deepgram-security-basics
@jeremylongshore/deepgram-security-basics
Apply Deepgram security best practices for API key management and data protection. Use when securing Deepgram integrations, implementing key rotation, or auditing security configurations. Trigger with phrases like "deepgram security", "deepgram API key security", "secure deepgram", "deepgram key rotation", "deepgram data protection".
Installation
$skills install @jeremylongshore/deepgram-security-basics
Claude Code
Cursor
Copilot
Codex
Antigravity
Details
Pathplugins/saas-packs/deepgram-pack/skills/deepgram-security-basics/SKILL.md
Branchmain
Scoped Name@jeremylongshore/deepgram-security-basics
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
skills listSkill Instructions
name: deepgram-security-basics description: | Apply Deepgram security best practices for API key management and data protection. Use when securing Deepgram integrations, implementing key rotation, or auditing security configurations. Trigger with phrases like "deepgram security", "deepgram API key security", "secure deepgram", "deepgram key rotation", "deepgram data protection". allowed-tools: Read, Grep, Bash(curl:*) version: 1.0.0 license: MIT author: Jeremy Longshore jeremy@intentsolutions.io
Deepgram Security Basics
Overview
Implement security best practices for Deepgram API integration including key management, data protection, and access control.
Prerequisites
- Deepgram Console access
- Understanding of environment variables
- Knowledge of secret management
Security Checklist
- API keys stored in environment variables or secret manager
- Different keys for development/staging/production
- Key rotation schedule established
- Audit logging enabled
- Network access restricted
- Data handling compliant with regulations
Instructions
Step 1: Secure API Key Storage
Never hardcode API keys in source code.
Step 2: Implement Key Rotation
Create a process for regular key rotation.
Step 3: Set Up Access Control
Configure project-level permissions.
Step 4: Enable Audit Logging
Track API usage and access patterns.
Examples
Environment Variable Configuration
# .env.example (commit this)
DEEPGRAM_API_KEY=your-api-key-here
# .env (NEVER commit this)
DEEPGRAM_API_KEY=actual-secret-key
# .gitignore
.env
.env.local
.env.*.local
Secret Manager Integration (AWS)
// lib/secrets.ts
import { SecretsManager } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManager({ region: 'us-east-1' });
let cachedKey: string | null = null;
let cacheExpiry = 0;
export async function getDeepgramKey(): Promise<string> {
// Use cached key if not expired
if (cachedKey && Date.now() < cacheExpiry) {
return cachedKey;
}
const response = await client.getSecretValue({
SecretId: 'deepgram/api-key',
});
if (!response.SecretString) {
throw new Error('Deepgram API key not found in Secrets Manager');
}
const secret = JSON.parse(response.SecretString);
cachedKey = secret.DEEPGRAM_API_KEY;
cacheExpiry = Date.now() + 300000; // 5 minute cache
return cachedKey!;
}
Secret Manager Integration (GCP)
// lib/secrets-gcp.ts
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
const client = new SecretManagerServiceClient();
export async function getDeepgramKey(): Promise<string> {
const projectId = process.env.GCP_PROJECT_ID;
const secretName = `projects/${projectId}/secrets/deepgram-api-key/versions/latest`;
const [version] = await client.accessSecretVersion({ name: secretName });
const payload = version.payload?.data?.toString();
if (!payload) {
throw new Error('Deepgram API key not found');
}
return payload;
}
Key Rotation Script
// scripts/rotate-key.ts
import { createClient } from '@deepgram/sdk';
interface KeyRotationResult {
oldKeyId: string;
newKeyId: string;
rotatedAt: Date;
}
export async function rotateDeepgramKey(
adminKey: string,
projectId: string
): Promise<KeyRotationResult> {
const client = createClient(adminKey);
// 1. Create new key
const { result: newKey, error: createError } = await client.manage.createProjectKey(
projectId,
{
comment: `Rotated key - ${new Date().toISOString()}`,
scopes: ['usage:write', 'listen:*'],
expiration_date: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), // 90 days
}
);
if (createError) throw new Error(`Failed to create key: ${createError.message}`);
// 2. Test new key
const testClient = createClient(newKey.key);
const { error: testError } = await testClient.manage.getProjects();
if (testError) {
// Rollback: delete new key
await client.manage.deleteProjectKey(projectId, newKey.key_id);
throw new Error('New key validation failed');
}
// 3. Get old key ID (from current key metadata)
const { result: keys } = await client.manage.getProjectKeys(projectId);
const oldKey = keys?.api_keys.find(k =>
k.comment?.includes('Current production key')
);
// 4. Update secret manager with new key
// (Implementation depends on your secret manager)
// 5. Delete old key after grace period
if (oldKey) {
console.log(`Old key ${oldKey.key_id} scheduled for deletion`);
// Schedule deletion for later to allow propagation
}
return {
oldKeyId: oldKey?.key_id || 'unknown',
newKeyId: newKey.key_id,
rotatedAt: new Date(),
};
}
Scoped API Keys
// Create keys with minimal required permissions
const scopedKeys = {
// Transcription-only key
transcription: {
scopes: ['listen:*'],
comment: 'Read-only transcription key',
},
// Admin key (for key management only)
admin: {
scopes: ['manage:*'],
comment: 'Administrative access only',
},
// Usage tracking key
usage: {
scopes: ['usage:read'],
comment: 'Usage monitoring only',
},
};
async function createScopedKey(
adminKey: string,
projectId: string,
keyType: keyof typeof scopedKeys
) {
const client = createClient(adminKey);
const config = scopedKeys[keyType];
const { result, error } = await client.manage.createProjectKey(
projectId,
config
);
if (error) throw error;
return result;
}
Request Sanitization
// lib/sanitize.ts
export function sanitizeAudioUrl(url: string): string {
const parsed = new URL(url);
// Only allow HTTPS
if (parsed.protocol !== 'https:') {
throw new Error('Only HTTPS URLs are allowed');
}
// Block internal/local URLs
const blockedHosts = ['localhost', '127.0.0.1', '0.0.0.0', '::1'];
if (blockedHosts.includes(parsed.hostname)) {
throw new Error('Local URLs are not allowed');
}
// Block private IP ranges
const privateRanges = [
/^10\./,
/^172\.(1[6-9]|2[0-9]|3[0-1])\./,
/^192\.168\./,
];
if (privateRanges.some(range => range.test(parsed.hostname))) {
throw new Error('Private IP addresses are not allowed');
}
return url;
}
export function sanitizeTranscriptResponse(response: unknown): unknown {
// Remove any unexpected fields that might contain sensitive data
if (typeof response !== 'object' || response === null) {
return response;
}
const allowedFields = [
'results',
'metadata',
'channels',
'alternatives',
'transcript',
'confidence',
'words',
'start',
'end',
];
const sanitized: Record<string, unknown> = {};
for (const [key, value] of Object.entries(response)) {
if (allowedFields.includes(key)) {
sanitized[key] = value;
}
}
return sanitized;
}
Audit Logging
// lib/audit.ts
interface AuditEvent {
timestamp: Date;
action: string;
projectId?: string;
requestId?: string;
userId?: string;
ipAddress?: string;
success: boolean;
metadata?: Record<string, unknown>;
}
export class AuditLogger {
private events: AuditEvent[] = [];
log(event: Omit<AuditEvent, 'timestamp'>) {
const fullEvent: AuditEvent = {
...event,
timestamp: new Date(),
};
this.events.push(fullEvent);
// In production, send to your logging service
console.log(JSON.stringify({
...fullEvent,
timestamp: fullEvent.timestamp.toISOString(),
}));
}
async transcribe(
transcribeFn: () => Promise<unknown>,
context: { userId?: string; ipAddress?: string }
) {
const startTime = Date.now();
try {
const result = await transcribeFn();
this.log({
action: 'TRANSCRIBE',
success: true,
userId: context.userId,
ipAddress: context.ipAddress,
metadata: {
durationMs: Date.now() - startTime,
},
});
return result;
} catch (error) {
this.log({
action: 'TRANSCRIBE',
success: false,
userId: context.userId,
ipAddress: context.ipAddress,
metadata: {
error: error instanceof Error ? error.message : 'Unknown error',
durationMs: Date.now() - startTime,
},
});
throw error;
}
}
}
Data Protection
// lib/data-protection.ts
import crypto from 'crypto';
// Encrypt transcripts at rest
export function encryptTranscript(transcript: string, key: Buffer): string {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
let encrypted = cipher.update(transcript, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
return JSON.stringify({
iv: iv.toString('hex'),
data: encrypted,
tag: authTag.toString('hex'),
});
}
export function decryptTranscript(encrypted: string, key: Buffer): string {
const { iv, data, tag } = JSON.parse(encrypted);
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(iv, 'hex')
);
decipher.setAuthTag(Buffer.from(tag, 'hex'));
let decrypted = decipher.update(data, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
// Redact sensitive information from transcripts
export function redactSensitiveData(transcript: string): string {
const patterns = [
// Credit card numbers
{ pattern: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, replacement: '[REDACTED-CC]' },
// SSN
{ pattern: /\b\d{3}[\s-]?\d{2}[\s-]?\d{4}\b/g, replacement: '[REDACTED-SSN]' },
// Phone numbers
{ pattern: /\b\d{3}[\s-]?\d{3}[\s-]?\d{4}\b/g, replacement: '[REDACTED-PHONE]' },
// Email addresses
{ pattern: /\b[\w.-]+@[\w.-]+\.\w+\b/g, replacement: '[REDACTED-EMAIL]' },
];
let redacted = transcript;
for (const { pattern, replacement } of patterns) {
redacted = redacted.replace(pattern, replacement);
}
return redacted;
}
Resources
Next Steps
Proceed to deepgram-prod-checklist for production deployment checklist.
More by jeremylongshore
View allrabbitmq-queue-setup
1,004Rabbitmq Queue Setup - Auto-activating skill for Backend Development. Triggers on: rabbitmq queue setup, rabbitmq queue setup Part of the Backend Development skill category.
model-evaluation-suite
1,004evaluating-machine-learning-models: This skill allows Claude to evaluate machine learning models using a comprehensive suite of metrics. It should be used when the user requests model performance analysis, validation, or testing. Claude can use this skill to assess model accuracy, precision, recall, F1-score, and other relevant metrics. Trigger this skill when the user mentions "evaluate model", "model performance", "testing metrics", "validation results", or requests a comprehensive "model evaluation".
neural-network-builder
1,004building-neural-networks: This skill allows Claude to construct and configure neural network architectures using the neural-network-builder plugin. It should be used when the user requests the creation of a new neural network, modification of an existing one, or assistance with defining the layers, parameters, and training process. The skill is triggered by requests involving terms like "build a neural network," "define network architecture," "configure layers," or specific mentions of neural network types (e.g., "CNN," "RNN," "transformer").
oauth-callback-handler
1,004Oauth Callback Handler - Auto-activating skill for API Integration. Triggers on: oauth callback handler, oauth callback handler Part of the API Integration skill category.