Auth0 security specialist covering attack protection, multi-factor authentication, token security, sender constraining, and compliance. Use when implementing Auth0 security features, configuring attack defenses, setting up MFA, or meeting regulatory requirements.
Modules:
- modules/access-tokens.md
- modules/adaptive-mfa.md
- modules/akamai-integration.md
- modules/application-credentials.md
- modules/attack-protection-log-events.md
- modules/attack-protection-overview.md
- modules/bot-detection.md
- modules/breached-password-detection.md
- modules/brute-force-protection.md
- modules/certifications.md
- modules/compliance-overview.md
- modules/continuous-session-protection.md
- modules/customer-managed-keys.md
- modules/customize-mfa.md
- modules/delegation-tokens.md
- modules/dpop-implementation.md
- modules/fapi-implementation.md
- modules/gdpr-compliance.md
- modules/guardian-configuration.md
- modules/highly-regulated-identity.md

Comprehensive security skill for Auth0 implementations covering attack protection, multi-factor authentication, token security, sender constraining (DPoP/mTLS), and regulatory compliance (FAPI, GDPR, HIPAA).
Attack Protection:
Multi-Factor Authentication:
Token Security:
Sender Constraining:
Compliance: FAPI, GDPR, HIPAA/HITECH, PCI DSS, ISO 27001, SOC 2
Attack Protection: Dashboard > Security > Attack Protection
MFA Configuration: Dashboard > Security > Multi-factor Auth
Security Center: Dashboard > Security > Security Center
Bot Detection: Navigate to Dashboard > Security > Attack Protection > Bot Detection. Configure sensitivity (Low/Medium/High) and response type (Auth Challenge recommended, Simple CAPTCHA, or third-party). IP AllowList supports up to 100 addresses/CIDR ranges.
Supported flows: Universal Login, Classic Login, Lock.js v12.4.0+, native apps. Unsupported: Enterprise connections, social login, cross-origin authentication.
Breached Password Detection: Enable for signup and login. Response actions include blocking compromised credentials and user/admin notifications. Standard Detection has 7-13 months detection time; Credential Guard (Enterprise) reduces to 12-36 hours. Test with passwords starting with AUTH0-TEST-.
Brute Force Protection: Default threshold is 10 failed attempts (configurable 1-100), counted per identifier and source IP. Protection mechanisms include IP-based blocking and account lockout. A block is lifted after 30 days, on password change, by admin removal, or through the user's unblock link.
Suspicious IP Throttling: Velocity-based detection for high-volume attacks. Responds with HTTP 429. Configure separate thresholds for login (daily) and signup (per minute) attempts.
For details: modules/attack-protection-overview.md
Factor Configuration: Navigate to Dashboard > Security > Multi-factor Auth.
Independent Factors (at least one required):
Dependent Factors: WebAuthn Biometrics, Email, Recovery codes
MFA Policies: Never, Use Adaptive MFA (Enterprise), Always
WebAuthn: Provides MFA with roaming security keys or platform biometrics. A single user-verifying gesture satisfies both the possession and the inherence (or knowledge) factor, and the authenticator's origin binding makes it phishing-resistant.
Adaptive MFA (Enterprise): Evaluates risk signals per transaction:
High-risk transactions require verification regardless of existing MFA sessions.
Step-Up Authentication: Require stronger verification only for sensitive operations. APIs check that the access token carries the scope the operation requires; web apps check that the ID token's amr claim contains mfa before allowing the action and redirect the user to re-authenticate with MFA if it does not.
For details: modules/mfa-overview.md, modules/adaptive-mfa.md
JWT Fundamentals: RFC 7519 standard. Auth0 issues signed JWTs (JWS). Structure includes Header, Payload (claims), and Signature. Always validate the signature against the issuer's published key and reject tokens whose alg is not the one you expect; never store sensitive data in the payload, which is only base64url-encoded, not encrypted; transmit tokens over HTTPS only.
Access Tokens: Authorize API access with scopes. Types: Opaque (require introspection) and JWT (self-contained). Key claims: iss, sub, aud, scope, exp. Default lifetime: 86400 seconds (24 hours).
Refresh Tokens: Enable session continuity. Maximum 200 active per user per application. Security features: Rotation (invalidates predecessor), expiring tokens (idle/absolute), revocation via Management API.
Best Practices:
For details: modules/tokens-overview.md, modules/token-best-practices.md
DPoP (Application Layer): Binds tokens to client-generated asymmetric key pairs.
Steps: Generate key pair (ES256 recommended), create DPoP Proof JWT, send via DPoP header, include updated proof with each API request.
Proof JWT Structure: header with typ dpop+jwt, alg, and the client's public key as jwk; payload with jti (unique per proof), htm (HTTP method), htu (request URL without query or fragment), iat, plus ath (base64url SHA-256 of the access token) on resource requests and nonce when the server has supplied one.
Public clients must handle use_dpop_nonce errors: Auth0 rejects the request and returns a fresh value in the DPoP-Nonce response header, and the client retries with that value in the proof's nonce claim.
mTLS (Transport Layer): Binds tokens to X.509 certificates.
Process: Client establishes mTLS connection, Auth0 calculates certificate SHA-256 thumbprint, embeds in token cnf claim as x5t#S256. Resource server validates thumbprint.
Requirements: Confidential clients only, Enterprise Plan with HRI add-on, PKI infrastructure.
For details: modules/dpop-implementation.md, modules/mtls-sender-constraining.md
Highly Regulated Identity (Enterprise + HRI add-on):
GDPR Compliance:
Certifications: ISO 27001/27017/27018, SOC 2 Type 2, CSA STAR, FAPI 1 Advanced OP, HIPAA BAA available, PCI DSS compliant models
For details: modules/highly-regulated-identity.md, modules/gdpr-compliance.md
Access from Dashboard > Security > Security Center.
Threat Categories:
Filtering: Time period (up to 14 days), applications, connections. Auto-aggregation by minute/hour/day.
Metrics: Bot detection counts, IP throttling events, brute force triggers, breached password alerts, MFA success/failure rates.
Client Secret (Default): A symmetric shared secret sent with every token request. Simple to deploy, but anyone who obtains it, from configuration files, logs, or a compromised host on either side, can impersonate the application.
Private Key JWT (Enterprise): Asymmetric key pairs, private key never transmitted, short-lived assertions. Recommended for enhanced security.
mTLS for OAuth (HRI): X.509 certificates, strongest protection.
Key Management: Register up to two public keys for zero-downtime rotation. Algorithms: RS256, RS384, PS256.
Use Auth0 Actions for session context during token refresh events.
Capabilities: IP/ASN monitoring, device tracking, expiration management, anomaly detection.
Dynamic management: Customize lifetimes by user attributes, organization, or role.
Attack Protection:
MFA:
Tokens:
Sender Constraining:
Compliance:
Security Operations:
This skill provides comprehensive Auth0 security guidance. Use it for:
For comprehensive security reviews, use the expert-security agent included in this plugin.
Official Documentation: