home / skills / jeremylongshore / claude-code-plugins-plus-skills / retellai-security-basics

retellai-security-basics skill

safe

/plugins/saas-packs/retellai-pack/skills/retellai-security-basics

This skill helps you secure Retell AI API keys and enforce least privilege with rotation, auditing, and environment-safe practices.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill retellai-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.4 KB

---
name: retellai-security-basics
description: |
  Apply Retell AI security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Retell AI security configuration.
  Trigger with phrases like "retellai security", "retellai secrets",
  "secure retellai", "retellai API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Retell AI Security Basics

## Overview
Security best practices for Retell AI API keys, tokens, and access control.

## Prerequisites
- Retell AI SDK installed
- Understanding of environment variables
- Access to Retell AI dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
RETELLAI_API_KEY=sk_live_***
RETELLAI_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Retell AI dashboard
# 2. Update environment variable
export RETELLAI_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${RETELLAI_API_KEY}" \
  https://api.retellai.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | `Only required scopes` |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |

## Examples

### Service Account Pattern
```typescript
const clients = {
  reader: new RetellAIClient({
    apiKey: process.env.RETELLAI_READ_KEY,
  }),
  writer: new RetellAIClient({
    apiKey: process.env.RETELLAI_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Retell AI analytics
  await retellaiClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'retellai.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Retell AI Security Guide](https://docs.retellai.com/security)
- [Retell AI API Scopes](https://docs.retellai.com/scopes)

## Next Steps
For production deployment, see `retellai-prod-checklist`.

Overview

This skill applies Retell AI security best practices for handling API keys, tokens, webhooks, and access control across environments. It focuses on safe secret storage, automated rotation, least-privilege scopes, and audit logging to reduce risk. Use it to standardize how your applications interact with Retell AI securely.

How this skill works

The skill inspects common secret management patterns and provides concrete steps to move secrets out of source control into environment variables and secret stores. It describes a secret-rotation workflow: create a new key, verify it, swap environment values, then revoke the old key. It also prescribes environment-specific scopes, service-account separation, webhook signature verification, and audit logging patterns to detect and mitigate security issues.

When to use it

Securing Retell AI API keys before deployment
Implementing least-privilege access across dev/staging/prod
Auditing Retell AI configuration and permissions
Setting up webhook verification for incoming events
Creating an incident playbook for exposed keys

Best practices

Never commit .env files or API keys to version control; add .env* to .gitignore
Store keys in environment variables or a dedicated secrets manager and avoid hard-coding
Rotate keys periodically and immediately after suspected exposure; verify new keys before revoking old ones
Grant minimal scopes per environment: read-only in development, limited write in staging, and only required scopes in production
Use separate service-account keys for reader/writer roles instead of one key with broad permissions
Validate webhook payloads with HMAC signatures and use timing-safe comparisons to prevent tampering

Example use cases

CI/CD deploys that pull Retell AI keys from a secrets manager and inject them as environment variables
Runtime setup with distinct RETELLAI_READ_KEY and RETELLAI_WRITE_KEY for service-account separation
Automated rotation job: generate key in dashboard, update secret store, run health check, then revoke old key
Webhook endpoint verifying HMAC signature before processing events and logging failures to an audit store
Audit log pipeline that records API calls, actors, resources, results, and stores logs for compliance

FAQ

How often should I rotate Retell AI API keys?

Rotate keys on a regular cadence (for example every 90 days) and immediately after any suspected exposure. Use scripted or CI-driven rotation to minimize downtime.

What if I accidentally commit a key to Git?

Treat it as compromised: rotate the key immediately, revoke the old key in the dashboard, search the repo history and remove secrets, and enable repository scanning and alerts to prevent recurrence.