Integrate Descope authentication into applications with support for passwordless auth, OAuth, SSO, and MFA. Uses a smart router pattern to detect your framework and provide targeted integration guidance.

Use when:

• "Add authentication to my app"
• "Implement login with Descope"
• "Set up passwordless auth"
• "Add OAuth/SSO to my application"
• "Integrate passkeys"

Frameworks supported:

• Next.js (App Router with middleware)
• React (SPA with protected routes)
• Node.js (backend session validation)
• Python (backend session validation)

Features:

• Framework detection - Automatically routes to appropriate integration guide
• Security guardrails - Prevents common authentication mistakes
• Skills.sh compliant - Follows official specification
• Copy-paste ready - All code examples use correct SDK imports

Authentication methods covered:

• OTP (Email/SMS) - Quick verification codes
• Magic Link - Passwordless email links
• Passkeys - Biometric/WebAuthn (most secure)
• OAuth - Social login (Google, GitHub, etc.)
• SSO - Enterprise SAML/OIDC
• TOTP - Authenticator app MFA
• Passwords - Traditional auth (fallback)

Framework- and vendor-agnostic static review that enumerates every route/endpoint in a codebase, builds an authorization matrix, applies a vulnerability catalog (OWASP Web + API Top 10 identity categories), and writes a triage report ready to slice into GitHub issues or PRs.

Use when:

• "/auth-review"
• "Audit authentication in my app"
• "Find authorization bugs / IDOR / BOLA"
• "Review access control"
• "Identity security review before release"

Covers:

• Broken authentication (missing auth, weak password handling, SQLi-in-login, enumeration)
• JWT / token flaws (alg:none, algorithm confusion, unverified decode, missing claim validation)
• Session management (cookie flags, fixation, logout invalidation, predictable IDs)
• Broken access control (IDOR / BOLA, BFLA, tenant crossing, client-trusted input)
• Privilege escalation & mass assignment
• OAuth / OIDC / SAML (state/PKCE, open redirect, ID-token validation, SAML XSW)
• Password reset & account recovery (predictable/non-expiring tokens, host poisoning, MFA bypass)
• MFA bypass and step-up gaps
• Rate limiting & enumeration on auth surfaces
• CSRF, CORS, identity-adjacent SSRF

Output:

• Triage report in ./auth-review/report-YYYY-MM-DD.md
• Endpoint inventory and authorization matrix
• Findings with severity (High/Medium/Low), CWE, file:line, evidence, remediation
• Pre-formatted issue bodies ready to paste into GitHub

Scope: static and read-only. Does not run the target application, make network probes, modify code, or file issues directly.

Manage Descope projects as infrastructure-as-code using the official Terraform provider. Generates valid HCL configurations for authentication methods, RBAC, connectors, and project settings.

Use when:

• "Set up Terraform for my Descope project"
• "Manage Descope authentication config as code"
• "Create roles and permissions with Terraform"
• "Add connectors to my Descope Terraform config"
• "Deploy Descope project settings across environments"

Resources managed:

• descope_project - Full project configuration (auth methods, RBAC, connectors, flows, settings)
• descope_management_key - Management keys with RBAC scoping
• descope_descoper - Console user accounts with role assignments

Covers:

• Provider setup and management key configuration
• Authentication methods (OTP, Magic Link, Passkeys, OAuth, SSO, Password, TOTP)
• Authorization (roles and permissions)
• 60+ connector types (email, SMS, HTTP, observability, fraud detection, CRM, etc.)
• Project settings, applications (OIDC/SAML), flows, JWT templates, and custom attributes

Requirements:

• Terraform CLI installed
• Paid Descope License (Pro +)
• Management Key from Company Settings

Add the marketplace and install the plugin:

/plugin marketplace add descope/skills
/plugin install descope-skills