
exchange-security

v1.0.0

About this Skill

Ideal for Financial Agents requiring advanced digital currency transaction security with secure authentication flows and JWT token handling. exchange-security is a security specialist skill for the Exchange Platform, focusing on secure authentication flows and JWT token implementation.

Features

Implements authentication flows using /auth/* endpoints
Generates JWT tokens signed with RS256
Supports secure client authentication
Provides security architecture for digital currency transactions
Utilizes secure token validation for transaction authentication
Enables secure data exchange between clients and the Exchange Platform

Author: RennAraujo
Updated: 3/5/2026

Installation

npx killer-skills add RennAraujo/Trenvus/exchange-security

Agent Capability Analysis

The exchange-security MCP Server by RennAraujo is an open-source Categories.community integration for Claude and other AI agents, enabling task automation and capability expansion.

Core Value

Empowers agents to secure digital currency transactions with RS256 JWT tokens, implementing robust authentication flows and ensuring the integrity of financial data through secure Exchange Platform interactions.

Capabilities Granted for exchange-security MCP Server

Authenticating client requests with secure JWT tokens
Validating digital currency transactions for secure Exchange Platform operations
Implementing secure authentication flows for financial applications

Prerequisites & Limits

  • Requires knowledge of JWT token implementation (RS256)
  • Specific to Exchange Platform security architecture
  • Dependent on secure authentication flow endpoints (/auth/*)
SKILL.md

Exchange Security Engineer

Security specialist for the Exchange Platform - a financial application handling digital currency transactions.

Security Architecture

Authentication Flow

┌──────────┐     ┌─────────────┐     ┌────────────┐
│  Client  │────▶│  /auth/*    │────▶│  JWT Token │
│          │◀────│  endpoints  │◀────│  (RS256)   │
└──────────┘     └─────────────┘     └────────────┘
       │                                   │
       │  ┌────────────────────────────────┘
       │  │  Access Token (short-lived)
       │  │  Refresh Token (long-lived)
       ▼  ▼
┌─────────────────────────────────────────────┐
│         Protected Endpoints (/api/*)        │
│         JWT Validation + Role Checks        │
└─────────────────────────────────────────────┘

JWT Configuration

  • Algorithm: RS256 (RSA asymmetric)
  • Key Size: 2048 bits minimum
  • Access Token TTL: 15-60 minutes
  • Refresh Token TTL: 30 days
  • Token Type: Bearer

Claims Structure

json
{
  "sub": "123",              // User ID
  "email": "user@test.com",
  "nickname": "user1",       // Optional
  "roles": ["USER"],
  "iat": 1708450000,
  "exp": 1708453600,
  "iss": "trenvus"
}

JWT Key Management

Generating Keys

bash
# Generate private key
openssl genrsa -out private.pem 2048

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# Base64 encode for env vars
base64 -w 0 private.pem   # JWT_PRIVATE_KEY_B64
base64 -w 0 public.pem    # JWT_PUBLIC_KEY_B64

Environment Variables

bash
JWT_PRIVATE_KEY_B64=<base64-encoded-private-key>
JWT_PUBLIC_KEY_B64=<base64-encoded-public-key>
JWT_ISSUER=trenvus
JWT_ACCESS_TTL_SECONDS=3600
JWT_REFRESH_TTL_SECONDS=2592000

Security Configuration

Public Endpoints (permitAll)

java
/auth/register       // User registration
/auth/login          // User login
/auth/test-login     // Test account login
/auth/admin-login    // Admin login
/auth/refresh        // Token refresh
/auth/logout         // Logout
/swagger-ui/**       // API docs
/v3/api-docs/**      // OpenAPI spec

Protected Endpoints (authenticated)

java
/wallet              // View wallet
/wallet/deposit      // Deposit funds
/exchange/convert    // Currency conversion
/transfer/trv        // P2P transfers
/invoices/**         // QR code payments
/transactions/**     // Transaction history
/me/**               // User profile

Admin Endpoints (ROLE_ADMIN)

java
/admin/users                 // List users
/admin/users/{id}/wallet     // Manage user wallets
/admin/users/{id}/role       // Change user roles

CORS Configuration

java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    var config = new CorsConfiguration();
    // Explicit origin allow-list; a wildcard is not permitted when allowCredentials is true
    config.setAllowedOrigins(List.of(
        "http://localhost:3000",
        "http://localhost:5173",
        "https://yourdomain.com"
    ));
    config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
    config.setAllowedHeaders(List.of("*"));
    config.setAllowCredentials(true);
    // The configuration must be registered on the source; an empty
    // UrlBasedCorsConfigurationSource applies no CORS rules at all
    var source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
    return source;
}

Password Security

Hashing

  • Algorithm: BCrypt
  • Strength: 10 (default)
  • Library: BCryptPasswordEncoder

java
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

Storage

  • Never store plaintext passwords
  • Never store passwords in logs
  • Password hash stored in users.password_hash

Token Security

Refresh Token Best Practices

  1. Hash before storage - SHA-256
  2. One-time use - Rotate on refresh
  3. Revocation support - Store revocation timestamp
  4. Device binding - Optional IP/user-agent

Token Rotation

Client              Server
  │  Access (expired) │
  │──────────────────▶│ 401 Unauthorized
  │                   │
  │ Refresh Token     │
  │──────────────────▶│ Validate
  │                   │ Revoke old
  │ New Access+Refresh│ Issue new
  │◀──────────────────│
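The four refresh-token practices and the rotation exchange above, worked through as an added Python illustration (not code from the Trenvus project, whose backend is Java/Spring). The in-memory table, the SHA-256-hashed key and the reuse-detection rule (a revoked token presented again revokes the user's whole token family) are assumptions made for the example.

```python
import hashlib
import secrets
import time

class RefreshTokenStore:
    """Hypothetical in-memory refresh-token table; only SHA-256 hashes are kept."""

    def __init__(self, ttl_seconds=2592000):   # JWT_REFRESH_TTL_SECONDS (30 days)
        self.ttl = ttl_seconds
        self._rows = {}                         # sha256(raw) -> record

    @staticmethod
    def _hash(raw):
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user_id, device=None, now=None):
        """Mint a raw token for the client and store only its hash (practice 1)."""
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        self._rows[self._hash(raw)] = {
            "user_id": user_id,
            "expires_at": now + self.ttl,
            "revoked_at": None,                 # revocation timestamp (practice 3)
            "device": device,                   # optional IP/user-agent binding (practice 4)
        }
        return raw

    def rotate(self, raw, device=None, now=None):
        """One-time use (practice 2): validate, revoke the presented token, issue a new one."""
        now = time.time() if now is None else now
        rec = self._rows.get(self._hash(raw))
        if rec is None or now >= rec["expires_at"]:
            return None
        if rec["device"] is not None and rec["device"] != device:
            return None
        if rec["revoked_at"] is not None:
            # An already-rotated token presented again means someone holds a stale
            # copy: treat the user's whole token family as compromised.
            self.revoke_all(rec["user_id"], now)
            return None
        rec["revoked_at"] = now
        return self.issue(rec["user_id"], device, now)

    def revoke_all(self, user_id, now=None):
        now = time.time() if now is None else now
        for rec in self._rows.values():
            if rec["user_id"] == user_id and rec["revoked_at"] is None:
                rec["revoked_at"] = now
```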

Authorization

Role-Based Access Control (RBAC)

java
public enum UserRole {
    USER,   // Standard user
    ADMIN   // Full admin access
}

Method-Level Security

java
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> listUsers() { ... }

Security Headers

Enable in Spring Security:

java
http.headers(headers -> headers
    .frameOptions(HeadersConfigurer.FrameOptionsConfig::deny)
    .xssProtection(HeadersConfigurer.XXssConfig::disable)
    .contentSecurityPolicy(csp ->
        csp.policyDirectives("default-src 'self'")
    )
);

Common Vulnerabilities

Preventing

  1. SQL Injection - Use JPA/Hibernate (parameterized queries)
  2. XSS - Validate input, escape output
  3. CSRF - Disabled (stateless JWT)
  4. IDOR - Verify resource ownership
  5. Race Conditions - Optimistic locking on wallets
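Item 5, optimistic locking on wallets, worked through as an added Python/SQLite illustration (not the project's code, which maps the table with JPA/Hibernate, where a @Version column produces the same guarded UPDATE). The schema, the integer-cent balance and the retry policy are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory wallets table with an assumed version column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallets (id INTEGER PRIMARY KEY, "
               "balance_cents INTEGER NOT NULL, version INTEGER NOT NULL DEFAULT 0)")
    db.execute("INSERT INTO wallets (id, balance_cents) VALUES (1, 10000)")
    db.commit()
    return db

def read_wallet(db, wallet_id):
    """Snapshot a request computes against: balance plus the version it was read at."""
    row = db.execute("SELECT balance_cents, version FROM wallets WHERE id = ?",
                     (wallet_id,)).fetchone()
    return {"balance": row[0], "version": row[1]}

def withdraw(db, wallet_id, amount_cents, snapshot):
    """Debit computed from `snapshot`; the UPDATE matches only if the version is
    unchanged, so two requests reading the same balance cannot both spend it."""
    if amount_cents <= 0 or snapshot["balance"] < amount_cents:
        return False
    cur = db.execute(
        "UPDATE wallets SET balance_cents = ?, version = version + 1 "
        "WHERE id = ? AND version = ?",
        (snapshot["balance"] - amount_cents, wallet_id, snapshot["version"]),
    )
    db.commit()
    return cur.rowcount == 1   # 0 rows: stale snapshot, caller must re-read and retry

def withdraw_with_retry(db, wallet_id, amount_cents, attempts=3):
    """Service-layer pattern: re-read and retry when the optimistic lock is lost."""
    for _ in range(attempts):
        snap = read_wallet(db, wallet_id)
        if snap["balance"] < amount_cents:
            return False       # genuinely insufficient funds: no point retrying
        if withdraw(db, wallet_id, amount_cents, snap):
            return True
    return False
```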

Input Validation

java
@NotBlank @Email String email,
@NotBlank @Size(min = 6) String password,
@Positive BigDecimal amount

Security Checklist

  • JWT keys are RSA 2048+ bits
  • Keys rotated regularly
  • Passwords hashed with BCrypt
  • CORS origins restricted
  • No sensitive data in logs
  • Rate limiting enabled
  • HTTPS in production
  • Security headers configured
  • Input validation on all endpoints
  • Authorization checks on admin endpoints

Testing Security

bash
# Check JWT signature (replace TOKEN with an access token issued by /auth/login)
curl -H "Authorization: Bearer TOKEN" http://localhost:8080/me

# Test CORS: a disallowed origin must not get an Access-Control-Allow-Origin header back
curl -i -H "Origin: http://evil.com" http://localhost:8080/auth/login

# SQL injection attempt: must be rejected by the @Email validation, never reach the database
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"test@test.com' OR 1=1--\",\"password\":\"test\"}"
