[{"data":1,"prerenderedAt":471},["ShallowReactive",2],{"blog-prompts/add-api-authentication":3},{"id":4,"title":5,"body":6,"category":450,"date":451,"dateModified":452,"description":453,"draft":454,"extension":455,"faq":456,"featured":454,"headerVariant":457,"image":456,"keywords":456,"meta":458,"navigation":459,"ogDescription":460,"ogTitle":456,"path":461,"readTime":456,"schemaOrg":462,"schemaType":463,"seo":464,"sitemap":465,"stem":466,"tags":467,"twitterCard":469,"__hash__":470},"blog/blog/prompts/add-api-authentication.md","Add API Authentication with AI Prompts",{"type":7,"value":8,"toc":437},"minimark",[9,16,21,24,91,95,98,154,158,161,220,224,227,301,311,315,320,323,375,384,406,425],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you add authentication to your API endpoints. They cover JWT tokens, API keys, session-based auth, and OAuth integration. Choose the right approach for your use case and implement it securely.",[17,18,20],"h2",{"id":19},"jwt-authentication","JWT Authentication",[13,22,23],{},"Use this prompt to add JWT-based authentication to your API. Your AI will generate login, refresh, and logout endpoints along with token validation middleware and secure secret management.",[25,26,28,31,34,53,56,74,77],"prompt-box",{"title":27},"JWT Authentication Setup",[13,29,30],{},"Add JWT authentication to my API.",[13,32,33],{},"Requirements:",[35,36,37,41,44,47,50],"ol",{},[38,39,40],"li",{},"Generate tokens on login with proper claims (sub, iat, exp)",[38,42,43],{},"Use a secure signing algorithm (RS256 or HS256 with strong secret)",[38,45,46],{},"Create middleware to validate tokens on protected routes",[38,48,49],{},"Handle token expiration and refresh tokens",[38,51,52],{},"Store refresh tokens securely (httpOnly cookies or database)",[13,54,55],{},"Implementation:",[57,58,59,62,65,68,71],"ul",{},[38,60,61],{},"Login endpoint that returns access + refresh tokens",[38,63,64],{},"Token refresh endpoint",[38,66,67],{},"Logout endpoint that invalidates refresh token",[38,69,70],{},"Protected route middleware",[38,72,73],{},"Error handling for expired/invalid tokens",[13,75,76],{},"Security considerations:",[57,78,79,82,85,88],{},[38,80,81],{},"Short access token expiry (15 min)",[38,83,84],{},"Longer refresh token expiry (7 days)",[38,86,87],{},"Rotate refresh tokens on use",[38,89,90],{},"Store secret in environment variable",[17,92,94],{"id":93},"api-key-authentication","API Key Authentication",[13,96,97],{},"Paste this prompt to generate a complete API key system for server-to-server communication. You'll get key generation, hashed storage, validation middleware, revocation, and scoped permissions.",[25,99,100,103,105,122,125,142],{"title":94},[13,101,102],{},"Add API key authentication for server-to-server communication.",[13,104,33],{},[35,106,107,110,113,116,119],{},[38,108,109],{},"Generate cryptographically secure API keys",[38,111,112],{},"Store hashed keys in database (not plaintext)",[38,114,115],{},"Accept keys via Authorization header or X-API-Key",[38,117,118],{},"Validate and rate limit per key",[38,120,121],{},"Track key usage (last used, request count)",[13,123,124],{},"Features needed:",[57,126,127,130,133,136,139],{},[38,128,129],{},"Key generation endpoint (admin only)",[38,131,132],{},"Key validation middleware",[38,134,135],{},"Key revocation endpoint",[38,137,138],{},"Usage statistics per key",[38,140,141],{},"Scoped permissions (read, write, admin)",[13,143,144,145,149,150,153],{},"Key format: ",[146,147,148],"span",{},"prefix","_",[146,151,152],{},"random_bytes","\nExample: sk_live_abc123def456",[17,155,157],{"id":156},"session-based-authentication","Session-Based Authentication",[13,159,160],{},"Use this prompt to set up server-side session authentication with secure cookies. Your AI will create session creation, validation middleware, CSRF protection, and secure cookie configuration.",[25,162,164,167,169,186,189,206,209],{"title":163},"Session Authentication",[13,165,166],{},"Add session-based authentication to my web application API.",[13,168,33],{},[35,170,171,174,177,180,183],{},[38,172,173],{},"Create session on successful login",[38,175,176],{},"Store session server-side (Redis or database)",[38,178,179],{},"Send session ID via httpOnly, secure cookie",[38,181,182],{},"Validate session on each request",[38,184,185],{},"Implement secure logout (destroy session)",[13,187,188],{},"Security settings:",[57,190,191,194,197,200,203],{},[38,192,193],{},"httpOnly: true (prevent XSS access)",[38,195,196],{},"secure: true (HTTPS only)",[38,198,199],{},"sameSite: 'strict' or 'lax'",[38,201,202],{},"Rotate session ID on login (prevent fixation)",[38,204,205],{},"Set reasonable expiry with sliding window",[13,207,208],{},"Also implement:",[57,210,211,214,217],{},[38,212,213],{},"Session middleware",[38,215,216],{},"CSRF protection for state-changing requests",[38,218,219],{},"Concurrent session limiting (optional)",[17,221,223],{"id":222},"oauth-integration","OAuth Integration",[13,225,226],{},"Copy this prompt to generate a full OAuth 2.0 authorization code flow for Google or GitHub. You'll get redirect endpoints, callback handlers, state parameter validation, PKCE support, and user account creation logic.",[25,228,230,233,239,241,258,261,284,287],{"title":229},"OAuth Setup",[13,231,232],{},"Add OAuth authentication (Google/GitHub) to my application.",[13,234,235,236],{},"Provider: ",[146,237,238],{},"Google / GitHub / both",[13,240,33],{},[35,242,243,246,249,252,255],{},[38,244,245],{},"Implement OAuth 2.0 authorization code flow",[38,247,248],{},"Securely handle state parameter (CSRF protection)",[38,250,251],{},"Exchange code for tokens server-side",[38,253,254],{},"Create or link user account",[38,256,257],{},"Issue application JWT/session after OAuth success",[13,259,260],{},"Implement:",[57,262,263,270,275,278,281],{},[38,264,265,266,269],{},"/auth/",[146,267,268],{},"provider"," - redirect to OAuth provider",[38,271,265,272,274],{},[146,273,268],{},"/callback - handle OAuth callback",[38,276,277],{},"State generation and validation",[38,279,280],{},"Token exchange logic",[38,282,283],{},"User creation/linking logic",[13,285,286],{},"Security:",[57,288,289,292,295,298],{},[38,290,291],{},"Validate state parameter",[38,293,294],{},"Use PKCE if supported",[38,296,297],{},"Store tokens securely (or don't store if not needed)",[38,299,300],{},"Don't expose client secret to frontend",[302,303,304],"warning-box",{},[13,305,306,310],{},[307,308,309],"strong",{},"Never trust the frontend:"," Always validate authentication server-side. Client-side tokens can be manipulated. The server must verify every request independently.",[17,312,314],{"id":313},"framework-specific-implementation","Framework-Specific Implementation",[316,317,319],"h3",{"id":318},"nextjs","Next.js",[13,321,322],{},"This prompt asks your AI to scaffold authentication for a Next.js App Router project. You'll get an auth configuration file, login/logout API routes, a session provider, and a useAuth hook or middleware for route protection.",[25,324,326,329,335,338,355,358],{"title":325},"Next.js Auth Setup",[13,327,328],{},"Add authentication to my Next.js application.",[13,330,331,332],{},"Using: ",[146,333,334],{},"NextAuth.js / custom / Clerk / Auth0",[13,336,337],{},"For App Router:",[35,339,340,343,346,349,352],{},[38,341,342],{},"Create auth configuration",[38,344,345],{},"Implement server-side session checking",[38,347,348],{},"Create protected API routes",[38,350,351],{},"Add middleware for route protection",[38,353,354],{},"Handle auth state on client",[13,356,357],{},"Create:",[57,359,360,363,366,369,372],{},[38,361,362],{},"Auth configuration file",[38,364,365],{},"Login/logout API routes",[38,367,368],{},"Session provider wrapper",[38,370,371],{},"useAuth hook or server-side helpers",[38,373,374],{},"Protected route wrapper/middleware",[376,377,378],"tip-box",{},[13,379,380,383],{},[307,381,382],{},"Pro tip:"," For user-facing apps, consider using established auth providers (NextAuth, Clerk, Auth0) rather than rolling your own. They handle edge cases you might not think of.",[385,386,387,394,400],"faq-section",{},[388,389,391],"faq-item",{"question":390},"Should I use JWT or sessions?",[13,392,393],{},"Sessions are simpler and easier to revoke. JWTs are stateless and scale better for distributed systems. For most web apps, sessions work great. For APIs with third-party clients, JWTs or API keys are better.",[388,395,397],{"question":396},"How long should tokens be valid?",[13,398,399],{},"Access tokens: 15 minutes to 1 hour. Refresh tokens: 7 to 30 days. Shorter is more secure but requires more refresh logic. Balance security with user experience.",[388,401,403],{"question":402},"Where should I store tokens on the client?",[13,404,405],{},"HttpOnly cookies are most secure against XSS. If using localStorage, ensure strict CSP. Never store tokens in sessionStorage for persistent auth.",[407,408,409,415,420],"related-articles",{},[410,411],"related-card",{"description":412,"href":413,"title":414},"JWT security best practices","/blog/prompts/secure-jwt-implementation","Secure JWT Implementation",[410,416],{"description":417,"href":418,"title":419},"Full API security","/blog/prompts/secure-api-endpoints","Secure API Endpoints",[410,421],{"description":422,"href":423,"title":424},"Harden your sessions","/blog/prompts/add-session-security","Add Session Security",[426,427,430,434],"cta-box",{"href":428,"label":429},"/","Start Free Scan",[17,431,433],{"id":432},"test-your-auth-security","Test Your Auth Security",[13,435,436],{},"Scan your authentication implementation for vulnerabilities.",{"title":438,"searchDepth":439,"depth":439,"links":440},"",2,[441,442,443,444,445,449],{"id":19,"depth":439,"text":20},{"id":93,"depth":439,"text":94},{"id":156,"depth":439,"text":157},{"id":222,"depth":439,"text":223},{"id":313,"depth":439,"text":314,"children":446},[447],{"id":318,"depth":448,"text":319},3,{"id":432,"depth":439,"text":433},"prompts","2026-02-11","2026-03-06","AI prompts to add authentication to your API. Implement JWT, API keys, session-based auth, and OAuth for secure API access.",false,"md",null,"cyan",{},true,"AI prompts to add authentication to your API endpoints.","/blog/prompts/add-api-authentication","[object Object]","BlogPosting",{"title":5,"description":453},{"loc":461},"blog/prompts/add-api-authentication",[468],"Authentication","summary_large_image","kWFeIa-vTFzIr8EEIzxmXisegDmcKIOfWK2yT982igM",1775843939081]