workos · nicknisi · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
diff --git a/skills/workos-authkit-nextjs/SKILL.md b/skills/workos-authkit-nextjs/SKILL.md
@@ -9,7 +9,7 @@ description: Integrate WorkOS AuthKit with Next.js App Router (13+). Server-side
 
 **STOP. Do not proceed until complete.**
 
-WebFetch: `https://github.com/workos/authkit-nextjs/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/authkit-nextjs/main/README.md`
 
 The README is the source of truth. If this skill conflicts with README, follow README.
 

diff --git a/skills/workos-authkit-react-router/SKILL.md b/skills/workos-authkit-react-router/SKILL.md
@@ -18,7 +18,7 @@ description: Integrate WorkOS AuthKit with React Router applications. Supports v
 
 **STOP - Do not write any code until this completes.**
 
-WebFetch: `https://github.com/workos/authkit-react-router/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/authkit-react-router/main/README.md`
 
 The README is the source of truth. If this skill conflicts with README, **follow the README**.
 
@@ -69,15 +69,25 @@ Required in `.env` or `.env.local`:
 - `WORKOS_REDIRECT_URI` - full URL (e.g., `http://localhost:3000/auth/callback`)
 - `WORKOS_COOKIE_PASSWORD` - 32+ chars (server modes only)
 
-## Verification Checklist
+## Verification Checklist (ALL MUST PASS)
 
-After implementation, verify:
+Run these commands to confirm integration. **Do not mark complete until all pass:**
 
-- [ ] SDK installed in node_modules (package name from README)
-- [ ] Callback route path matches `WORKOS_REDIRECT_URI` path segment
-- [ ] Auth loader/provider on root route (not just child routes)
-- [ ] Build succeeds: `npm run build` exits 0
-- [ ] Correct mode pattern applied (loaders vs hooks)
+```bash
+# 1. Check SDK installed
+ls node_modules/@workos-inc/authkit-react-router 2>/dev/null || echo "FAIL: SDK not installed"
+
+# 2. Check callback route exists and matches WORKOS_REDIRECT_URI
+grep -r "authLoader\|handleCallbackRoute" src/ app/ 2>/dev/null
+
+# 3. Check auth loader/provider on root route
+grep -r "authkitLoader\|AuthKitProvider" src/ app/ 2>/dev/null
+
+# 4. Build succeeds
+npm run build
+```
+
+**If check #2 fails:** Callback route path must match WORKOS_REDIRECT_URI exactly. Use authLoader (not authkitLoader) for the callback route.
 
 ## Error Recovery
 

diff --git a/skills/workos-authkit-react/SKILL.md b/skills/workos-authkit-react/SKILL.md
@@ -11,7 +11,7 @@ description: Integrate WorkOS AuthKit with React single-page applications. Clien
 START
   │
   ├─► Fetch README (BLOCKING)
-  │   github.com/workos/authkit-react/blob/main/README.md
+  │   raw.githubusercontent.com/workos/authkit-react/main/README.md
   │   README is source of truth. Stop if fetch fails.
   │
   ├─► Detect Build Tool
@@ -53,16 +53,25 @@ Just ensure redirect URI env var matches WorkOS Dashboard exactly.
 
 No `WORKOS_API_KEY` needed. Client-side only SDK.
 
-## Verification Checklist
+## Verification Checklist (ALL MUST PASS)
 
-- [ ] README fetched and read
-- [ ] Build tool detected correctly
-- [ ] Env var prefix matches build tool
-- [ ] `.env` or `.env.local` has required vars
-- [ ] No `next` dependency (wrong skill)
-- [ ] No `react-router` dependency (wrong skill)
-- [ ] AuthKitProvider wraps app root
-- [ ] `pnpm build` exits 0
+Run these commands to confirm integration. **Do not mark complete until all pass:**
+
+```bash
+# 1. Check env var prefix matches build tool
+grep -E "VITE_WORKOS_CLIENT_ID|REACT_APP_WORKOS_CLIENT_ID" .env .env.local 2>/dev/null
+
+# 2. Check AuthKitProvider wraps app root
+grep "AuthKitProvider" src/main.tsx src/index.tsx 2>/dev/null || echo "FAIL: AuthKitProvider missing"
+
+# 3. Check no server framework present (wrong skill if found)
+grep -E '"next"|"react-router"' package.json && echo "WARN: Server framework detected"
+
+# 4. Build succeeds
+pnpm build
+```
+
+**If check #2 fails:** AuthKitProvider must wrap the app root in main.tsx/index.tsx. This is required for useAuth() to work.
 
 ## Error Recovery
 

diff --git a/skills/workos-authkit-sveltekit/SKILL.md b/skills/workos-authkit-sveltekit/SKILL.md
@@ -9,7 +9,7 @@ description: Integrate WorkOS AuthKit with SvelteKit. Server-side authentication
 
 **STOP. Do not proceed until complete.**
 
-WebFetch: `https://github.com/workos/authkit-sveltekit/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/authkit-sveltekit/main/README.md`
 
 The README is the source of truth. If this skill conflicts with README, follow README.
 
@@ -32,15 +32,63 @@ Check `.env` or `.env.local` for:
 
 SvelteKit uses `$env/static/private` and `$env/dynamic/private` natively. The agent should write env vars to `.env` (SvelteKit's default) or `.env.local`.
 
+## Step 2b: Partial Install Recovery
+
+Before installing the SDK, check if a previous AuthKit attempt already exists:
+
+1. Check if `@workos/authkit-sveltekit` is already in `package.json`
+2. Check for incomplete setup signals:
+   - `src/hooks.server.ts` has commented-out `authkitHandle` import or exports a passthrough handle
+   - `src/routes/+layout.server.ts` has TODO comments about loading the session
+   - No callback `+server.ts` route exists in `src/routes/`
+   - No `WORKOS_COOKIE_PASSWORD` in `.env`
+3. If partial install detected:
+   - Do NOT reinstall the SDK (it's already there)
+   - Read existing files to understand what's done vs missing
+   - Complete the integration by filling gaps rather than starting fresh
+   - The most common gap is the missing callback route — create it
+   - Wire up `authkitHandle` in hooks.server.ts properly (use `sequence()` if other hooks exist)
+   - Complete the layout load function
+   - Ensure `WORKOS_COOKIE_PASSWORD` is set in `.env`
+
+## Step 2c: Existing Auth System Detection
+
+Check for existing authentication before integrating:
+
+```
+package.json has 'lucia'?              → Lucia v3 session auth
+package.json has '@auth0/auth0-spa-js'? → Auth0 SPA auth
+package.json has '@auth/sveltekit'?    → Auth.js SvelteKit
+src/hooks.server.ts handles cookies?   → Custom session middleware
+```
+
+If existing auth detected (Lucia is most common in SvelteKit):
+
+- Do NOT remove or disable the existing auth system
+- Use `sequence()` from `@sveltejs/kit/hooks` to compose handles:
+
+  ```typescript
+  import { sequence } from '@sveltejs/kit/hooks';
+  import { authkitHandle } from '@workos/authkit-sveltekit';
+
+  // Keep existing handle, compose with AuthKit
+  export const handle = sequence(authkitHandle, existingHandle);
+  ```
+
+- AuthKit handle should come FIRST in `sequence()` so it runs before other middleware
+- Create separate WorkOS routes if `/login` or `/callback` are already taken (e.g., use `/auth/callback`)
+- Ensure existing auth routes, form actions, and session cookies continue to work unchanged
+- Document in code comments how to migrate fully to WorkOS AuthKit later
+
 ## Step 3: Install SDK
 
 Detect package manager, install SDK package from README.
 
 ```
-pnpm-lock.yaml? → pnpm add @workos-inc/authkit-sveltekit
-yarn.lock? → yarn add @workos-inc/authkit-sveltekit
-bun.lockb? → bun add @workos-inc/authkit-sveltekit
-else → npm install @workos-inc/authkit-sveltekit
+pnpm-lock.yaml? → pnpm add @workos/authkit-sveltekit
+yarn.lock? → yarn add @workos/authkit-sveltekit
+bun.lockb? → bun add @workos/authkit-sveltekit
+else → npm install @workos/authkit-sveltekit
 ```
 
 **Verify:** SDK package exists in node_modules before continuing.
@@ -57,7 +105,7 @@ If `src/hooks.server.ts` already exists with custom logic, use SvelteKit's `sequ
 
 ```typescript
 import { sequence } from '@sveltejs/kit/hooks';
-import { authkitHandle } from '@workos-inc/authkit-sveltekit'; // Check README for exact export
+import { authkitHandle } from '@workos/authkit-sveltekit'; // Check README for exact export
 
 export const handle = sequence(authkitHandle, yourExistingHandle);
 ```
@@ -126,7 +174,7 @@ pnpm build || npm run build
 
 ## Error Recovery
 
-### "Cannot find module '@workos-inc/authkit-sveltekit'"
+### "Cannot find module '@workos/authkit-sveltekit'"
 
 - Check: SDK installed before writing imports
 - Check: SDK package directory exists in node_modules

diff --git a/skills/workos-authkit-tanstack-start/SKILL.md b/skills/workos-authkit-tanstack-start/SKILL.md
@@ -24,7 +24,7 @@ description: Integrate WorkOS AuthKit with TanStack Start applications. Full-sta
 
 **STOP - Do not proceed until complete.**
 
-WebFetch: `https://github.com/workos/authkit-tanstack-start/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/authkit-tanstack-start/main/README.md`
 
 From README, extract:
 
@@ -107,14 +107,6 @@ export default createStart({
 });
 ```
 
-### Verification Checklist
-
-- [ ] `authkitMiddleware` imported from `@workos/authkit-tanstack-react-start`
-- [ ] Middleware in `requestMiddleware` array
-- [ ] File exports the config (default export or named `startInstance`)
-
-Verify: `grep -r "authkitMiddleware" src/ app/ 2>/dev/null`
-
 ## Callback Route (CRITICAL)
 
 Path must match `WORKOS_REDIRECT_URI`. For `/api/auth/callback`:
@@ -208,6 +200,26 @@ function Profile() {
 
 **Note:** Server-side `getAuth()` is preferred for most use cases.
 
+## Verification Checklist (ALL MUST PASS)
+
+Run these commands to confirm integration. **Do not mark complete until all pass:**
+
+```bash
+# 1. Check authkitMiddleware is configured
+grep -r "authkitMiddleware" src/ app/ 2>/dev/null || echo "FAIL: Middleware not configured"
+
+# 2. Check callback route exists
+find src/routes app/routes -name "*callback*" 2>/dev/null
+
+# 3. Check environment variables
+grep -c "WORKOS_" .env 2>/dev/null || echo "FAIL: No env vars found"
+
+# 4. Build succeeds
+pnpm build
+```
+
+**If check #1 fails:** authkitMiddleware must be in src/start.ts (or app/start.ts for legacy) requestMiddleware array. Auth will fail silently without it.
+
 ## Error Recovery
 
 ### "AuthKit middleware is not configured"

diff --git a/skills/workos-authkit-vanilla-js/SKILL.md b/skills/workos-authkit-vanilla-js/SKILL.md
@@ -9,7 +9,7 @@ description: Integrate WorkOS AuthKit with vanilla JavaScript applications. No f
 
 ### Step 1: Fetch README (BLOCKING)
 
-WebFetch: `https://github.com/workos/authkit-js/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/authkit-js/main/README.md`
 
 **README is source of truth.** If this skill conflicts, follow README.
 
@@ -43,16 +43,25 @@ Follow README examples for:
 const authkit = await createClient(clientId);
 ```
 
-## Verification Checklist
+## Verification Checklist (ALL MUST PASS)
 
-- [ ] README fetched and read before writing code
-- [ ] Project type detected (bundled vs CDN)
-- [ ] SDK installed/script added
-- [ ] `createClient()` called with `await`
-- [ ] Client ID provided (env var or hardcoded)
-- [ ] Sign in called from user gesture (click handler)
-- [ ] No console errors on page load
-- [ ] Auth UI updates on sign in/out
+Run these commands to confirm integration. **Do not mark complete until all pass:**
+
+```bash
+# 1. Check SDK is available (bundled or CDN)
+grep -r "createClient\|WorkOS" src/ *.html 2>/dev/null || echo "FAIL: SDK not found"
+
+# 2. Check createClient uses await
+grep -rn "await createClient" src/ *.js *.html 2>/dev/null || echo "FAIL: createClient must be awaited"
+
+# 3. Check sign-in is on user gesture (click handler)
+grep -rn "signIn\|sign_in" src/ *.js *.html 2>/dev/null
+
+# 4. Build succeeds (bundled projects only)
+pnpm build 2>/dev/null || echo "CDN project — verify manually in browser"
+```
+
+**If check #2 fails:** createClient() is async and must be awaited. Using it without await returns a Promise, not a client.
 
 ## Environment Variables
 

diff --git a/skills/workos-elixir/SKILL.md b/skills/workos-elixir/SKILL.md
@@ -37,6 +37,43 @@ Check `.env.local` for:
 - `WORKOS_API_KEY` - starts with `sk_`
 - `WORKOS_CLIENT_ID` - starts with `client_`
 
+## Step 2b: Partial Install Recovery
+
+Before creating new files, check if a previous AuthKit attempt exists:
+
+1. Check if `:workos` is already in `mix.exs` dependencies
+2. Check for incomplete auth code — AuthController exists but has TODO stubs, 501 responses, or missing callback/sign_out functions
+3. If partial install detected:
+   - Do NOT re-add the SDK dependency (it's already there)
+   - Do NOT re-run `mix deps.get` if deps are already fetched
+   - Read existing auth files to understand what's done vs missing
+   - Complete the integration by filling gaps (controller methods, routes)
+   - Preserve any working code — only fix what's broken
+   - Check for missing `/auth/callback` route (most common gap)
+
+## Step 2c: Existing Auth System Detection
+
+Check for existing authentication before integrating:
+
+```
+mix.exs has ':ueberauth'?                          → Ueberauth auth
+mix.exs has ':pow'?                                → Pow auth
+mix.exs has ':guardian'?                           → Guardian JWT auth
+mix.exs has ':phx_gen_auth'?                       → Phoenix generated auth
+config/*.exs has 'Ueberauth' config?               → Ueberauth configured
+router.ex has '/:provider' wildcard auth routes?   → Ueberauth routes
+```
+
+If existing auth detected:
+
+- Do NOT remove or disable it
+- Add WorkOS AuthKit alongside the existing system
+- If Ueberauth is configured, be careful of `/:provider` wildcard routes — use a specific scope like `/auth/workos` to avoid conflicts
+- Reuse existing session infrastructure if compatible
+- Create separate route paths for WorkOS auth
+- Ensure existing auth routes continue to work unchanged
+- Document in code comments how to migrate fully to WorkOS later
+
 ## Step 3: Install SDK
 
 Add the `workos` package to `mix.exs` dependencies:

diff --git a/skills/workos-go/SKILL.md b/skills/workos-go/SKILL.md
@@ -9,7 +9,7 @@ description: Integrate WorkOS AuthKit with Go applications. Supports Gin and std
 
 **STOP. Do not proceed until complete.**
 
-WebFetch: `https://github.com/workos/workos-go/blob/main/README.md`
+WebFetch: `https://raw.githubusercontent.com/workos/workos-go/main/README.md`
 
 The README is the source of truth for SDK API usage. If this skill conflicts with README, follow README.
 
@@ -40,6 +40,41 @@ go.mod contains github.com/gin-gonic/gin?
   +-- No  --> Use stdlib net/http patterns
 ```
 
+## Step 2b: Partial Install Recovery
+
+Before creating new files, check if a previous AuthKit attempt exists:
+
+1. Check if `github.com/workos/workos-go` is already in `go.mod`
+2. Check for incomplete auth code — files that import WorkOS packages but have non-functional handlers (TODO comments, 501 responses, empty handler bodies)
+3. If partial install detected:
+   - Do NOT re-run `go get` (the module is already there)
+   - Read existing auth files to understand what's done vs missing
+   - Complete the integration by filling gaps rather than starting fresh
+   - Preserve any working code — only fix what's broken
+   - If `usermanagement.SetAPIKey()` is already called in `init()`, don't call it again
+   - Always run `go mod tidy` after changes to keep `go.sum` consistent
+
+## Step 2c: Existing Auth System Detection
+
+Check for existing authentication before integrating:
+
+```
+*.go files have 'jwt' or 'JWT'?             → Custom JWT auth
+*.go files have 'oauth2'?                   → OAuth2 middleware
+*.go files have 'authMiddleware'?            → Custom auth middleware
+go.mod has 'golang.org/x/oauth2'?           → OAuth2 package
+go.mod has 'github.com/coreos/go-oidc'?     → OIDC auth
+```
+
+If existing auth detected:
+
+- Do NOT remove or disable it
+- Add WorkOS AuthKit alongside the existing system
+- Create separate route paths for WorkOS auth (e.g., `/auth/workos/login` if `/auth/login` is taken)
+- Match handler signatures to the detected framework (Gin `*gin.Context` vs stdlib `http.ResponseWriter, *http.Request`)
+- Ensure existing auth middleware continues to work on its routes
+- Document in code comments how to migrate fully to WorkOS later
+
 ## Step 3: Install SDK
 
 Run: