descope/skills

Descope Skills

A collection of AI agent skills for integrating Descope authentication into your applications. Skills follow the Agent Skills format and work with any compatible AI coding assistant.

Available Skills

descope-auth — Integrate Descope authentication into applications

Integrate Descope authentication into applications with support for passwordless auth, OAuth, SSO, and MFA. Uses a smart router pattern to detect your framework and provide targeted integration guidance.

Use when:

  • "Add authentication to my app"
  • "Implement login with Descope"
  • "Set up passwordless auth"
  • "Add OAuth/SSO to my application"
  • "Integrate passkeys"

Frameworks supported:

  • Next.js (App Router with middleware)
  • React (SPA with protected routes)
  • Node.js (backend session validation)
  • Python (backend session validation)

Features:

  • Framework detection - Automatically routes to appropriate integration guide
  • Security guardrails - Prevents common authentication mistakes
  • Skills.sh compliant - Follows official specification
  • Copy-paste ready - All code examples use correct SDK imports

Authentication methods covered:

  • OTP (Email/SMS) - Quick verification codes
  • Magic Link - Passwordless email links
  • Passkeys - Biometric/WebAuthn (most secure)
  • OAuth - Social login (Google, GitHub, etc.)
  • SSO - Enterprise SAML/OIDC
  • TOTP - Authenticator app MFA
  • Passwords - Traditional auth (fallback)

auth-review — Static security review for authentication and authorization vulnerabilities

Framework- and vendor-agnostic static review that enumerates every route/endpoint in a codebase, builds an authorization matrix, applies a vulnerability catalog (OWASP Web + API Top 10 identity categories), and writes a triage report ready to slice into GitHub issues or PRs.

Use when:

  • "/auth-review"
  • "Audit authentication in my app"
  • "Find authorization bugs / IDOR / BOLA"
  • "Review access control"
  • "Identity security review before release"

Covers:

  • Broken authentication (missing auth, weak password handling, SQLi-in-login, enumeration)
  • JWT / token flaws (alg:none, algorithm confusion, unverified decode, missing claim validation)
  • Session management (cookie flags, fixation, logout invalidation, predictable IDs)
  • Broken access control (IDOR / BOLA, BFLA, tenant crossing, client-trusted input)
  • Privilege escalation & mass assignment
  • OAuth / OIDC / SAML (state/PKCE, open redirect, ID-token validation, SAML XSW)
  • Password reset & account recovery (predictable/non-expiring tokens, host poisoning, MFA bypass)
  • MFA bypass and step-up gaps
  • Rate limiting & enumeration on auth surfaces
  • CSRF, CORS, identity-adjacent SSRF

Output:

  • Triage report in ./auth-review/report-YYYY-MM-DD.md
  • Endpoint inventory and authorization matrix
  • Findings with severity (High/Medium/Low), CWE, file:line, evidence, remediation
  • Pre-formatted issue bodies ready to paste into GitHub

Scope: static and read-only. Does not run the target application, make network probes, modify code, or file issues directly.

descope-terraform — Manage Descope projects as infrastructure-as-code

Manage Descope projects as infrastructure-as-code using the official Terraform provider. Generates valid HCL configurations for authentication methods, RBAC, connectors, and project settings.

Use when:

  • "Set up Terraform for my Descope project"
  • "Manage Descope authentication config as code"
  • "Create roles and permissions with Terraform"
  • "Add connectors to my Descope Terraform config"
  • "Deploy Descope project settings across environments"

Resources managed:

  • descope_project - Full project configuration (auth methods, RBAC, connectors, flows, settings)
  • descope_management_key - Management keys with RBAC scoping
  • descope_descoper - Console user accounts with role assignments

Covers:

  • Provider setup and management key configuration
  • Authentication methods (OTP, Magic Link, Passkeys, OAuth, SSO, Password, TOTP)
  • Authorization (roles and permissions)
  • 60+ connector types (email, SMS, HTTP, observability, fraud detection, CRM, etc.)
  • Project settings, applications (OIDC/SAML), flows, JWT templates, and custom attributes

Requirements:

  • Terraform CLI installed
  • Paid Descope License (Pro +)
  • Management Key from Company Settings

auth0-to-descope — Migrate applications from Auth0 to Descope

Guides self-service migrations from Auth0 to Descope across any language or framework. Analyzes auth touchpoints, produces a reviewed MIGRATION-PLAN.md, then executes the migration. Uses the Descope Docs MCP when available to verify SDK method names and option shapes.

Use when:

  • "Migrate my app from Auth0 to Descope"
  • "Replace Auth0 with Descope"
  • "Our app uses nextjs-auth0 / express-openid-connect / auth0-fastapi — switch to Descope"
  • "How do Auth0 Actions / Organizations / Token Vault map to Descope?"
  • "We're moving off Auth0"

Covers:

  • SDK replacement for all major frameworks (Next.js, React, Express, Python, etc.)
  • Auth0 feature mappings: Actions → Descope flows, Organizations → Tenants, Token Vault, CIBA
  • Descope Flow and Widget setup (console-first approach)
  • SSO and OIDC compatibility
  • Session validation patterns

Output:

  • MIGRATION-PLAN.md for human review before any code changes
  • SDK replacement across all auth touchpoints in the codebase
  • Descope Flow and Widget integration

Workflow: MCP check → migration plan (human review) → execution. Never skips ahead.

okta-cis-to-descope — Migrate applications from Okta CIS to Descope

Guides self-service migrations from Okta Customer Identity Service (CIS) to Descope across any language or framework. Detects whether the app uses hosted/redirect login or an embedded widget and defaults to the appropriate migration path. Analyzes auth touchpoints, produces a reviewed MIGRATION-PLAN.md, then executes the migration. Uses the Descope Docs MCP when available to verify SDK method names and option shapes.

Use when:

  • "Migrate my app from Okta to Descope"
  • "Replace Okta CIS with Descope"
  • "Our app uses okta-auth-js / @okta/okta-react / @okta/oidc-middleware / okta-jwt-verifier — switch to Descope"
  • "How do Okta Sign-On Policies / Authorization Servers / Authenticators / Log Streams map to Descope?"
  • "We're moving off Okta"

Covers:

  • SDK replacement for all major frameworks (React, Angular, Vue, Next.js, Express, Python, Java, and more)
  • OIDC compatibility path for hosted/redirect login (swap issuer config, keep redirect flow intact)
  • Okta CIS feature mappings: Sign-On Policies → Flows, Authorization Servers → Resources/Inbound Apps, Authenticators → Auth Methods, Identity Providers → Tenant SSO, Log Streams → Audit Connectors
  • Inbound Apps vs. Federated Apps decision (scope-enforcing vs. identity-only)
  • scp/scope claim migration
  • Session validation patterns and dual-token validation for phased rollouts

Output:

  • MIGRATION-PLAN.md for human review before any code changes
  • SDK replacement across all auth touchpoints in the codebase
  • Descope Flow and Console configuration guidance

Workflow: MCP check → migration plan (human review) → execution. Never skips ahead.

descope-fga-schema — Author and apply Descope FGA authorization schemas

Author, edit, and apply Descope FGA schemas using the ReBAC/ABAC DSL. Validates changes via dry run before applying, warns on data loss, and requires user confirmation before modifying live schema. Requires the Descope Management MCP.

Use when:

  • "/descope-fga-schema"
  • "Set up authorization / define roles and permissions"
  • "Add team-based access control"
  • "Create a new FGA schema"
  • "Update my authorization model"
  • "Add types/relations/permissions/conditions to my schema"

Covers:

  • Full DSL grammar (model AuthZ 1.0, types, relations, permissions, conditions)
  • ReBAC (relationship-based) and ABAC (attribute-based) patterns
  • Dry-run validation before applying
  • Data loss detection and warnings
  • Reading current schema before edits

Requirements:

  • Descope Management MCP installed and authorized

descope-byos-builder — Build React BYOS custom UI on top of Descope flows

Translate Descope flow JSON exports into working React BYOS screens that call state.next(interactionId, form). Parses real interaction IDs, form-key name props, screen names, and subflow loaders from your exported flow JSON — so every generated component is grounded in the actual flow, not guesswork. Includes a 19-entry failure catalog covering every silent-failure mode observed in real BYOS sessions.

Use when:

  • "Build custom UI over my Descope flow"
  • "My BYOS button does nothing" / "session is still anonymous after sign-in"
  • "no handler for screen" errors at runtime
  • "passkey ceremony aborts" / "WebAuthn hangs"
  • Updating a BYOS implementation after the flow changed in the Descope console
  • Adding post-auth promotion subflows (e.g. passkey enrollment after login)

What the skill does:

  • Asks for exported flow JSONs (main flow + every subflow) before generating anything
  • Runs parse-flow.mjs to extract screen names, interaction IDs, input name props, next-rules, and subflow loaders
  • Generates per-screen React components with correct state.next(interactionId, payload) signatures
  • Detects shared screen-name collisions and writes router components with documented disambiguation heuristics
  • References the failure catalog before diagnosing any "doesn't work" symptom

Required inputs (skill asks for these before starting):

  • Flow JSON exports — main flow + every invoked subflow, including post-auth promotion subflows
  • Descope Project ID + base URL
  • Mount point in the React app
  • Existing BYOS code paths (if modifying)

Iron rule: Ground every BYOS component in the exported flow JSON. Do not guess interaction IDs, output key names, or screen names.

Installation

Using skills CLI

npx skills add descope/skills

Using Claude Code

Add the marketplace and install the plugin:

/plugin marketplace add descope/skills
/plugin install descope-skills

Usage

Skills are automatically loaded by compatible AI agents once installed. Simply describe what you need:

descope-auth examples

  • Add Descope authentication to my Next.js app
  • Help me implement passkey login with Descope
  • Set up backend session validation for my Node.js API
  • Add OAuth login (Google and GitHub) using Descope

auth0-to-descope examples

  • Migrate my Next.js app from nextjs-auth0 to Descope
  • How do I replace Auth0 Actions with Descope?
  • Help me migrate our Auth0 Organizations setup to Descope
  • Our Express API uses express-openid-connect — how do we switch to Descope?

okta-cis-to-descope examples

  • Migrate my React app from @okta/okta-react to Descope
  • Our Express app uses @okta/oidc-middleware — how do we switch to Descope?
  • How do Okta Sign-On Policies and Authorization Servers map to Descope?
  • Help me migrate our Okta Identity Providers (per-tenant SSO) to Descope

descope-terraform examples

  • Set up Terraform to manage my Descope project
  • Create a Descope project with password auth and RBAC using Terraform
  • Add an HTTP connector and S3 audit logging to my Descope Terraform config

descope-byos-builder examples

  • Build custom login screens over my Descope sign-up-or-in flow
  • My BYOS submit button does nothing — no errors in the console
  • Getting "no handler for screen" after the user clicks Forgot Password
  • Session is still anonymous after onSuccess fires
  • Add passkey promotion screens that run after the user logs in

auth-review examples

  • /auth-review
  • Audit my app for authentication and authorization vulnerabilities
  • Find IDOR and broken access control bugs in this repo
  • Run an identity security review before I ship

descope-fga-schema examples

  • /descope-fga-schema
  • Define an FGA schema with users, organizations, and resource-level permissions
  • Add a condition to my FGA schema that checks attribute values
  • Update my authorization model to support team-based access control

Compatible Agents

Works with any agent supporting the Agent Skills format.

Skill Structure

skills/
├── descope-auth/
│   ├── SKILL.md - Main instructions with framework detection
│   └── references/
│       ├── nextjs.md - Next.js App Router patterns
│       ├── react.md - React SPA patterns
│       └── backend.md - Node.js/Python validation
├── auth0-to-descope/
│   ├── SKILL.md - Three-phase migration workflow (MCP check, plan, execution)
│   └── references/
│       ├── implementation-nuances.md - Per-framework migration patterns and gotchas
│       └── flows-and-widgets.md - Descope terminology, Flow/Widget guides, console-vs-code
├── okta-cis-to-descope/
│   ├── SKILL.md - Three-phase migration workflow (MCP check, plan, execution)
│   └── references/
│       ├── implementation-nuances.md - Per-framework patterns, OIDC path, scp/scope, gotchas
│       ├── flows-and-widgets.md - Okta→Descope lingo map, Flow/Widget guides, console-vs-code
│       └── backend-sdks.md - Python and Java backend migration patterns
├── descope-terraform/
│   ├── SKILL.md - Provider setup, common configurations, and guardrails
│   └── references/
│       ├── project-resource.md - Full descope_project schema
│       ├── other-resources.md - descope_management_key and descope_descoper schemas
│       └── connectors.md - All 60+ supported connector types
├── auth-review/
│   ├── SKILL.md - Four-phase workflow, severity scale, guardrails
│   └── references/
│       ├── enumeration.md - Entrypoint patterns across HTTP/GraphQL/WebSocket/RPC/serverless/queues
│       ├── vulnerability-catalog.md - AuthN, tokens, sessions, IDOR/BOLA, OAuth, recovery, MFA, CSRF/CORS
│       ├── authz-matrix.md - Matrix schema and expected-principal inference rules
│       └── report-template.md - Exact report structure and issue-ready finding format
├── descope-fga-schema/
│   └── SKILL.md - DSL grammar, dry-run workflow, data loss guards
└── descope-byos-builder/
    ├── SKILL.md - Workflow, iron rule, critical rules, collision heuristics, red flags
    ├── parse-flow.mjs - Node parser: extracts screen tasks, interaction IDs, form-key name props, subflow loaders
    └── references/
        ├── byos-component-patterns.md - Core wiring, screen router, skeleton, and common screen examples
        └── gotchas.md - 19 silent-failure modes with symptom → root cause → fix, plus pre-ship checklist

Getting Started with Descope

  1. Create a free account on our Sign Up page
  2. Get your Project ID from Settings → Project
  3. Install the skills via npx skills add descope/skills or the /plugin command in Claude Code
  4. Ask your AI agent to integrate Descope authentication or set up Terraform

Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

License

MIT License - see LICENSE file for details.

About Descope

Descope provides passwordless authentication and user management for developers. Build secure, frictionless authentication flows with our no-code Flow Builder and developer-friendly SDKs.

Made with 💜 by Descope

About

Official collection of Descope authentication skills for AI coding agents
