playbooks

home / skills / jeremylongshore / claude-code-plugins-plus-skills / apollo-security-basics

apollo-security-basics skill

/plugins/saas-packs/apollo-pack/skills/apollo-security-basics

This skill helps secure Apollo integrations with best practices for API keys, data protection, and access controls.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill apollo-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
8.3 KB
---
name: apollo-security-basics
description: |
  Apply Apollo.io API security best practices.
  Use when securing Apollo integrations, managing API keys,
  or implementing secure data handling.
  Trigger with phrases like "apollo security", "secure apollo api",
  "apollo api key security", "apollo data protection".
allowed-tools: Read, Grep, Bash(curl:*)
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Apollo Security Basics

## Overview
Implement security best practices for Apollo.io API integrations including key management, data protection, and access controls.

## API Key Security

### Never Hardcode Keys
```typescript
// BAD - Never do this
const apiKey = 'sk_live_abc123...';

// GOOD - Use environment variables
const apiKey = process.env.APOLLO_API_KEY;

// BETTER - Validate on startup
if (!process.env.APOLLO_API_KEY) {
  throw new Error('APOLLO_API_KEY environment variable is required');
}
```

### Secure Storage
```bash
# .env file (never commit!)
APOLLO_API_KEY=your-api-key-here

# .gitignore (always include!)
.env
.env.local
.env.*.local
*.key
```

### Key Rotation
```typescript
// src/lib/apollo/key-rotation.ts
interface KeyConfig {
  primary: string;
  secondary?: string;
  rotateAt?: Date;
}

class ApiKeyManager {
  private config: KeyConfig;

  constructor() {
    this.config = {
      primary: process.env.APOLLO_API_KEY!,
      secondary: process.env.APOLLO_API_KEY_SECONDARY,
      rotateAt: process.env.APOLLO_KEY_ROTATE_AT
        ? new Date(process.env.APOLLO_KEY_ROTATE_AT)
        : undefined,
    };
  }

  getActiveKey(): string {
    if (this.config.rotateAt && new Date() > this.config.rotateAt) {
      if (this.config.secondary) {
        return this.config.secondary;
      }
      console.warn('Key rotation date passed but no secondary key available');
    }
    return this.config.primary;
  }

  async testKey(key: string): Promise<boolean> {
    try {
      const response = await axios.get('https://api.apollo.io/v1/auth/health', {
        params: { api_key: key },
      });
      return response.status === 200;
    } catch {
      return false;
    }
  }

  async rotateKeys(): Promise<void> {
    if (!this.config.secondary) {
      throw new Error('No secondary key configured for rotation');
    }

    // Verify secondary key works
    const isValid = await this.testKey(this.config.secondary);
    if (!isValid) {
      throw new Error('Secondary key is invalid');
    }

    // Swap keys
    console.log('Rotating API keys...');
    this.config.primary = this.config.secondary;
    this.config.secondary = undefined;
    // TODO: Persist to secure storage
  }
}
```

## Network Security

### HTTPS Only
```typescript
// Force HTTPS
const apolloClient = axios.create({
  baseURL: 'https://api.apollo.io/v1', // Always HTTPS
  timeout: 30000,
});

// Validate SSL certificates (default in production)
// For development ONLY, you might need:
// httpsAgent: new https.Agent({ rejectUnauthorized: false })
```

### IP Allowlisting
```typescript
// If using Apollo Enterprise with IP restrictions
// Configure your server's outbound IP in Apollo settings

// For cloud deployments, use static IPs:
// - Google Cloud: Configure Cloud NAT with static IPs
// - AWS: Use NAT Gateway with Elastic IP
// - Azure: Configure NAT Gateway with public IP
```

## Data Protection

### PII Handling
```typescript
// src/lib/apollo/pii-handler.ts
const PII_FIELDS = ['email', 'phone', 'personal_email', 'mobile_phone'];

function redactPII(data: any, fields: string[] = PII_FIELDS): any {
  if (!data) return data;

  if (Array.isArray(data)) {
    return data.map((item) => redactPII(item, fields));
  }

  if (typeof data === 'object') {
    const result: any = {};
    for (const [key, value] of Object.entries(data)) {
      if (fields.includes(key) && typeof value === 'string') {
        result[key] = redactForLogging(value);
      } else {
        result[key] = redactPII(value, fields);
      }
    }
    return result;
  }

  return data;
}

function redactForLogging(value: string): string {
  if (value.includes('@')) {
    // Email: show first 2 chars and domain
    const [local, domain] = value.split('@');
    return `${local.substring(0, 2)}***@${domain}`;
  }
  // Phone: show last 4 digits
  return `***-***-${value.slice(-4)}`;
}

// Usage in logging
console.log('Contact data:', redactPII(contactData));
```

### Secure Logging
```typescript
// src/lib/apollo/secure-logger.ts
import pino from 'pino';

const logger = pino({
  redact: {
    paths: [
      'api_key',
      'apiKey',
      '*.api_key',
      '*.email',
      '*.phone',
      'headers.authorization',
    ],
    censor: '[REDACTED]',
  },
});

// Apollo request interceptor with secure logging
apolloClient.interceptors.request.use((config) => {
  logger.info({
    type: 'apollo_request',
    method: config.method,
    url: config.url,
    // Don't log full request body
    bodyKeys: config.data ? Object.keys(config.data) : [],
  });
  return config;
});
```

### Data Retention
```typescript
// src/lib/apollo/data-retention.ts
interface CacheConfig {
  ttlMinutes: number;
  maxEntries: number;
}

class SecureCache {
  private cache = new Map<string, { data: any; expiresAt: number }>();
  private config: CacheConfig;

  constructor(config: CacheConfig) {
    this.config = config;
    // Cleanup expired entries every minute
    setInterval(() => this.cleanup(), 60000);
  }

  set(key: string, data: any): void {
    // Enforce max entries
    if (this.cache.size >= this.config.maxEntries) {
      const oldest = [...this.cache.entries()].sort(
        (a, b) => a[1].expiresAt - b[1].expiresAt
      )[0];
      if (oldest) this.cache.delete(oldest[0]);
    }

    this.cache.set(key, {
      data,
      expiresAt: Date.now() + this.config.ttlMinutes * 60 * 1000,
    });
  }

  get(key: string): any | null {
    const entry = this.cache.get(key);
    if (!entry) return null;
    if (Date.now() > entry.expiresAt) {
      this.cache.delete(key);
      return null;
    }
    return entry.data;
  }

  private cleanup(): void {
    const now = Date.now();
    for (const [key, entry] of this.cache.entries()) {
      if (now > entry.expiresAt) {
        this.cache.delete(key);
      }
    }
  }

  clear(): void {
    this.cache.clear();
  }
}

// Short TTL for sensitive data
export const apolloCache = new SecureCache({
  ttlMinutes: 15,
  maxEntries: 1000,
});
```

## Access Control

### Role-Based API Key Usage
```typescript
// Different keys for different access levels
const API_KEYS = {
  readonly: process.env.APOLLO_API_KEY_READONLY,
  standard: process.env.APOLLO_API_KEY_STANDARD,
  admin: process.env.APOLLO_API_KEY_ADMIN,
};

function getApiKeyForOperation(operation: string): string {
  const readOnlyOps = ['search', 'enrich', 'get'];
  const adminOps = ['delete', 'bulk_update'];

  if (adminOps.some((op) => operation.includes(op))) {
    return API_KEYS.admin!;
  }
  if (readOnlyOps.some((op) => operation.includes(op))) {
    return API_KEYS.readonly!;
  }
  return API_KEYS.standard!;
}
```

## Security Checklist

### Pre-Deployment
- [ ] API key stored in environment variables
- [ ] .env files added to .gitignore
- [ ] No hardcoded credentials in code
- [ ] HTTPS enforced for all requests
- [ ] Timeout configured for requests
- [ ] Error responses don't leak sensitive data

### Production
- [ ] API key rotation schedule established
- [ ] Logging redacts PII
- [ ] Cache has appropriate TTL
- [ ] Access audit trail enabled
- [ ] Rate limiting implemented
- [ ] IP allowlisting configured (if enterprise)

### Compliance
- [ ] Data retention policy documented
- [ ] GDPR/CCPA requirements met
- [ ] Data processing agreement signed
- [ ] Contact export controls in place
- [ ] Deletion capability implemented

## Output
- Secure API key management
- PII redaction for logging
- Data retention controls
- Role-based access patterns
- Security audit checklist

## Error Handling
| Issue | Mitigation |
|-------|------------|
| Key exposure | Immediate rotation |
| PII in logs | Implement redaction |
| Unauthorized access | Audit and revoke |
| Data breach | Follow incident response |

## Resources
- [Apollo Security Practices](https://www.apollo.io/security)
- [OWASP API Security](https://owasp.org/www-project-api-security/)
- [GDPR for API Developers](https://gdpr.eu/)

## Next Steps
Proceed to `apollo-prod-checklist` for production deployment.

Overview

This skill helps apply Apollo.io API security best practices for integrations, key management, and data protection. It focuses on practical controls like secure key storage, rotation, HTTPS enforcement, PII redaction, and role-based key usage. Use it to harden Apollo connections before deployment and during production operations.

How this skill works

The skill inspects integration points and recommends patterns: environment-based key storage, key rotation workflows, outbound network controls, secure logging, and short-lived caching for sensitive data. It provides reusable code patterns and configuration checks (HTTPS, timeouts, IP allowlisting) and prescribes role-based API key selection and PII redaction for logs and telemetry.

When to use it

  • When adding or updating Apollo API integrations
  • Before committing code that touches Apollo credentials
  • During security reviews or pre-deployment checklists
  • When implementing logging, caching, or data retention for Apollo data
  • If you need role-based access or IP allowlisting for enterprise deployments

Best practices

  • Never hardcode API keys; read from environment and validate at startup
  • Store keys in secure secret stores and exclude .env files from VCS
  • Implement key rotation with a verified secondary key and automated swap
  • Enforce HTTPS, validate SSL, use timeouts and retry limits
  • Redact PII in logs and limit how much request/response data you log
  • Use short TTL caches for sensitive data and enforce max entries

Example use cases

  • Server app reading APOLLO_API_KEY from environment and failing fast if missing
  • Rotation routine that verifies a secondary key before promoting it to primary
  • Interceptor that logs request metadata but redacts email and phone fields
  • Cache layer that expires contact data after 15 minutes to reduce retention risk
  • Mapping operations to readonly/standard/admin keys to enforce least privilege

FAQ

How should I store Apollo API keys in production?

Use a managed secrets store (KMS/Secrets Manager) or environment variables injected by your deployment system. Never commit keys to source control; validate presence on startup.

When should I rotate keys?

Establish a rotation schedule (e.g., 90 days) and rotate immediately on suspected exposure. Always verify the new key works before switching and automate rotation where possible.