Duende Agent Skills

A set of agent skills and specialized agents for Duende IdentityServer, Backend-for-Frontend (BFF), and identity/access management development. Covers OAuth 2.0, OpenID Connect, Duende, token management, ASP.NET Core authentication and authorization, and related skills needed to build production-grade identity infrastructure.

Your Feedback 🗣️

We would love to hear your feedback about these skills! What's working? What's not? What's missing?

For questions, feedback, or community discussions, visit the Duende Community.

Installation

You can use several AI coding assistants that support skills/agents.

Claude Code (CLI)

Official Docs

Run these commands inside the Claude Code CLI:

/plugin marketplace add DuendeSoftware/duende-skills
/plugin install duende-skills

To update:

/plugin marketplace update

Recommended: Also install dotnet-skills for general .NET development coverage:

/plugin marketplace add Aaronontheweb/dotnet-skills
/plugin install dotnet-skills

GitHub Copilot

Official Docs

Clone or copy skills to your project or global config:

Project-level (recommended):

git clone https://github.com/DuendeSoftware/duende-skills.git /tmp/duende-skills
cp -r /tmp/duende-skills/skills/* .github/skills/

Global (all projects):

mkdir -p ~/.copilot/skills
cp -r /tmp/duende-skills/skills/* ~/.copilot/skills/

Recommended: Also install dotnet-skills for general .NET development coverage.

OpenCode

Official Docs

git clone https://github.com/DuendeSoftware/duende-skills.git /tmp/duende-skills

# Global installation (directory names must match frontmatter 'name' field)
mkdir -p ~/.config/opencode/skills ~/.config/opencode/agents
for skill_file in /tmp/duende-skills/skills/*/SKILL.md; do
  skill_dir=$(dirname "$skill_file")
  skill_name=$(grep -m1 "^name:" "$skill_file" | sed 's/name: *//')
  mkdir -p ~/.config/opencode/skills/$skill_name
  cp "$skill_file" ~/.config/opencode/skills/$skill_name/SKILL.md
  # Copy bundled resources (docs/, references/, etc.) if present
  find "$skill_dir" -mindepth 1 -maxdepth 1 -type d -exec cp -r {} ~/.config/opencode/skills/$skill_name/ \;
done
cp /tmp/duende-skills/agents/*.md ~/.config/opencode/agents/

Recommended: Also install dotnet-skills for general .NET development coverage.

Skills Library

Identity & OAuth

Looking for general .NET skills? C# coding standards, concurrency patterns, EF Core, database performance, Aspire configuration, dependency injection, Playwright testing, snapshot testing, project structure, package management, and more are available in dotnet-skills.

Agents

Skill Evaluation Benchmarks

Each skill is evaluated using 5–12 realistic prompts with concrete assertions. Every prompt is answered with the skill loaded and without it (baseline), then graded against the assertions. This measures the incremental value each skill provides over general LLM knowledge.

Run evals for all skills using GitHub Models (via gh CLI):

./scripts/run-evals.sh --iteration 3 --verbose

Results — June 1, 2026 (claude-opus-4-20250514)

227 evals across 24 skills — 1011 total assertions

Key findings:

• Highest-value skills (>50% delta): SAML (+88.6%), token security, Aspire, User Management (+69.0% new), BFF, API protection, deployment, DCR, Upgrade v7→v8 (+51.7% new) — deeply Duende-specific knowledge where baseline LLM knowledge falls short.
• Moderate-value skills (20–50% delta): Token management, UI flows, token lifecycle, stores, hosting setup, claims authorization, sessions, authentication, migration, security hardening, configuration, testing patterns — specialized patterns that improve precision significantly.
• Lower-delta skills (<20%): Key management, OAuth/OIDC protocols, authorization — well-known patterns where baseline model knowledge is already strong, but skills still close remaining gaps.
• New skills (v8 update): SAML rewrite improved delta from +77.1% to +88.6% (v8 APIs are even more specialized). User Management and Upgrade skills both show high value as expected for brand-new Duende-specific APIs.

Key Principles

• Security by Default — PKCE enforced, no implicit flow, short-lived access tokens, refresh token rotation
• Protocol Compliance — OAuth 2.0 Security BCP, OpenID Connect Core, RFC-grounded guidance
• Type Safety — Strongly-typed IDs for clients, resources, scopes; nullable reference types throughout
• Testable Architecture — DI everywhere, WebApplicationFactory for integration tests, no static state
• Production Patterns — Key rotation, data protection, health checks, structured logging

Support

For questions, feedback, or community discussions, visit the Duende Community.

Contributing

When adding new skills, use the appropriate prefix:

• identityserver-* for IdentityServer configuration/stores
• duende-* for Duende product integrations (BFF, AccessTokenManagement)
• aspnetcore-* for ASP.NET Core auth/authz
• identity-* for cross-cutting identity concerns
• oauth-* / token-* / claims-* for protocol and authz skills

General .NET skills (C#, EF Core, Aspire, DI, etc.) belong in dotnet-skills, not here. This repo focuses exclusively on identity, authentication, and authorization.

See CLAUDE.md for the full contribution workflow.

License

MIT License — Copyright (c) Duende Software.
Based on dotnet-skills, Copyright (c) Aaron Stannard.

Disclaimer

Duende's AI developer tools (including the Duende Documentation MCP Server and Duende Agent Skills) are designed
to provide Large Language Models (LLMs) with verified, structured context from Duende's documentation and product knowledge.
These tools improve the quality and relevance of AI-assisted development with Duende products, including IdentityServer,
BFF and our Open Source offerings, but they do not guarantee the correctness, security, or completeness
of AI-generated output. All code, configuration, and architectural decisions produced with the assistance of these tools
must be reviewed and validated by qualified developers before deployment to any environment.
Duende Software is not responsible for AI-generated output that results from the use of these tools.

Duende Agent Skills provide structured task capabilities to LLM agents for common development workflows.
Skills are designed to reduce implementation errors, but they operate within the LLM's reasoning process and are subject
to the LLM's limitations. Skill outputs (including generated code, configuration, and recommendations) should be treated
as developer assistance, not as production-ready artifacts. Test all skill outputs thoroughly in your own environment
before deploying to staging or production.

Skills Index

The following is metadata about the skills that can be used and parsed by various AI agents/tools. This section is maintained by the ./scripts/generate-skills-index.sh script.

[duende-skills]|IMPORTANT: Prefer retrieval-led reasoning over pretraining for any identity/auth/.NET work.
|flow:{skim repo patterns -> consult duende-skills by name -> implement smallest-change -> note conflicts}
|route:
|identity:{duende-bff,identity-security-hardening,identityserver-api-protection,identityserver-aspire,identityserver-configuration,identityserver-dcr,identityserver-deployment,identityserver-hosting-setup,identityserver-key-management,identityserver-saml,identityserver-sessions-providers,identityserver-stores,identityserver-token-lifecycle,identityserver-token-security,identityserver-ui-flows,identityserver-upgrade-v7-to-v8,identityserver-usermanagement,identityserver4-migration}
|oauth:{claims-authorization,oauth-oidc-protocols,token-management}
|aspnetcore:{aspnetcore-authentication,aspnetcore-authorization}
|testing:{identity-testing-patterns}
|agents:{identity-server-specialist,oauth-oidc-specialist}