Essential security practices for TwinMind integrations covering API key management, webhook verification, data encryption, access control, privacy configuration, and audit logging.
Store keys in environment variables or a secrets manager (GCP Secret Manager, AWS Secrets Manager). Never hardcode credentials. Use .env files (gitignored) with .env.example templates committed to the repo; the template carries variable names and placeholder values only, never real keys.
Verify the x-twinmind-signature header by recomputing the HMAC-SHA256 over the raw request body (the bytes as received, before JSON parsing; a re-serialised body changes whitespace and key order and breaks the MAC) and comparing with crypto.timingSafeEqual to prevent timing attacks. timingSafeEqual throws on buffers of unequal length, so check the header's format and length first. Reject requests with missing, malformed, or invalid signatures before doing any processing.
Use AES-256-GCM for transcripts at rest, with a fresh random 96-bit IV for every record; reusing an IV under the same key breaks both confidentiality and integrity in GCM. Store the IV and authentication tag alongside the ciphertext (neither is secret), and treat any authentication failure on decrypt as tampering rather than as a corrupt record to repair. Keep the key in an environment variable populated from a secrets manager, or wrapped by a KMS, never next to the data it protects.
Define Permission enums (transcripts:read, transcripts:write, settings:manage, admin:*) and Express middleware (requirePermission) to enforce RBAC on every route, denying by default. Match permissions exactly, with admin:* as the only wildcard, so an old grant never silently covers a permission added later.
Create a PrivacyConfig interface controlling audio storage (default: never stored), transcript retention days, encryption, local processing, PII redaction patterns (SSN, credit card, email).
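A PrivacyConfig object and the redaction it drives, added here as an example and not taken from TwinMind. The page fixes only one default (audio never stored); the 30-day retention and the other field names are assumptions for illustration. Card numbers are redacted only when they pass a Luhn check, which keeps order numbers and internal ids out of the redaction; the sample transcript line is constructed.

```javascript
// Added example (not TwinMind's code): PrivacyConfig with PII redaction and a
// retention check. The 30-day retention default is an assumption; the page only
// states that audio is never stored by default.
const DEFAULT_PRIVACY_CONFIG = Object.freeze({
  storeAudio: false,            // audio is never persisted unless explicitly enabled
  transcriptRetentionDays: 30,  // assumed default
  encryptTranscripts: true,
  localProcessingOnly: false,
  piiPatterns: ['ssn', 'creditCard', 'email'],
});

// Luhn checksum: a 13-16 digit run is treated as a card number only if it passes,
// so order numbers and similar ids are left readable.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

const PII_PATTERNS = {
  ssn: { regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: '[SSN]' },
  creditCard: {
    regex: /\b(?:\d[ -]?){12,15}\d\b/g,       // 13-16 digits, optional space/dash groups
    replacement: '[CARD]',
    validate: (m) => luhnValid(m.replace(/[ -]/g, '')),
  },
  email: { regex: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, replacement: '[EMAIL]' },
};

// Redact every enabled pattern. Returns the cleaned text plus per-pattern counts,
// so a caller can log that PII was found without logging what it was.
function redactPII(text, config = DEFAULT_PRIVACY_CONFIG) {
  const hits = {};
  let out = text;
  for (const name of config.piiPatterns) {
    const p = PII_PATTERNS[name];
    if (!p) throw new Error(`unknown PII pattern: ${name}`);
    out = out.replace(p.regex, (match) => {
      if (p.validate && !p.validate(match)) return match; // e.g. Luhn fails: keep it
      hits[name] = (hits[name] || 0) + 1;
      return p.replacement;
    });
  }
  return { text: out, hits };
}

// Retention: true when a transcript stored at storedAt has outlived the window and
// should be deleted by the cleanup job.
function retentionExpired(storedAt, config = DEFAULT_PRIVACY_CONFIG, now = new Date()) {
  const ageMs = now.getTime() - new Date(storedAt).getTime();
  return ageMs > config.transcriptRetentionDays * 24 * 60 * 60 * 1000;
}

// Constructed transcript line: one of each PII class plus a Luhn-invalid 16-digit id.
const sampleLine =
  'Reach me at jane.doe@example.com; SSN 123-45-6789; card 4111 1111 1111 1111; order 1234 5678 9012 3456.';
console.log(redactPII(sampleLine));
// { text: 'Reach me at [EMAIL]; SSN [SSN]; card [CARD]; order 1234 5678 9012 3456.',
//   hits: { ssn: 1, creditCard: 1, email: 1 } }
console.log(retentionExpired('2024-01-01T00:00:00Z', DEFAULT_PRIVACY_CONFIG, new Date('2024-02-15T00:00:00Z'))); // true
```

Run redaction before the transcript is persisted or sent to any third party, and keep the pattern list in the config so a deployment can tighten it without a code change.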
Build an AuditLogger class that records userId, action, resource, timestamp, IP address, and user agent for all sensitive operations, denied attempts included. Persist to a logging service separate from the application's own database, so a compromised application cannot quietly rewrite its own trail.
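The RBAC middleware and audit logger from the two points above, combined in one added example (not TwinMind's code): requirePermission makes a deny-by-default decision, writes an audit entry for every decision including denials, and only then calls the route. It is plain Node rather than a TypeScript enum so it runs as-is; the logging-service sink is an injected function and the users and requests are constructed.

```javascript
// Added example (not TwinMind's code): permission constants, a pure authorization
// decision, an AuditLogger, and a requirePermission middleware that records every
// decision. The sink is injected so no logging service is needed to run this.
const Permission = Object.freeze({
  TRANSCRIPTS_READ: 'transcripts:read',
  TRANSCRIPTS_WRITE: 'transcripts:write',
  SETTINGS_MANAGE: 'settings:manage',
  ADMIN_ALL: 'admin:*',
});

// Exact match only, except the admin wildcard. No prefix or regex matching, so a
// permission string added later is never accidentally covered by an old grant.
function grants(granted, required) {
  return granted === Permission.ADMIN_ALL || granted === required;
}

// Pure decision, separated from HTTP so it can be unit-tested.
// Deny by default: no user -> 401, user lacking the permission -> 403.
function decide(user, required) {
  if (!user) return { status: 401, allowed: false };
  const perms = Array.isArray(user.permissions) ? user.permissions : [];
  return perms.some((p) => grants(p, required))
    ? { status: 200, allowed: true }
    : { status: 403, allowed: false };
}

class AuditLogger {
  // sink: function(entry) that ships the entry to the logging service (assumed interface)
  constructor(sink) { this.sink = sink; }

  record({ req, action, resource, outcome }) {
    const entry = {
      timestamp: new Date().toISOString(),
      userId: req.user ? req.user.id : null,
      action,
      resource,
      outcome,
      // Behind a load balancer req.ip is only meaningful if Express 'trust proxy' is set.
      ip: req.ip || null,
      userAgent: (req.headers && req.headers['user-agent']) || null,
    };
    this.sink(entry);
    return entry;
  }
}

// Middleware factory: decide, audit the decision (denials included), then either
// short-circuit with the status code or hand off to the route handler.
function requirePermission(required, audit) {
  return function (req, res, next) {
    const decision = decide(req.user, required);
    audit.record({
      req,
      action: required,
      resource: `${req.method} ${req.originalUrl || req.url}`,
      outcome: decision.allowed ? 'allowed' : 'denied',
    });
    if (!decision.allowed) {
      const error = decision.status === 401 ? 'authentication required' : 'forbidden';
      return res.status(decision.status).json({ error });
    }
    return next();
  };
}

// Constructed demo: an in-memory array stands in for the logging service.
const demoTrail = [];
const demoAudit = new AuditLogger((entry) => demoTrail.push(entry));
const demoGuard = requirePermission(Permission.TRANSCRIPTS_WRITE, demoAudit);
const demoRes = { code: 200, status(c) { this.code = c; return this; }, json() { return this; } };
const viewer = { id: 'u-viewer', permissions: [Permission.TRANSCRIPTS_READ] };
demoGuard(
  { user: viewer, method: 'DELETE', url: '/transcripts/42', ip: '203.0.113.9', headers: { 'user-agent': 'demo/1.0' } },
  demoRes,
  () => console.log('route handler ran'),   // not reached for a viewer
);
console.log(demoRes.code, demoTrail[0].outcome, demoTrail[0].userId); // 403 'denied' 'u-viewer'
```

Apply the guard per route (app.delete('/transcripts/:id', requirePermission(Permission.TRANSCRIPTS_WRITE, audit), handler)) after authentication has populated req.user; the audit entry is written before the response so a crash in the handler still leaves a record of the attempt.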
See detailed implementation for complete security code including encryption, webhook verification, RBAC middleware, and audit logging.
| Issue | Cause | Solution |
|---|---|---|
| API key exposed | Hardcoded secret | Rotate the key immediately, purge it from git history, review audit logs for misuse |
| Webhook unverified | Missing middleware | Verify the signature on every delivery before any processing |
| PII leaked | Missing redaction | Enable PII patterns before persistence, encrypt transcripts at rest |
| Unauthorized access | No RBAC | Implement permission middleware |
Basic usage: Apply twinmind security basics to a standard project setup with default configuration options.
Advanced scenario: Customize twinmind security basics for production environments with multiple constraints and team-specific requirements.
For production deployment, see twinmind-prod-checklist.