From palantir-pack
Apply Palantir Foundry security best practices for credentials, scopes, and access control. Use when securing API tokens, implementing least privilege access, or auditing Foundry security configuration. Trigger with phrases like "palantir security", "foundry secrets", "secure palantir", "palantir API key security", "foundry scopes".
Install with:

```shell
npx claudepluginhub flight505/skill-forge --plugin palantir-pack
```
Security best practices for Foundry API tokens, OAuth2 credentials, scope management, and secret rotation. Covers both personal access tokens (dev) and service user credentials (production).
```dotenv
# .env — NEVER commit to git
FOUNDRY_HOSTNAME=mycompany.palantirfoundry.com
FOUNDRY_CLIENT_ID=your-client-id
FOUNDRY_CLIENT_SECRET=your-client-secret
```

```shell
# .gitignore — ensure .env files are excluded
echo '.env' >> .gitignore
echo '.env.local' >> .gitignore
echo '.env.*.local' >> .gitignore
```
For production, use a secrets manager:
```shell
# AWS Secrets Manager
aws secretsmanager create-secret --name foundry/prod \
  --secret-string '{"client_id":"xxx","client_secret":"yyy","hostname":"zzz"}'

# Google Cloud Secret Manager
echo -n "your-client-secret" | gcloud secrets create foundry-client-secret --data-file=-

# HashiCorp Vault
vault kv put secret/foundry client_id=xxx client_secret=yyy
```
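The following loader is an added example, not code from palantir-pack or the Foundry SDK. It shows the two ways of getting credentials into a process that the commands above set up (environment variables from a `.env` file, or the JSON payload stored in a secrets manager), fails fast when a key is missing instead of silently defaulting, and keeps the secret out of `repr()` so a stray log line or traceback cannot leak it. The class and function names are assumptions made for this example.

```python
import json
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass(frozen=True)
class FoundryCredentials:
    """Service-user credentials. The secret is excluded from repr() so an
    accidental print, log line or traceback does not leak it."""
    hostname: str
    client_id: str
    client_secret: str = field(repr=False)

    def __repr__(self) -> str:
        return (f"FoundryCredentials(hostname={self.hostname!r}, "
                f"client_id={self.client_id!r}, client_secret='***')")


# Keys the .env / environment form and the secrets-manager JSON form must carry.
REQUIRED_ENV = ("FOUNDRY_HOSTNAME", "FOUNDRY_CLIENT_ID", "FOUNDRY_CLIENT_SECRET")
REQUIRED_JSON = ("hostname", "client_id", "client_secret")


def load_from_env(env: Optional[Mapping[str, str]] = None) -> FoundryCredentials:
    """Build credentials from environment variables, failing fast (and naming
    the missing keys) instead of falling back to a hard-coded default."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    return FoundryCredentials(
        hostname=env["FOUNDRY_HOSTNAME"],
        client_id=env["FOUNDRY_CLIENT_ID"],
        client_secret=env["FOUNDRY_CLIENT_SECRET"],
    )


def load_from_secret_json(secret_string: str) -> FoundryCredentials:
    """Parse the JSON payload shape used for AWS Secrets Manager above
    ({"client_id": ..., "client_secret": ..., "hostname": ...})."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise RuntimeError("secret payload is not valid JSON") from exc
    if not isinstance(data, dict):
        raise RuntimeError("secret payload must be a JSON object")
    missing = [k for k in REQUIRED_JSON if not data.get(k)]
    if missing:
        raise RuntimeError("secret payload is missing keys: " + ", ".join(missing))
    return FoundryCredentials(
        hostname=data["hostname"],
        client_id=data["client_id"],
        client_secret=data["client_secret"],
    )


if __name__ == "__main__":
    # Constructed sample: the placeholder values from the .env example above.
    sample_env = {
        "FOUNDRY_HOSTNAME": "mycompany.palantirfoundry.com",
        "FOUNDRY_CLIENT_ID": "your-client-id",
        "FOUNDRY_CLIENT_SECRET": "your-client-secret",
    }
    print(load_from_env(sample_env))  # the secret prints as '***'
```

Passing the secrets-manager payload through `load_from_secret_json` rather than exporting it into the environment keeps the secret out of `/proc/<pid>/environ` and child processes; whichever path is used, the object that holds the secret should be the only place it lives.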
| Environment | Recommended Scopes | Rationale |
|---|---|---|
| Development | api:read-data | Read-only prevents accidental mutations |
| Staging | api:read-data, api:write-data | Test writes in safe environment |
| Production | Only scopes your app actually needs | Minimize blast radius |
```python
import os

import foundry

# Production app that only reads Ontology objects:
auth = foundry.ConfidentialClientAuth(
    client_id=os.environ["FOUNDRY_CLIENT_ID"],
    client_secret=os.environ["FOUNDRY_CLIENT_SECRET"],
    hostname=os.environ["FOUNDRY_HOSTNAME"],
    scopes=["api:ontology-read"],  # Minimum viable scope
)
```
```shell
# 1. Generate new credentials in Developer Console
# 2. Deploy new credentials alongside old ones
# 3. Verify new credentials work
python -c "
import os, foundry
auth = foundry.ConfidentialClientAuth(
    client_id=os.environ['NEW_CLIENT_ID'],
    client_secret=os.environ['NEW_CLIENT_SECRET'],
    hostname=os.environ['FOUNDRY_HOSTNAME'],
    scopes=['api:read-data'],
)
auth.sign_in_as_service_user()
print('New credentials verified')
"
# 4. Remove old credentials from Developer Console
# 5. Update environment variables to use new credentials only
```
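The five rotation steps above are easy to get wrong by hand (revoking the old secret before the new one is proven, or retrying a broken secret into production). The class below is an added example, not part of palantir-pack, that encodes the overlap-and-verify order as code: the active credential keeps serving until the replacement passes verification, and the old one is revoked only after cut-over. The `verify` and `revoke` callables are assumptions for this example; in a real deployment `verify` would wrap `ConfidentialClientAuth(...).sign_in_as_service_user()` and `revoke` would remove the credential from the Developer Console.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Credential:
    client_id: str
    client_secret: str


class RotationError(RuntimeError):
    """Raised when a rotation request is unsafe to attempt."""


class CredentialRotator:
    """Overlap-and-verify rotation: the currently active credential keeps
    serving traffic until the replacement has been verified, and the old one is
    revoked only after the cut-over succeeds.

    `verify(cred) -> bool` and `revoke(cred)` are assumed callables supplied by
    the caller; they are stand-ins for a real sign-in and a Developer Console
    deletion.
    """

    def __init__(self, current: Credential,
                 verify: Callable[[Credential], bool],
                 revoke: Callable[[Credential], None]) -> None:
        self.active = current
        self._verify = verify
        self._revoke = revoke
        self.log: List[str] = []

    def rotate(self, replacement: Credential) -> Credential:
        """Try to move to `replacement`; return whichever credential is active afterwards."""
        if replacement.client_secret == self.active.client_secret:
            raise RotationError("replacement secret must differ from the active secret")
        try:
            verified = bool(self._verify(replacement))
        except Exception as exc:  # a sign-in error is a failed verification, not a crash
            verified = False
            self.log.append(f"verify raised {type(exc).__name__}")
        if not verified:
            # Fail closed: nothing changes and the old credential stays valid.
            self.log.append(f"verification of {replacement.client_id} failed; keeping {self.active.client_id}")
            return self.active
        previous = self.active
        self.active = replacement                      # step 5: switch to the new credential
        self.log.append(f"cut over to {replacement.client_id}")
        self._revoke(previous)                         # step 4, done only after the switch
        self.log.append(f"revoked {previous.client_id}")
        return self.active


if __name__ == "__main__":
    revoked = []
    rotator = CredentialRotator(
        Credential("svc-old", "old-secret"),
        verify=lambda c: c.client_secret.startswith("good-"),  # constructed stand-in for a real sign-in
        revoke=revoked.append,
    )
    rotator.rotate(Credential("svc-new", "typo-secret"))    # stays on svc-old
    rotator.rotate(Credential("svc-new", "good-secret-2"))  # cuts over, then revokes svc-old
    print("\n".join(rotator.log))
```

Revoking after the switch (rather than in the page's step order of remove-then-update) is what makes the procedure safe to abort at any point: every state the rotator can be in has at least one working credential.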
```shell
# Scan for leaked credentials in git history
git log --all -p | grep -i "foundry_token\|foundry_client_secret" | head -5
# If found: rotate immediately, then use git-filter-repo to remove
```

Pre-commit hook to prevent committing secrets (`.pre-commit-config.yaml`):

```yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: REPLACE_WITH_PINNED_TAG   # pre-commit requires a pinned release; placeholder, pick a current tag
    hooks:
      - id: detect-secrets
```
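The `grep` above finds the key names but reports placeholders and real secrets alike, and prints the secret itself to the terminal. The scanner below is an added example, not part of palantir-pack or detect-secrets, that runs the same check over lines of `git log -p` output (or any file): it matches the Foundry key names, skips documentation placeholders, ranks hits by Shannon entropy, and stores only a short preview so the scan report cannot become a second leak. The sample lines and the regex are constructed for this example.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List

# Assignments of Foundry credential keys in .env files, shell exports, YAML or
# source code: KEY=value or KEY: value, optionally quoted. Values shorter than
# 8 characters are ignored as unlikely to be real secrets.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(foundry_(?:token|client_secret))\b\s*[:=]\s*[\"']?([A-Za-z0-9._+/=-]{8,})[\"']?"
)
# Documentation placeholders that must not be reported as leaks.
PLACEHOLDERS = {"your-client-secret", "your-token", "xxx", "yyy", "zzz", "changeme", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random API secrets score well above 3.0,
    while words and repeated patterns score lower."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: Iterable[str], entropy_threshold: float = 3.0) -> List[Dict[str, object]]:
    """Return one finding per credential-looking assignment. The value itself
    is never stored in the finding, only a 4-character preview."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in CREDENTIAL_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if value.lower() in PLACEHOLDERS:
                continue
            entropy = shannon_entropy(value)
            findings.append({
                "line": lineno,
                "key": key,
                "preview": value[:4] + "***",
                "entropy": round(entropy, 2),
                "severity": "high" if entropy >= entropy_threshold else "review",
            })
    return findings


# Constructed sample: a few lines in the shape of `git log --all -p` output.
SAMPLE_LINES = [
    "+# .env",
    "+FOUNDRY_CLIENT_SECRET=your-client-secret",
    "+FOUNDRY_CLIENT_SECRET=Qm5x9Ld2pT8vR3wK7aJ1",
    "-foundry_token: \"abcdabcdabcd\"",
    "+# FOUNDRY_TOKEN is read from Vault at start-up",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Note that a removed (`-`) line in a diff is still a leak: the secret remains in history until the commit is rewritten, which is why the scanner does not skip deletions and why the text above says to rotate first and scrub second.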
.env files listed in .gitignore

| Security Issue | Detection | Mitigation |
|---|---|---|
| Exposed token in git | detect-secrets scan | Rotate immediately, scrub history |
| Overly broad scopes | Audit app permissions | Reduce to minimum needed |
| Stale credentials | Age > 90 days | Rotate on schedule |
| Shared credentials | Multiple users same token | Create per-user service users |
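The scope table earlier on the page and the audit table above describe rules rather than a procedure, so here is an added example, not part of palantir-pack, that applies both to a credential inventory: the per-environment scope policy (with production allowed only what the app declares it needs), the 90-day age limit, and the one-principal-per-credential rule. `CredentialRecord`, the sample inventory and `AUDIT_DATE` are constructed for this example; a real audit would populate the records from Developer Console and secrets-manager metadata.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

# Scope policy from the table above. Production has no fixed allow-list: the
# allowed set is whatever the app declares it needs (required_scopes).
SCOPE_POLICY = {
    "development": {"api:read-data"},
    "staging": {"api:read-data", "api:write-data"},
}
MAX_AGE_DAYS = 90
AUDIT_DATE = date(2025, 1, 15)   # constructed "today" so the sample output is stable


@dataclass
class CredentialRecord:
    """Constructed inventory entry (hypothetical shape, not a Foundry API type)."""
    name: str
    environment: str
    scopes: set
    created: date
    principals: set                       # people or workloads holding this secret
    required_scopes: set = field(default_factory=set)


Finding = Tuple[str, str, str]            # (credential name, issue, mitigation)


def audit(records: List[CredentialRecord], today: date) -> List[Finding]:
    """Apply the three audit rules to every record and return the findings."""
    findings: List[Finding] = []
    for r in records:
        age = (today - r.created).days
        if age > MAX_AGE_DAYS:
            findings.append((r.name, "Stale credentials",
                             f"age {age} days > {MAX_AGE_DAYS}; rotate on schedule"))
        allowed = SCOPE_POLICY.get(r.environment, r.required_scopes)
        excess = sorted(r.scopes - allowed)
        if excess:
            findings.append((r.name, "Overly broad scopes",
                             f"remove {excess}; keep only {sorted(allowed)}"))
        if len(r.principals) > 1:
            findings.append((r.name, "Shared credentials",
                             f"held by {sorted(r.principals)}; create per-user service users"))
    return findings


def sample_records(today: date) -> List[CredentialRecord]:
    """Constructed inventory: one record that trips each rule."""
    return [
        CredentialRecord("dev-alice", "development", {"api:read-data", "api:write-data"},
                         today - timedelta(days=10), {"alice"}),
        CredentialRecord("prod-reader", "production", {"api:ontology-read"},
                         today - timedelta(days=120), {"reader-app"},
                         required_scopes={"api:ontology-read"}),
        CredentialRecord("ci-shared", "staging", {"api:read-data"},
                         today - timedelta(days=5), {"bob", "carol"}),
    ]


if __name__ == "__main__":
    for name, issue, fix in audit(sample_records(AUDIT_DATE), AUDIT_DATE):
        print(f"{name}: {issue} -> {fix}")
```

Running this on a schedule (and failing the job on any finding) turns the audit table into a control rather than a checklist.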
For production deployment, see palantir-prod-checklist.