts[1];
  if (!token) {
    return res.status(401).json({ error: '未提供令牌' });
  }

  try {
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch (err) {
    res.status(401).json({ error: '无效令牌' });
  }
};

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

🇺🇸English

API Authentication

Implement secure authentication mechanisms for APIs using modern standards and best practices.

Authentication Methods

Method	Use Case	Security Level
JWT	Stateless auth, SPAs	High
OAuth 2.0	Third-party integration	High
API Keys	Service-to-service	Medium
Session	Traditional web apps	High

JWT Implementation (Node.js)

const jwt = require('jsonwebtoken');

const generateTokens = (user) => ({
  accessToken: jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' }
  ),
  refreshToken: jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  )
});

const authMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;

  // Validate authorization header format
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const parts = authHeader.split(' ');
  if (parts.length !== 2) {
    return res.status(401).json({ error: 'Malformed authorization header' });
  }

  const token = parts[1];
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }

  try {
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch (err) {
    res.status(401).json({ error: 'Invalid token' });
  }
};

Security Requirements

Always use HTTPS
Store tokens in HttpOnly cookies (not localStorage)
Hash passwords with bcrypt (cost factor 12+)
Implement rate limiting on auth endpoints
Rotate secrets regularly
Never transmit tokens in URLs

Security Headers

app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
});

Additional Implementations

See references/python-flask.md for:

Flask JWT with role-based access control decorators
OAuth 2.0 Google integration with Authlib
API key authentication with secure hashing

Common Mistakes to Avoid

Storing plain-text passwords
Using weak JWT secrets
Ignoring token expiration
Disabling HTTPS in production
Logging sensitive tokens

Weekly Installs

Repository

secondsky/claude-skills

GitHub Stars

First Seen

Jan 22, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

claude-code71

gemini-cli70

codex68

opencode67

cursor66

github-copilot65

API认证最佳实践指南：JWT、OAuth 2.0、API密钥安全实现与Node.js示例

🇨🇳中文介绍

API 认证

认证方法

JWT 实现 (Node.js)

相关 Skills

安全要求

安全头部

其他实现

应避免的常见错误