Guidewire Security Implementation Guide

v20260423

guidewire-security-basics

This guide outlines critical security measures for integrating with Guidewire systems, which handle sensitive policyholder PII, claims, and financial data. It covers best practices for implementing OAuth2 JWT authentication, API role scoping, input validation, and sensitive data redaction (PII) to prevent data breaches and meet compliance standards.

Guidewire Security OAuth2 API Insurance PII TypeScript Coding

Get Skill

264 downloads

Overview

Guidewire Security Basics

Overview

Guidewire manages insurance policy administration, claims processing, and billing containing policyholder PII (SSNs, driver's license numbers, medical records for claims), financial settlement data, and adjuster notes. A breach exposes claimant personal information, policy terms, and payment histories across the entire insurance book of business. Secure OAuth2 JWT tokens, Cloud API roles, Gosu custom code, and any integration touching policy or claims data.

API Key Management

function createGuidewireClient(): { token: string; baseUrl: string } {
  const clientId = process.env.GUIDEWIRE_CLIENT_ID;
  const clientSecret = process.env.GUIDEWIRE_CLIENT_SECRET;
  const tokenUrl = process.env.GUIDEWIRE_TOKEN_URL;
  if (!clientId || !clientSecret || !tokenUrl) {
    throw new Error("Missing GUIDEWIRE_CLIENT_ID, CLIENT_SECRET, or TOKEN_URL");
  }
  // OAuth2 tokens are short-lived JWTs — never cache beyond expiry
  console.log("Guidewire OAuth2 client initialized for:", tokenUrl);
  return { token: "", baseUrl: process.env.GUIDEWIRE_API_URL! };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyGuidewireWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-guidewire-signature"] as string;
  const secret = process.env.GUIDEWIRE_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const ClaimSchema = z.object({
  claim_number: z.string().regex(/^CLM-\d{8,12}$/),
  policy_number: z.string().regex(/^POL-\d{8,12}$/),
  claimant_id: z.string().uuid(),
  loss_date: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  loss_type: z.enum(["auto", "property", "liability", "workers_comp", "medical"]),
  reserve_amount: z.number().nonnegative().max(10_000_000),
});

function validateClaimData(data: unknown) {
  return ClaimSchema.parse(data);
}

Data Protection

const GUIDEWIRE_PII_FIELDS = ["ssn", "drivers_license", "medical_records", "bank_account", "claimant_dob", "adjuster_notes"];

function redactGuidewireLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of GUIDEWIRE_PII_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

OAuth2 client credentials stored in secrets manager
JWT tokens treated as short-lived, never cached beyond expiry
API roles assigned per-endpoint in GCC (least privilege)
Policyholder SSN and medical data never logged
SAML SSO enforced for Jutro frontend access
Gosu custom code uses ServerUtil for auth, never hardcoded credentials
PII encrypted in custom entities
Claims data access audited per adjuster

Error Handling

Vulnerability	Risk	Mitigation
Leaked OAuth2 credentials	Full policy and claims data access	Secrets manager + short-lived JWTs
Overly broad API roles	Adjuster accesses unrelated claims	Per-endpoint GCC role scoping
PII in Gosu logs	Policyholder SSN/medical data exposure	Field-level redaction in custom code
Hardcoded credentials in Gosu	Credential theft from source code	`ServerUtil` auth + code review gates
Unencrypted claims data	Insurance regulatory violation	Encryption at rest for custom entities

Resources

Next Steps

See guidewire-prod-checklist.

Info

Category Development

Name guidewire-security-basics

Version v20260423

Size 6.4KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-28