playbooks

home / skills / jeremylongshore / claude-code-plugins-plus-skills / groq-security-basics

groq-security-basics skill

/plugins/saas-packs/groq-pack/skills/groq-security-basics

This skill helps you secure Groq API keys and enforce least privilege by guiding secret rotation, environment-based access, and audit logging.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill groq-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.3 KB
---
name: groq-security-basics
description: |
  Apply Groq security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Groq security configuration.
  Trigger with phrases like "groq security", "groq secrets",
  "secure groq", "groq API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Groq Security Basics

## Overview
Security best practices for Groq API keys, tokens, and access control.

## Prerequisites
- Groq SDK installed
- Understanding of environment variables
- Access to Groq dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
GROQ_API_KEY=sk_live_***
GROQ_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Groq dashboard
# 2. Update environment variable
export GROQ_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${GROQ_API_KEY}" \
  https://api.groq.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | `Only required scopes` |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |

## Examples

### Service Account Pattern
```typescript
const clients = {
  reader: new GroqClient({
    apiKey: process.env.GROQ_READ_KEY,
  }),
  writer: new GroqClient({
    apiKey: process.env.GROQ_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Groq analytics
  await groqClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'groq.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Groq Security Guide](https://docs.groq.com/security)
- [Groq API Scopes](https://docs.groq.com/scopes)

## Next Steps
For production deployment, see `groq-prod-checklist`.

Overview

This skill packages Groq security best practices for managing API keys, tokens, and access control across environments. It focuses on safe secret storage, regular rotation, least-privilege scopes, and audit logging. Use it to harden integrations that call Groq APIs and to build repeatable security checks for deployments.

How this skill works

The skill inspects configuration and runtime patterns for secrets and access control, recommending environment-variable usage and .gitignore rules to avoid accidental commits. It defines a rotation workflow: generate, verify, switch, and revoke keys, and it outlines environment-specific scopes and service-account separation. It also shows webhook signature verification and a minimal audit logging pattern to record security-relevant events.

When to use it

  • When storing Groq API keys or other secrets in projects
  • When implementing least-privilege access for dev/staging/production
  • When performing security audits of Groq-related configuration
  • When building or reviewing webhook handling and signature verification
  • When setting up automated key rotation and audit logging

Best practices

  • Never commit .env files or raw API keys to source control; add .env and .env.*.local to .gitignore
  • Store keys in environment variables or a secrets manager and use separate keys per environment
  • Apply least privilege: give development read-only, limit staging writes, and restrict production to only required scopes
  • Implement regular key rotation: create new key, validate, switch, then revoke old key
  • Validate webhook signatures using timing-safe HMAC and log verification failures for investigation
  • Record audit entries for key actions (creation, rotation, access) to both remote analytics and local logs for compliance

Example use cases

  • CI/CD pipeline rotates Groq API keys on schedule and runs a smoke test against the health endpoint before swapping
  • Backend service uses separate reader and writer Groq clients with distinct keys and scopes per environment
  • Webhook receiver verifies HMAC signatures and records audit events when payload validation fails
  • Security audit script scans repos for exposed keys, checks key ages, and reports keys with excessive scopes
  • Deployment checklist ensures .env files are ignored, keys stored in the secrets manager, and audit logging enabled for all API calls

FAQ

How often should I rotate Groq API keys?

Rotate regularly based on your risk profile; a common cadence is every 90 days, or immediately if exposure is suspected.

What scopes should production keys have?

Limit production keys to the minimum scopes required for the service to function; avoid broad read:* or write:* unless explicitly needed.