Skill

flexport-security-basics

Verifies Flexport webhook signatures with HMAC-SHA256, rotates API keys via bash procedures, and applies least-privilege scopes for secure Node.js integrations.

Typescript

Javascript

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin flexport-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteGrep

Preview

Security practices for Flexport API integrations: key management, webhook signature validation with `X-Hub-Signature`, and least-privilege access patterns for supply chain data.

SKILL.md

Similar Skills

flexport-prod-checklist

1.9k

Executes Flexport production checklist for logistics API integrations: auth/secrets, webhooks, monitoring/alerts, data validation, rollback.

3 tools

flexport-pack

klaviyo-security-basics

1.9k

Applies Klaviyo security best practices for API key management, OAuth scopes, webhook HMAC-SHA256 verification, and secret rotation in integrations.

4 tools

klaviyo-pack

fireflies-security-basics

1.9k

Secures Fireflies.ai API keys with env vars and git hooks; verifies webhook HMAC-SHA256 signatures in Node.js/Express or Python. Use for integration audits.

3 tools

fireflies-pack

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Flexport Security Basics

Overview

Security practices for Flexport API integrations: key management, webhook signature validation with X-Hub-Signature, and least-privilege access patterns for supply chain data.

Instructions

Step 1: Webhook Signature Verification

Flexport signs webhook payloads with HMAC-SHA256 using your webhook secret. The signature is in the X-Hub-Signature header.

import crypto from 'crypto';

function verifyFlexportWebhook(
  payload: string | Buffer,
  signature: string,
  secret: string
): boolean {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// Express middleware
app.post('/webhooks/flexport', express.raw({ type: '*/*' }), (req, res) => {
  const sig = req.headers['x-hub-signature'] as string;
  if (!verifyFlexportWebhook(req.body, sig, process.env.FLEXPORT_WEBHOOK_SECRET!)) {
    return res.status(401).send('Invalid signature');
  }
  const event = JSON.parse(req.body.toString());
  // Process event...
  res.status(200).send('OK');
});

Step 2: API Key Management

# Environment separation (NEVER share keys across environments)
# .env.development
FLEXPORT_API_KEY=your_dev_key
FLEXPORT_WEBHOOK_SECRET=your_dev_webhook_secret

# .env.production
FLEXPORT_API_KEY=your_prod_key
FLEXPORT_WEBHOOK_SECRET=your_prod_webhook_secret

# .gitignore — mandatory entries
.env
.env.*
!.env.example

Step 3: Key Rotation Procedure

# 1. Generate new key in Flexport Portal > Settings > Developer
# 2. Deploy new key to production (dual-key period)
# 3. Verify new key works
curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer $NEW_FLEXPORT_API_KEY" \
  -H "Flexport-Version: 2" \
  https://api.flexport.com/shipments?per=1
# 4. Revoke old key in Portal
# 5. Remove old key from all environments

Step 4: Least Privilege Access

Role	API Scope	Use Case
Read-only	`GET /shipments`, `GET /products`	Dashboards, reporting
Booking manager	`POST /bookings`, `PATCH /purchase_orders`	Operations team
Full access	All endpoints	Admin, CI/CD pipelines

Security Checklist

API keys stored in environment variables or secret manager
.env files in .gitignore
Webhook signatures verified on every request
Different keys for dev/staging/prod
Key rotation scheduled quarterly
Git history scanned for leaked keys
HTTPS enforced for all API calls
Request/response logging redacts auth headers

Resources

Next Steps

For production deployment, see flexport-prod-checklist.