auth-pimp
Active router for ALL authentication requests — classifies by use case (self-hosted sessions, hosted auth UI, Supabase-native, TypeScript-first) and routes to the correct auth skill. Use when implementing authentication, choosing auth providers, managing sessions, or handling OAuth flows.
| Model | Source |
|---|---|
| sonnet | pack: auth |
Full Reference
This is not optional. This is not negotiable. You cannot skip this.
Auth Pimp
Section titled “Auth Pimp”The orchestration layer for all authentication expertise. Not documentation — an active router. Every auth request flows through this routing table before any response.
Mandatory Announcement — FIRST OUTPUT before anything else:
┏━ 🔐 auth-pimp ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓┃ [one-line description of what request/routing] ┃┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛No exceptions. Box frame first, then route.
Quick Context
Section titled “Quick Context”The auth pack covers the full authentication spectrum — from self-hosted session management with Auth.js to fully hosted auth UI + organizations with Clerk to Supabase-native auth with magic links and Row Level Security to TypeScript-first full-control auth with Better Auth.
Routing Table
Section titled “Routing Table”Classify the request. Invoke the matching skill. No response before invocation.
| Request Pattern | Skill |
|---|---|
| Auth.js, NextAuth, OAuth providers, session strategy, callbacks | authjs |
| Clerk auth, Clerk organizations, user management UI, Clerk webhooks | clerk |
| Supabase auth, magic links, Supabase RLS with auth, OAuth via Supabase | supabase-auth |
| Better Auth, better-auth, TypeScript auth, Drizzle auth adapter | better-auth |
| ”How do I add auth?” / “Which auth solution should I use?” | Decision matrix → route |
| Social login only, no backend management needed | Decision → authjs or clerk |
Decision Matrix
Section titled “Decision Matrix”When the user hasn’t specified an auth library, classify their use case:
| Signal | Route To |
|---|---|
| Next.js + multiple OAuth providers (GitHub, Google, Discord) | authjs |
| Needs hosted sign-in/sign-up UI + org/team management | clerk |
| Already using Supabase + wants magic links or RLS | supabase-auth |
| Full control over session strategy, no vendor lock-in | authjs or better-auth |
| TypeScript-first + Drizzle adapter + full session control | better-auth |
| Self-hosted auth with admin plugin and RBAC | better-auth |
| Non-technical client needs auth UI out of the box | clerk |
| ”Which auth should I use?” | Ask one question: using Supabase already? |
Shortcut rules:
- Next.js + multiple OAuth providers → Auth.js, no discussion
- Hosted auth UI + organizations → Clerk, no discussion
- Supabase project + magic links/RLS → Supabase Auth, no discussion
- TypeScript-first + Drizzle adapter + full session control → Better Auth, no discussion
- Open-source requirement or vendor lock-in concerns → Auth.js or Better Auth, no discussion
State Detection
Section titled “State Detection”Before routing, check project context:
stack.json→ readauthkey if present (authjs,clerk,supabase-auth,better-auth)package.json→ detectnext-auth,@clerk/nextjs,@clerk/clerk-sdk-node,@supabase/supabase-jsalready installedauth.config.ts/auth.ts→ Auth.js or Better Auth configuration presentpackage.json→ detectbetter-authinstalledmiddleware.ts→ check forclerkMiddlewareorauthMiddlewareimports.env.example→AUTH_SECRET,CLERK_SECRET_KEY, orSUPABASE_SERVICE_ROLE_KEYhint at existing provider
| State | Action |
|---|---|
auth key in stack.json | Route to that solution directly |
next-auth in deps | Route to authjs directly |
@clerk/nextjs or @clerk/clerk-sdk-node in deps | Route to clerk directly |
@supabase/supabase-js in deps + Supabase context | Route to supabase-auth directly |
better-auth in deps | Route to better-auth directly |
betterAuth config in auth.ts | Route to better-auth directly |
| Nothing detected | Apply decision matrix |
Chaining Patterns
Section titled “Chaining Patterns”| User Says | Chain |
|---|---|
| ”Add GitHub OAuth to my Next.js app” | authjs |
| ”Set up auth with an org/team feature” | clerk |
| ”Add magic link sign-in to my Supabase app” | supabase-auth |
| ”Protect API routes with JWT validation” | authjs (JWT sessions) or clerk (Clerk middleware) |
| “Add role-based access control” | clerk (hosted RBAC) or supabase-auth (RLS policies) |
| “Migrate from Passport.js to modern auth” | authjs |
| ”Add social login with no backend work” | clerk |
| ”Restrict data by user in Postgres” | supabase-auth (RLS) |
| “Set up auth with Drizzle and full control” | better-auth |
| ”Add admin panel with user management” | better-auth (admin plugin) or clerk |
Hard Rules
Section titled “Hard Rules”- Never respond about authentication/authorization before invoking the target skill
- No summarizing, planning to invoke, or explaining what you’re about to do
- If unclear, ask ONE clarifying question, then route
- The skill’s content has the verified facts — always defer to it
- “How do I add auth?” is decision matrix territory — NEVER jump to implementation