Security best practices for Windsurf API keys, tokens, and access control.
# .env (NEVER commit to git)
WINDSURF_API_KEY=sk_live_***
WINDSURF_SECRET=***
# .gitignore
.env
.env.local
.env.*.local
set -euo pipefail
# 1. Generate new key in Windsurf dashboard
# 2. Update environment variable
export WINDSURF_API_KEY="new_key_here"
# 3. Verify new key works
curl -H "Authorization: Bearer ${WINDSURF_API_KEY}" \
https://api.windsurf.com/health
# 4. Revoke old key in dashboard
| Environment | Recommended Scopes |
|---|---|
| Development | read:* |
| Staging | read:*, write:limited |
| Production | Only required scopes |
| Security Issue | Detection | Mitigation |
|---|---|---|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |
const clients = {
reader: new WindsurfClient({
apiKey: process.env.WINDSURF_READ_KEY,
}),
writer: new WindsurfClient({
apiKey: process.env.WINDSURF_WRITE_KEY,
}),
};
import crypto from 'crypto';
function verifyWebhookSignature(
payload: string, signature: string, secret: string
): boolean {
const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
.env files in .gitignore
interface AuditEntry {
timestamp: Date;
action: string;
userId: string;
resource: string;
result: 'success' | 'failure';
metadata?: Record<string, any>;
}
async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
const log: AuditEntry = { ...entry, timestamp: new Date() };
// Log to Windsurf analytics
await windsurfClient.track('audit', log);
// Also log locally for compliance
console.log('[AUDIT]', JSON.stringify(log));
}
// Usage
await auditLog({
action: 'windsurf.api.call',
userId: currentUser.id,
resource: '/v1/resource',
result: 'success',
});
For production deployment, see windsurf-prod-checklist.