apollo-security-basics
Apply Apollo.io API security best practices. Use when securing Apollo integrations, managing API keys, or implementing secure data handling. Trigger with phrases like "apollo security", "secure apollo api", "apollo api key security", "apollo data protection".
# Apollo Security Basics
## Overview
Security best practices for Apollo.io API integrations. Apollo API keys grant broad access to 275M+ contacts — a leaked key is a serious incident. This covers key management, PII redaction, data access controls, key rotation, and audit procedures.
## Prerequisites
- Valid Apollo.io API credentials
- Node.js 18+
## Instructions
### Step 1: Secure API Key Storage
Apollo supports two key types with different risk profiles:
- **Standard key**: search + enrichment only (lower risk)
- **Master key**: full CRM access including delete (highest risk)
```typescript
// NEVER: const API_KEY = 'abc123'; // hardcoded
// NEVER: params: { api_key: key } // query string (logged in server access logs)
// ALWAYS: x-api-key header + env var or secret manager
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
async function getApiKey(): Promise<string> {
// Dev/staging: environment variable
if (process.env.APOLLO_API_KEY) return process.env.APOLLO_API_KEY;
// Production: GCP Secret Manager
const client = new SecretManagerServiceClient();
const [version] = await client.accessSecretVersion({
name: 'projects/my-project/secrets/apollo-api-key/versions/latest',
});
return version.payload?.data?.toString() ?? '';
}
```
```bash
# .gitignore — prevent accidental commits
.env
.env.local
.env.*.local
*.pem
secrets/
```
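The two rules above (key in the `x-api-key` header, never in a query string; key never printed) can be enforced in code rather than by convention. The following is an added example, not code from the skill or from Apollo: a small request builder that joins the base URL and path, rejects any credential-looking query parameter, requires HTTPS, and produces a log-safe description that shows only the last four characters of the key. The names `ApolloRequest`, `buildRequest`, `maskKey`, `queryParamNames` and `FORBIDDEN_QUERY_PARAMS` are hypothetical helpers chosen for this example; the URL parsing is done by hand so the snippet has no runtime dependencies.

```typescript
// Added example (not part of the skill): keep the Apollo key in the header,
// refuse credential-like query parameters, and never expose the full key in logs.
// All names below are hypothetical helpers for this example.

type ApolloRequest = {
  url: string;
  headers: Record<string, string>;
  /** Safe for log lines: the key never appears in full. */
  safeDescription: string;
};

// Query-parameter names that must never carry a credential (constructed list).
const FORBIDDEN_QUERY_PARAMS = ['api_key', 'apikey', 'key', 'token'];

// Return the lower-cased names of all query parameters in a URL.
// Parsed by hand so the example does not depend on the DOM or Node URL class.
function queryParamNames(url: string): string[] {
  const q = url.indexOf('?');
  if (q < 0) return [];
  const query = url.slice(q + 1).split('#')[0];
  if (query === '') return [];
  return query
    .split('&')
    .map((pair) => decodeURIComponent(pair.split('=')[0]).toLowerCase());
}

// Show only the last 4 characters so operators can tell keys apart in a ticket
// without the full credential ever landing in a log.
function maskKey(key: string): string {
  if (key.length <= 4) return '****';
  return '****' + key.slice(-4);
}

function buildRequest(baseUrl: string, path: string, apiKey: string): ApolloRequest {
  if (!baseUrl.startsWith('https://')) {
    throw new Error('Apollo base URL must use HTTPS');
  }
  if (apiKey.trim() === '') {
    throw new Error('API key is empty; load it from an env var or secret manager');
  }
  const url = baseUrl.replace(/\/+$/, '') + '/' + path.replace(/^\/+/, '');
  for (const name of queryParamNames(url)) {
    if (FORBIDDEN_QUERY_PARAMS.indexOf(name) >= 0) {
      throw new Error(
        `Credential-like query parameter "${name}" is not allowed; use the x-api-key header`
      );
    }
  }
  return {
    url,
    headers: { 'Content-Type': 'application/json', 'x-api-key': apiKey },
    safeDescription: `${url} (key ${maskKey(apiKey)})`,
  };
}
```

Pass `req.headers` and `req.url` to the HTTP client and log only `req.safeDescription`; the builder throws before any request is made if a caller tries to smuggle the key into the query string or downgrade to plain HTTP.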
### Step 2: PII Redaction for Logging
Apollo responses contain emails, phone numbers, and LinkedIn profiles. Never log raw responses in production.
```typescript
// src/apollo/redact.ts
import axios from 'axios';

const PII_PATTERNS: [RegExp, string][] = [
  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z]{2,}\b/gi, '[EMAIL]'],
  [/\b\+?\d{1,3}[-.\s]?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,9}\b/g, '[PHONE]'],
  [/x-api-key[:\s]+["']?[\w-]+["']?/gi, 'x-api-key: [REDACTED]'],
  [/linkedin\.com\/in\/[^\s"',]+/gi, 'linkedin.com/in/[REDACTED]'],
];

// Replace every PII match in a text blob (e.g. a serialized response) with a placeholder
export function redactPII(text: string): string {
  let result = text;
  for (const [pattern, replacement] of PII_PATTERNS) {
    result = result.replace(pattern, replacement);
  }
  return result;
}

// Shared client; the key is loaded via getApiKey() from Step 1, never a literal
export const client = axios.create({ baseURL: 'https://api.apollo.io/api/v1' });

// Attach as axios interceptor
client.interceptors.response.use((response) => {
  if (process.env.NODE_ENV === 'production') {
    // Never log raw Apollo response data in production: status and URL only
    console.log(`[Apollo] ${response.status} ${response.config.url}`);
  } else {
    // Outside production, log a redacted, truncated preview for debugging
    console.log('[Apollo]', redactPII(JSON.stringify(response.data).slice(0, 500)));
  }
  return response;
});
```
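Regex redaction over a serialized string is a useful last line of defence, but a logger that receives the response as an object can do better: drop known PII fields outright and only fall back to pattern matching for strings that slip into free-text fields such as a headline. The following is an added example, not part of the skill: a depth-limited walk over a JSON-like value that applies both strategies. The field list in `PII_FIELDS`, the helper names `redactObject`, `redactString` and `redactedLogLine`, and the `SAMPLE_RESPONSE` record are all constructed for this example and are not Apollo's documented response schema.

```typescript
// Added example (not part of the skill): structural PII redaction for log output.
// PII_FIELDS, the helper names and SAMPLE_RESPONSE are constructed for the example.

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Field names dropped regardless of value format (constructed list, lower-case).
const PII_FIELDS = ['email', 'phone', 'phone_number', 'linkedin_url', 'personal_emails', 'x-api-key'];

// Value-level fallbacks for PII that lands in free-text fields.
const VALUE_PATTERNS: [RegExp, string][] = [
  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, '[EMAIL]'],
  [/\+?\d[\d\s().-]{7,}\d/g, '[PHONE]'],
  [/linkedin\.com\/in\/[^\s"',]+/gi, 'linkedin.com/in/[REDACTED]'],
];

function redactString(s: string): string {
  let out = s;
  for (const [re, rep] of VALUE_PATTERNS) out = out.replace(re, rep);
  return out;
}

// Walk the value: drop PII fields by name, pattern-redact remaining strings,
// and stop at a fixed depth so a hostile or cyclic payload cannot blow the stack.
function redactObject(value: Json, depth = 0): Json {
  if (depth > 32) return '[TRUNCATED]';
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => redactObject(v, depth + 1));
  const out: { [k: string]: Json } = {};
  for (const key of Object.keys(value)) {
    if (PII_FIELDS.indexOf(key.toLowerCase()) >= 0) {
      out[key] = '[REDACTED]';
    } else {
      out[key] = redactObject(value[key], depth + 1);
    }
  }
  return out;
}

// What a logger would emit for a response: serialized only after redaction.
function redactedLogLine(response: Json): string {
  return JSON.stringify(redactObject(response));
}

// Constructed sample resembling an enrichment response (not real data).
const SAMPLE_RESPONSE: Json = {
  person: {
    first_name: 'Ada',
    email: 'ada@example.com',
    phone_number: '+1 415 555 0100',
    linkedin_url: 'https://www.linkedin.com/in/ada-example',
    headline: 'Reach me at ada@example.com',
    employment_history: [{ organization_name: 'Example Corp', title: 'Engineer' }],
  },
};
```

Field-name redaction is exact and cheap; the pattern pass catches the email that was pasted into `headline`, which a field list alone would miss. Non-PII fields such as `first_name` and the employment history pass through unchanged, so the log line stays useful for debugging.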
### Step 3: Use Minimal Key Permissions
```typescript
// src/apollo/scoped-client.ts
// Use standard keys for read-only operations, master keys only where needed
import axios from 'axios';

export function createReadOnlyClient() {
  return axios.create({
    baseURL: 'https://api.apollo.io/api/v1',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': process.env.APOLLO_STANDARD_KEY!, // search + enrich only
    },
  });
}

export function createFullAccessClient() {
  return axios.create({
    baseURL: 'https://api.apollo.io/api/v1',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': process.env.APOLLO_MASTER_KEY!, // full CRM access, including delete
    },
  });
}
```
### Step 4: API Key Rotation Procedure
```typescript
import axios from 'axios';

async function rotateApiKey() {
  // 1. Generate new key in Apollo Dashboard (Settings > Integrations > API Keys)
  const newKey = process.env.APOLLO_API_KEY_NEW;
  const oldKey = process.env.APOLLO_API_KEY; // stays valid until step 5
  if (!newKey) {
    console.error('APOLLO_API_KEY_NEW is not set; aborting rotation');
    return;
  }
  // 2. Verify new key works before touching anything
  try {
    const resp = await axios.get('https://api.apollo.io/api/v1/auth/health', {
      headers: { 'x-api-key': newKey },
    });
    if (!resp.data.is_logged_in) throw new Error('New key failed auth check');
    console.log('New API key verified');
  } catch {
    console.error('New API key invalid — aborting rotation');
    return;
  }
  // 3. Update secret manager / env vars with new key
  // 4. Deploy with new key
  // 5. Revoke old key in Apollo Dashboard (only after the deployment no longer uses oldKey)
  console.log('Rotation steps: update secrets -> deploy -> revoke old key in dashboard');
}
```
### Step 5: Security Audit Script
```typescript
async function runSecurityAudit() {
const checks: Array<{ name: string; pass: boolean; detail: string }> = [];
// 1. API key not in source code
const { execSync } = await import('child_process');
try {
execSync('grep -rn "x-api-key.*[a-zA-Z0-9]\\{20,\\}" src/ --include="*.ts"', { stdio: 'pipe' });
checks.push({ name: 'No hardcoded keys', pass: false, detail: 'Hardcoded key found in source!' });
} catch {
checks.push({ name: 'No hardcoded keys', pass: true, detail: 'OK' });
}
// 2. HTTPS enforced
checks.push({
name: 'HTTPS only',
pass: !process.env.APOLLO_BASE_URL || process.env.APOLLO_BASE_URL.startsWith('https://'),
detail: 'Base URL uses HTTPS',
});
// 3. .env is gitignored
const gitCheck = execSync('git check-ignore .env 2>/dev/null || echo NOT').toString().trim();
checks.push({ name: '.env gitignored', pass: gitCheck !== 'NOT', detail: gitCheck !== 'NOT' ? 'OK' : 'ADD .env to .gitignore' });
// 4. Header auth (not query param)
try {
execSync('grep -rn "api_key.*=" src/ --include="*.ts" | grep -v "x-api-key"', { stdio: 'pipe' });
checks.push({ name: 'Header auth only', pass: false, detail: 'Found api_key in query params — use x-api-key header' });
} catch {
checks.push({ name: 'Header auth only', pass: true, detail: 'OK' });
}
for (const c of checks) console.log(`${c.pass ? 'PASS' : 'FAIL'} ${c.name}: ${c.detail}`);
}
```
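The grep-based audit above depends on a shell and on exit codes, which makes it awkward to unit-test and easy to get subtly wrong (a pattern that matches a comment, or one that misses `?api_key=` inside a URL string). As an added example, not code from the skill, the same three source checks (hardcoded key next to `x-api-key`, credential in a query string or `params` object, plain-HTTP base URL) are reimplemented as pure functions over source text so they can run in CI without a shell and be tested against fixtures. The names `auditSource`, `auditFiles`, `Finding`, the check identifiers and the `SAMPLE_FILES` fixtures are constructed for this example.

```typescript
// Added example (not part of the skill): in-process source audit for Apollo
// credential hygiene. Function names, check ids and SAMPLE_FILES are constructed.

type Finding = { file: string; line: number; check: string; snippet: string };

// A literal of 20+ token characters immediately assigned to the header name.
const HARDCODED_KEY = /x-api-key['"]?\s*[:=]\s*['"][A-Za-z0-9_-]{20,}['"]/i;
// Credential placed in a query string or in a params object.
const KEY_IN_QUERY = /[?&]api_key=|\bapi_key\s*:/i;
// Apollo base URL over plain HTTP.
const HTTP_BASE = /['"]http:\/\/api\.apollo\.io/i;

const CHECKS: [string, RegExp][] = [
  ['hardcoded-key', HARDCODED_KEY],
  ['key-in-query', KEY_IN_QUERY],
  ['http-base-url', HTTP_BASE],
];

// Scan one file's contents line by line and report every check that fires.
function auditSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    // Skip line comments so documented "NEVER do this" examples do not trip the audit.
    if (/^\s*\/\//.test(line)) continue;
    for (const [check, re] of CHECKS) {
      if (re.test(line)) {
        findings.push({ file, line: i + 1, check, snippet: line.trim() });
      }
    }
  }
  return findings;
}

// Audit a map of path -> contents (read from disk in real use; inline here).
function auditFiles(files: { [path: string]: string }): Finding[] {
  let all: Finding[] = [];
  for (const path of Object.keys(files)) {
    all = all.concat(auditSource(path, files[path]));
  }
  return all;
}

// Constructed fixtures (not real project code); the "key" values are placeholders.
const SAMPLE_FILES: { [path: string]: string } = {
  'src/bad.ts': [
    "const client = axios.create({ baseURL: 'http://api.apollo.io/api/v1' });",
    "client.get('/people/search', { params: { api_key: 'abcdefghijklmnopqrstuvwx' } });",
    "headers: { 'x-api-key': 'abcdefghijklmnopqrstuvwx1234' },",
  ].join('\n'),
  'src/good.ts': [
    "// NEVER: headers: { 'x-api-key': 'abcdefghijklmnopqrstuvwx1234' }",
    "headers: { 'x-api-key': process.env.APOLLO_STANDARD_KEY! },",
    "const baseURL = 'https://api.apollo.io/api/v1';",
  ].join('\n'),
};
```

In CI, read each `src/**/*.ts` file into the map, call `auditFiles`, and fail the job when the result is non-empty; the findings carry file, line and the offending snippet, which is what a reviewer needs to fix the commit. The comment skip is deliberate: the skill's own Step 1 shows a `// NEVER:` line that a naive grep would flag.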
## Output
- Secure API key loading from env vars or GCP Secret Manager
- PII redaction utility for emails, phones, API keys, and LinkedIn URLs
- Scoped clients: read-only (standard key) vs full-access (master key)
- Key rotation procedure with verification
- Automated security audit checking for hardcoded keys and header auth
## Error Handling
| Issue | Mitigation |
|-------|------------|
| API key committed to git | Rotate immediately, revoke old key in Apollo dashboard |
| PII in log files | Enable `redactPII` interceptor, review log retention |
| Using `api_key` query param | Switch to `x-api-key` header — query params appear in server logs |
| Master key used everywhere | Split into standard + master keys, use minimal permissions |
## Resources
- Apollo Security Practices
- [Create API Keys](https://docs.apollo.io/docs/create-api-key)
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- [GCP Secret Manager](https://cloud.google.com/secret-manager/docs)
## Next Steps
Proceed to `apollo-prod-checklist` for production deployment.