cms-tokens-authentication

Asesorar a desarrolladores sobre cómo elegir el método de autenticación y tipo de token de Contentstack adecuado para casos de uso de frontend, backend, automatización y aplicaciones de terceros.

npx skills add https://github.com/contentstack/contentstack-agent-skills --skill cms-tokens-authentication

Tokens & Authentication

Description

Advise developers on choosing the right Contentstack authentication method and token type for frontend, backend, automation, and third-party app use cases. Include security guidance, rate-limit awareness, and SSO considerations.

When to Use

Use when developers ask about authentication, token types, API keys, rate limits, SSO integration, or credential security.

User Problem

Developers need to authenticate correctly for their use case without exposing sensitive credentials or violating access rules. They need a clear recommendation for the right token type and the safest way to use it.

Success Criteria

Recommends the correct token type for the scenario. Explains what is safe for client-side versus server-side use. Includes practical security guidance and credential-handling rules. Calls out rate-limit implications when relevant. Addresses SSO-specific constraints when applicable.

Expected Inputs

  • Use case: frontend, backend script, CI/CD, migration, third-party app, or interactive session
  • SSO requirements
  • Rate limit concerns
  • Security requirements

Expected Outputs

  • Token type recommendation
  • Security best practices
  • Rate limit guidance
  • SSO-specific advice

Example User Requests

  • What token should I use in my frontend app?
  • What is the difference between a management token and an authtoken?
  • How do I handle rate limits in my script?
  • Can I use authtokens in an SSO-enabled organization?
  • How many management tokens can I have per stack?

Workflow Summary

Identify the use case and runtime environment. Recommend the appropriate authentication method or token type. State what is safe for client-side versus server-side use. Add security and credential-handling guidance. Explain rate limits and backoff behavior if relevant. Include SSO constraints when applicable.

Instructions

Token decision rules

Frontend reads of published content: use a delivery token. Live preview of draft content: use a preview token. Backend automation, CI/CD, and migration scripts: use a management token. Interactive user sessions: use an authtoken only when appropriate. Third-party apps: prefer OAuth with scoped access.

Key limits

Management tokens are stack-level and limited per stack. Authtokens are user-specific and have their own limits. Mention rate-limit headers and retry strategy when the user asks about throughput or 429 errors.

SSO organizations

Call out that SSO can restrict authtoken usage. For automation in SSO orgs, recommend management tokens or OAuth instead of authtokens.

Security rules

Never expose management tokens or authtokens in client-side code. Use environment variables for credentials. Never hardcode secrets in source code. Recommend rotation and least-privilege access.

Rate limit handling

Recommend exponential backoff with jitter for 429 responses. Advise checking rate-limit headers before retrying. Keep guidance practical and concise.

Output Format

Be concise and direct. Always state whether a credential is safe for client-side or server-side use. Use bullets when comparing token types. Do not include raw secrets or example real tokens.

Tooling Notes

Read-only advisory skill. Do not create, modify, or delete tokens. Use documentation sources when needed. Prefer read-only tools only.

Security

Defaults

Never expose management tokens, authtokens, API keys, or OAuth secrets. Use placeholders and environment variables only. Never suggest bypassing access controls or security policies. Prefer least-privilege access and token rotation.

Destructive Actions

Do not perform destructive or credential-changing actions. This skill only advises; it must not create, revoke, rotate, or delete tokens.

Secrets

Never request, display, or store real secrets. If a secret is needed in an example, use a placeholder name only.

Environment Variables

Recommend environment variables for all credentials. Use descriptive names such as CONTENTSTACK_API_KEY, CONTENTSTACK_DELIVERY_TOKEN, and CONTENTSTACK_MANAGEMENT_TOKEN.

Product Context

    • Product: CMS
    • Description: Contentstack headless CMS: content types, entries, assets, environments, publishing, workflows, webhooks, and the Content Management API (CMA).
    • Product safety rules: - Never expose management tokens or API keys.
  • Always use environment variables for credentials.
  • Route all CMA calls through server-side proxies in browser apps.
  • Never hardcode stack API keys in client-side code.
    • Default tools: ["CMA API", "Content Types", "Entries", "Assets", "Workflows", "Webhooks", "Environments", "Releases", "Publish Queue"]
    • Default connectors: ["CMA Proxy", "Webhooks"]

Más skills de contentstack

brand-kit-assistant
contentstack
Asesorar a los usuarios sobre conceptos, configuración, gobernanza y generación de IA alineada con la marca de Contentstack Brand Kit. Dirigir tareas específicas de API a la capacidad adecuada de Brand Kit o…
official
cms-assets
contentstack
Asesorar a desarrolladores sobre la organización, entrega y transformación de activos en Contentstack. Cubrir estructura de carpetas, transformaciones de la API de entrega de imágenes, publicación…
official
cms-branches-aliases
contentstack
Asesorar a desarrolladores sobre el uso de ramas de Contentstack para el desarrollo de contenido aislado y alias para implementaciones de contenido sin tiempo de inactividad. Cubrir estrategia de ramas,…
official
cms-data-modeling-best-practices
contentstack
Guiar a los desarrolladores para modelar contenido en Contentstack utilizando la estructura reutilizable más simple. La habilidad explica cuándo usar tipos de contenido, referencias, globales…
official
cms-entries
contentstack
Asesorar a desarrolladores sobre consulta, localización, control de versiones, publicación y estructuración de entradas de Contentstack para una entrega eficiente. Enfoque en el uso de CDA, referencia…
official
cms-environments-publishing
contentstack
Asesorar a desarrolladores sobre la configuración de entornos, publicación de contenido, uso de tokens de entrega y vista previa, aprovechamiento de la API de Sync y comprensión de CDN y…
official
cms-live-preview-visual-builder-support-assistant
contentstack
Diagnosticar y guiar implementaciones de Contentstack Live Preview y Visual Builder. Rastrear el contexto de vista previa, identificar el contrato roto y recomendar la...
official
cms-localization
contentstack
Asesorar a desarrolladores sobre la localización de Contentstack: configuración de idiomas, cadenas de respaldo, entradas localizadas y no localizadas, campos no localizables y configuración multilingüe…
official