Client-Server Development Tools
Date: 2026-03-29 Context: Tools for building robust client-server architectures with Claude Code.
This catalog covers best-in-class tools across eight categories of client-server development. Each entry includes what the tool does, which development loop phase it belongs to, how to install it, and how it integrates with Claude Code.
Integration methods key:
- CLI shell-out — Claude Code runs the tool directly via
Bash - MCP server — dedicated Model Context Protocol server available
- Hook — can be wired as a pre/post-commit or pre-push hook
- Plugin — Claude Code plugin or extension available
Authentication & Authorization (implement)
OAuth & Identity Providers
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Auth.js (formerly NextAuth.js) | Framework-agnostic auth for Next.js, SvelteKit, etc. with 80+ OAuth providers. The established leader for Next.js authentication. | implement | npm i next-auth |
CLI shell-out (scaffold config, generate provider blocks) |
| Better Auth | Comprehensive TypeScript auth framework — sessions, email verification, passkeys, magic links, team management. Works with 20+ frameworks. The most flexible modern open-source option. | implement | npm i better-auth |
CLI shell-out (scaffold, configure providers) |
| Passport.js | Express-compatible auth middleware with 500+ strategies (OAuth, LDAP, SAML, local). Mature ecosystem, widely deployed. | implement | npm i passport |
CLI shell-out (generate strategy configs) |
| Clerk | Managed auth platform with polished prebuilt React UI components. Free tier covers 10,000 MAUs. Fastest path to production auth UX. | implement | npm i @clerk/nextjs |
CLI shell-out (SDK config, environment setup) |
| Auth0 SDK | Enterprise-grade managed auth supporting virtually every OAuth pattern — social logins, SAML, SSO, fine-grained rules. | implement | npm i @auth0/nextjs-auth0 |
CLI shell-out (SDK config, rules scaffolding) |
| Firebase Auth | Google-hosted auth with email/password, phone, and social providers. Tight integration with other Firebase services. | implement | npm i firebase |
CLI shell-out (firebase CLI, config generation) |
| Supabase Auth | Open-source, Postgres-based auth with row-level security. Free tier up to 50,000 MAUs. Part of the broader Supabase platform. | implement | npm i @supabase/supabase-js |
CLI shell-out (supabase CLI, migration generation) |
| Keycloak | Open-source identity and access management by Red Hat. Full control over auth infrastructure — SSO, LDAP federation, social login. | implement | docker run -p 8080:8080 quay.io/keycloak/keycloak start-dev |
CLI shell-out (Docker, REST API via curl) |
| Ory (Kratos/Hydra) | Open-source identity suite — Kratos (identity), Hydra (OAuth2/OIDC), Keto (permissions), Oathkeeper (access proxy). Most comprehensive open-source auth stack. | implement | docker compose up (see Ory docs) |
CLI shell-out (Ory CLI, Docker) |
| Lucia (deprecated) | Lightweight session-based auth library. Deprecated as of March 2025 — now a learning resource. Maintainers recommend Oslo and Arctic libraries instead. | — | npm i lucia (legacy) |
Not recommended for new projects |
JWT Tools
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| jose | Universal JavaScript JOSE implementation (JWT, JWS, JWE, JWK). Works in Node.js, Deno, Bun, browsers, and edge runtimes. Zero dependencies. | implement | npm i jose |
CLI shell-out (token generation/verification scripts) |
| jsonwebtoken | Classic Node.js JWT implementation. Widely used, simple API for sign/verify. | implement | npm i jsonwebtoken |
CLI shell-out (token scripts) |
| jwt-cli | Command-line tool for decoding, encoding, and inspecting JWTs. Useful for debugging tokens during development. | verify | brew install jwt-cli or cargo install jwt-cli |
CLI shell-out (decode/inspect tokens directly) |
| PyJWT | Python JWT library for encoding and decoding JSON Web Tokens. | implement | pip install PyJWT |
CLI shell-out (Python scripts) |
Session Management
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| express-session | Server-side session middleware for Express. Supports multiple stores (Redis, Postgres, MongoDB). | implement | npm i express-session |
CLI shell-out (config scaffolding) |
| connect-redis | Redis session store for express-session. Production-grade session persistence. | implement | npm i connect-redis |
CLI shell-out (config scaffolding) |
| iron-session | Encrypted/signed cookie-based sessions for Next.js and Express. No database required. | implement | npm i iron-session |
CLI shell-out (config scaffolding) |
Access Control (RBAC/ABAC)
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| CASL | Isomorphic JavaScript authorization library. Scales from simple claim-based to full attribute-based access control (ABAC). Integrates with React, Vue, Angular, Prisma. | implement | npm i @casl/ability |
CLI shell-out (ability definition generation) |
| Casbin (Apache) | Language-agnostic authorization library supporting ACL, RBAC, ABAC. Available for Go, Node.js, Python, Java, Rust, and more. Policy defined in configuration files. | implement | npm i casbin (Node) / pip install casbin (Python) |
CLI shell-out (policy file generation, model testing) |
| Oso | Authorization framework with a declarative policy language (Polar). Available for Rust, Python, Node.js, Go, Java. | implement | pip install oso / npm i oso |
CLI shell-out (policy authoring, REPL testing) |
| Permit.io | Authorization-as-a-service platform built on open-source tools (OPA, OPAL). Provides a UI for managing RBAC/ABAC policies. | implement | SDK install varies by language | CLI shell-out (SDK config, policy sync) |
API Architecture (plan/implement)
API Gateways
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Kong Gateway | Open-source API gateway supporting REST, GraphQL, gRPC. Plugin ecosystem for auth, rate limiting, logging, transformations. Industry standard. | plan/implement | docker run kong/kong-gateway:latest |
CLI shell-out (Docker, Kong Admin API via curl, declarative config generation) |
| Traefik | Cloud-native application proxy with automatic service discovery. Supports Docker, Kubernetes, and multiple providers. Current version: v3.6. | plan/implement | docker run traefik:v3.6 |
CLI shell-out (Docker, YAML config generation) |
| NGINX | High-performance web server and reverse proxy. Foundational infrastructure for load balancing and API routing. | plan/implement | brew install nginx / apt install nginx |
CLI shell-out (config generation, testing with nginx -t) |
| Caddy | Modern web server with automatic HTTPS. Simpler config than NGINX, built-in reverse proxy and load balancing. | plan/implement | brew install caddy |
CLI shell-out (Caddyfile generation, caddy validate) |
GraphQL Tooling
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Apollo Server | Production-ready GraphQL server. Part of the Apollo ecosystem (Apollo Client, Apollo Router, GraphOS). Most widely adopted. | implement | npm i @apollo/server graphql |
CLI shell-out (schema/resolver scaffolding) |
| GraphQL Yoga | Lightweight, spec-compliant GraphQL server by The Guild. Works with any schema builder (Pothos, Nexus, vanilla graphql-js). | implement | npm i graphql-yoga graphql |
CLI shell-out (server scaffolding) |
| Pothos | Plugin-based GraphQL schema builder for TypeScript. Code-first approach with excellent type inference. v4 current. | implement | npm i @pothos/core |
CLI shell-out (schema type generation) |
| Relay | Facebook's GraphQL client framework. Optimized for performance with compile-time query validation and automatic pagination. | implement | npm i react-relay relay-runtime |
CLI shell-out (Relay compiler, fragment generation) |
Type-Safe APIs (tRPC, gRPC)
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| tRPC | End-to-end typesafe APIs for TypeScript. No schemas or code generation needed — types flow from server to client automatically. v11 current. | implement | npm i @trpc/server @trpc/client |
CLI shell-out (router/procedure scaffolding) |
| Buf CLI | Modern protobuf toolchain replacing protoc. Linting, breaking change detection, and code generation for Protocol Buffers. |
plan/implement | npm i @bufbuild/buf @bufbuild/protobuf |
CLI shell-out (buf lint, buf breaking, buf generate) |
| Connect RPC | Modern gRPC-compatible RPC framework by Buf. Generates idiomatic TypeScript clients, replaces grpc-web. | implement | npm i @connectrpc/connect @bufbuild/protobuf |
CLI shell-out (code generation, server scaffolding) |
| gRPC-web | gRPC for browser clients. Use Connect RPC for new projects; gRPC-web for legacy compatibility. | implement | npm i grpc-web |
CLI shell-out (protoc plugin, code generation) |
| grpcurl | Command-line tool for interacting with gRPC servers. Like curl but for gRPC — supports reflection, JSON input. | verify | brew install grpcurl |
CLI shell-out (API exploration, request testing) |
Real-Time Communication (implement/verify)
WebSocket Libraries
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| ws | Fastest, most popular WebSocket implementation for Node.js. Fully RFC 6455 compliant. ~45M weekly downloads. | implement | npm i ws |
CLI shell-out (server scaffolding) |
| Socket.IO | Real-time bidirectional event-based communication. Automatic reconnection, room support, binary streaming. Falls back to HTTP long-polling. v4.8 current, ~8M weekly downloads. | implement | npm i socket.io (server) / npm i socket.io-client (client) |
CLI shell-out (server/namespace scaffolding) |
| Soketi | Open-source WebSocket server built on uWebSockets.js. Pusher-compatible protocol — drop-in replacement for Pusher. | implement | npm i -g @soketi/soketi |
CLI shell-out (server launch, config) |
| Ably | Managed real-time messaging platform. Pub/sub, presence, history, push notifications. Free tier available. | implement | npm i ably |
CLI shell-out (SDK config, channel setup) |
| Pusher | Managed real-time infrastructure. Channels for pub/sub, presence channels for user awareness. Widely used. | implement | npm i pusher (server) / npm i pusher-js (client) |
CLI shell-out (SDK config) |
WebSocket Testing
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| wscat | Interactive WebSocket client for the command line. Connect, send messages, inspect responses. Node.js-based. | verify | npm i -g wscat |
CLI shell-out (wscat -c ws://localhost:8080) |
| websocat | Powerful CLI WebSocket client written in Rust. Unix-pipe-style composition for scripting and automation. | verify | brew install websocat |
CLI shell-out (pipe-based testing, scripted scenarios) |
| Artillery | Load testing platform supporting HTTP, WebSocket, Socket.IO, and GraphQL. Serverless and distributed execution. | verify | npm i -g artillery |
CLI shell-out (artillery run scenario.yml, report generation) |
Server-Sent Events
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| eventsource | W3C-compatible EventSource client/polyfill for Node.js and browsers. ~500K weekly downloads. | implement | npm i eventsource |
CLI shell-out (client scaffolding) |
| express-sse | Simple SSE middleware for Express. Handles connection management and keep-alive. | implement | npm i express-sse |
CLI shell-out (endpoint scaffolding) |
| sse-channel | SSE broadcasting channel for Node.js. Supports multiple clients, history replay, and auto-reconnect. | implement | npm i sse-channel |
CLI shell-out (server scaffolding) |
| curl (SSE testing) | Built-in tool for testing SSE endpoints — curl -N streams events directly in the terminal. |
verify | Pre-installed on most systems | CLI shell-out (curl -N http://localhost:3000/events) |
Security (implement/verify)
Security Headers & CORS
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Helmet.js | Sets 15 HTTP security headers with a single middleware call for Express apps. Covers X-Frame-Options, CSP, HSTS, and more. | implement | npm i helmet |
CLI shell-out (middleware config, CSP policy generation) |
| helmet-csp | Standalone Content Security Policy middleware extracted from Helmet. Fine-grained CSP directive configuration. | implement | npm i helmet-csp |
CLI shell-out (CSP policy generation) |
| cors | CORS middleware for Express. Configure allowed origins, methods, headers, and credentials. | implement | npm i cors |
CLI shell-out (config scaffolding) |
| CSP Evaluator | Google's tool for evaluating Content Security Policy effectiveness. Identifies bypasses and weaknesses. | verify | Web-based (no install) | CLI shell-out (curl-based API access) |
Security Scanning
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Mozilla Observatory | Scans website HTTP headers for security problems — CSP, HSTS, X-Content-Type-Options, and more. Provides actionable grades. | verify | npm i -g observatory-cli (legacy) / use web API |
CLI shell-out (curl to Observatory API) |
| shcheck | Python-based security header checker. Scans response headers and reports missing/misconfigured headers. | verify | pip install shcheck or clone repo |
CLI shell-out (shcheck -d https://example.com) |
| ahead | CLI equivalent to securityheaders.io. Scans and grades security headers from the command line. | verify | Clone from GitHub | CLI shell-out (scan URLs, parse JSON output) |
| securityheaders | Python tool for checking websites for insecure security headers. Supports batch scanning and Docker deployment. | verify | pip install securityheaders |
CLI shell-out (batch scanning, CI integration) |
Rate Limiting
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| express-rate-limit | Basic rate-limiting middleware for Express. In-memory by default, supports Redis and other stores. | implement | npm i express-rate-limit |
CLI shell-out (middleware config generation) |
| rate-limiter-flexible | High-performance rate limiter supporting Redis, Postgres, MongoDB, MySQL, Memcached, and in-memory. Averages 0.7ms per request in cluster mode. | implement | npm i rate-limiter-flexible |
CLI shell-out (config scaffolding with store selection) |
| rate-limit-redis | Redis store for express-rate-limit. Also supports Redict and Valkey. | implement | npm i rate-limit-redis |
CLI shell-out (config scaffolding) |
| Bottleneck | Lightweight, zero-dependency task scheduler and rate limiter for Node.js. Controls concurrency and execution rate. | implement | npm i bottleneck |
CLI shell-out (limiter config generation) |
Data Integrity (implement/verify)
Schema Validation
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Zod | TypeScript-first schema validation with static type inference. The dominant choice for TypeScript projects. Integrates with tRPC, React Hook Form, and most TypeScript frameworks. | implement | npm i zod |
CLI shell-out (schema generation from types, validation scripts) |
| AJV | Fastest JSON Schema validator. Compiles schemas to optimized JavaScript. Supports JSON Schema draft-06/07/2019-09/2020-12. | implement | npm i ajv |
CLI shell-out (schema validation scripts, compile schemas) |
| Joi | Expressive schema description language and data validator for JavaScript. Rich API with excellent documentation. Server-side focused. | implement | npm i joi |
CLI shell-out (schema generation) |
| Yup | Lightweight validation library inspired by Joi. Popular for client-side form validation with Formik and React Hook Form. | implement | npm i yup |
CLI shell-out (schema generation) |
| Pydantic | Python data validation using type annotations. v2 has dramatically improved performance. The standard for FastAPI. | implement | pip install pydantic |
CLI shell-out (model generation, validation scripts) |
| Marshmallow | Python library for object serialization/deserialization and validation. v4.1 current. Flask-Marshmallow for Flask integration. | implement | pip install marshmallow |
CLI shell-out (schema generation) |
API Contract Testing
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Pact | Consumer-driven contract testing. The consumer writes tests defining expectations; the provider verifies against them. Gold standard for microservice contract testing. | verify | npm i @pact-foundation/pact --save-dev |
CLI shell-out (pact-cli for broker interaction, test scaffolding) |
| Dredd | Language-agnostic API testing tool that validates implementations against OpenAPI/API Blueprint specs. Sends real HTTP requests. | verify | npm i -g dredd |
CLI shell-out (dredd openapi.yml http://localhost:3000) |
| Schemathesis | Property-based API testing that generates thousands of edge-case requests from OpenAPI or GraphQL schemas. Built on Hypothesis. v4.13 current. | verify | pip install schemathesis |
CLI shell-out (schemathesis run https://api.example.com/openapi.json) |
| Spectral | OpenAPI and AsyncAPI linter. Validates API specs against configurable rulesets. Catches design issues before implementation. | plan/verify | npm i -g @stoplight/spectral-cli |
CLI shell-out (spectral lint openapi.yml) |
Caching Tools
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| ioredis | Full-featured Redis client for Node.js. Supports Cluster, Sentinel, Streams, Pipelining, Lua scripting, and Pub/Sub. Used at Alibaba scale. | implement | npm i ioredis |
CLI shell-out (connection config, cache strategy scaffolding) |
| node-redis | Official Redis client for Node.js. Supports Redis Stack and Redis 8 features (search, JSON, time-series). Recommended for new projects. | implement | npm i redis |
CLI shell-out (connection config, cache scaffolding) |
| redis-cli | Command-line interface for Redis. Essential for inspecting cache state, debugging, and manual operations. | verify | Included with Redis: brew install redis |
CLI shell-out (redis-cli GET key, redis-cli MONITOR) |
| Valkey | Linux Foundation fork of Redis (post-license change). Drop-in Redis replacement. Production-ready v8.1 as of March 2026. Used by AWS ElastiCache. | implement | brew install valkey / docker run valkey/valkey |
CLI shell-out (valkey-cli, same commands as redis-cli) |
| memcached | High-performance distributed memory caching system. Lower memory overhead than Redis for simple key-value caching at extreme scale. | implement | brew install memcached |
CLI shell-out (telnet-based inspection, stats) |
Observability (verify)
Error Tracking
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Sentry | Error tracking and performance monitoring with structured logging (added late 2025). SDK v9.17+ for JS, v2.27+ for Python. Source maps, breadcrumbs, release tracking. | verify | npm i @sentry/node (Node) / pip install sentry-sdk (Python) |
CLI shell-out (sentry-cli for releases, source maps, deploy tracking) |
| Bugsnag | Error monitoring with strong mobile crash reporting. Deep Android/iOS data including ANR and OOM crashes. | verify | npm i @bugsnag/node / npm i @bugsnag/react |
CLI shell-out (SDK config, source map upload) |
| SigNoz | Open-source alternative to Sentry/Datadog. OpenTelemetry-native, combines metrics, traces, and logs in one platform. | verify | docker compose up (see SigNoz docs) |
CLI shell-out (Docker, OpenTelemetry SDK config) |
Structured Logging
| Tool | What it does | Phase | Install | Claude Code integration |
|---|---|---|---|---|
| Pino | Fastest Node.js JSON logger. Minimal overhead, structured output, transport-based architecture. Recommended when performance is critical and bundle size matters. | implement | npm i pino |
CLI shell-out (logger config scaffolding, pino-pretty for dev) |
| Winston | Most popular Node.js logging library. Multiple transports (console, file, HTTP, syslog), flexible formatting. Recommended when transport variety matters. | implement | npm i winston |
CLI shell-out (logger config, transport scaffolding) |
| structlog | Python structured logging library. Processes log entries through a pipeline of processors. Integrates with Sentry via structlog-sentry. | implement | pip install structlog |
CLI shell-out (logger config, processor pipeline setup) |
| pino-pretty | Pretty-prints Pino JSON logs for development. Colorized, human-readable output from structured logs. | implement | npm i -D pino-pretty |
CLI shell-out (dev logging config) |
Sources
Authentication & Authorization
- Comparing Top Open-Source Auth Libraries in 2026 (BTST)
- Better Auth Official Site
- Auth.js Official Site
- Lucia Auth Deprecation Notice
- Best Open Source Auth Tools 2026 (Cerbos)
- CASL.js Official Site
- Apache Casbin GitHub
- JWT.io Libraries
API Architecture
- tRPC Official Site
- Pothos GraphQL Official Site
- GraphQL Yoga Docs
- Buf Build Official Site
- Connect RPC Docs
- Kong Gateway Docs
- Traefik Documentation
Real-Time Communication
- Socket.IO 2026 Complete Guide
- WebSocket.org Resources
- WebSockets vs SSE (Ably)
- wscat GitHub
- Artillery WebSocket Engine
Security
- Helmet.js Official Site
- Mozilla Observatory
- shcheck GitHub
- ahead — CLI securityheaders.io equivalent
Rate Limiting & Caching
- rate-limiter-flexible GitHub
- Redis Rate Limiting Tutorial
- express-rate-limit GitHub
- ioredis GitHub
- Redis vs Memcached 2026 Benchmarks
Data Validation & Contract Testing
- Comparing Schema Validation Libraries (Bitovi)
- Pact Foundation Official Site
- Schemathesis Official Site
- Marshmallow Documentation