Fastify Best Practices

Name: Fastify Best Practices
Author: ilteoood

ilteoood/harness

Implement Fastify JWT login, route protection, and refresh-token patterns with copy-paste-ready TypeScript examples.

Overview

fastify-best-practices is an agent skill most often used in Build (also Ship security) that implements Fastify JWT authentication and protected-route patterns.

Install

npx skills add https://github.com/ilteoood/harness --skill fastify-best-practices

What is this skill?

@fastify/jwt registration with sign options and request.jwtVerify guard
authenticate onRequest hook pattern for protected routes
JSON schema validation on login body (email + password)
Refresh token flow patterns beyond access-token sign
Metadata tags: auth, jwt, session, oauth, security, authorization

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1 installs on skills.sh; 2 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).

What problem does it solve?

You are shipping a Fastify API but lack a consistent JWT login, verification, and protected-route setup your agent can apply without security mistakes.

Who is it for?

Solo builders creating TypeScript Fastify APIs who want JWT auth scaffolding before adding business routes.

Skip if: Greenfield teams choosing auth providers (Auth0, Clerk) with no self-hosted JWT, or non-Node HTTP frameworks.

When should I use this skill?

User asks for Fastify authentication, JWT, authorization, session, or OAuth patterns on a Node API.

What do I get? / Deliverables

Your Fastify app gains documented register/decorate auth hooks, schema-validated login, and protected route examples—then you add secrets handling and refresh-token storage in your own code.

JWT plugin registration and authenticate decorator
Login and protected route handler examples with JSON schema

Recommended Skills

Entra App Registrationmicrosoft/azure-skills

Walkthrough for Microsoft Entra ID app registration, OAuth configuration, and MSAL-based authentication setup.374k installs·1.2k stars

Azure Aigatewaymicrosoft/azure-skills

Quick reference for building and operating Azure API Management as an AI gateway using ARM .NET SDK and policy best prac…373k installs·1.2k stars

Lark Openapi Explorerlarksuite/cli

Escalation path for uncovered Lark/Feishu APIs: browse official OpenAPI docs and execute via lark-cli.208k installs·13.7k stars

Supabasesupabase/agent-skills

Authoritative Supabase agent skill for database, auth, edge functions, and client SSR with emphasis on up-to-date docs, …111k installs·2.2k stars

Firebase Auth Basicsfirebase/agent-skills

firebase-auth-basics is a guided agent skill for solo builders implementing Firebase Authentication in web or mobile-bac…75.7k installs·345 stars

Firebase Data Connectfirebase/agent-skills

Firebase Data Connect is an agent skill that equips solo builders to design relational data layers on Firebase using Gra…73.2k installs·345 stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

BuildBackend, data & payments

Authentication routes and plugins are core backend work when you are building the API surface of a solo SaaS. The skill’s examples center on @fastify/jwt decorators, login POST, and protected GET handlers—classic backend API concerns.

Also useful

ShipSecurity

Where it fits

Example use

BuildBackend, data & payments

Example use

ShipSecurity

Audit JWT expiry, refresh rotation, and 401 responses on protected handlers before production deploy.

How it compares

Opinionated Fastify JWT recipe skill—not a generic OpenAPI generator or a full OAuth provider integration.

Common Questions / FAQ

Who is fastify-best-practices for?

Indie and solo backend devs on Fastify who need JWT authentication and route guards without reading the entire Fastify ecosystem docs first.

When should I use fastify-best-practices?

In Build when adding auth plugins and login routes; in Ship/security when reviewing JWT expiry, refresh tokens, and 401 handling before launch.

Is fastify-best-practices safe to install?

Examples use environment-backed secrets and standard verify flows—review the Security Audits panel on this page and never commit JWT_SECRET or paste real credentials into prompts.

SKILL.md

READMESKILL.md - Fastify Best Practices

# Authentication and Authorization

## JWT Authentication with @fastify/jwt

Use `@fastify/jwt` for JSON Web Token authentication:

```typescript
import Fastify from 'fastify';
import fastifyJwt from '@fastify/jwt';

const app = Fastify();

app.register(fastifyJwt, {
  secret: process.env.JWT_SECRET,
  sign: {
    expiresIn: '1h',
  },
});

// Decorate request with authentication method
app.decorate('authenticate', async function (request, reply) {
  try {
    await request.jwtVerify();
  } catch (err) {
    reply.code(401).send({ error: 'Unauthorized' });
  }
});

// Login route
app.post('/login', {
  schema: {
    body: {
      type: 'object',
      properties: {
        email: { type: 'string', format: 'email' },
        password: { type: 'string' },
      },
      required: ['email', 'password'],
    },
  },
}, async (request, reply) => {
  const { email, password } = request.body;
  const user = await validateCredentials(email, password);

  if (!user) {
    return reply.code(401).send({ error: 'Invalid credentials' });
  }

  const token = app.jwt.sign({
    id: user.id,
    email: user.email,
    role: user.role,
  });

  return { token };
});

// Protected route
app.get('/profile', {
  onRequest: [app.authenticate],
}, async (request) => {
  return { user: request.user };
});
```

## Refresh Tokens

Implement refresh token rotation:

```typescript
import fastifyJwt from '@fastify/jwt';
import { randomBytes } from 'node:crypto';

app.register(fastifyJwt, {
  secret: process.env.JWT_SECRET,
  sign: {
    expiresIn: '15m', // Short-lived access tokens
  },
});

// Store refresh tokens (use Redis in production)
const refreshTokens = new Map<string, { userId: string; expires: number }>();

app.post('/auth/login', async (request, reply) => {
  const { email, password } = request.body;
  const user = await validateCredentials(email, password);

  if (!user) {
    return reply.code(401).send({ error: 'Invalid credentials' });
  }

  const accessToken = app.jwt.sign({ id: user.id, role: user.role });
  const refreshToken = randomBytes(32).toString('hex');

  refreshTokens.set(refreshToken, {
    userId: user.id,
    expires: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days
  });

  return { accessToken, refreshToken };
});

app.post('/auth/refresh', async (request, reply) => {
  const { refreshToken } = request.body;
  const stored = refreshTokens.get(refreshToken);

  if (!stored || stored.expires < Date.now()) {
    refreshTokens.delete(refreshToken);
    return reply.code(401).send({ error: 'Invalid refresh token' });
  }

  // Delete old token (rotation)
  refreshTokens.delete(refreshToken);

  const user = await db.users.findById(stored.userId);
  const accessToken = app.jwt.sign({ id: user.id, role: user.role });
  const newRefreshToken = randomBytes(32).toString('hex');

  refreshTokens.set(newRefreshToken, {
    userId: user.id,
    expires: Date.now() + 7 * 24 * 60 * 60 * 1000,
  });

  return { accessToken, refreshToken: newRefreshToken };
});

app.post('/auth/logout', async (request, reply) => {
  const { refreshToken } = request.body;
  refreshTokens.delete(refreshToken);
  return { success: true };
});
```

## Role-Based Access Control

Implement RBAC with decorators:

```typescript
type Role = 'admin' | 'user' | 'moderator';

// Create authorization decorator
app.decorate('authorize', function (...allowedRoles: Role[]) {
  return async (request, reply) => {
    await request.jwtVerify();

    const userRole = request.user.role as Role;
    if (!allowedRoles.includes(userRole)) {
      return reply.code(403).send({
        error: 'Forbidden',
        message: `Role '${userRole}' is not authorized for this resource`,
      });
    }
  };
});

// Admin only route
app.get('/admin/users', {
  onRequest: [app.authorize('admin')],
}, async (request) => {
  ret

What is this skill?

@fastify/jwt registration with sign options and request.jwtVerify guard

authenticate onRequest hook pattern for protected routes

JSON schema validation on login body (email + password)

Refresh token flow patterns beyond access-token sign

Metadata tags: auth, jwt, session, oauth, security, authorization

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1 installs on skills.sh; 2 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).

What do I get? / Deliverables

Your Fastify app gains documented register/decorate auth hooks, schema-validated login, and protected route examples—then you add secrets handling and refresh-token storage in your own code.

JWT plugin registration and authenticate decorator

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

BuildBackend, data & payments

Also useful

ShipSecurity

Where it fits

Example use

BuildBackend, data & payments

Example use

ShipSecurity

Audit JWT expiry, refresh rotation, and 401 responses on protected handlers before production deploy.

SKILL.md

READMESKILL.md - Fastify Best Practices

# Authentication and Authorization

## JWT Authentication with @fastify/jwt

Use `@fastify/jwt` for JSON Web Token authentication:

```typescript
import Fastify from 'fastify';
import fastifyJwt from '@fastify/jwt';

const app = Fastify();

app.register(fastifyJwt, {
  secret: process.env.JWT_SECRET,
  sign: {
    expiresIn: '1h',
  },
});

// Decorate request with authentication method
app.decorate('authenticate', async function (request, reply) {
  try {
    await request.jwtVerify();
  } catch (err) {
    reply.code(401).send({ error: 'Unauthorized' });
  }
});

// Login route
app.post('/login', {
  schema: {
    body: {
      type: 'object',
      properties: {
        email: { type: 'string', format: 'email' },
        password: { type: 'string' },
      },
      required: ['email', 'password'],
    },
  },
}, async (request, reply) => {
  const { email, password } = request.body;
  const user = await validateCredentials(email, password);

  if (!user) {
    return reply.code(401).send({ error: 'Invalid credentials' });
  }

  const token = app.jwt.sign({
    id: user.id,
    email: user.email,
    role: user.role,
  });

  return { token };
});

// Protected route
app.get('/profile', {
  onRequest: [app.authenticate],
}, async (request) => {
  return { user: request.user };
});
```

## Refresh Tokens

Implement refresh token rotation:

```typescript
import fastifyJwt from '@fastify/jwt';
import { randomBytes } from 'node:crypto';

app.register(fastifyJwt, {
  secret: process.env.JWT_SECRET,
  sign: {
    expiresIn: '15m', // Short-lived access tokens
  },
});

// Store refresh tokens (use Redis in production)
const refreshTokens = new Map<string, { userId: string; expires: number }>();

app.post('/auth/login', async (request, reply) => {
  const { email, password } = request.body;
  const user = await validateCredentials(email, password);

  if (!user) {
    return reply.code(401).send({ error: 'Invalid credentials' });
  }

  const accessToken = app.jwt.sign({ id: user.id, role: user.role });
  const refreshToken = randomBytes(32).toString('hex');

  refreshTokens.set(refreshToken, {
    userId: user.id,
    expires: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days
  });

  return { accessToken, refreshToken };
});

app.post('/auth/refresh', async (request, reply) => {
  const { refreshToken } = request.body;
  const stored = refreshTokens.get(refreshToken);

  if (!stored || stored.expires < Date.now()) {
    refreshTokens.delete(refreshToken);
    return reply.code(401).send({ error: 'Invalid refresh token' });
  }

  // Delete old token (rotation)
  refreshTokens.delete(refreshToken);

  const user = await db.users.findById(stored.userId);
  const accessToken = app.jwt.sign({ id: user.id, role: user.role });
  const newRefreshToken = randomBytes(32).toString('hex');

  refreshTokens.set(newRefreshToken, {
    userId: user.id,
    expires: Date.now() + 7 * 24 * 60 * 60 * 1000,
  });

  return { accessToken, refreshToken: newRefreshToken };
});

app.post('/auth/logout', async (request, reply) => {
  const { refreshToken } = request.body;
  refreshTokens.delete(refreshToken);
  return { success: true };
});
```

## Role-Based Access Control

Implement RBAC with decorators:

```typescript
type Role = 'admin' | 'user' | 'moderator';

// Create authorization decorator
app.decorate('authorize', function (...allowedRoles: Role[]) {
  return async (request, reply) => {
    await request.jwtVerify();

    const userRole = request.user.role as Role;
    if (!allowedRoles.includes(userRole)) {
      return reply.code(403).send({
        error: 'Forbidden',
        message: `Role '${userRole}' is not authorized for this resource`,
      });
    }
  };
});

// Admin only route
app.get('/admin/users', {
  onRequest: [app.authorize('admin')],
}, async (request) => {
  ret

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is fastify-best-practices for?

When should I use fastify-best-practices?

Is fastify-best-practices safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is fastify-best-practices for?

When should I use fastify-best-practices?

Is fastify-best-practices safe to install?

SKILL.md