
This skill helps you enforce Clay security best practices for keys, rotation, and access control across environments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill clay-security-basics


Files (1): SKILL.md (3.3 KB)
---
name: clay-security-basics
description: |
  Apply Clay security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Clay security configuration.
  Trigger with phrases like "clay security", "clay secrets",
  "secure clay", "clay API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Clay Security Basics

## Overview
Security best practices for Clay API keys, tokens, and access control.

## Prerequisites
- Clay SDK installed
- Understanding of environment variables
- Access to Clay dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
CLAY_API_KEY=sk_live_***
CLAY_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Clay dashboard
# 2. Update environment variable
export CLAY_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${CLAY_API_KEY}" \
  https://api.clay.com/health

# 4. Revoke old key in dashboard
```
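The four steps above are easy to run in the wrong order by hand (revoking the old key before the new one is proven to work). The following is an added example, not code from the skill or the Clay SDK, that encodes the ordering in one function: issue, install, verify, and only then revoke, with a rollback to the old key if the health check fails. The dashboard and health endpoint are modelled by an injected `RotationDeps` interface (an assumption of this example; the real Clay calls are not shown), kept synchronous so the example runs offline, and `fakeDashboard` is a constructed in-memory stand-in for testing.

```typescript
// Added example: Step 2 rotation as code. `RotationDeps` and `fakeDashboard`
// are assumptions for this example, not Clay SDK or dashboard APIs.

export interface ApiKey { id: string; value: string; }

export interface RotationDeps {
  issueKey(): ApiKey;                         // step 1: dashboard issues a key
  setEnv(name: string, value: string): void;  // step 2: update the environment
  healthCheck(apiKey: string): boolean;       // step 3: GET /health with the key
  revokeKey(id: string): void;                // step 4: dashboard revokes a key
}

export type RotationResult =
  | { status: 'rotated'; activeKeyId: string; revokedKeyId: string }
  | { status: 'rolled-back'; activeKeyId: string; revokedKeyId: string; reason: string };

// Issues a replacement, verifies it, and only then revokes the old key. If
// verification fails the old key stays active and the unusable new key is
// revoked, so a bad rotation never leaves the service without a credential.
export function rotateKey(current: ApiKey, deps: RotationDeps): RotationResult {
  const fresh = deps.issueKey();
  deps.setEnv('CLAY_API_KEY', fresh.value);
  if (!deps.healthCheck(fresh.value)) {
    deps.setEnv('CLAY_API_KEY', current.value);
    deps.revokeKey(fresh.id);
    return {
      status: 'rolled-back', activeKeyId: current.id, revokedKeyId: fresh.id,
      reason: 'health check failed with the new key',
    };
  }
  deps.revokeKey(current.id);
  return { status: 'rotated', activeKeyId: fresh.id, revokedKeyId: current.id };
}

// Constructed in-memory stand-in for the dashboard and API, so the workflow
// can be exercised offline. `newKeysWork` simulates a healthy or broken issue.
export function fakeDashboard(current: ApiKey, newKeysWork: boolean) {
  const env: Record<string, string> = { CLAY_API_KEY: current.value };
  const issued = new Map<string, string>([[current.value, current.id]]); // value -> id
  const revoked = new Set<string>();
  let n = 0;
  const deps: RotationDeps = {
    issueKey() {
      n += 1;
      const key = { id: `key-${n}`, value: `sk_live_fake${n}` }; // constructed value
      issued.set(key.value, key.id);
      return key;
    },
    setEnv(name, value) { env[name] = value; },
    healthCheck(apiKey) {
      const id = issued.get(apiKey);
      return newKeysWork && id !== undefined && !revoked.has(id);
    },
    revokeKey(id) { revoked.add(id); },
  };
  return { deps, env, revoked };
}
```

In a real integration the four `RotationDeps` methods would wrap the dashboard API and the `curl` health check shown above; the point of the wrapper is that no caller can reach `revokeKey` on the old key without a passing health check first.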

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | Only required scopes |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |
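The table pairs each issue with a detection, but leaves the detections as prose. The following is an added example, not part of the skill's own files, that implements all three as code: a git-scan for literal key assignments and tracked dotenv files, a per-environment scope check following the Step 3 table, and a key-age check using the 90-day cadence from the FAQ. The key-inventory shape, the `sk_live_` style sample values, the dotenv path patterns (taken from the Step 1 `.gitignore`), the placeholder heuristics and the `runDemo` data are all assumptions constructed for this example; it also generalises the table slightly by letting production's "only required scopes" be an explicit allow-list supplied by the caller.

```typescript
// Added example: the Error Handling detections as code. Inventory shape,
// scope policy encoding, path patterns and sample data are assumptions.

export type Environment = 'development' | 'staging' | 'production';

export interface KeyInventoryEntry {
  id: string;
  environment: Environment;
  scopes: string[];
  createdAt: string; // ISO 8601 date
}

export interface Finding {
  issue: 'exposed-key' | 'excessive-scopes' | 'missing-rotation';
  subject: string; // key id or file path
  detail: string;
}

// Scope policy per environment (Step 3). Production is an explicit allow-list
// supplied by the caller, since "only required scopes" is deployment-specific.
const SCOPE_ALLOWED: Record<Environment, (scope: string, required: Set<string>) => boolean> = {
  development: (s) => s.startsWith('read:'),
  staging: (s) => s.startsWith('read:') || s === 'write:limited',
  production: (s, required) => required.has(s),
};

export function checkScopes(entry: KeyInventoryEntry, requiredProdScopes: Set<string>): Finding[] {
  const allowed = SCOPE_ALLOWED[entry.environment];
  return entry.scopes
    .filter((s) => !allowed(s, requiredProdScopes))
    .map((s) => ({
      issue: 'excessive-scopes' as const, subject: entry.id,
      detail: `scope ${s} is not permitted in ${entry.environment}`,
    }));
}

export function checkRotation(entry: KeyInventoryEntry, now: Date, maxAgeDays = 90): Finding[] {
  const ageDays = (now.getTime() - Date.parse(entry.createdAt)) / 86_400_000;
  if (ageDays <= maxAgeDays) return [];
  return [{ issue: 'missing-rotation', subject: entry.id,
            detail: `key is ${Math.floor(ageDays)} days old, limit is ${maxAgeDays}` }];
}

// Files the Step 1 .gitignore says must never be tracked: .env, .env.local, .env.*.local
const DOTENV_PATH = /(^|\/)\.env(\.local|\.[^/]+\.local)?$/;
// `CLAY_API_KEY=...` or `export CLAY_SECRET="..."` at the start of a line.
const KEY_ASSIGNMENT = /^(?:export\s+)?(CLAY_API_KEY|CLAY_SECRET)\s*=\s*["']?([^"'\s]+)/gm;
// Values that are obviously placeholders rather than real secrets (heuristic).
const PLACEHOLDER = /^(\*+|<[^>]+>|\$\{[^}]+\}|\$[A-Z_]+)$/;

export function scanForExposedKeys(files: Record<string, string>, trackedPaths: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const path of trackedPaths) {
    const content = files[path];
    if (content === undefined) continue;
    if (DOTENV_PATH.test(path)) {
      findings.push({ issue: 'exposed-key', subject: path, detail: 'dotenv file is tracked by git' });
    }
    for (const m of content.matchAll(KEY_ASSIGNMENT)) {
      const [, name, value] = m;
      if (!PLACEHOLDER.test(value ?? '')) {
        findings.push({ issue: 'exposed-key', subject: path, detail: `${name} is assigned a literal value` });
      }
    }
  }
  return findings;
}

export function auditClayConfig(
  inventory: KeyInventoryEntry[], files: Record<string, string>, trackedPaths: string[],
  now: Date, requiredProdScopes: Set<string>,
): Finding[] {
  return [
    ...scanForExposedKeys(files, trackedPaths),
    ...inventory.flatMap((e) => [...checkScopes(e, requiredProdScopes), ...checkRotation(e, now)]),
  ];
}

// Constructed sample data; every path, key id and value here is made up.
export function runDemo(): Finding[] {
  const files: Record<string, string> = {
    '.env': 'CLAY_API_KEY=sk_live_abc123\nCLAY_SECRET=***\n',
    '.env.example': 'CLAY_API_KEY=<your-key>\nCLAY_SECRET=${CLAY_SECRET}\n',
    'scripts/run.sh': 'export CLAY_API_KEY="sk_live_deadbeef"\n',
    'src/config.ts': 'const key = process.env.CLAY_API_KEY;\n',
  };
  const inventory: KeyInventoryEntry[] = [
    { id: 'dev-1', environment: 'development', scopes: ['read:*'], createdAt: '2024-01-01' },
    { id: 'dev-2', environment: 'development', scopes: ['read:*', 'write:*'], createdAt: '2024-01-15' },
    { id: 'stg-1', environment: 'staging', scopes: ['read:*', 'write:limited'], createdAt: '2024-01-10' },
    { id: 'prod-1', environment: 'production', scopes: ['read:contacts', 'write:contacts', 'admin:*'], createdAt: '2023-09-01' },
  ];
  return auditClayConfig(inventory, files, Object.keys(files), new Date('2024-02-01'),
    new Set(['read:contacts', 'write:contacts']));
}
```

Run against the sample data, `runDemo()` reports the tracked `.env` and its literal `CLAY_API_KEY`, the exported key in `scripts/run.sh`, `write:*` on a development key, `admin:*` on the production key, and the 153-day-old production key, while leaving `.env.example` (placeholders only) and `src/config.ts` (reads the variable, never assigns it) clean. In a CI job the `files` map would come from `git ls-files` and the inventory from the dashboard; the mapping to the table's mitigations (rotate, reduce, schedule) is then keyed on `issue`.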

## Examples

### Service Account Pattern
```typescript
// Assumes `ClayClient` is imported from the Clay SDK (not shown in the original).
// Fail fast on a missing variable rather than constructing a client with an
// undefined key, which would otherwise surface later as an opaque auth error.
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`Missing required environment variable ${name}`);
  return value;
}

// One client per role, each with its own key and scopes, so a read-only
// code path never holds a key that can write.
const clients = {
  reader: new ClayClient({ apiKey: requireEnv('CLAY_READ_KEY') }),
  writer: new ClayClient({ apiKey: requireEnv('CLAY_WRITE_KEY') }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

// Verify an HMAC-SHA256 signature over the raw request body. The signature is
// expected as a hex string; compare the decoded bytes, not the strings.
function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest();
  const received = Buffer.from(signature, 'hex');
  // timingSafeEqual throws when the buffers differ in length, so a malformed
  // or truncated header must be rejected here rather than crash the handler.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

// Assumes `clayClient` (a configured Clay SDK client) is in scope.
// Keep API keys and other secrets out of `metadata`: the entry is written
// to two sinks and both are retained for compliance.
async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Clay analytics
  await clayClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage (assumes an authenticated `currentUser` is in scope; top-level
// await requires an ES module context)
await auditLog({
  action: 'clay.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Clay Security Guide](https://docs.clay.com/security)
- [Clay API Scopes](https://docs.clay.com/scopes)

## Next Steps
For production deployment, see `clay-prod-checklist`.

Overview

This skill applies Clay security best practices for managing API keys, tokens, webhooks, and access control across environments. It focuses on secure secret storage, key rotation, least-privilege scopes, webhook verification, and audit logging. Use it to harden integrations and reduce blast radius from exposed credentials.

How this skill works

The skill inspects configuration patterns and recommends concrete changes: moving secrets into environment variables, adding .gitignore entries, and separating keys per environment. It describes a rotation workflow for issuing, testing, and revoking keys, shows service-account patterns for readers/writers, and provides code examples for webhook signature verification and audit logging. It also maps detection to mitigation for common issues like exposed keys or excessive scopes.

When to use it

  • Securing Clay API keys before deploying to staging or production
  • Implementing least-privilege scopes for different environments
  • Auditing an existing Clay configuration for secrets and access problems
  • Adding webhook signature verification to incoming callbacks
  • Establishing or improving audit logging for Clay API usage

Best practices

  • Store all API keys in environment variables and never commit .env files to version control
  • Keep separate keys per environment (dev, staging, prod) with minimal scopes
  • Rotate keys regularly: deploy new key, verify, then revoke the old key
  • Validate webhook signatures using HMAC and timing-safe comparison
  • Log key usage and security events to an audit stream and local logs for compliance

Example use cases

  • CI/CD pipeline that loads CLAY_API_KEY from secrets manager and rejects builds if .env is tracked
  • A microservice using separate reader and writer Clay clients with different API keys
  • Incident response playbook: detect exposed key via git scan, rotate immediately, and update deployments
  • Webhook endpoint verifying signatures before processing events and recording audit entries
  • Pre-deployment security checklist that enforces minimal scopes and key rotation deadlines

FAQ

How often should I rotate Clay API keys?

Rotate keys regularly based on your risk profile; a common cadence is every 90 days or immediately after any suspected exposure.

What if I find a key committed to git?

Revoke the key immediately, rotate to a new key, update all deployments and rotate any derived secrets; scan history and notify affected teams.