
This skill helps secure Gamma API integration by enforcing secret management, key rotation, access controls, and audit logging for safer workflows.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill gamma-security-basics


SKILL.md
---
name: gamma-security-basics
description: |
  Implement security best practices for Gamma integration.
  Use when securing API keys, implementing access controls,
  or auditing Gamma security configuration.
  Trigger with phrases like "gamma security", "gamma API key security",
  "gamma secure", "gamma credentials", "gamma access control".
allowed-tools: Read, Write, Edit, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Gamma Security Basics

## Overview
Security best practices for Gamma API integration to protect credentials and data.

## Prerequisites
- Active Gamma integration
- Environment variable support
- Understanding of secret management

## Instructions

### Step 1: Secure API Key Storage
```typescript
import { GammaClient } from '@gamma/sdk';

// NEVER do this: a literal key ends up in git history, build artifacts and bundles
const leakyGamma = new GammaClient({
  apiKey: 'gamma_live_abc123...', // Hardcoded - BAD!
});

// DO this instead: read the key from the environment and fail fast if it is missing,
// rather than silently constructing a client with an undefined key
const apiKey = process.env.GAMMA_API_KEY;
if (!apiKey) {
  throw new Error('GAMMA_API_KEY is not set');
}
const gamma = new GammaClient({ apiKey });
```

**Environment Setup:**
```bash
# .env (add to .gitignore!)
GAMMA_API_KEY=gamma_live_abc123...
```

```typescript
// Load .env into process.env before any client is constructed
import 'dotenv/config';
```

### Step 2: Key Rotation Strategy
```typescript
import { GammaClient } from '@gamma/sdk';

// Keep both keys available during a rollover. Note that `||` only falls through
// to the secondary when the primary is unset, not when Gamma rejects it with a
// 401, so the new key must be verified explicitly before the swap.
const gamma = new GammaClient({
  apiKey: process.env.GAMMA_API_KEY_PRIMARY
    || process.env.GAMMA_API_KEY_SECONDARY,
});

// Rotation procedure (keys are generated and revoked in the Gamma dashboard;
// this function documents the steps, it does not call the dashboard)
async function rotateApiKey() {
  // 1. Generate new key in Gamma dashboard
  // 2. Set GAMMA_API_KEY_SECONDARY to the new key in the secret store
  // 3. Deploy and verify the new key works (make a read-only call with it)
  // 4. Swap PRIMARY and SECONDARY so the new key is primary
  // 5. Revoke the old key in the dashboard
}
```
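The five-step procedure above is easy to get wrong at step 3: if the application only ever uses the primary key, nothing exercises the new secondary before the old key is revoked. The following is an added example, not code from the skill or from Gamma's SDK, of a small client that verifies a candidate key before promoting it and retries once with the other key on a 401. The Gamma API is replaced by a constructed stand-in (`fakeGammaApi`) so the block runs offline; the base URL `https://api.gamma.app` and the probe path `/v1/me` are assumptions, not documented Gamma endpoints.

```typescript
export type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ status: number }>;

export interface KeyPair {
  primary: string;
  secondary?: string;
}

export class RotatingGammaClient {
  private activeKey: string;

  constructor(
    private keys: KeyPair,
    private fetchFn: FetchLike,
    private baseUrl = 'https://api.gamma.app', // assumed, not Gamma's documented base URL
  ) {
    this.activeKey = keys.primary;
  }

  private async send(path: string, key: string): Promise<number> {
    const res = await this.fetchFn(this.baseUrl + path, {
      headers: { Authorization: `Bearer ${key}` },
    });
    return res.status;
  }

  // Use the active key; if Gamma rejects it (401), retry once with the other
  // key and, if that one works, make it the active key.
  async request(path: string): Promise<number> {
    let status = await this.send(path, this.activeKey);
    const fallback =
      this.activeKey === this.keys.primary ? this.keys.secondary : this.keys.primary;
    if (status === 401 && fallback) {
      status = await this.send(path, fallback);
      if (status !== 401) this.activeKey = fallback;
    }
    return status;
  }

  // Step 3: prove the candidate key works before anything is revoked.
  // `/v1/me` is an assumed read-only probe endpoint.
  async verifyKey(candidate: string, probePath = '/v1/me'): Promise<boolean> {
    const status = await this.send(probePath, candidate);
    return status >= 200 && status < 300;
  }

  // Steps 2-4: stage the candidate as secondary, verify it, promote it.
  // Returns the retired key so the caller can revoke it (step 5).
  async rotate(candidate: string): Promise<string> {
    this.keys.secondary = candidate;
    if (!(await this.verifyKey(candidate))) {
      delete this.keys.secondary;
      throw new Error('new key rejected by Gamma; old key left in place');
    }
    const retired = this.keys.primary;
    this.keys = { primary: candidate };
    this.activeKey = candidate;
    return retired;
  }
}

// Constructed stand-in for the Gamma API: any key in `validKeys` is accepted.
export function fakeGammaApi(validKeys: Set<string>): FetchLike {
  return async (_url, init) => {
    const key = (init.headers.Authorization ?? '').replace(/^Bearer /, '');
    return { status: validKeys.has(key) ? 200 : 401 };
  };
}

// Walk through a full rotation, then a key revoked out of band.
export async function demo() {
  const valid = new Set(['gamma_live_OLD']); // constructed key material
  const client = new RotatingGammaClient({ primary: 'gamma_live_OLD' }, fakeGammaApi(valid));
  const beforeRotate = await client.request('/v1/presentations');

  valid.add('gamma_live_NEW');                            // 1. generated in the dashboard
  const retired = await client.rotate('gamma_live_NEW');  // 2-4. stage, verify, promote
  valid.delete(retired);                                  // 5. revoke the old key
  const afterRevoke = await client.request('/v1/presentations');

  // Primary revoked without warning: the request falls back to the secondary.
  valid.add('gamma_live_SPARE');
  const paired = new RotatingGammaClient(
    { primary: 'gamma_live_NEW', secondary: 'gamma_live_SPARE' }, fakeGammaApi(valid));
  valid.delete('gamma_live_NEW');
  const afterFallback = await paired.request('/v1/presentations');

  return { beforeRotate, retired, afterRevoke, afterFallback };
}
```

`rotate()` refuses to drop the old key when the candidate fails verification, which is the failure mode the bare `||` fallback cannot catch. The one-shot retry in `request()` is deliberately limited to a single alternate key so a misconfigured client cannot loop.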

### Step 3: Request Signing (if supported)
```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Sign a request body together with a timestamp. The timestamp is part of the
// MAC input, so it must be sent alongside the signature or the receiver
// cannot recompute it.
function signRequest(payload: object, secret: string): { timestamp: string; signature: string } {
  const timestamp = Date.now().toString();
  const message = timestamp + JSON.stringify(payload);

  const signature = createHmac('sha256', secret)
    .update(message)
    .digest('hex');
  return { timestamp, signature };
}

// Webhook verification: MAC the raw request body exactly as received (not a
// re-serialized JSON object) and compare in constant time.
function verifyWebhook(body: string, signature: string, secret: string): boolean {
  const expected = createHmac('sha256', secret)
    .update(body)
    .digest('hex');

  const received = Buffer.from(signature, 'hex');
  const computed = Buffer.from(expected, 'hex');
  // timingSafeEqual throws on a length mismatch; treat that as a bad signature
  if (received.length !== computed.length) {
    return false;
  }
  return timingSafeEqual(received, computed);
}
```
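Signature checking alone does not stop an attacker from re-sending a captured, validly signed delivery. The block below is an added example, not the skill's code and not Gamma's documented webhook format: it ties the timestamp into the MAC, parses a `t=...,v1=...` header (an assumed layout), rejects deliveries outside a tolerance window, and optionally refuses a signature it has already accepted. Header layout, field names and the sample body are all constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Sender side: MAC the timestamp and the exact bytes that go on the wire.
export function signPayload(rawBody: string, secret: string, timestamp: number): string {
  const mac = createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
  return `t=${timestamp},v1=${mac}`;
}

export interface VerifyOptions {
  toleranceSec?: number; // how old a delivery may be; default 5 minutes
  now?: number;          // unix seconds, injectable for tests
  seen?: Set<string>;    // signatures already accepted inside the window
}

// Parse "t=<unix seconds>,v1=<hex mac>" (assumed header layout).
function parseHeader(header: string): { t: number; v1: string } | null {
  const fields: Record<string, string> = {};
  for (const kv of header.split(',')) {
    const idx = kv.indexOf('=');
    if (idx < 0) return null;
    fields[kv.slice(0, idx).trim()] = kv.slice(idx + 1).trim();
  }
  const t = Number(fields.t);
  if (!Number.isInteger(t) || typeof fields.v1 !== 'string') return null;
  return { t, v1: fields.v1 };
}

// Receiver side: reject malformed, stale, tampered or replayed deliveries.
export function verifySignedPayload(
  rawBody: string,
  header: string,
  secret: string,
  opts: VerifyOptions = {},
): boolean {
  const tolerance = opts.toleranceSec ?? 300;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const parsed = parseHeader(header);
  if (!parsed) return false;
  if (Math.abs(now - parsed.t) > tolerance) return false; // outside the replay window

  const expected = createHmac('sha256', secret).update(`${parsed.t}.${rawBody}`).digest('hex');
  const received = Buffer.from(parsed.v1, 'hex');
  const computed = Buffer.from(expected, 'hex');
  if (received.length !== computed.length) return false; // timingSafeEqual would throw
  if (!timingSafeEqual(received, computed)) return false;

  if (opts.seen) {                                        // same delivery twice in the window
    if (opts.seen.has(parsed.v1)) return false;
    opts.seen.add(parsed.v1);
  }
  return true;
}

// Constructed delivery for a local check.
export const SAMPLE_SECRET = 'whsec_example';
export const SAMPLE_BODY = '{"event":"presentation.created","id":"p_123"}';
export const SAMPLE_HEADER = signPayload(SAMPLE_BODY, SAMPLE_SECRET, 1700000000);
```

The `seen` set must be shared across workers (for example in Redis) and only needs to hold signatures for `toleranceSec`, since anything older is rejected by the timestamp check first. Verify against the raw request body bytes; a framework that parses JSON before your handler runs can change whitespace or key order and invalidate a good signature.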

### Step 4: Access Control Patterns
```typescript
import { GammaClient } from '@gamma/sdk';

interface User {
  id: string;
  permissions: string[];
}

// Scoped API keys (if supported): a read-only key cannot create or delete,
// so a compromise of the read path cannot be escalated to writes
const readOnlyGamma = new GammaClient({
  apiKey: process.env.GAMMA_API_KEY_READONLY,
  scopes: ['presentations:read', 'exports:read'],
});

const fullAccessGamma = new GammaClient({
  apiKey: process.env.GAMMA_API_KEY_FULL,
});

// Application-level permission check before any write with the full-access key
async function createPresentation(user: User, data: object) {
  if (!user.permissions.includes('gamma:create')) {
    throw new Error('Insufficient permissions');
  }
  return fullAccessGamma.presentations.create(data);
}
```

### Step 5: Audit Logging
```typescript
import { GammaClient } from '@gamma/sdk';

// Log who called what. Log only the method and path: never the headers or the
// whole config object, which carry the API key.
function createAuditedClient(userId: string) {
  return new GammaClient({
    apiKey: process.env.GAMMA_API_KEY,
    interceptors: {
      request: (config) => {
        console.log(JSON.stringify({
          timestamp: new Date().toISOString(),
          userId,
          action: `${config.method} ${config.path}`,
          type: 'gamma_api_request',
        }));
        return config;
      },
    },
  });
}
```
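Steps 4 and 5 together amount to a deny-by-default gate in front of the Gamma client plus an audit record that must never contain the key. The following is an added example, not the skill's or the SDK's code, that combines the two: a route table mapping Gamma operations to application permissions (anything unlisted is refused), an audit event for both allowed and denied calls, and a redaction pass over anything logged so a credential-bearing header or body field is masked. The route table, permission names and the transport stub are constructed for the example; the real SDK's `interceptors` option is not used.

```typescript
export interface User { id: string; permissions: string[] }

export interface RequestConfig {
  method: string;
  path: string;
  headers: Record<string, string>;
  body?: unknown;
}

export interface AuditEvent {
  timestamp: string;
  userId: string;
  action: string;
  type: 'gamma_api_request' | 'gamma_access_denied';
  details?: unknown;
}

// Which application permission each Gamma operation needs (assumed paths).
// Anything not listed is denied.
const RULES: { method: string; pathPrefix: string; permission: string }[] = [
  { method: 'GET', pathPrefix: '/v1/presentations', permission: 'gamma:read' },
  { method: 'POST', pathPrefix: '/v1/presentations', permission: 'gamma:create' },
  { method: 'DELETE', pathPrefix: '/v1/presentations', permission: 'gamma:delete' },
];

const SENSITIVE = ['authorization', 'apikey', 'api_key', 'token', 'secret', 'password'];

// Mask any field whose name looks like a credential before it is logged.
export function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE.some((s) => k.toLowerCase().includes(s)) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

export class AuditedGammaClient {
  readonly log: AuditEvent[] = [];

  constructor(
    private apiKey: string,
    private user: User,
    private transport: (cfg: RequestConfig) => number, // stands in for the SDK's HTTP layer
  ) {}

  call(method: string, path: string, body?: unknown): number {
    const action = `${method} ${path}`;
    const rule = RULES.find((r) => r.method === method && path.startsWith(r.pathPrefix));
    if (!rule || !this.user.permissions.includes(rule.permission)) {
      this.audit(action, 'gamma_access_denied');
      throw new Error(`Insufficient permissions for ${action}`);
    }
    const cfg: RequestConfig = {
      method,
      path,
      body,
      headers: { Authorization: `Bearer ${this.apiKey}` },
    };
    // Same role as the Step 5 request interceptor, but the config is redacted first.
    this.audit(action, 'gamma_api_request', redact({ headers: cfg.headers, body: cfg.body }));
    return this.transport(cfg);
  }

  private audit(action: string, type: AuditEvent['type'], details?: unknown): void {
    const event: AuditEvent = {
      timestamp: new Date().toISOString(),
      userId: this.user.id,
      action,
      type,
      details,
    };
    this.log.push(event);
    console.log(JSON.stringify(event)); // ship to the log pipeline in production
  }
}

// Constructed transport that records what would have been sent and answers 200.
export function fakeTransport(): { sent: RequestConfig[]; transport: (cfg: RequestConfig) => number } {
  const sent: RequestConfig[] = [];
  return { sent, transport: (cfg) => { sent.push(cfg); return 200; } };
}
```

Denied calls are logged as well as allowed ones; a burst of `gamma_access_denied` events for one user is the signal the "Unauthorized access" row of the Error Handling table relies on. Redaction by field name is a safety net, not a substitute for never passing the key into the logger in the first place.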

## Security Checklist

- [ ] API keys stored in environment variables
- [ ] .env files in .gitignore
- [ ] No keys in source code or logs
- [ ] Key rotation procedure documented
- [ ] Minimal permission scopes used
- [ ] Audit logging enabled
- [ ] Webhook signatures verified
- [ ] HTTPS enforced for all calls

## Error Handling
| Security Issue | Detection | Remediation |
|----------------|-----------|-------------|
| Exposed key | Secret scanning (GitHub, pre-commit hooks) | Rotate immediately |
| Key in logs | Log audit | Filter sensitive data |
| Unauthorized access | Audit logs | Revoke and investigate |
| Weak permissions | Access review | Apply least privilege |

## Resources
- [Gamma Security Guide](https://gamma.app/docs/security)
- [API Key Management](https://gamma.app/docs/api-keys)
- [OWASP API Security](https://owasp.org/API-Security/)

## Next Steps
Proceed to `gamma-prod-checklist` for production readiness.

Overview

This skill implements security best practices for integrating with Gamma to protect API keys, credentials, and data. It guides secure storage, rotation, request signing, scoped access, and audit logging. The goal is a practical checklist and patterns you can apply in development and production.

How this skill works

The skill inspects integration points and prescribes concrete measures: move secrets to environment variables or a secrets manager, enable key rotation and scoped keys, and add request signing and webhook verification where supported. It also provides interceptor-based audit logging and permission checks to enforce least privilege. Use the patterns and checklist to remediate common Gamma integration risks.

When to use it

  • During initial Gamma integration to avoid leaking credentials
  • When preparing an app for production or a security review
  • If you need to implement or automate API key rotation
  • When adding webhooks, to verify and sign requests
  • When enforcing access controls and audit trails for Gamma actions

Best practices

  • Never hardcode API keys; store them in environment variables or a secrets manager
  • Put .env and secret files in .gitignore and restrict repo access
  • Support multiple keys for seamless rotation: primary/secondary flow
  • Use scoped or read-only keys for limited operations and apply least privilege
  • Verify webhook signatures to reject tampered or forged deliveries, and compare them with a timing-safe function so the check does not leak the expected value
  • Log Gamma API actions with user context, but filter sensitive fields from logs

Example use cases

  • Backend service that loads GAMMA_API_KEY from process environment or secret store
  • Rotation script that updates secondary key, deploys, swaps to primary, then revokes old key
  • Webhook receiver that validates HMAC signatures and rejects invalid requests
  • API gateway adding permission checks and using read-only keys for query endpoints
  • Audit middleware that records timestamp, userId, and Gamma action for investigations

FAQ

How often should I rotate Gamma API keys?

Rotate keys on a regular schedule depending on risk (e.g., 90 days) and immediately after suspected exposure. Support rolling rotation with primary/secondary keys to avoid downtime.

What if Gamma does not support scoped keys?

If scopes are not available, create separate project-level keys with minimized privileges and enforce application-level permission checks before calling Gamma operations.