From fireflies-pack
Secures Fireflies.ai API keys with env vars and git hooks; verifies webhook HMAC-SHA256 signatures in Node.js/Express or Python. Use for integration audits.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fireflies-pack:fireflies-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security essentials for Fireflies.ai: API key management, webhook HMAC-SHA256 signature verification, transcript access controls, and audit practices.
Security essentials for Fireflies.ai: API key management, webhook HMAC-SHA256 signature verification, transcript access controls, and audit practices.
# .env (NEVER commit)
FIREFLIES_API_KEY=your-api-key
FIREFLIES_WEBHOOK_SECRET=your-16-to-32-char-secret
# .gitignore
.env
.env.local
.env.*.local
Pre-commit hook to catch leaked keys:
#!/bin/bash
# .git/hooks/pre-commit
if git diff --cached --name-only | xargs grep -l 'FIREFLIES_API_KEY\s*=' 2>/dev/null; then
echo "ERROR: Potential API key in commit. Remove before committing."
exit 1
fi
Fireflies signs webhook payloads with HMAC-SHA256. The signature arrives in the x-hub-signature header.
import crypto from "crypto";
function verifyFirefliesWebhook(
payload: string,
signature: string,
secret: string
): boolean {
const expected = crypto
.createHmac("sha256", secret)
.update(payload)
.digest("hex");
// Timing-safe comparison prevents timing attacks
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// Express middleware
import express from "express";
const app = express();
app.post("/webhooks/fireflies",
express.raw({ type: "application/json" }),
(req, res) => {
const signature = req.headers["x-hub-signature"] as string;
const payload = req.body.toString();
if (!signature || !verifyFirefliesWebhook(payload, signature, process.env.FIREFLIES_WEBHOOK_SECRET!)) {
console.warn("Invalid webhook signature rejected");
return res.status(401).json({ error: "Invalid signature" });
}
const event = JSON.parse(payload);
console.log(`Verified webhook: ${event.eventType} for ${event.meetingId}`);
res.status(200).json({ received: true });
}
);
FIREFLIES_WEBHOOK_SECRETimport hmac, hashlib, json
from flask import Flask, request, jsonify
app = Flask(__name__)
def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
expected = hmac.new(
secret.encode(), payload, hashlib.sha256
).hexdigest()
return hmac.compare_digest(signature, expected)
@app.post("/webhooks/fireflies")
def handle_webhook():
signature = request.headers.get("x-hub-signature", "")
if not verify_signature(request.data, signature, os.environ["FIREFLIES_WEBHOOK_SECRET"]):
return jsonify({"error": "Invalid signature"}), 401
event = request.json
print(f"Verified: {event['eventType']} for {event['meetingId']}")
return jsonify({"received": True})
Fireflies supports these privacy levels via updateMeetingPrivacy:
| Level | Access |
|---|---|
owner | Only meeting organizer |
participants | Only meeting participants |
teammatesandparticipants | Workspace members + participants |
teammates | All workspace members |
link | Anyone with the link |
// Lock a transcript to participants only
await firefliesQuery(`
mutation($id: String!, $privacy: String!) {
updateMeetingPrivacy(transcript_id: $id, privacy_level: $privacy)
}
`, { id: "transcript-id", privacy: "participants" });
set -euo pipefail
# 1. Generate new key in Fireflies dashboard (Integrations > Fireflies API)
# 2. Test new key
curl -s -X POST https://api.fireflies.ai/graphql \
-H "Authorization: Bearer $NEW_KEY" \
-H "Content-Type: application/json" \
-d '{"query": "{ user { email } }"}' | jq '.data.user.email'
# 3. Update environment/secret store
# 4. Verify production
# 5. Old key is automatically invalidated when new one is generated
.env files in .gitignoreparticipants or stricter| Issue | Detection | Fix |
|---|---|---|
| Leaked API key | Git scanning, CI alerts | Regenerate immediately in dashboard |
| Invalid webhook signature | 401 from your endpoint | Verify secret matches dashboard |
| Overly permissive privacy | Audit transcript visibility | Set to participants default |
| Key rotation gap | Auth failures after rotation | Deploy new key before revoking old |
For production deployment, see fireflies-prod-checklist.
npx claudepluginhub earth-treasure-inc/claude-code-plugins-plus-skills-1d8dce0c --plugin fireflies-pack7plugins reuse this skill
First indexed Jul 10, 2026
Showing the 6 earliest of 7 plugins
Guides securing Fireflies.ai API keys, verifying webhook HMAC-SHA256 signatures, and auditing security configuration.
Provides security practices for Fathom API key management, webhook signature verification, input validation, and PII redaction in meeting data.
Applies Firecrawl security best practices for API key management (fc- keys), webhook HMAC-SHA256 signature verification, and environment-based key separation.