Hex Security Basics

Overview

Hex is a collaborative data analytics platform where notebooks query production databases, generate visualizations, and share results across teams. Security concerns center on API token management (read vs run scopes), protecting database connection credentials embedded in Hex projects, and ensuring query results containing sensitive business data are not leaked through logs or exports. A compromised run-scope token can trigger arbitrary queries against connected databases.

API Key Management

function createHexClient(scope: "read" | "run"): { token: string; baseUrl: string } {
  const envVar = scope === "run" ? "HEX_RUN_TOKEN" : "HEX_READ_TOKEN";
  const token = process.env[envVar];
  if (!token) {
    throw new Error(`Missing ${envVar} — store in secrets manager, never in code`);
  }
  // Run tokens can trigger queries — use read tokens for monitoring
  console.log(`Hex client initialized with ${scope} scope (token suffix: ${token.slice(-4)})`);
  return { token, baseUrl: "https://app.hex.tech/api/v1" };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyHexWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-hex-signature"] as string;
  const secret = process.env.HEX_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const HexRunRequestSchema = z.object({
  project_id: z.string().uuid(),
  input_params: z.record(z.string(), z.unknown()).optional(),
  notify_on_completion: z.boolean().default(false),
  update_cache: z.boolean().default(false),
});

function validateHexRunRequest(data: unknown) {
  return HexRunRequestSchema.parse(data);
}

Data Protection

const HEX_SENSITIVE_FIELDS = ["db_connection_string", "query_results", "api_token", "input_params", "export_url"];

function redactHexLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of HEX_SENSITIVE_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

• API tokens stored in secrets vault, never in code
• Read-only tokens for monitoring, run tokens for orchestration only
• Token expiration set to 90 days maximum
• Separate tokens per environment (dev/staging/prod)
• Pre-commit hook blocks hex_token_* patterns
• Database connection credentials managed in Hex workspace settings
• Query result exports reviewed for sensitive data before sharing
• Notebook sharing permissions audited per team

Error Handling

Vulnerability	Risk	Mitigation
Leaked run-scope token	Arbitrary queries against production databases	Secrets vault + least-privilege scoping
Database credentials in notebooks	Connection strings exposed to all collaborators	Hex workspace-managed connections
Query results in logs	Sensitive business data leaked	Field-level redaction pipeline
Overly broad notebook sharing	Confidential analytics visible to wrong teams	Per-notebook permission scoping
No token expiration	Indefinite access from compromised token	90-day expiration policy

Resources

• Hex API Authentication
• OWASP API Security Top 10

Next Steps

See hex-prod-checklist.