CLAUDE DESKTOP & COWORK. OAUTH2 + PKCE, SKILLS IN EVERY SESSION.

Cowork opens with a blank slate. No memory of your last session, no record of the brand voice you shaped last week, no trace of the client-report template you wrote on Tuesday. You re-paste context, or accept that Claude sounds a little different every time.

The systemprompt.io connection uses OAuth2 with PKCE. Click connect, log in at systemprompt.io, approve. An authorisation code comes back, Cowork exchanges it at the token endpoint, and the session binds. No API key lands on disk. PKCE binds the code exchange to the one-time secret Cowork generated for the flow, so a captured code cannot be replayed from another machine. The authorize validator rejects missing or weak challenges outright; the file is named in the references.

Once the handshake completes, every skill on your account is available in Cowork. Your Anthropic login, Google credentials, and GitHub token do not travel through the connection. The plugin receives short-lived session JWTs that identify the user, not keys to upstream accounts. Staff engineers verifying this read the OIDC discovery document, authorize endpoint, and token exchange, all in one binary you run yourself.

A fresh chat every time is not just inconvenient. The tone, the process, and the correction you made at message forty die when the window closes. The next session starts with a Claude that does not know you.

A systemprompt.io skill is a Markdown document plus a small config block. It holds the instructions you want Claude to follow, tags for grouping, and an enabled flag so you can switch one off without deleting it. "My skills" means the Markdown files you wrote, not hidden features and not a shared prompt library. Read every one of them in the dashboard, edit in your browser, export as files. Cancel your account and you walk away with the Markdown.

Each skill scopes to your account through an owner reference, which is how the server decides whose skills to return when Cowork asks. The skill service loads them at session start, and a runtime injector merges the skill's instructions onto the base prompt before the tool call runs. A compliance officer finds the skill that shaped a response in the same audit row as the tool call. The loader file is named in the references.

Skills are not a one-time import. They live on the dashboard and change as you do. When a client sends fresh brand guidelines on Friday, the old version is already wrong.

Edit a skill in the browser and the ingestion service reads the updated config, pulls the Markdown body, and writes the new version to the database. The next Cowork session asks for your skills at start and gets the fresh copy. The reverse works too. A skill you draft inside a Cowork conversation lands on the dashboard for later editing. The injector file that merges skill content onto the prompt is named in the references.

For a team workspace, the plugin manifest controls which organisation skills distribute to members. That channel is separate from personal skills. Personal skills stay in your account. Team skills publish through an admin and reach members. The two do not cross over unless an admin promotes a personal skill into the team library.

A skill you cannot find when you need it is a skill you will not use. If the brand voice guide lives three tabs deep in a dashboard, you paste a rough approximation instead and the tone drifts.

Type a forward slash in Cowork and your skills appear as commands. Pick one and Claude receives the skill's instructions as part of the prompt for that turn. The slash command is a thin shell around the same injector the rest of the plugin uses, so a skill behaves the same whether you invoke it explicitly or an agent routes to it. The injector file is named below if you want to confirm that the merge happens before the model sees the message.

The loader supports an auto-discover mode that picks up every skill file in a directory, so adding a skill is a matter of dropping a Markdown file on the dashboard and reloading. Bind a skill to a specific agent or MCP server for scope, or leave it available everywhere. The loader iterates the directory, not a fixed list, so the count is unbounded.

If you use Cowork at work and at home, the two tenants should stay separate. Personal experiment skills should not land in your employer's dashboard. The employer's confidential process skills should not sit on a machine you control.

Every skill load passes an RBAC check before content returns. The server resolves the session token to a principal, looks up the skill's owner, and compares. A mismatch returns nothing, not even an error that would confirm the skill exists. The same middleware protects the rest of systemprompt.io, which is why personal skills stay invisible to a team workspace you belong to, and a team workspace's skills only return when you connect under that workspace. The permission middleware and load service are named below for a compliance officer tracing a request.

Lifecycle hooks let a team workspace attach policy at named points in the session. The set covers before and after every tool call with a failure variant, session start, session end, prompt submission, notifications, stops, and subagent start and stop. A team hook can inspect a tool call and block it, or log every prompt for audit, without code on your laptop. The HookEvent enum is in the hooks module and staff engineers confirming the surface has not grown silently can read it there.