OAuth Providers Agent Skill
Google/GitHub/Discord OAuth flows, PKCE, token refresh, and session management.
The Skill
Full content, every format. Copy it, download it, or install with one command.
---
description: Google/GitHub/Discord OAuth flows, PKCE, token refresh, and session management.
homepage: https://yepapi.com/skills/oauth-providers
metadata:
tags: [oauth, google, github, authentication]
---
# OAuth Providers
## Rules
- Use Authorization Code flow with PKCE for public clients (SPAs, mobile) — never Implicit flow
- Server-side code exchange for web apps — the client secret never leaves the server
- State parameter: generate random `state`, store in session/cookie, verify on callback — prevents CSRF
- Google OAuth: scopes `openid email profile`, use `id_token` for user info
- GitHub OAuth: scope `read:user user:email`, exchange code at `https://github.com/login/oauth/access_token`
- Discord OAuth: scope `identify email`, token endpoint at `https://discord.com/api/oauth2/token`
- Token refresh: store `refresh_token` server-side, refresh before `access_token` expires
- Session management: create app session on successful OAuth callback, don't store OAuth tokens in cookies
- Link accounts: allow users to connect multiple providers to one account via `accounts` table
## Patterns
```ts
// OAuth callback handler
export async function GET(req: Request) {
const { searchParams } = new URL(req.url);
const code = searchParams.get("code");
const state = searchParams.get("state");
// Verify state matches stored value
if (state !== cookies().get("oauth_state")?.value) {
return new Response("Invalid state", { status: 400 });
}
// Exchange code for tokens
const tokens = await exchangeCodeForTokens(code);
const userInfo = await fetchUserInfo(tokens.access_token);
// Create or link account, create session
const user = await upsertUser(userInfo);
await createSession(user.id);
return redirect("/dashboard");
}
```
## Avoid
- Storing client secrets in frontend code — always exchange tokens server-side
- Skipping the `state` parameter — CSRF attacks are real
- Storing raw OAuth tokens in cookies — use server-side sessions
- Forgetting to handle the "user already exists with that email" case when linking providersInstall
Why Use the OAuth Providers Skill?
Without this skill, your AI guesses at oauth providers patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the OAuth Providers skill installed. Your AI knows the context and writes code that fits.
"Implement Google and GitHub OAuth with PKCE, token refresh, and session management"
"Create a social login flow with account linking, profile syncing, and error handling"
"Build an OAuth integration that supports multiple providers with a unified callback handler"
OAuth Providers skill — FAQ
It provides Google, GitHub, and Discord OAuth flows with PKCE, token refresh, and session management. Your AI implements OAuth correctly with proper state handling and error recovery.
Run `npx skills add YepAPI/skills --skill oauth-providers` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Yes, always. PKCE prevents authorization code interception attacks and is now required by many providers. The skill enforces PKCE for all OAuth flows, even for server-side apps.