Identity & API

5 skills Category 8 of 20

This category connects “who can do what” with machine-readable contracts: authentication vs. authorization, OAuth/OIDC flows, OpenAPI drafts and their evolution, and GraphQL depth and N+1 limits. It is the cross-stack hinge between server-side development and frontend & UI.

In the hub it sits in the “APIs & full-stack” band. The five entries match the main hub.

In depth

AuthN / AuthZ

Separate authentication (who you are) from authorization (what you can do)—RBAC/ABAC, sessions, JWT, mTLS—the choice of mechanism follows the threat model.

OAuth / OIDC

Authorization code flow, refresh token rotation, aud/iss checks, JWKS caching—and mind the token storage constraints that differ between confidential and public clients.

API contract draft

Derive resources and verbs from use cases; unify error envelopes and pagination—contract before implementation enables mocks and parallel work.

OpenAPI design

Path/field versioning, deprecation policy, compatibility tests—keep SDKs, docs, and gateway routes in sync.

GraphQL schema

Cursor pagination, DataLoader for N+1, depth/complexity limits—subscriptions need their own backpressure story.