
jwt

Implementation and verification patterns for JWT (JSON Web Token) authentication using Better Auth and FastAPI.

Introduction

This skill provides a framework for managing stateless authentication in full-stack applications using JWT (JSON Web Token). It is designed for software engineers and backend developers building systems with a Next.js frontend and a FastAPI backend. By centralizing the Better Auth configuration on the client side and the Python-based verification on the server side, it keeps token format, signing algorithm and claim handling consistent across distributed services. The skill covers the entire lifecycle of a token, from initial issuance and claim structure to server-side validation and expiration handling.

  • Standardizes the JWT structure, including the header, the payload (claims such as sub, email, iat, exp) and HS256 signature verification.

  • Provides boilerplate configuration for Better Auth plugins, facilitating seamless integration with frontend authentication flows.

  • Includes robust server-side Python utilities for decoding tokens and protected route implementation via FastAPI middleware or dependency injection.

  • Offers systematic handling of authentication errors, such as expired or malformed tokens, using Python's PyJWT library.

  • Defines clear mapping for token claims to improve interoperability between the frontend user store and backend database subjects.

  • Always load the secret key from an environment variable (BETTER_AUTH_SECRET), never from source code, to prevent token forgery.

  • Ensure consistent algorithm usage (HS256) across both client and server implementations to avoid validation failures.

  • The skill assumes stateless authentication; therefore, manage token revocation strategies separately if immediate logout functionality is required beyond standard expiration.

  • Inputs expected include raw authorization headers or bearer tokens, while outputs consist of validated user objects or standardized error responses for 401 Unauthorized states.

  • Use the provided table of standard JWT claims (sub, email, name, iat, exp, iss, aud) as a reference when extending user metadata in the payload.
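The verification steps listed above (shared HS256 secret from BETTER_AUTH_SECRET, pinned algorithm, required sub/exp claims, 401 on expired or malformed tokens), as an added stdlib-only illustration that is not the skill's own PyJWT utilities; the function names, the AuthError class and issue_token test helper are assumptions made here, and a FastAPI dependency would call verify_bearer on the Authorization header and turn AuthError into HTTPException(401).

```python
# Added illustration (not the skill's PyJWT code): a stdlib-only HS256 verifier
# that performs the checks the skill describes, so each step is visible.
import base64, hashlib, hmac, json, os, time

ALGORITHM = "HS256"  # pinned on the server; the header's "alg" must match, it is never trusted alone

class AuthError(Exception):
    """Raised for any rejected token; a FastAPI dependency maps it to HTTP 401."""
    status_code = 401

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims, secret):
    """Build a compact HS256 JWT (test helper only; Better Auth issues the real ones)."""
    header = _b64url_encode(json.dumps({"alg": ALGORITHM, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, secret))}"

def verify_bearer(authorization, secret=None, now=None):
    """Validate an Authorization header value and return the user, or raise AuthError."""
    secret = secret or os.environ.get("BETTER_AUTH_SECRET")  # same value Better Auth signs with
    if not secret:
        raise RuntimeError("BETTER_AUTH_SECRET is not configured")  # never verify with ""
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError("missing bearer token")
    try:
        head_b64, body_b64, sig_b64 = authorization[7:].split(".")  # strip "Bearer "
        header, payload = (json.loads(_b64url_decode(s)) for s in (head_b64, body_b64))
        signature = _b64url_decode(sig_b64)
        alg, sub, exp = header["alg"], payload["sub"], payload["exp"]
    except (ValueError, TypeError, KeyError):  # wrong segment count, bad base64/JSON, missing keys
        raise AuthError("malformed token")
    if alg != ALGORITHM or not isinstance(exp, (int, float)):  # rejects alg=none and algorithm swaps
        raise AuthError("unexpected algorithm or exp claim")
    if not hmac.compare_digest(signature, _sign(f"{head_b64}.{body_b64}", secret)):
        raise AuthError("invalid signature")  # constant-time compare, before any claim is trusted
    if (time.time() if now is None else now) >= exp:
        raise AuthError("token expired")
    return {"id": sub, "email": payload.get("email"), "name": payload.get("name")}
```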

Repository Stats

  • Stars: 0
  • Forks: 0
  • Open Issues: 0
  • Language: TypeScript
  • Default Branch: main
  • Last Synced: May 3, 2026, 08:28 PM