home / skills / jeremylongshore / claude-code-plugins-plus-skills / replit-security-basics

replit-security-basics skill

safe

/plugins/saas-packs/replit-pack/skills/replit-security-basics

This skill helps you apply Replit security best practices for secrets and access control across environments, enabling safer API usage.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill replit-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.4 KB

---
name: replit-security-basics
description: |
  Apply Replit security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Replit security configuration.
  Trigger with phrases like "replit security", "replit secrets",
  "secure replit", "replit API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Replit Security Basics

## Overview
Security best practices for Replit API keys, tokens, and access control.

## Prerequisites
- Replit SDK installed
- Understanding of environment variables
- Access to Replit dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
REPLIT_API_KEY=sk_live_***
REPLIT_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Replit dashboard
# 2. Update environment variable
export REPLIT_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${REPLIT_API_KEY}" \
  https://api.replit.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | `Only required scopes` |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |

## Examples

### Service Account Pattern
```typescript
const clients = {
  reader: new ReplitClient({
    apiKey: process.env.REPLIT_READ_KEY,
  }),
  writer: new ReplitClient({
    apiKey: process.env.REPLIT_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Replit analytics
  await replitClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'replit.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Replit Security Guide](https://docs.replit.com/security)
- [Replit API Scopes](https://docs.replit.com/scopes)

## Next Steps
For production deployment, see `replit-prod-checklist`.

Overview

This skill applies Replit security best practices for handling API keys, tokens, webhook verification, and access control. It helps you keep secrets out of source control, implement least-privilege scopes per environment, and maintain audit logs. Use it to reduce blast radius and harden Replit-based projects quickly.

How this skill works

The skill inspects configuration patterns and recommends concrete fixes: environment variable usage, .gitignore entries, and scoped keys per environment. It outlines a secret rotation process and shows how to separate service account keys for read/write roles. It also includes webhook signature verification and an audit logging pattern to track sensitive actions.

When to use it

When storing Replit API keys and other secrets to avoid committing them to git.
When implementing least-privilege access across dev, staging, and production.
When rotating keys after suspected exposure or on a regular schedule.
When validating incoming webhooks to prevent replay or tampering.
When adding audit logging for compliance or incident investigations.

Best practices

Keep API keys in environment variables and add all .env files to .gitignore.
Use separate keys per environment (dev/staging/prod) and per role (reader/writer).
Grant only required scopes for each key; reduce scopes when auditing finds excess.
Rotate keys regularly and immediately after any exposure is detected.
Validate webhook signatures with HMAC and timing-safe comparisons.
Record audit entries for critical actions and store logs in a secure location.

Example use cases

Store REPLIT_API_KEY and REPLIT_SECRET in .env and ensure .env is ignored by git.
Create a read-only service account for background analytics and a write-only account for deployments.
Rotate a compromised key: generate new key, update env var, verify with an API health check, then revoke the old key.
Validate incoming webhooks using HMAC-SHA256 and timing-safe equality to prevent tampering.
Emit audit logs on all Replit API calls including userId, action, resource, and result for incident tracing.

FAQ

How often should I rotate Replit API keys?

Rotate keys on a schedule that fits your risk profile (e.g., quarterly) and immediately after any suspected exposure.

What scopes should production keys have?

Production keys should have only the minimum scopes required for the service to function; avoid broad read:* or write:* unless necessary.

How do I verify a webhook is authentic?

Compute an HMAC (e.g., SHA-256) of the payload using your webhook secret and compare with the signature using a timing-safe comparison.