ClawHub

Nm Leyline Authentication Patterns

v1.0.0

Authentication patterns for external services: API keys, OAuth, token management, verification. authentication, API keys, OAuth, token management, credentials.

0· 68·1 current·1 all-time
by@athola
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the content: the files document API-key, OAuth, and token flows and give shell/python patterns for verification and caching. One minor mismatch: the metadata declares a required config path (night-market.error-patterns) that is not explained in the description or modules and appears unrelated to core auth functionality.
Instruction Scope
SKILL.md and modules instruct the agent/workflow to read environment variables, prompt for secrets, run local CLIs (gh, glab, aws, gcloud, arbitrary <service> binaries via subprocess), and store tokens in ~/.cache/claude-auth/. Those behaviors are coherent for an authentication helper, but they do grant the skill the ability to run arbitrary local commands (dependent on the 'service' value) and to persist secrets to disk — both of which the user should be aware of.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk. Low install-surface risk.
Credentials
The skill declares no required env vars but its instructions and examples read and suggest setting many sensitive environment variables (GITHUB_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, etc.). This is proportionate to an auth helper, but the metadata omission (no required envs) means the skill will attempt to access secrets at runtime without having declared them up front.
Persistence & Privilege
The documentation instructs caching tokens and session files under ~/.cache/claude-auth and references token storage locations under ~/.config/{service}. This is expected for convenience but results in persistent sensitive data on disk; the skill does not request always:true and does not modify other skills.
Assessment
This is a documentation-only skill that outlines patterns for API keys, OAuth, token refresh, and an interactive shell helper that caches tokens locally. Before installing or using it: 1) Understand it expects and may prompt you to enter sensitive credentials (GitHub/GitLab/AWS/GCP tokens) and will cache them under ~/.cache/claude-auth or standard CLI config paths — use ephemeral tokens where possible and inspect/delete caches after use. 2) It runs local CLIs (gh, glab, aws, gcloud and arbitrary binaries named by a 'service' parameter) — ensure those CLIs are trusted and present; malicious or misconfigured binaries with the same name could be invoked. 3) The skill references a script path to source (plugins/leyline/scripts/interactive_auth.sh) that is not included here; review or provide the actual script before sourcing. 4) In CI use secrets management (GitHub Actions secrets, etc.) rather than interactive credential entry. If you need higher assurance, ask the author for the interactive_auth.sh script and for explicit explanation of the declared config path (night-market.error-patterns) and confirm where on disk tokens are stored and how they are secured/rotated.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
Confignight-market.error-patterns
latestvk9746cdwe0njg4gfnnrhf5keex84rj00
68downloads
0stars
1versions
Updated 6d ago
v1.0.0
MIT-0
@athola
latest
Download

Night Market Skill — ported from claude-night-market/leyline. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Table of Contents

Authentication Patterns

Overview

Common authentication patterns for integrating with external services. Provides consistent approaches to credential management, verification, and error handling.

When To Use

  • Integrating with external APIs
  • Need credential verification
  • Managing multiple auth methods
  • Handling auth failures gracefully

When NOT To Use

  • Project doesn't use the leyline infrastructure patterns
  • Simple scripts without service architecture needs

Authentication Methods

MethodBest ForEnvironment Variable
API KeySimple integrations{SERVICE}_API_KEY
OAuthUser-authenticatedBrowser-based flow
TokenSession-based{SERVICE}_TOKEN
NonePublic APIsN/A

Quick Start

Verify Authentication

from leyline.auth import verify_auth, AuthMethod

# API Key verification
status = verify_auth(
    service="gemini",
    method=AuthMethod.API_KEY,
    env_var="GEMINI_API_KEY"
)

if not status.authenticated:
    print(f"Auth failed: {status.message}")
    print(f"Action: {status.suggested_action}")

Verification: Run the command with --help flag to verify availability.

Smoke Test

def verify_with_smoke_test(service: str) -> bool:
    """Verify auth with simple request."""
    result = execute_simple_request(service, "ping")
    return result.success

Verification: Run pytest -v to verify tests pass.

Standard Flow

Step 1: Check Environment

def check_credentials(service: str, env_var: str) -> bool:
    value = os.getenv(env_var)
    if not value:
        print(f"Missing {env_var}")
        return False
    return True

Verification: Run the command with --help flag to verify availability.

Step 2: Verify with Service

def verify_with_service(service: str) -> AuthStatus:
    result = subprocess.run(
        [service, "auth", "status"],
        capture_output=True
    )
    return AuthStatus(
        authenticated=(result.returncode == 0),
        message=result.stdout.decode()
    )

Verification: Run the command with --help flag to verify availability.

Step 3: Handle Failures

def handle_auth_failure(service: str, method: AuthMethod) -> str:
    actions = {
        AuthMethod.API_KEY: f"Set {service.upper()}_API_KEY environment variable",
        AuthMethod.OAUTH: f"Run '{service} auth login' for browser auth",
        AuthMethod.TOKEN: f"Refresh token with '{service} token refresh'"
    }
    return actions[method]

Verification: Run the command with --help flag to verify availability.

Integration Pattern

# In your skill's frontmatter
dependencies: [leyline:authentication-patterns]

Verification: Run the command with --help flag to verify availability.

Interactive Authentication (Shell)

For workflows requiring interactive authentication with token caching and session management:

# Source the interactive auth script
source plugins/leyline/scripts/interactive_auth.sh

# Ensure authentication before proceeding
ensure_auth github || exit 1
ensure_auth gitlab || exit 1
ensure_auth aws || exit 1

# Continue with authenticated operations
gh pr view 123
glab issue list
aws s3 ls

Features:

  • ✅ Interactive OAuth flows for GitHub, GitLab, AWS, and more
  • ✅ Token caching (5-minute TTL)
  • ✅ Session persistence (24-hour TTL)
  • ✅ CI/CD compatible (auto-detects non-interactive environments)
  • ✅ Multi-service support

See modules/interactive-auth.md for complete documentation.

Detailed Resources

  • Auth Methods: See modules/auth-methods.md for method details
  • Verification: See modules/verification-patterns.md for testing patterns
  • Interactive: See modules/interactive-auth.md for shell-based auth flows

Exit Criteria

  • Credentials verified or clear failure message
  • Suggested action for auth failures
  • Smoke test confirms working auth

Troubleshooting

Common Issues

Command not found Ensure all dependencies are installed and in PATH

Permission errors Check file permissions and run with appropriate privileges

Unexpected behavior Enable verbose logging with --verbose flag

Comments

Loading comments...