Ask an AI assistant for "JWT auth" and you usually get a toy endpoint: sign a token, return it, call it done. That is not enough for production code.
The missing pieces are predictable: refresh-token rotation, cookie flags, CSRF posture, revocation, rate limits, typed errors, tests, and operational notes for key rotation.
Use this prompt shape instead
Build JWT authentication for [stack] with:
- access tokens expiring in [duration]
- refresh-token rotation and reuse detection
- httpOnly secure sameSite cookies
- CSRF strategy for browser clients
- revocation table or token versioning
- rate limits on login/refresh
- typed error responses
- unit + integration tests
- key rotation notes
Return implementation files, tests, env vars, and failure modes. Do not use deprecated APIs. Do not skip edge cases.
Why this works
- It forces the model to treat authentication as a system, not a snippet.
- It names the security constraints before code generation starts.
- It asks for tests and failure modes, which catches most demo-grade shortcuts.
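What the prompt is asking for looks like this in practice. The block below is an added example, not code from the page or from DevPrompts Pro: a stdlib-only HS256 signer/verifier plus an in-memory stand-in for the refresh-token table, with rotation, reuse detection (a replayed refresh token revokes its whole family), token versioning for revocation, and typed errors. The signing key, TTLs and the in-memory dicts are constructed assumptions; a real deployment loads the key from an env var, keys it by `kid` for rotation, and backs the tables with a database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed demo key: load from an env var and rotate by kid in real code.
SECRET = b"constructed-demo-hs256-key-not-for-production"
ACCESS_TTL = 600          # seconds; access tokens stay short-lived
REFRESH_TTL = 7 * 86400   # seconds; refresh tokens are tracked server-side


class AuthError(Exception):
    """Typed error: .code maps to an HTTP status and a JSON body in the API layer."""
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """Pin the algorithm, check the signature in constant time, then check expiry."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        provided = _unb64(s)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("malformed_token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise AuthError("bad_alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        raise AuthError("bad_signature")
    claims = json.loads(_unb64(p))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise AuthError("expired")
    return claims


@dataclass
class User:
    uid: str
    token_version: int = 0  # bump to invalidate every access token issued so far


@dataclass
class RefreshRecord:
    uid: str
    family: str          # one family per login; rotation keeps the family id
    expires: float
    used: bool = False   # set when rotated away; presenting it again is reuse


class AuthService:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.refresh: dict[str, RefreshRecord] = {}  # stand-in for the refresh-token table

    def login(self, uid: str, now: float):
        return self._issue(self.users[uid], secrets.token_urlsafe(16), now)

    def _issue(self, user: User, family: str, now: float):
        rid = secrets.token_urlsafe(32)
        self.refresh[rid] = RefreshRecord(user.uid, family, now + REFRESH_TTL)
        access = sign_jwt({"sub": user.uid, "ver": user.token_version, "exp": now + ACCESS_TTL})
        return access, rid

    def refresh_tokens(self, rid: str, now: float):
        rec = self.refresh.get(rid)
        if rec is None or rec.expires <= now:
            raise AuthError("invalid_refresh")
        if rec.used:
            # Reuse detected: this token was already rotated away, so two parties hold it.
            # Revoke the whole family; both must log in again.
            self.refresh = {k: v for k, v in self.refresh.items() if v.family != rec.family}
            raise AuthError("refresh_reuse")
        rec.used = True
        return self._issue(self.users[rec.uid], rec.family, now)

    def revoke_all(self, uid: str):
        """Logout-everywhere / password change: version bump kills live access tokens too."""
        self.users[uid].token_version += 1
        self.refresh = {k: v for k, v in self.refresh.items() if v.uid != uid}

    def authenticate(self, access: str, now: float) -> str:
        claims = verify_jwt(access, now=now)
        user = self.users.get(claims.get("sub"))
        if user is None or claims.get("ver") != user.token_version:
            raise AuthError("revoked")
        return user.uid
```

Each `AuthError.code` is one of the failure modes the prompt asks the model to enumerate (`malformed_token`, `bad_alg`, `bad_signature`, `expired`, `invalid_refresh`, `refresh_reuse`, `revoked`); the integration tests the prompt demands are exactly a replayed refresh token, a forged signature, an expired access token and a post-revocation request, which is what the assertions below exercise.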
DevPrompts Pro includes the expanded auth/security templates alongside backend, frontend, and DevOps prompt patterns.