exchange-security — implementing JWT tokens with exchange-security

v1.0.0
GitHub

About this Skill

Ideal for Financial Agents requiring advanced digital currency transaction security with secure authentication flows and JWT token handling. exchange-security is a security specialist skill for the Exchange Platform, focusing on secure authentication flows and JWT token implementation.

Features

Implements authentication flows using /auth/* endpoints
Generates JWT tokens signed with RS256 (RSA-SHA256 signatures)
Supports secure client authentication
Provides security architecture for digital currency transactions
Utilizes secure token validation for transaction authentication
Enables secure data exchange between clients and the Exchange Platform

RennAraujo
Updated: 3/7/2026

Agent Capability Analysis

The exchange-security skill by RennAraujo is an open-source community AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance. Optimized for implementing JWT tokens with exchange-security, exchange-security authentication flow, exchange-security install.

Ideal Agent Persona

Ideal for Financial Agents requiring advanced digital currency transaction security with secure authentication flows and JWT token handling.

Core Value

Empowers agents to secure digital currency transactions with RS256 JWT tokens, implementing robust authentication flows and ensuring the integrity of financial data through secure Exchange Platform interactions.

Capabilities Granted for exchange-security

Authenticating client requests with secure JWT tokens
Validating digital currency transactions for secure Exchange Platform operations
Implementing secure authentication flows for financial applications

Prerequisites & Limits

  • Requires knowledge of JWT token implementation (RS256)
  • Specific to Exchange Platform security architecture
  • Dependent on secure authentication flow endpoints (/auth/*)

exchange-security

Install exchange-security, an AI agent skill for AI agent workflows and automation. Works with Claude Code, Cursor, and Windsurf with one-command setup.

SKILL.md

Exchange Security Engineer

Security specialist for the Exchange Platform - a financial application handling digital currency transactions.

Security Architecture

Authentication Flow

┌──────────┐     ┌─────────────┐     ┌────────────┐
│  Client  │────▶│  /auth/*    │────▶│  JWT Token │
│          │◀────│  endpoints  │◀────│  (RS256)   │
└──────────┘     └─────────────┘     └────────────┘
       │                                   │
       │  ┌────────────────────────────────┘
       │  │  Access Token (short-lived)
       │  │  Refresh Token (long-lived)
       ▼  ▼
┌─────────────────────────────────────────────┐
│         Protected Endpoints (/api/*)        │
│         JWT Validation + Role Checks        │
└─────────────────────────────────────────────┘

JWT Configuration

  • Algorithm: RS256 (RSA asymmetric)
  • Key Size: 2048 bits minimum
  • Access Token TTL: 15-60 minutes
  • Refresh Token TTL: 30 days
  • Token Type: Bearer

Claims Structure

```jsonc
{
  "sub": "123",             // User ID
  "email": "user@test.com",
  "nickname": "user1",      // Optional
  "roles": ["USER"],
  "iat": 1708450000,
  "exp": 1708453600,
  "iss": "trenvus"
}
```

JWT Key Management

Generating Keys

```bash
# Generate private key
openssl genrsa -out private.pem 2048

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# Base64 encode for env vars (-w 0 is GNU coreutils; macOS base64 does not wrap by default)
base64 -w 0 private.pem   # JWT_PRIVATE_KEY_B64
base64 -w 0 public.pem    # JWT_PUBLIC_KEY_B64
```

Environment Variables

```bash
JWT_PRIVATE_KEY_B64=<base64-encoded-private-key>
JWT_PUBLIC_KEY_B64=<base64-encoded-public-key>
JWT_ISSUER=trenvus
JWT_ACCESS_TTL_SECONDS=3600
JWT_REFRESH_TTL_SECONDS=2592000
```

Security Configuration

Public Endpoints (permitAll)

```text
/auth/register      // User registration
/auth/login         // User login
/auth/test-login    // Test account login
/auth/admin-login   // Admin login
/auth/refresh       // Token refresh
/auth/logout        // Logout
/swagger-ui/**      // API docs
/v3/api-docs/**     // OpenAPI spec
```

Protected Endpoints (authenticated)

```text
/wallet             // View wallet
/wallet/deposit     // Deposit funds
/exchange/convert   // Currency conversion
/transfer/trv       // P2P transfers
/invoices/**        // QR code payments
/transactions/**    // Transaction history
/me/**              // User profile
```

Admin Endpoints (ROLE_ADMIN)

```text
/admin/users                // List users
/admin/users/{id}/wallet    // Manage user wallets
/admin/users/{id}/role      // Change user roles
```

CORS Configuration

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    var config = new CorsConfiguration();
    // Explicit origin allow-list; never "*" together with allowCredentials(true)
    config.setAllowedOrigins(List.of(
        "http://localhost:3000",
        "http://localhost:5173",
        "https://yourdomain.com"
    ));
    config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
    config.setAllowedHeaders(List.of("*"));
    config.setAllowCredentials(true);
    // Register the configuration on the source; returning an empty source would discard it
    var source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
    return source;
}
```

Password Security

Hashing

  • Algorithm: BCrypt
  • Strength: 10 (default)
  • Library: BCryptPasswordEncoder

```java
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(); // strength 10 (default work factor)
}
```

Storage

  • Never store plaintext passwords
  • Never store passwords in logs
  • Password hash stored in users.password_hash

Token Security

Refresh Token Best Practices

  1. Hash before storage - SHA-256
  2. One-time use - Rotate on refresh
  3. Revocation support - Store revocation timestamp
  4. Device binding - Optional IP/user-agent

Token Rotation

Client              Server
  │  Access (expired) │
  │──────────────────▶│ 401 Unauthorized
  │                   │
  │ Refresh Token     │
  │──────────────────▶│ Validate
  │                   │ Revoke old
  │ New Access+Refresh│ Issue new
  │◀──────────────────│
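The four refresh-token practices and the rotation exchange above are implemented together in the following added example, which is not the project's code. It assumes an in-memory map in place of the refresh-token table and takes the device fingerprint (derived from IP/user-agent by the caller) as an opaque string. Beyond the list, it also revokes the whole successor chain when an already-rotated token is presented again, which is how one-time use turns a stolen refresh token into a detectable event.

```java
// Added example, not the project's code: a refresh-token store applying the practices listed
// above (SHA-256 hash before storage, one-time use with rotation, revocation timestamp,
// optional device binding) and the rotation exchange in the diagram.
// Assumptions: an in-memory map stands in for the refresh-token table; the device fingerprint
// is an opaque string the caller derives from IP/user-agent.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

public class RefreshTokenStore {
    static final Duration REFRESH_TTL = Duration.ofSeconds(2592000); // JWT_REFRESH_TTL_SECONDS (30 days)

    /** One stored row. The SHA-256 hash is the map key; the raw token is never kept. */
    static final class TokenRecord {
        final String userId;
        final String deviceFingerprint;   // null = no device binding
        final Instant expiresAt;
        Instant revokedAt;                // set on rotation, logout or reuse detection
        String successorHash;             // hash of the token issued in its place
        TokenRecord(String userId, String deviceFingerprint, Instant expiresAt) {
            this.userId = userId; this.deviceFingerprint = deviceFingerprint; this.expiresAt = expiresAt;
        }
    }

    private final Map<String, TokenRecord> byHash = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Issue a fresh 256-bit random token; only its hash is stored. */
    public String issue(String userId, String deviceFingerprint, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new TokenRecord(userId, deviceFingerprint, now.plus(REFRESH_TTL)));
        return token;
    }

    /** The /auth/refresh step: validate, revoke the presented token, issue its successor. */
    public String rotate(String presented, String deviceFingerprint, Instant now) {
        TokenRecord rec = byHash.get(sha256(presented));
        if (rec == null) throw new SecurityException("unknown refresh token");
        if (rec.revokedAt != null) {
            // A token that was already rotated is being replayed: treat the whole chain as compromised
            revokeChain(rec, now);
            throw new SecurityException("refresh token reuse detected");
        }
        if (!now.isBefore(rec.expiresAt)) throw new SecurityException("refresh token expired");
        if (rec.deviceFingerprint != null && !rec.deviceFingerprint.equals(deviceFingerprint))
            throw new SecurityException("device binding mismatch");
        rec.revokedAt = now;                                  // one-time use
        String next = issue(rec.userId, rec.deviceFingerprint, now);
        rec.successorHash = sha256(next);
        return next;
    }

    /** Logout or reuse detection: revoke a token and every successor issued from it. */
    public void revokeChain(TokenRecord rec, Instant now) {
        while (rec != null) {
            if (rec.revokedAt == null) rec.revokedAt = now;
            rec = rec.successorHash == null ? null : byHash.get(rec.successorHash);
        }
    }

    public boolean isActive(String token, Instant now) {
        TokenRecord rec = byHash.get(sha256(token));
        return rec != null && rec.revokedAt == null && now.isBefore(rec.expiresAt);
    }

    static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        RefreshTokenStore store = new RefreshTokenStore();
        Instant t0 = Instant.now();
        String first = store.issue("123", "fp-constructed", t0);              // constructed fingerprint
        String second = store.rotate(first, "fp-constructed", t0.plusSeconds(60));
        System.out.println("first active: " + store.isActive(first, t0.plusSeconds(61)));
        System.out.println("second active: " + store.isActive(second, t0.plusSeconds(61)));
        try {
            store.rotate(first, "fp-constructed", t0.plusSeconds(120));      // replay of a rotated token
        } catch (SecurityException e) {
            System.out.println(e.getMessage() + "; second active: " + store.isActive(second, t0.plusSeconds(121)));
        }
    }
}
```

A database version of this keeps the same columns (`token_hash`, `user_id`, `device_fingerprint`, `expires_at`, `revoked_at`, `successor_hash`) and runs `rotate` in one transaction so two concurrent refresh calls cannot both succeed with the same token.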

Authorization

Role-Based Access Control (RBAC)

```java
public enum UserRole {
    USER,   // Standard user
    ADMIN   // Full admin access
}
```

Method-Level Security

```java
// Requires @EnableMethodSecurity on a configuration class; hasRole('ADMIN') matches the ROLE_ADMIN authority
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> listUsers() { ... }
```

Security Headers

Enable in Spring Security:

```java
http.headers(headers -> headers
    .frameOptions(HeadersConfigurer.FrameOptionsConfig::deny)   // X-Frame-Options: DENY (clickjacking)
    .xssProtection(HeadersConfigurer.XXssConfig::disable)      // legacy X-XSS-Protection header; CSP replaces it
    .contentSecurityPolicy(csp ->
        csp.policyDirectives("default-src 'self'")
    )
);
```

Common Vulnerabilities

Preventing

  1. SQL Injection - Use JPA/Hibernate (parameterized queries)
  2. XSS - Validate input, escape output
  3. CSRF - Disabled (stateless JWT sent as a Bearer header, not a cookie)
  4. IDOR - Verify resource ownership
  5. Race Conditions - Optimistic locking on wallets
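Items 4 and 5 above (IDOR and race conditions on wallets) are the two that depend on application code rather than framework defaults. The following added example, not the project's code, shows both on a wallet deposit: ownership is part of the lookup query so a token alone never reaches someone else's wallet, and a JPA `@Version` column turns a concurrent lost update into a 409. It assumes Spring Data JPA and Spring Security on the classpath, that the authenticated principal name is the JWT `sub` claim, and a hypothetical `WalletRepository` interface declared inline.

```java
// Added example, not the project's code: IDOR guard plus optimistic locking on a wallet deposit.
// Assumptions: Spring Data JPA + Spring Security; Authentication.getName() is the JWT "sub";
// Wallet, WalletRepository, WalletService and ConcurrencyAdvice are hypothetical names.
import java.math.BigDecimal;
import java.util.Optional;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Version;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.orm.ObjectOptimisticLockingFailureException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@Entity
class Wallet {
    @Id private Long id;
    private String ownerId;          // the owning user's id, i.e. the JWT "sub"
    private BigDecimal balance;
    @Version private Long version;   // optimistic locking: UPDATE ... WHERE id = ? AND version = ?

    Long getId() { return id; }
    String getOwnerId() { return ownerId; }
    BigDecimal getBalance() { return balance; }
    void setBalance(BigDecimal balance) { this.balance = balance; }
}

interface WalletRepository extends JpaRepository<Wallet, Long> {
    // Ownership is part of the query: another user's wallet is simply "not found"
    Optional<Wallet> findByIdAndOwnerId(Long id, String ownerId);
}

@Service
class WalletService {
    private final WalletRepository wallets;
    WalletService(WalletRepository wallets) { this.wallets = wallets; }

    @Transactional
    public Wallet deposit(Long walletId, BigDecimal amount, Authentication auth) {
        if (amount.signum() <= 0) throw new IllegalArgumentException("amount must be positive"); // mirrors @Positive
        // IDOR guard: a valid token is not enough; the caller must own the resource
        Wallet wallet = wallets.findByIdAndOwnerId(walletId, auth.getName())
                .orElseThrow(() -> new AccessDeniedException("wallet not found for this user"));
        wallet.setBalance(wallet.getBalance().add(amount));
        // If another request updated this row since it was read, the @Version check fails at
        // flush/commit and Spring raises ObjectOptimisticLockingFailureException
        return wallets.save(wallet);
    }
}

@RestControllerAdvice
class ConcurrencyAdvice {
    // Surface the lost-update conflict as 409 so the client retries instead of silently overwriting
    @ExceptionHandler(ObjectOptimisticLockingFailureException.class)
    ResponseEntity<String> onConflict(ObjectOptimisticLockingFailureException e) {
        return ResponseEntity.status(HttpStatus.CONFLICT).body("wallet was modified concurrently, retry the request");
    }
}
```

The same `findByIdAndOwnerId` pattern applies to `/transactions/**` and `/invoices/**`; admin endpoints that legitimately operate on any user's wallet use the plain `findById` behind the `ROLE_ADMIN` check instead.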

Input Validation

```java
// Jakarta Bean Validation constraints on request DTO fields; enforced by @Valid on the controller parameter
@NotBlank @Email String email,
@NotBlank @Size(min = 6) String password,
@Positive BigDecimal amount
```

Security Checklist

  • JWT keys are RSA 2048+ bits
  • Keys rotated regularly
  • Passwords hashed with BCrypt
  • CORS origins restricted
  • No sensitive data in logs
  • Rate limiting enabled
  • HTTPS in production
  • Security headers configured
  • Input validation on all endpoints
  • Authorization checks on admin endpoints

Testing Security

```bash
# Check JWT signature
curl -H "Authorization: Bearer TOKEN" http://localhost:8080/me

# Test CORS (-i shows response headers; no Access-Control-Allow-Origin is expected for this origin)
curl -i -H "Origin: http://evil.com" http://localhost:8080/auth/login

# SQL injection attempt (double-quoted so the single quote reaches the server; expect a validation error, not a login)
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"test@test.com' OR 1=1--\",\"password\":\"test\"}"
```

FAQ & Installation Steps

Frequently Asked Questions

What is exchange-security?

Ideal for Financial Agents requiring advanced digital currency transaction security with secure authentication flows and JWT token handling. exchange-security is a security specialist skill for the Exchange Platform, focusing on secure authentication flows and JWT token implementation.

How do I install exchange-security?

Run the command: npx killer-skills add RennAraujo/Trenvus/exchange-security. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for exchange-security?

Key use cases include: Authenticating client requests with secure JWT tokens, Validating digital currency transactions for secure Exchange Platform operations, Implementing secure authentication flows for financial applications.

Which IDEs are compatible with exchange-security?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for exchange-security?

Requires knowledge of JWT token implementation (RS256). Specific to Exchange Platform security architecture. Dependent on secure authentication flow endpoints (/auth/*).

How To Install

  1. Open your terminal

    Open the terminal or command line in your project directory.

  2. Run the install command

    Run: npx killer-skills add RennAraujo/Trenvus/exchange-security. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. Start using the skill

    The skill is now active. Your AI agent can use exchange-security immediately in the current project.
