gamma-security-basics
Implement security best practices for Gamma integration. Use when securing API keys, implementing access controls, or auditing Gamma security configuration. Trigger with phrases like "gamma security", "gamma API key security", "gamma secure", "gamma credentials", "gamma access control".
Installation
Details
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
skills listSkill Instructions
name: gamma-security-basics description: | Implement security best practices for Gamma integration. Use when securing API keys, implementing access controls, or auditing Gamma security configuration. Trigger with phrases like "gamma security", "gamma API key security", "gamma secure", "gamma credentials", "gamma access control". allowed-tools: Read, Write, Edit, Grep version: 1.0.0 license: MIT author: Jeremy Longshore jeremy@intentsolutions.io
Gamma Security Basics
Overview
Security best practices for Gamma API integration to protect credentials and data.
Prerequisites
- Active Gamma integration
- Environment variable support
- Understanding of secret management
Instructions
Step 1: Secure API Key Storage
// NEVER do this
const gamma = new GammaClient({
apiKey: 'gamma_live_abc123...', // Hardcoded - BAD!
});
// DO this instead
const gamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY,
});
Environment Setup:
# .env (add to .gitignore!)
GAMMA_API_KEY=gamma_live_abc123...
# Load in application
import 'dotenv/config';
Step 2: Key Rotation Strategy
// Support multiple keys for rotation
const gamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_PRIMARY
|| process.env.GAMMA_API_KEY_SECONDARY,
});
// Rotation script
async function rotateApiKey() {
// 1. Generate new key in Gamma dashboard
// 2. Update GAMMA_API_KEY_SECONDARY
// 3. Deploy and verify
// 4. Swap PRIMARY and SECONDARY
// 5. Revoke old key
}
Step 3: Request Signing (if supported)
import crypto from 'crypto';
function signRequest(payload: object, secret: string): string {
const timestamp = Date.now().toString();
const message = timestamp + JSON.stringify(payload);
return crypto
.createHmac('sha256', secret)
.update(message)
.digest('hex');
}
// Usage with webhook verification
function verifyWebhook(body: string, signature: string, secret: string): boolean {
const expected = crypto
.createHmac('sha256', secret)
.update(body)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
Step 4: Access Control Patterns
// Scoped API keys (if supported)
const readOnlyGamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_READONLY,
scopes: ['presentations:read', 'exports:read'],
});
const fullAccessGamma = new GammaClient({
apiKey: process.env.GAMMA_API_KEY_FULL,
});
// Permission check before operations
async function createPresentation(user: User, data: object) {
if (!user.permissions.includes('gamma:create')) {
throw new Error('Insufficient permissions');
}
return fullAccessGamma.presentations.create(data);
}
Step 5: Audit Logging
import { GammaClient } from '@gamma/sdk';
function createAuditedClient(userId: string) {
return new GammaClient({
apiKey: process.env.GAMMA_API_KEY,
interceptors: {
request: (config) => {
console.log(JSON.stringify({
timestamp: new Date().toISOString(),
userId,
action: `${config.method} ${config.path}`,
type: 'gamma_api_request',
}));
return config;
},
},
});
}
Security Checklist
- API keys stored in environment variables
- .env files in .gitignore
- No keys in source code or logs
- Key rotation procedure documented
- Minimal permission scopes used
- Audit logging enabled
- Webhook signatures verified
- HTTPS enforced for all calls
Error Handling
| Security Issue | Detection | Remediation |
|---|---|---|
| Exposed key | GitHub scanning | Rotate immediately |
| Key in logs | Log audit | Filter sensitive data |
| Unauthorized access | Audit logs | Revoke and investigate |
| Weak permissions | Access review | Apply least privilege |
Resources
Next Steps
Proceed to gamma-prod-checklist for production readiness.
More by jeremylongshore
View allRabbitmq Queue Setup - Auto-activating skill for Backend Development. Triggers on: rabbitmq queue setup, rabbitmq queue setup Part of the Backend Development skill category.
evaluating-machine-learning-models: This skill allows Claude to evaluate machine learning models using a comprehensive suite of metrics. It should be used when the user requests model performance analysis, validation, or testing. Claude can use this skill to assess model accuracy, precision, recall, F1-score, and other relevant metrics. Trigger this skill when the user mentions "evaluate model", "model performance", "testing metrics", "validation results", or requests a comprehensive "model evaluation".
building-neural-networks: This skill allows Claude to construct and configure neural network architectures using the neural-network-builder plugin. It should be used when the user requests the creation of a new neural network, modification of an existing one, or assistance with defining the layers, parameters, and training process. The skill is triggered by requests involving terms like "build a neural network," "define network architecture," "configure layers," or specific mentions of neural network types (e.g., "CNN," "RNN," "transformer").
Oauth Callback Handler - Auto-activating skill for API Integration. Triggers on: oauth callback handler, oauth callback handler Part of the API Integration skill category.