
clari-security-basics

Secure Clari API tokens and implement data handling best practices.

Stars
2,267
Source
jeremylongshore/claude-code-plugins-plus-skills
Updated
2026-05-31
Slug
jeremylongshore--claude-code-plugins-plus-skills--clari-security-basics

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/HEAD/plugins/saas-packs/clari-pack/skills/clari-security-basics/SKILL.md -o .claude/skills/clari-security-basics.md

Drops the SKILL.md into .claude/skills/clari-security-basics.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Clari Security Basics

Overview

Secure your Clari integration: API token management, exported data PII handling, and access control best practices.

Instructions

Step 1: Token Management

# Store token in secrets manager
aws secretsmanager create-secret \
  --name "clari/prod/api-token" \
  --secret-string "${CLARI_API_KEY}"

# In CI/CD, load from secrets
# Assign first, then export, so a failed lookup is not masked by `export`
CLARI_API_KEY="$(aws secretsmanager get-secret-value \
  --secret-id "clari/prod/api-token" --query SecretString --output text)"
export CLARI_API_KEY

Rotation: Clari API tokens are generated per-user. To rotate, generate a new token in User Settings, update all consumers, then discard the old one.

Step 2: Exported Data PII Handling

Clari export data contains PII (rep names, emails, deal amounts). The function below replaces owner emails and names with truncated SHA-256 digests:

import hashlib


def redact_pii(entries: list[dict]) -> list[dict]:
    """Redact PII from forecast entries for non-production use."""
    redacted = []
    for entry in entries:
        r = entry.copy()  # shallow copy so the caller's entry is not modified
        # Replace the email with a truncated SHA-256 digest; skip missing or empty values
        if r.get("ownerEmail"):
            r["ownerEmail"] = hashlib.sha256(
                r["ownerEmail"].encode()
            ).hexdigest()[:12] + "@redacted"
        # Replace the rep name with a short digest-based label
        if r.get("ownerName"):
            r["ownerName"] = f"Rep-{hashlib.sha256(r['ownerName'].encode()).hexdigest()[:6]}"
        redacted.append(r)
    return redacted
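
An added example, not part of the original skill: a keyed variant of the redaction above. A plain SHA-256 of an email can be recomputed by anyone who can guess the address, so this version uses HMAC-SHA256 with a secret key, assumed to be loaded from the secrets manager as in Step 1. The names `pseudonym` and `redact_pii_keyed`, the 32-byte key minimum, the lowercase normalization and the sample records are assumptions.

```python
import hashlib
import hmac

# Field names come from the page's redact_pii example; templates mirror its output shape.
PII_FIELDS = {"ownerEmail": "{}@redacted", "ownerName": "Rep-{}"}

# Constructed sample records (not real Clari output); "amount" is a made-up field.
SAMPLE = [
    {"ownerEmail": "Ana.Ruiz@example.com", "ownerName": "Ana Ruiz", "amount": 1000},
    {"ownerEmail": " ana.ruiz@example.com ", "ownerName": "Ana Ruiz", "amount": 2500},
    {"ownerEmail": None, "amount": 10},
]


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed token: same value and key always give the same token."""
    # Assumption: trimming and lowercasing keeps joins stable across case variants.
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def redact_pii_keyed(entries: list[dict], key: bytes) -> list[dict]:
    """Pseudonymize PII fields with HMAC so tokens cannot be recomputed without the key."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    redacted = []
    for entry in entries:
        r = dict(entry)  # shallow copy; the caller's records stay untouched
        for field, template in PII_FIELDS.items():
            value = r.get(field)
            if isinstance(value, str) and value:
                r[field] = template.format(pseudonym(value, key))
            elif value is not None:
                r[field] = None  # empty or non-string value: blank it rather than pass it on
        redacted.append(r)
    return redacted


if __name__ == "__main__":
    demo_key = b"k" * 32  # constructed key for the demo only; load a real one from secrets
    for row in redact_pii_keyed(SAMPLE, demo_key):
        print(row)
```

Use a different key per non-production environment so tokens from one copy of the data cannot be joined against another.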

Step 3: Security Checklist

  • API token in secrets manager, not in code
  • .env files in .gitignore
  • Exported data stored in access-controlled warehouse
  • PII redacted in non-production environments
  • Export download URLs are temporary -- do not cache
  • Audit who has API token access
  • Token regenerated if any team member leaves

Resources

Next Steps

For production deployment, see clari-prod-checklist.