How does this skill help with Klaviyo API keys?

It provides specific guidance on distinguishing between public and private keys, storing them in environment variables, and implementing a zero-downtime rotation process to ensure security.

What is 'least-privilege' in the context of Klaviyo?

It refers to assigning only the specific API scopes (such as profiles:read) required for a particular environment or task, minimizing the potential impact if a key is ever compromised.

Can this skill help if I have accidentally leaked an API key?

Yes, it provides detection methods using tools like git scanning and outlines a clear mitigation plan to revoke, rotate, and audit your configuration after a secret leak.

Does it include code for webhook verification?

Yes, the skill includes optimized TypeScript and Node.js snippets for HMAC-SHA256 signature verification to ensure incoming Klaviyo webhooks are authentic and haven't been tampered with.

Klaviyo Security Best Practices

Name: Klaviyo Security Best Practices
Author: jeremylongshore

byjeremylongshore

•

2,028

•

Marketing Automation

Implements secure Klaviyo API integrations through robust key management, webhook verification, and secret rotation procedures.

This skill equips Claude Code with the domain-specific knowledge required to secure Klaviyo implementations against unauthorized access and data leaks. It provides detailed patterns for managing private and public API keys, configuring environment variables for different environments, and implementing least-privilege OAuth scopes. Developers can use this skill to generate HMAC-SHA256 webhook signature verification code, perform security audits on their codebase, and execute zero-downtime API key rotation to maintain a high security posture in their marketing automation stack.

Key Features

01HMAC-SHA256 webhook signature verification patterns for Express and TypeScript

02Least-privilege scope recommendations for dev, staging, and production

03Automated environment variable configuration for secure secret management

04Standardized zero-downtime API key rotation procedures

052,028 GitHub stars

06Security auditing checklist to detect leaked keys and excessive permissions

Use Cases

01Securing a new Klaviyo integration with validated environment variable loading

02Implementing middleware to verify authentic Klaviyo webhook payloads

03Rotating production API keys without disrupting live marketing flows

Key Features

01HMAC-SHA256 webhook signature verification patterns for Express and TypeScript

02Least-privilege scope recommendations for dev, staging, and production

03Automated environment variable configuration for secure secret management

04Standardized zero-downtime API key rotation procedures

052,028 GitHub stars

06Security auditing checklist to detect leaked keys and excessive permissions

Use Cases

01Securing a new Klaviyo integration with validated environment variable loading

02Implementing middleware to verify authentic Klaviyo webhook payloads

03Rotating production API keys without disrupting live marketing flows