登录
下载
技能 编程开发 SalesLoft API安全集成指南

SalesLoft API安全集成指南

v20260423
salesloft-security-basics
本指南详细介绍了SalesLoft API的安全最佳实践。内容涵盖OAuth令牌的生命周期管理、使用HMAC-SHA256验证Webhook签名以防重放攻击,以及遵循最小权限原则。适用于设计和实现生产级的、高安全要求的企业级API集成。
SalesLoft 安全 OAuth API Webhook 密钥 TypeScript 集成
获取技能
320 次下载
概览

SalesLoft Security Basics

Overview

Secure SalesLoft API integrations: OAuth token management, webhook signature verification, secret storage, and scope-based access control. SalesLoft uses OAuth 2.0 bearer tokens and HMAC-SHA256 webhook signatures.

Instructions

Step 1: Secret Storage

# .gitignore -- NEVER commit credentials
.env
.env.local
.env.*.local

# .env
SALESLOFT_CLIENT_ID=app-client-id
SALESLOFT_CLIENT_SECRET=app-secret
SALESLOFT_WEBHOOK_SECRET=webhook-signing-secret

// Validate secrets at startup
const required = ['SALESLOFT_CLIENT_ID', 'SALESLOFT_CLIENT_SECRET'];
for (const key of required) {
  if (!process.env[key]) throw new Error(`Missing required env: ${key}`);
}

Step 2: Token Lifecycle Management

// Store tokens securely with expiry tracking
interface TokenStore {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // Unix timestamp
}

async function getValidToken(store: TokenStore): Promise<string> {
  // Refresh 5 minutes before expiry
  if (Date.now() > (store.expiresAt - 300) * 1000) {
    const refreshed = await refreshAccessToken(store.refreshToken);
    store.accessToken = refreshed.access_token;
    store.refreshToken = refreshed.refresh_token;
    store.expiresAt = Math.floor(Date.now() / 1000) + refreshed.expires_in;
    await persistTokenStore(store); // Save to DB or secret manager
  }
  return store.accessToken;
}

Step 3: Webhook Signature Verification

import crypto from 'crypto';

function verifyWebhookSignature(
  rawBody: Buffer,
  signature: string,
  timestamp: string,
  secret: string,
): boolean {
  // Reject stale webhooks (replay attack prevention)
  const age = Math.abs(Date.now() / 1000 - parseInt(timestamp));
  if (age > 300) return false; // 5-minute window

  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody.toString()}`)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature), Buffer.from(expected)
  );
}

Step 4: OAuth Scope Minimization

Use Case Required Scopes Avoid
Read-only dashboard people:read, cadences:read *:write
Cadence enrollment people:read, cadence_memberships:create admin
Full sync people:*, cadences:*, activities:read Team admin scopes

Step 5: Security Checklist

  • OAuth tokens stored in secret manager (not env files in prod)
  • Refresh tokens encrypted at rest
  • Webhook endpoints verify signatures before processing
  • .env files in .gitignore
  • Different OAuth apps for dev/staging/prod
  • Token refresh runs before expiry (not after 401)
  • API logs monitored for unusual access patterns

Error Handling

Issue Detection Response
Token leaked in git GitHub secret scanning alerts Revoke immediately, rotate
Webhook replay attack Timestamp > 5 min old Reject request
Brute force on webhook High 401 rate Rate limit webhook endpoint

Resources

Next Steps

For production deployment, see salesloft-prod-checklist.

信息
Category 编程开发
Name salesloft-security-basics
版本 v20260423
大小 3.91KB
Source jeremylongshore/claude-code-plugins-plus-skills
更新时间 2026-04-28
语言
简体中文
English