
Authentication
Implement Apple passkey and WebAuthn sign-in on iOS with the right AuthenticationServices providers, AutoFill, and server verification checklist.
Install
npx skills add https://github.com/dpearson2699/swift-ios-skills --skill authentication
What is this skill?
- Passkey checklist: webcredentials associated domains and relying-party identifier alignment
- ASAuthorizationPlatformPublicKeyCredentialProvider for platform passkey register and assert flows
- Server-minted challenges with mandatory server-side verification before session issuance
- performAutoFillAssistedRequests with username fields using .username for inline passkey suggestions
- ASAuthorizationSecurityKeyPublicKeyCredentialProvider reserved for physical security-key fallback only
Adoption & trust: 1.7k installs on skills.sh; 713 GitHub stars; 2/3 security scanners passed (skills.sh audits).
Journey fit
Primary fit
Passwordless auth is wired during product build when mobile clients connect to a relying-party backend. Fits integrations because it spans Associated Domains, AuthenticationServices APIs, and server challenge/verification contracts.
Common Questions / FAQ
Is Authentication safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
{
  "skill_name": "authentication",
  "evals": [
    {
      "id": 0,
      "name": "passkey-registration-and-signin",
      "prompt": "We're adding passwordless sign-in to our iOS app for accounts on example.com. The server can mint WebAuthn challenges, and product wants passkeys first, a physical security key fallback, and inline suggestions in the username field. What should the implementation checklist and core AuthenticationServices flow look like?",
      "expected_output": "A passkey implementation checklist that covers associated domains, platform passkey registration/assertion, AutoFill-assisted requests, physical security key boundaries, and server-side verification.",
      "files": [],
      "expectations": [
        "Names the Associated Domains requirement with the `webcredentials:` service for the relying-party domain.",
        "Uses `ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier:)` for platform passkeys and distinguishes registration from assertion requests.",
        "States that registration and assertion challenges come from the relying-party server and that passkey results must be verified server-side before issuing a session.",
        "Mentions `performAutoFillAssistedRequests()` with a username text field using `.username` for inline passkey suggestions.",
        "Uses `ASAuthorizationSecurityKeyPublicKeyCredentialProvider` only for physical security key fallback, not as the default platform passkey provider."
      ]
    },
    {
      "id": 1,
      "name": "sign-in-with-apple-oauth-review",
      "prompt": "Review this iOS login plan before implementation: Sign in with Apple for new accounts, saved password suggestions for returning users, GitHub OAuth, cached account profile data, local Face ID re-auth before account deletion, and token storage. What are the must-have AuthenticationServices and LocalAuthentication checks?",
      "expected_output": "A review checklist that covers Sign in with Apple setup, credential handling, existing account flows, OAuth session presentation, biometric re-auth boundaries, and secure token storage.",
      "files": [],
      "expectations": [
        "Requires the Sign in with Apple capability plus `ASAuthorizationControllerPresentationContextProviding` for authorization UI.",
        "Explains that `email` and `fullName` must be cached during first authorization and handled as optional later.",
        "Requires Apple ID credential state checks with `getCredentialState(forUserID:completion:)` and handling credential revocation notifications.",
        "Sends `identityToken` and `authorizationCode` to the server for validation instead of trusting them only on device.",
        "Uses `ASWebAuthenticationSession` for GitHub OAuth, avoids `WKWebView`, and returns a real active presentation anchor.",
        "Stores secrets in Keychain and treats `LAContext.evaluatePolicy` as local re-authentication rather than standalone proof for releasing stored secrets."
      ]
    },
    {
      "id": 2,
      "name": "security-boundary-routing",
      "prompt": "A team asks the authentication skill to design the whole account security layer: Sign in with Apple, passkeys, refresh-token storage, CryptoKit encryption, certificate pinning, biometric unlock, and OWASP MASVS mapping. Give a concise scope review that says what this skill should cover and what belongs in sibling security work.",
      "expected_output": "A boundary-aware scope review that keeps AuthenticationServices auth flows in scope while routing deep Keychain, CryptoKit, certificate trust, and compliance work to the security skill.",
      "files": [],
      "expectations": [
        "Keeps Sign in with Apple, passkeys, Password AutoFill, ASAuthorizationController flows, ASWebAuthenticationSession OAuth, and local biometric re-authentication in the authentication skill scope.",
        "Routes detailed Keychain architecture, CryptoKit encryption, Secure Enclave, certificate pinning, and