Skill

clari-security-basics

Secures Clari API tokens using AWS Secrets Manager, redacts PII from forecast exports in Python, and applies access control checklists.

Python

AWS

Bash

security

authentication

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin clari-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGrep

Preview

Secure your Clari integration: API token management, exported data PII handling, and access control best practices.

SKILL.md

Similar Skills

clari-install-auth

1.9k

Configures Clari API key authentication, environment setup, and connectivity tests for forecast data exports to Snowflake, BigQuery, or Redshift.

6 tools

clari-pack

clay-security-basics

1.9k

Secures Clay integrations with API key storage in secrets managers, webhook signature verification via Node.js middleware, and provider credential isolation.

4 tools

clay-pack

clickup-security-basics

1.9k

Secures ClickUp API tokens with .env storage, git pre-commit hooks, rotation via curl/gh/vault/aws, and least-privilege OAuth scopes in TypeScript.

3 tools

clickup-pack

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Clari Security Basics

Overview

Secure your Clari integration: API token management, exported data PII handling, and access control best practices.

Instructions

Step 1: Token Management

# Store token in secrets manager aws secretsmanager create-secret \ --name "clari/prod/api-token" \ --secret-string "${CLARI_API_KEY}" # In CI/CD, load from secrets export CLARI_API_KEY=$(aws secretsmanager get-secret-value \ --secret-id "clari/prod/api-token" --query SecretString --output text)

Rotation: Clari API tokens are generated per-user. To rotate, generate a new token in User Settings, update all consumers, then discard the old one.

Step 2: Exported Data PII Handling

Clari export data contains PII (rep names, emails, deal amounts):

def redact_pii(entries: list[dict]) -> list[dict]: """Redact PII from forecast entries for non-production use.""" import hashlib redacted = [] for entry in entries: r = entry.copy() if "ownerEmail" in r: r["ownerEmail"] = hashlib.sha256( r["ownerEmail"].encode() ).hexdigest()[:12] + "@redacted" if "ownerName" in r: r["ownerName"] = f"Rep-{hashlib.sha256(r['ownerName'].encode()).hexdigest()[:6]}" redacted.append(r) return redacted

Step 3: Security Checklist

API token in secrets manager, not in code

.env files in .gitignore

Exported data stored in access-controlled warehouse

PII redacted in non-production environments

Export download URLs are temporary -- do not cache

Audit who has API token access

Token regenerated if any team member leaves

Resources

Next Steps

For production deployment, see clari-prod-checklist.