home / skills / jeremylongshore / claude-code-plugins-plus-skills / instantly-security-basics

instantly-security-basics skill

safe

/plugins/saas-packs/instantly-pack/skills/instantly-security-basics

This skill helps you implement Instantly security basics by enforcing secret rotation, least privilege, and audit logging for safer API usage.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill instantly-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.4 KB

---
name: instantly-security-basics
description: |
  Apply Instantly security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Instantly security configuration.
  Trigger with phrases like "instantly security", "instantly secrets",
  "secure instantly", "instantly API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Instantly Security Basics

## Overview
Security best practices for Instantly API keys, tokens, and access control.

## Prerequisites
- Instantly SDK installed
- Understanding of environment variables
- Access to Instantly dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
INSTANTLY_API_KEY=sk_live_***
INSTANTLY_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Instantly dashboard
# 2. Update environment variable
export INSTANTLY_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${INSTANTLY_API_KEY}" \
  https://api.instantly.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | `Only required scopes` |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |

## Examples

### Service Account Pattern
```typescript
const clients = {
  reader: new InstantlyClient({
    apiKey: process.env.INSTANTLY_READ_KEY,
  }),
  writer: new InstantlyClient({
    apiKey: process.env.INSTANTLY_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Instantly analytics
  await instantlyClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'instantly.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Instantly Security Guide](https://docs.instantly.com/security)
- [Instantly API Scopes](https://docs.instantly.com/scopes)

## Next Steps
For production deployment, see `instantly-prod-checklist`.

Overview

This skill applies Instantly security best practices for API keys, tokens, webhooks, and access control. It guides you to store secrets safely, rotate credentials, enforce least-privilege scopes, and enable audit logging. Use it to reduce risk of credential exposure and to standardize security checks across environments.

How this skill works

The skill inspects how API keys and secrets are managed and recommends actionable changes: environment variable usage, git ignore rules, scoped keys per environment, rotation workflow, and webhook signature verification. It outlines detection and mitigation steps for common security issues and provides patterns for service accounts and audit logging. You can follow the stepwise instructions to verify new keys, revoke old ones, and implement audit entries for compliance.

When to use it

Securing Instantly API keys before deploying to production
Implementing least-privilege access across dev/staging/prod
Auditing existing Instantly configuration for exposed keys or excessive scopes
Setting up webhook signature verification for incoming events
Designing an audit logging workflow for Instantly API activity

Best practices

Never commit .env files or secrets to version control; add all .env* to .gitignore
Store keys in environment variables or a secrets manager, not in code
Use separate keys per environment and per service (reader/writer service account pattern)
Grant minimal scopes required by each environment and regularly review permissions
Rotate keys on a schedule and immediately if a key is exposed; verify new keys before revoking old ones
Validate webhook signatures with a timing-safe HMAC comparison and log verification results

Example use cases

Quick checklist before a production rollout: env vars in place, keys scoped, rotation scheduled, audit logging enabled
Implementing a reader/writer service account model for least privilege in microservices
Responding to a detected exposed key: rotate, verify, and revoke using the described workflow
Adding audit entries for sensitive API calls to support compliance and incident investigation
Setting up automated scans to detect long-lived keys and prompt rotation

FAQ

How often should I rotate Instantly API keys?

Rotate keys on a regular cadence (e.g., every 90 days) and immediately after any suspected exposure. Adjust frequency based on risk and regulatory needs.

What scopes should production keys have?

Production keys should only include the exact scopes required for operation. Avoid broad read:* or write:* permissions unless strictly necessary.

How do I verify a webhook is genuine?

Compute an HMAC (e.g., sha256) of the payload using the webhook secret and compare with the provided signature using timing-safe equality. Log failures for investigation.