
This skill helps secure Ideogram API keys and enforce least-privilege access with rotation, auditing, and environment-aware safeguards.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill ideogram-security-basics


---
name: ideogram-security-basics
description: |
  Apply Ideogram security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Ideogram security configuration.
  Trigger with phrases like "ideogram security", "ideogram secrets",
  "secure ideogram", "ideogram API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Ideogram Security Basics

## Overview
Security best practices for Ideogram API keys, tokens, and access control.

## Prerequisites
- Ideogram SDK installed
- Understanding of environment variables
- Access to Ideogram dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
IDEOGRAM_API_KEY=sk_live_***
IDEOGRAM_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Ideogram dashboard
# 2. Update environment variable
export IDEOGRAM_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${IDEOGRAM_API_KEY}" \
  https://api.ideogram.com/health

# 4. Revoke old key in dashboard
```
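An added example (not the skill's own code) that encodes the ordering of the runbook above so the old key is revoked only after the new key has been verified. The `verify`, `activate` and `revoke` hooks are assumed callbacks standing in for the curl health check, the environment update and the dashboard revocation:

```typescript
// Added example: fail-safe driver for the rotation runbook. The hooks are
// assumptions (they would wrap the curl /health check, the .env update and the
// dashboard revocation); they are plain synchronous callbacks so this runs offline.
export interface RotationHooks {
  verify: (apiKey: string) => boolean;  // e.g. curl /health with the candidate key
  activate: (apiKey: string) => void;   // update IDEOGRAM_API_KEY where it lives
  revoke: (apiKey: string) => void;     // revoke the key in the Ideogram dashboard
}

export interface RotationResult {
  activeKey: string;
  revokedOld: boolean;
  steps: string[];
}

export function rotateKey(oldKey: string, newKey: string, hooks: RotationHooks): RotationResult {
  const steps: string[] = [];
  if (newKey === oldKey) throw new Error('new key must differ from the old key');

  // Runbook step 3 before step 4: prove the new key works before touching the old one.
  if (!hooks.verify(newKey)) {
    steps.push('new key failed verification; old key left active, nothing revoked');
    return { activeKey: oldKey, revokedOld: false, steps };
  }
  steps.push('new key verified');

  hooks.activate(newKey);
  steps.push('new key activated');

  // Only now is the old key revoked, so a bad rotation never causes an outage.
  hooks.revoke(oldKey);
  steps.push('old key revoked');
  return { activeKey: newKey, revokedOld: true, steps };
}
```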

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | Only the scopes the service requires (no wildcards) |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |
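An added example (not part of the skill) that turns the Step 3 scope table and the "Excessive scopes" / "Missing rotation" rows above into a check you can run over key records. The `KeyRecord` shape, the scope names in the test data and the 90-day threshold (the cadence the FAQ calls common) are assumptions:

```typescript
// Added example: audits one key record against the per-environment scope table
// and a rotation age limit. KeyRecord and the 90-day limit are assumptions.
export type Env = 'development' | 'staging' | 'production';

export interface KeyRecord {
  env: Env;
  scopes: string[];           // scopes granted to the key, e.g. ['read:*']
  createdAt: Date;
  requiredScopes?: string[];  // production: the scopes the service actually needs
}

export interface Finding {
  issue: 'excessive-scopes' | 'missing-rotation';
  detail: string;
  mitigation: string;         // mirrors the Mitigation column of the table above
}

const MAX_KEY_AGE_DAYS = 90;

// Non-production environments must stay within the recommended scope sets.
const ALLOWED: Record<Exclude<Env, 'production'>, string[]> = {
  development: ['read:*'],
  staging: ['read:*', 'write:limited'],
};

export function auditKey(key: KeyRecord, now: Date = new Date()): Finding[] {
  const findings: Finding[] = [];
  let excess: string[];
  if (key.env === 'production') {
    // Production: only declared required scopes, and never a wildcard.
    const required = new Set(key.requiredScopes ?? []);
    excess = key.scopes.filter((s) => s.endsWith(':*') || !required.has(s));
  } else {
    const allowed = new Set(ALLOWED[key.env]);
    excess = key.scopes.filter((s) => !allowed.has(s));
  }
  if (excess.length > 0) {
    findings.push({ issue: 'excessive-scopes', detail: `${key.env} key grants ${excess.join(', ')}`, mitigation: 'Reduce permissions' });
  }
  // Key age check: anything older than the cadence is flagged for rotation.
  const ageDays = Math.floor((now.getTime() - key.createdAt.getTime()) / 86_400_000);
  if (ageDays > MAX_KEY_AGE_DAYS) {
    findings.push({ issue: 'missing-rotation', detail: `key is ${ageDays} days old`, mitigation: 'Schedule rotation' });
  }
  return findings;
}
```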

## Examples

### Service Account Pattern
```typescript
// IdeogramClient is the SDK client class (see the Ideogram SDK docs for the import).
// Each role gets its own key so a leaked read key cannot be used to write,
// and the two keys can be scoped and rotated independently.
const clients = {
  reader: new IdeogramClient({
    apiKey: process.env.IDEOGRAM_READ_KEY,
  }),
  writer: new IdeogramClient({
    apiKey: process.env.IDEOGRAM_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

// Recomputes the HMAC-SHA256 of the raw request body and compares it with the
// signature header in constant time. Lengths are checked first because
// crypto.timingSafeEqual throws on buffers of different length, which would
// turn a malformed or truncated header into an unhandled error instead of a
// clean rejection.
function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  const received = Buffer.from(signature, 'utf8');
  const computed = Buffer.from(expected, 'utf8');
  if (received.length !== computed.length) return false;
  return crypto.timingSafeEqual(received, computed);
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

// `ideogramClient` (an initialized SDK client) and `currentUser` are assumed to
// be in scope; this snippet does not construct them. Never put API keys or
// other secrets in `metadata`: audit entries are long-lived and widely readable.
async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Ideogram analytics
  await ideogramClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'ideogram.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Ideogram Security Guide](https://docs.ideogram.com/security)
- [Ideogram API Scopes](https://docs.ideogram.com/scopes)

## Next Steps
For production deployment, see `ideogram-prod-checklist`.

Overview

This skill teaches Ideogram security basics for managing API keys, secrets, and access control across environments. It focuses on secure storage, automated rotation, least-privilege scopes, webhook verification, and audit logging. Use it to reduce blast radius from leaked credentials and meet basic compliance controls.

How this skill works

The skill inspects common risk points: environment variable handling, key rotation procedures, scope assignment, webhook signature verification, and audit logging. It provides concrete steps and code patterns to store keys out of source control, rotate keys safely, create environment-specific service accounts, and record security events. Follow the checklists and examples to harden an Ideogram integration quickly.

When to use it

  • When storing and deploying Ideogram API keys or secrets
  • During application security reviews or audits
  • When implementing least-privilege access across dev/staging/prod
  • Before enabling webhooks that must be validated
  • When establishing audit logging and incident response workflows

Best practices

  • Never commit .env or secrets to git; keep .env and variants in .gitignore
  • Store keys in environment variables or a secrets manager, not in source code
  • Rotate keys regularly and verify new keys before revoking old ones
  • Issue separate keys per environment and service account roles (reader/writer)
  • Grant only the minimal scopes required for each environment and service

Example use cases

  • Set up dev/staging/production keys with progressively restricted scopes
  • Implement a service account pattern: distinct reader and writer clients with separate keys
  • Add an automated rotation runbook: generate key, update env, test, then revoke old key
  • Validate incoming webhooks using HMAC SHA-256 signature verification
  • Send audit entries to an analytics endpoint and local logs for compliance and forensics

FAQ

How often should I rotate Ideogram API keys?

Rotate keys on a regular cadence based on risk—commonly every 90 days—or immediately after suspected exposure. Automate verification of the new key before revoking the old one.

What scopes should production keys have?

Production keys should have only the specific scopes required for the service to function. Avoid broad wildcard scopes; grant write access only where necessary and narrow read scopes as appropriate.