Apply Deepgram security best practices for API key management and data protection. Use when securing Deepgram integrations, implementing key rotation, or auditing security configurations. Trigger with phrases like "deepgram security", "deepgram API key security", "secure deepgram", "deepgram key rotation", "deepgram data protection".
/plugin marketplace add jeremylongshore/claude-code-plugins-plus-skills/plugin install deepgram-pack@claude-code-plugins-plusThis skill is limited to using the following tools:
Implement security best practices for Deepgram API integration including key management, data protection, and access control.
Never hardcode API keys in source code.
Create a process for regular key rotation.
Configure project-level permissions.
Track API usage and access patterns.
# .env.example (commit this)
DEEPGRAM_API_KEY=your-api-key-here
# .env (NEVER commit this)
DEEPGRAM_API_KEY=actual-secret-key
# .gitignore
.env
.env.local
.env.*.local
// lib/secrets.ts
import { SecretsManager } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManager({ region: 'us-east-1' });
let cachedKey: string | null = null;
let cacheExpiry = 0;
export async function getDeepgramKey(): Promise<string> {
// Use cached key if not expired
if (cachedKey && Date.now() < cacheExpiry) {
return cachedKey;
}
const response = await client.getSecretValue({
SecretId: 'deepgram/api-key',
});
if (!response.SecretString) {
throw new Error('Deepgram API key not found in Secrets Manager');
}
const secret = JSON.parse(response.SecretString);
cachedKey = secret.DEEPGRAM_API_KEY;
cacheExpiry = Date.now() + 300000; // 5 minute cache
return cachedKey!;
}
// lib/secrets-gcp.ts
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
const client = new SecretManagerServiceClient();
export async function getDeepgramKey(): Promise<string> {
const projectId = process.env.GCP_PROJECT_ID;
const secretName = `projects/${projectId}/secrets/deepgram-api-key/versions/latest`;
const [version] = await client.accessSecretVersion({ name: secretName });
const payload = version.payload?.data?.toString();
if (!payload) {
throw new Error('Deepgram API key not found');
}
return payload;
}
// scripts/rotate-key.ts
import { createClient } from '@deepgram/sdk';
interface KeyRotationResult {
oldKeyId: string;
newKeyId: string;
rotatedAt: Date;
}
export async function rotateDeepgramKey(
adminKey: string,
projectId: string
): Promise<KeyRotationResult> {
const client = createClient(adminKey);
// 1. Create new key
const { result: newKey, error: createError } = await client.manage.createProjectKey(
projectId,
{
comment: `Rotated key - ${new Date().toISOString()}`,
scopes: ['usage:write', 'listen:*'],
expiration_date: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), // 90 days
}
);
if (createError) throw new Error(`Failed to create key: ${createError.message}`);
// 2. Test new key
const testClient = createClient(newKey.key);
const { error: testError } = await testClient.manage.getProjects();
if (testError) {
// Rollback: delete new key
await client.manage.deleteProjectKey(projectId, newKey.key_id);
throw new Error('New key validation failed');
}
// 3. Get old key ID (from current key metadata)
const { result: keys } = await client.manage.getProjectKeys(projectId);
const oldKey = keys?.api_keys.find(k =>
k.comment?.includes('Current production key')
);
// 4. Update secret manager with new key
// (Implementation depends on your secret manager)
// 5. Delete old key after grace period
if (oldKey) {
console.log(`Old key ${oldKey.key_id} scheduled for deletion`);
// Schedule deletion for later to allow propagation
}
return {
oldKeyId: oldKey?.key_id || 'unknown',
newKeyId: newKey.key_id,
rotatedAt: new Date(),
};
}
// Create keys with minimal required permissions
const scopedKeys = {
// Transcription-only key
transcription: {
scopes: ['listen:*'],
comment: 'Read-only transcription key',
},
// Admin key (for key management only)
admin: {
scopes: ['manage:*'],
comment: 'Administrative access only',
},
// Usage tracking key
usage: {
scopes: ['usage:read'],
comment: 'Usage monitoring only',
},
};
async function createScopedKey(
adminKey: string,
projectId: string,
keyType: keyof typeof scopedKeys
) {
const client = createClient(adminKey);
const config = scopedKeys[keyType];
const { result, error } = await client.manage.createProjectKey(
projectId,
config
);
if (error) throw error;
return result;
}
// lib/sanitize.ts
export function sanitizeAudioUrl(url: string): string {
const parsed = new URL(url);
// Only allow HTTPS
if (parsed.protocol !== 'https:') {
throw new Error('Only HTTPS URLs are allowed');
}
// Block internal/local URLs
const blockedHosts = ['localhost', '127.0.0.1', '0.0.0.0', '::1'];
if (blockedHosts.includes(parsed.hostname)) {
throw new Error('Local URLs are not allowed');
}
// Block private IP ranges
const privateRanges = [
/^10\./,
/^172\.(1[6-9]|2[0-9]|3[0-1])\./,
/^192\.168\./,
];
if (privateRanges.some(range => range.test(parsed.hostname))) {
throw new Error('Private IP addresses are not allowed');
}
return url;
}
export function sanitizeTranscriptResponse(response: unknown): unknown {
// Remove any unexpected fields that might contain sensitive data
if (typeof response !== 'object' || response === null) {
return response;
}
const allowedFields = [
'results',
'metadata',
'channels',
'alternatives',
'transcript',
'confidence',
'words',
'start',
'end',
];
const sanitized: Record<string, unknown> = {};
for (const [key, value] of Object.entries(response)) {
if (allowedFields.includes(key)) {
sanitized[key] = value;
}
}
return sanitized;
}
// lib/audit.ts
interface AuditEvent {
timestamp: Date;
action: string;
projectId?: string;
requestId?: string;
userId?: string;
ipAddress?: string;
success: boolean;
metadata?: Record<string, unknown>;
}
export class AuditLogger {
private events: AuditEvent[] = [];
log(event: Omit<AuditEvent, 'timestamp'>) {
const fullEvent: AuditEvent = {
...event,
timestamp: new Date(),
};
this.events.push(fullEvent);
// In production, send to your logging service
console.log(JSON.stringify({
...fullEvent,
timestamp: fullEvent.timestamp.toISOString(),
}));
}
async transcribe(
transcribeFn: () => Promise<unknown>,
context: { userId?: string; ipAddress?: string }
) {
const startTime = Date.now();
try {
const result = await transcribeFn();
this.log({
action: 'TRANSCRIBE',
success: true,
userId: context.userId,
ipAddress: context.ipAddress,
metadata: {
durationMs: Date.now() - startTime,
},
});
return result;
} catch (error) {
this.log({
action: 'TRANSCRIBE',
success: false,
userId: context.userId,
ipAddress: context.ipAddress,
metadata: {
error: error instanceof Error ? error.message : 'Unknown error',
durationMs: Date.now() - startTime,
},
});
throw error;
}
}
}
// lib/data-protection.ts
import crypto from 'crypto';
// Encrypt transcripts at rest
export function encryptTranscript(transcript: string, key: Buffer): string {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
let encrypted = cipher.update(transcript, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
return JSON.stringify({
iv: iv.toString('hex'),
data: encrypted,
tag: authTag.toString('hex'),
});
}
export function decryptTranscript(encrypted: string, key: Buffer): string {
const { iv, data, tag } = JSON.parse(encrypted);
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(iv, 'hex')
);
decipher.setAuthTag(Buffer.from(tag, 'hex'));
let decrypted = decipher.update(data, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
// Redact sensitive information from transcripts
export function redactSensitiveData(transcript: string): string {
const patterns = [
// Credit card numbers
{ pattern: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, replacement: '[REDACTED-CC]' },
// SSN
{ pattern: /\b\d{3}[\s-]?\d{2}[\s-]?\d{4}\b/g, replacement: '[REDACTED-SSN]' },
// Phone numbers
{ pattern: /\b\d{3}[\s-]?\d{3}[\s-]?\d{4}\b/g, replacement: '[REDACTED-PHONE]' },
// Email addresses
{ pattern: /\b[\w.-]+@[\w.-]+\.\w+\b/g, replacement: '[REDACTED-EMAIL]' },
];
let redacted = transcript;
for (const { pattern, replacement } of patterns) {
redacted = redacted.replace(pattern, replacement);
}
return redacted;
}
Proceed to deepgram-prod-checklist for production deployment checklist.
This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.