Security practices for Lokalise integrations: API token management with scoped permissions, translation content sanitization, CI/CD secret handling, webhook secret verification, and audit logging. Lokalise handles translation strings that may contain user-facing content, interpolation variables, and occasionally PII embedded in keys or values.
Lokalise API tokens are either read-only or read-write. Create separate tokens per use case to enforce least privilege.
import { LokaliseApi } from "@lokalise/node-api";
// Token strategy: separate tokens per context
const TOKENS = {
// CI download pipeline — read-only token
ciDownload: process.env.LOKALISE_READ_TOKEN,
// CI upload pipeline — read-write token
ciUpload: process.env.LOKALISE_WRITE_TOKEN,
// Admin operations (contributor management, webhooks) — admin token
admin: process.env.LOKALISE_ADMIN_TOKEN,
} as const;
function getClient(scope: keyof typeof TOKENS): LokaliseApi {
const token = TOKENS[scope];
if (!token) {
throw new Error(
`LOKALISE_${scope.toUpperCase()}_TOKEN not set. ` +
`Generate at https://app.lokalise.com/profile#apitokens`
);
}
return new LokaliseApi({ apiKey: token, enableCompression: true });
}
// Download translations — uses read-only token
const readClient = getClient("ciDownload");
const bundle = await readClient.files().download(projectId, {
format: "json",
original_filenames: false,
bundle_structure: "%LANG_ISO%.json",
});
Translation strings may contain interpolation variables, HTML, or user-generated content. Validate before rendering.
interface ValidationIssue {
key: string;
severity: "critical" | "warning";
message: string;
}
function validateTranslation(key: string, value: string): ValidationIssue[] {
const issues: ValidationIssue[] = [];
// XSS: Check for script injection in translations
if (/<script|javascript:|on\w+=/i.test(value)) {
issues.push({ key, severity: "critical", message: "Potential XSS payload" });
}
// Credential leak: Check for secrets in translation values
if (/(api_key|password|secret|token)\s*[:=]/i.test(value)) {
issues.push({ key, severity: "critical", message: "Possible credential in value" });
}
// Placeholder integrity: Ensure ICU/i18next placeholders are well-formed
const placeholders = value.match(/\{[^}]+\}|\{\{[^}]+\}\}/g) ?? [];
for (const p of placeholders) {
if (/[<>'"]/.test(p)) {
issues.push({ key, severity: "warning", message: `Suspicious placeholder: ${p}` });
}
}
return issues;
}
// Validate all translations after download
import { readFileSync } from "fs";
function auditTranslationFile(filePath: string): ValidationIssue[] {
const data: Record<string, string> = JSON.parse(
readFileSync(filePath, "utf-8")
);
return Object.entries(data).flatMap(([key, value]) =>
validateTranslation(key, value)
);
}
const issues = auditTranslationFile("./src/locales/de.json");
const critical = issues.filter((i) => i.severity === "critical");
if (critical.length > 0) {
console.error("CRITICAL security issues found in translations:");
critical.forEach((i) => console.error(` ${i.key}: ${i.message}`));
process.exit(1);
}
Lokalise sends a random alphanumeric secret in the X-Secret header. Always verify it.
import express from "express";
const WEBHOOK_SECRET = process.env.LOKALISE_WEBHOOK_SECRET!;
function verifyWebhookSecret(
req: express.Request,
res: express.Response,
next: express.NextFunction
): void {
const secret = req.headers["x-secret"] as string | undefined;
if (!secret || secret !== WEBHOOK_SECRET) {
console.error("Webhook secret verification failed", {
ip: req.ip,
path: req.path,
hasSecret: !!secret,
});
res.status(401).json({ error: "Invalid webhook secret" });
return;
}
next();
}
# GitHub Actions: use repository secrets, never hardcode tokens
name: Sync Translations
on:
push:
branches: [main]
paths: ['src/locales/en.json']
jobs:
sync:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Pull translations
env:
LOKALISE_API_TOKEN: ${{ secrets.LOKALISE_READ_TOKEN }}
LOKALISE_PROJECT_ID: ${{ vars.LOKALISE_PROJECT_ID }}
run: |
# Token is masked in logs by GitHub Actions
lokalise2 file download \
--token "$LOKALISE_API_TOKEN" \
--project-id "$LOKALISE_PROJECT_ID" \
--format json \
--original-filenames=false \
--bundle-structure "%LANG_ISO%.json" \
--unzip-to ./src/locales/
#!/bin/bash
# scripts/scan-secrets.sh — Run in CI or as pre-commit hook
set -euo pipefail
echo "=== Lokalise Token Security Scan ==="
# Check for hardcoded tokens in source files
HARDCODED=$(grep -rn "X-Api-Token\|apiKey.*['\"][a-f0-9]\{32,\}" \
--include="*.ts" --include="*.js" --include="*.json" --include="*.yml" \
src/ .github/ 2>/dev/null \
| grep -v node_modules \
| grep -v "process.env\|secrets\.\|vars\.\|\${{" || true)
if [[ -n "$HARDCODED" ]]; then
echo "FAIL: Potential hardcoded token found:"
echo "$HARDCODED"
exit 1
fi
# Verify .env files are gitignored
if ! grep -q "\.env" .gitignore 2>/dev/null; then
echo "WARN: .env not in .gitignore — add it immediately"
fi
# Check git history for leaked tokens
HISTORY_LEAK=$(git log --all -p --diff-filter=A -- '*.env' '*.env.*' 2>/dev/null \
| grep -i "LOKALISE_API_TOKEN=" | head -3 || true)
if [[ -n "$HISTORY_LEAK" ]]; then
echo "CRITICAL: Token found in git history. Rotate immediately."
echo " Use 'git filter-repo' to remove, then rotate the token."
exit 1
fi
echo "PASS: No hardcoded tokens detected"
interface TranslationAuditEntry {
timestamp: string;
projectId: string;
key: string;
locale: string;
userId: string;
action: "create" | "update" | "delete";
// Never log actual content — may contain PII
oldLength: number;
newLength: number;
}
function logTranslationChange(entry: TranslationAuditEntry): void {
// Ship to your logging backend (Datadog, CloudWatch, etc.)
console.log(JSON.stringify({
level: "info",
event: "translation_change",
...entry,
}));
}
| Issue | Cause | Solution |
|---|---|---|
| Token leaked in CI logs | Token in command output | Use env variables; GitHub Actions auto-masks secrets |
| XSS via translations | Unsanitized translation rendered as HTML | Validate with validateTranslation() before use |
| Overprivileged access | Using admin token for read-only operations | Create scoped tokens per use case |
| Unauthorized changes | No audit trail | Register webhook for project.translation.updated events |
| Token in git history | Committed .env file | Rotate token immediately, use git filter-repo to scrub |
For enterprise-level access control with SSO and contributor groups, see lokalise-enterprise-rbac.