
Account & Authentication

by D9m1n1c · GitHub ↗ · v1.0.1 · MIT-0
cross-platform · ✓ Security Clean · 298 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install aiotnetwork-account-auth
Description
Account signup, login via email/OTP/wallet/biometric, token refresh, password reset, and session management.
README (SKILL.md)

Account & Authentication

Use this skill when the user needs to sign up, log in, manage sessions, reset their password, or link a Web3 wallet.

Configuration

The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.

To override (e.g. for local development):

export AIOT_API_BASE_URL="http://localhost:8080"

If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.
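
One way a client could resolve the base URL so that an override cannot silently downgrade credentials to clear text. This is an added example, not code from the skill or its publisher; the helper names and the loopback-only exception for plain HTTP are assumptions.

```python
import os
from urllib.parse import urlsplit

DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"  # default stated on this page
# Assumption: plain HTTP is tolerated only for local development hosts.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def resolve_base_url(env=None):
    """Return the API base URL, rejecting overrides that are unsafe for auth traffic."""
    env = os.environ if env is None else env
    raw = (env.get("AIOT_API_BASE_URL") or DEFAULT_BASE_URL).strip()
    parts = urlsplit(raw)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"not an absolute http(s) URL: {raw!r}")
    if parts.username or parts.password:
        raise ValueError("base URL must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query or fragment")
    if parts.scheme == "http" and host not in LOOPBACK_HOSTS:
        raise ValueError(f"plain HTTP is only accepted for loopback hosts, got {host!r}")
    # Documented paths start with /api/v1/, so drop any trailing slash.
    return raw.rstrip("/")


def endpoint(path, env=None):
    """Join a documented path such as /api/v1/auth/login onto the resolved base."""
    if not path.startswith("/api/v1/"):
        raise ValueError(f"path outside the documented API: {path!r}")
    return resolve_base_url(env) + path
```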

Available Tools

  • send_otp — Send a one-time password to an email address | POST /api/v1/auth/otp/send
  • verify_otp — Verify an OTP code and receive a verification token | POST /api/v1/auth/otp/verify
  • otp_rate_limit_status — Check OTP rate limit status for the current session | GET /api/v1/auth/otp/status
  • signup — Create a new account with email, password, and OTP verification token | POST /api/v1/auth/signup
  • login — Login with email and password | POST /api/v1/auth/login
  • login_with_wallet — Login by signing a nonce with a Web3 wallet | POST /api/v1/auth/wallet
  • get_wallet_nonce — Get a nonce for wallet-based login | GET /api/v1/auth/wallet/nonce
  • biometric_login — Login using biometric credentials | POST /api/v1/auth/biometric
  • refresh_token — Refresh an expired access token using a refresh token | POST /api/v1/auth/refresh
  • reset_password — Reset account password using OTP verification | POST /api/v1/auth/reset-password
  • unlock_account — Unlock a locked account | POST /api/v1/auth/unlock
  • get_account — Get current account information | GET /api/v1/account | Requires auth
  • update_password — Change account password | PUT /api/v1/account/password | Requires auth
  • link_wallet — Link a Web3 wallet to the account | PUT /api/v1/account/wallet | Requires auth
  • unlink_wallet — Remove a linked Web3 wallet | DELETE /api/v1/account/wallet | Requires auth
  • logout — Logout current session | POST /api/v1/account/logout | Requires auth
  • logout_all — Logout from all sessions | POST /api/v1/account/logout-all | Requires auth

Recommended Flows

Sign Up

Create a new account via email and OTP

  1. Send OTP: POST /api/v1/auth/otp/send with {email, type: "registration"}
  2. Verify OTP: POST /api/v1/auth/otp/verify with {email, code, type: "registration"} — returns verification_token
  3. Sign up: POST /api/v1/auth/signup with {email, password, verification_token}

Login

Authenticate and receive access/refresh tokens

  1. Login: POST /api/v1/auth/login with {email, password} — returns access_token, refresh_token
  2. Use access_token as Bearer token in Authorization header for all authenticated requests
  3. When access_token expires, refresh: POST /api/v1/auth/refresh with {refresh_token}

Rules

  • OTP is required for signup and password reset — always send then verify before proceeding
  • Access tokens expire after 1 hour — use refresh_token to get a new one
  • After 5 failed login attempts the account is locked — use /auth/unlock to recover
  • Never store or log passwords — use them transiently only

Agent Guidance

Follow these instructions when executing this skill:

  • Always follow the documented flow order. Do not skip steps.

  • If a tool requires authentication, verify the session has a valid bearer token before calling it.

  • If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.

  • Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).

  • If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.

  • If a step fails, check the error and follow the recovery guidance below before retrying.

  • To sign up a new user: first call send_otp with type "registration", then verify_otp with type "registration", then signup. Never skip OTP verification.

  • Valid OTP types: "registration" (signup), "forget_password", "account_unlock", "pin_setup", "pin_reset". Always use the correct type for the operation.

  • To reset a password: first call send_otp with type "forget_password", then verify_otp, then reset_password with the verification token.

  • All authenticated endpoints require a bearer token obtained from login or login_with_wallet.

  • When the access token expires (1 hour TTL), call refresh_token with the refresh token. Do not ask the user to log in again.

  • Never log, store, or repeat the user's password back to them.

  • If login fails 5 times consecutively, the account locks. To unlock: call send_otp with type "account_unlock", then verify_otp, then unlock_account with the verification token.
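
The ordering and logging rules above are instructions to the agent; a runtime that wants them enforced can check them in code. The following is an added example, not part of the skill: `FlowGuard`, `redact` and the single-use handling of a verification are assumptions, while the tool names, OTP types and field names are the ones listed on this page.

```python
REQUIRED_OTP = {  # OTP-gated tool -> OTP type, per the guidance above
    "signup": "registration",
    "reset_password": "forget_password",
    "unlock_account": "account_unlock",
}
VALID_OTP_TYPES = {"registration", "forget_password", "account_unlock",
                   "pin_setup", "pin_reset"}
# Field names that appear on this page and must never reach logs.
SECRET_FIELDS = {"password", "code", "verification_token",
                 "access_token", "refresh_token"}


class FlowError(Exception):
    pass


class FlowGuard:
    """Client-side check that send_otp -> verify_otp precedes each gated tool."""

    def __init__(self):
        self._state = {}  # (email, otp_type) -> "sent" or "verified"

    def record_ok(self, tool, email, otp_type):
        """Call after send_otp or verify_otp returned success."""
        if otp_type not in VALID_OTP_TYPES:
            raise FlowError(f"unknown OTP type {otp_type!r}")
        key = (email.lower(), otp_type)
        if tool == "send_otp":
            self._state[key] = "sent"
        elif tool == "verify_otp" and self._state.get(key) == "sent":
            self._state[key] = "verified"
        else:
            raise FlowError(f"{tool} out of order for {otp_type}")

    def authorize(self, tool, email):
        """Call before dispatching a tool; raises if its OTP step was skipped."""
        otp_type = REQUIRED_OTP.get(tool)
        if otp_type is None:
            return  # not OTP-gated (login, refresh_token, ...)
        key = (email.lower(), otp_type)
        if self._state.get(key) != "verified":
            raise FlowError(f"{tool} needs verify_otp with type {otp_type!r} first")
        del self._state[key]  # assumption: the guard treats a verification as single-use


def redact(obj):
    """Copy a request or response body with secret fields masked, for logging."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v)
                for k, v in obj.items()}
    return [redact(v) for v in obj] if isinstance(obj, list) else obj
```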

Usage Guidance
This skill appears internally consistent, but review these practical checks before installing:

  1. Verify the API base URL (default: https://payment-api-dev.aiotnetwork.io) is a trusted endpoint for your use — consider overriding AIOT_API_BASE_URL for production to a verified domain and ensure HTTPS/TLS is enforced.
  2. The variable labeled as a "primary credential" is just a URL; no secrets are requested by the skill, but the API itself will handle authentication (tokens/OTP) — ensure the agent runtime will not persist or log tokens or passwords.
  3. Because this is an instruction-only skill with autonomous invocation allowed, confirm you trust the skill owner and the API service before allowing agent-initiated auth flows.
  4. If you need stronger safeguards, restrict the skill from running autonomously or audit network calls to the API during initial use.

If you want more assurance, request the skill's source or an official homepage from the publisher before using it in production.
Capability Analysis
Type: OpenClaw Skill
Name: aiotnetwork-account-auth
Version: 1.0.1

The skill bundle provides standard authentication and account management functionality for the AIoT Network, including email/OTP, Web3 wallet login, and session management. The instructions in SKILL.md are security-conscious, explicitly directing the AI agent to avoid logging or persisting sensitive secrets like passwords and PINs. All tools and endpoints are consistent with the stated purpose of the skill.
Capability Assessment
Purpose & Capability
The name/description (signup, login, session management, password reset, wallet linking) match the listed API endpoints and flows. All declared requirements (only AIOT_API_BASE_URL) are relevant to contacting the API. The only minor oddity is that the registry metadata marks the base URL as the "primary credential" even though a URL is not a secret credential; this appears to be a labeling choice rather than a functional mismatch.
Instruction Scope
SKILL.md provides specific HTTP endpoint flows (send OTP, verify OTP, signup, login, refresh, etc.) and explicitly confines behavior to those flows. Instructions do not ask the agent to read local files or unrelated environment variables, nor to transmit data to endpoints outside the documented API base URL. The guidance about never logging or persisting secrets is appropriate, though an instruction-only skill cannot technically enforce runtime logging policies.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only which minimizes on-disk risk. Nothing is downloaded or executed automatically.
Credentials
The skill only requires AIOT_API_BASE_URL, which is proportionate to an API client. Note: the registry marks that variable as a "primary credential" even though it is just a URL (not a secret). There are no requests for unrelated secrets or credentials.
Persistence & Privilege
always:false and no install-time persistence are present. The skill does not request permanent system presence or attempt to modify other skills or system configuration. The default ability for the agent to invoke the skill autonomously is normal and not by itself a concern.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aiotnetwork-account-auth
  3. After installation, invoke the skill by name or use /aiotnetwork-account-auth
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
  • Added environment configuration details, including use of the AIOT_API_BASE_URL variable and its default value.
  • Updated OTP flow: changed signup OTP type from "signup" to "registration" in docs and examples.
  • Listed all valid OTP types and clarified their use in flows.
  • No changes to API endpoints or tool functionality.
  • Improved instructions for local and default API base URL usage.
v1.0.0
Initial release of the Account & Authentication skill.
  • Supports account signup, email/OTP-based login, Web3 wallet and biometric login, session management, and password resets.
  • Implements token-based authentication with access and refresh tokens.
  • Tools included for sending and verifying OTPs, handling wallet linking, unlocking accounts, and managing sessions.
  • Enforces security best practices: do not store or log passwords or sensitive information.
  • Provides clear, step-by-step recommended flows for signup, login, and recovery.
Metadata
Slug aiotnetwork-account-auth
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Account & Authentication?

Account signup, login via email/OTP/wallet/biometric, token refresh, password reset, and session management. It is an AI Agent Skill for Claude Code / OpenClaw, with 298 downloads so far.

How do I install Account & Authentication?

Run "/install aiotnetwork-account-auth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Account & Authentication free?

Yes, Account & Authentication is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Account & Authentication support?

Account & Authentication is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Account & Authentication?

It is built and maintained by D9m1n1c (@d9m1n1c); the current version is v1.0.1.
