
Django Expert
Wire Django REST Framework APIs with SimpleJWT access/refresh tokens, custom claims, and object-level permissions without guessing settings patterns.
Overview
django-expert is an agent skill for the Build phase that configures Django REST Framework SimpleJWT authentication, token endpoints, custom claims, and permission class patterns.
Install
npx skills add https://github.com/jeffallan/claude-skills --skill django-expert

What is this skill?
- Copy-paste SimpleJWT settings with 15-minute access, 7-day refresh, rotation, and post-rotation blacklist
- Token obtain/refresh URL wiring for TokenObtainPairView and TokenRefreshView
- Custom TokenObtainPairSerializer pattern for email and role claims on JWT payload
- IsOwnerOrReadOnly BasePermission starter for object-level write restrictions
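The bullets above describe the token settings the skill emits but not what they buy you. The following is an added example, not code from the django-expert skill or from SimpleJWT: a stdlib-only model of the token behaviour those settings configure. It issues an HS256 access/refresh pair with the custom `email` and `role` claims, and demonstrates that claims are readable by anyone holding the token, that editing a claim breaks the signature, that the access token stops verifying after 15 minutes, and that only the post-rotation blacklist stops a rotated refresh token from being replayed. The signing key, user record and timestamps are constructed for the demo; the in-memory `jti` set stands in for the tables the `token_blacklist` app keeps.

```python
"""Added example, not code from the django-expert skill: a stdlib-only model of the
SimpleJWT behaviour configured by ACCESS_TOKEN_LIFETIME=15m, REFRESH_TOKEN_LIFETIME=7d,
ROTATE_REFRESH_TOKENS and BLACKLIST_AFTER_ROTATION, with custom email/role claims.
Key, user and timestamps below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import timedelta

ACCESS_LIFETIME = timedelta(minutes=15)
REFRESH_LIFETIME = timedelta(days=7)
SIGNING_KEY = "constructed-demo-key-use-settings.SECRET_KEY"          # constructed
USER = {"id": 1, "email": "alice@example.com", "role": "editor"}      # constructed user
T0 = 1_700_000_000.0                                                  # fixed "now"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: str = SIGNING_KEY) -> str:
    """HS256 JWT (SimpleJWT's default algorithm): signed, but not encrypted."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def peek_claims(token: str) -> dict:
    """Anyone holding the token can read its claims; no key is needed."""
    return json.loads(_unb64(token.split(".")[1]))


def verify(token: str, now: float, key: str = SIGNING_KEY) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def is_valid(token: str, now: float) -> bool:
    try:
        verify(token, now)
        return True
    except ValueError:
        return False


def issue_pair(user: dict, now: float) -> tuple[str, str]:
    """Mirror of get_token(): a refresh token and an access token carrying the custom claims."""
    base = {"user_id": user["id"], "email": user["email"], "role": user["role"], "iat": int(now)}
    refresh = dict(base, token_type="refresh", jti=secrets.token_hex(16),
                   exp=int(now + REFRESH_LIFETIME.total_seconds()))
    access = dict(base, token_type="access", jti=secrets.token_hex(16),
                  exp=int(now + ACCESS_LIFETIME.total_seconds()))
    return encode(refresh), encode(access)


def tamper_role(token: str, new_role: str) -> str:
    """What an attacker can do to an unencrypted payload: rewrite a claim, keep the old signature."""
    header, _, sig = token.split(".")
    claims = dict(peek_claims(token), role=new_role)
    return f"{header}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


class RefreshEndpoint:
    """Model of TokenRefreshView with ROTATE_REFRESH_TOKENS=True. The blacklist is an
    in-memory set here; SimpleJWT keeps it in the token_blacklist app's tables."""

    def __init__(self, blacklist_after_rotation: bool = True):
        self.blacklist_after_rotation = blacklist_after_rotation
        self.blacklisted_jtis: set[str] = set()

    def refresh(self, refresh_token: str, now: float) -> tuple[str, str]:
        claims = verify(refresh_token, now)
        if claims.get("token_type") != "refresh":
            raise ValueError("not a refresh token")   # an access token must not mint new pairs
        if claims["jti"] in self.blacklisted_jtis:
            raise ValueError("refresh token already used")
        if self.blacklist_after_rotation:
            self.blacklisted_jtis.add(claims["jti"])
        user = {"id": claims["user_id"], "email": claims["email"], "role": claims["role"]}
        return issue_pair(user, now)                  # rotated refresh token plus fresh access token


def replay_rejected(blacklist_after_rotation: bool) -> bool:
    """True if replaying an already-rotated refresh token is refused."""
    endpoint = RefreshEndpoint(blacklist_after_rotation)
    refresh, _ = issue_pair(USER, T0)
    endpoint.refresh(refresh, T0 + 60)          # legitimate client rotates
    try:
        endpoint.refresh(refresh, T0 + 120)     # a stolen copy of the old token is replayed
        return False
    except ValueError:
        return True
```

`replay_rejected(True)` returns `True` and `replay_rejected(False)` returns `False`: with rotation alone the old refresh token keeps working until its 7-day expiry, which is the window the blacklist closes. `peek_claims` is the reason the `role` claim must never carry anything secret, and `tamper_role` shows why a role edit needs the signing key to take effect; the flip side is that a legitimate role change is not reflected until the 15-minute access token expires.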
Adoption & trust: 2.3k installs on skills.sh; 9.7k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are standing up a Django API but keep re-deriving SimpleJWT settings, refresh rotation, and custom permission stubs from fragmented docs.
Who is it for?
Solo builders shipping a DRF backend who want JWT auth and owner-scoped permissions wired consistently on day one.
Skip if: Teams that already maintain a standardized internal auth package, or apps that need OAuth-only or session-cookie auth without JWT.
When should I use this skill?
You are implementing or fixing Django API authentication with JWT, custom claims, or object-level DRF permissions.
What do I get? / Deliverables
After the skill runs, your agent can produce aligned INSTALLED_APPS, REST_FRAMEWORK, SIMPLE_JWT, urls, serializer overrides, and permission skeletons ready to adapt to your User model.
- settings.py REST_FRAMEWORK and SIMPLE_JWT blocks
- urls.py token routes
- Custom token serializer and permission class stubs
Journey fit
Authentication, JWT lifetimes, and DRF permission classes are implemented during backend API construction—the canonical Build shelf for server-side auth. Backend subphase covers REST auth endpoints, serializers, and permission hooks that protect routes before Ship security review.
How it compares
Use instead of asking the agent for generic Django auth snippets that omit rotation, blacklist, and DRF class wiring.
Common Questions / FAQ
Who is django-expert for?
Indie and solo developers building Django REST APIs who want JWT login, refresh flows, and permission templates without hunting multiple framework docs.
When should I use django-expert?
Use it in Build when adding user accounts and protected endpoints, or when refactoring auth to SimpleJWT with rotated refresh tokens and custom claims like email and role.
Is django-expert safe to install?
Review the Security Audits panel on this Prism page and treat generated auth code as a starting point—validate secrets, token lifetimes, and permission logic before production.
SKILL.md - Django Expert
# Authentication

## SimpleJWT Setup

```python
# settings.py
from datetime import timedelta

INSTALLED_APPS = [
    ...
    'rest_framework_simplejwt',
    # Required for BLACKLIST_AFTER_ROTATION to do anything: without this app
    # SimpleJWT silently skips blacklisting. Run `manage.py migrate` after adding it.
    'rest_framework_simplejwt.token_blacklist',
]

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ],
}

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=15),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=7),
    'ROTATE_REFRESH_TOKENS': True,     # every refresh call returns a new refresh token
    'BLACKLIST_AFTER_ROTATION': True,  # and the refresh token just used is invalidated
    'AUTH_HEADER_TYPES': ('Bearer',),
}
```

```python
# urls.py
from django.urls import path
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
    TokenVerifyView,
)

urlpatterns = [
    path('api/token/', TokenObtainPairView.as_view(), name='token_obtain_pair'),
    path('api/token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
    path('api/token/verify/', TokenVerifyView.as_view(), name='token_verify'),
]
```

## Custom Token Claims

```python
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView


class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
    @classmethod
    def get_token(cls, user):
        token = super().get_token(user)
        # Custom claims. The payload is signed but not encrypted: anyone holding the
        # token can read these, so never add secrets here. `role` assumes a field on
        # your User model, and a role change is not seen until the access token expires.
        token['email'] = user.email
        token['role'] = user.role
        return token


# Wire this view at api/token/ in place of TokenObtainPairView.
class CustomTokenObtainPairView(TokenObtainPairView):
    serializer_class = CustomTokenObtainPairSerializer
```

## Custom Permissions

```python
import hmac

from django.conf import settings
from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """Object-level check. DRF runs it from get_object(), i.e. on detail views only;
    list endpoints never reach it, so scope the queryset there as well."""

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        return obj.created_by == request.user


class IsAdminOrReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        return request.user.is_staff


class HasAPIKey(permissions.BasePermission):
    def has_permission(self, request, view):
        api_key = request.headers.get('X-API-Key', '')
        # Constant-time comparison: `==` leaks how many leading bytes matched via timing.
        return hmac.compare_digest(api_key, settings.API_KEY)
```

## Permission Classes on ViewSet

```python
from rest_framework import permissions, viewsets
from rest_framework.permissions import IsAuthenticatedOrReadOnly

from .permissions import IsOwnerOrReadOnly


class ProductViewSet(viewsets.ModelViewSet):
    permission_classes = [IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly]

    def get_permissions(self):
        # Overriding get_permissions() replaces permission_classes entirely for that
        # action, so the object-level check must be repeated here or it is silently dropped.
        if self.action == 'destroy':
            return [permissions.IsAdminUser()]
        if self.action in ['create', 'update', 'partial_update']:
            return [permissions.IsAuthenticated(), IsOwnerOrReadOnly()]
        return [permissions.AllowAny()]
```

## User Registration

```python
from django.contrib.auth import get_user_model
from django.contrib.auth.password_validation import validate_password
from rest_framework import generics, permissions, serializers

User = get_user_model()


class RegisterSerializer(serializers.ModelSerializer):
    password = serializers.CharField(write_only=True, min_length=8)
    password_confirm = serializers.CharField(write_only=True)

    class Meta:
        model = User
        fields = ['email', 'username', 'password', 'password_confirm']

    def validate(self, attrs):
        if attrs['password'] != attrs['password_confirm']:
            raise serializers.ValidationError("Passwords don't match")
        validate_password(attrs['password'])  # runs AUTH_PASSWORD_VALIDATORS, not just min_length
        return attrs

    def create(self, validated_data):
        validated_data.pop('password_confirm')
        # create_user() hashes the password; a plain objects.create() would store it verbatim.
        return User.objects.create_user(**validated_data)


class RegisterView(generics.CreateAPIView):
    serializer_class = RegisterSerializer
    permission_classes = [permissions.AllowAny]
```

## Current User Endpoint

```python
from rest_framework import generics, permissions

from .serializers import UserSerializer


class CurrentUserView(generics.RetrieveUpdateAPIView):
    serializer_class = UserSerializer
    permission_classes = [permissions.IsAuthenticated]

    def get_object(self):
        # Always the caller's own record, so no pk from the URL can select another user.
        return self.request.user
```

## Quick Reference

| Permission | Access |
|------------|--------|
| `AllowAny` | Everyone |
| `IsAuthenticated` | Logged in users |
| `IsAdminUser` | Staff users |
| `IsAuthenticatedOrReadOnly` | Auth for write |

| JWT Endpoint | Purpose |
|--------------|---------|
| `/token/` | Get access + refresh |
| `/token/refresh/` | New access from refresh (plus a new refresh token when rotation is on) |
| `/token/verify/` | Validate token |

# DRF Serializers

## ModelSerialize