Skip to main content
AI/MLjeremylongshore

hootsuite-security-basics

'Apply Hootsuite security best practices for secrets and access control.

Stars
2,267
Source
jeremylongshore/claude-code-plugins-plus-skills
Updated
2026-05-31
Slug
jeremylongshore--claude-code-plugins-plus-skills--hootsuite-security-basics
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/HEAD/plugins/saas-packs/hootsuite-pack/skills/hootsuite-security-basics/SKILL.md -o .claude/skills/hootsuite-security-basics.md

Drops the SKILL.md into .claude/skills/hootsuite-security-basics.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Hootsuite Security Basics

Credential Inventory

Credential Scope Rotation
Client ID App-level Never (app identifier)
Client Secret App-level Rotate if compromised
Access Token User session Auto-expires (~1 hour)
Refresh Token User session Rotate on each refresh

Instructions

Step 1: Secure Token Storage

# .env (never commit)
HOOTSUITE_CLIENT_ID=app_client_id
HOOTSUITE_CLIENT_SECRET=app_secret
HOOTSUITE_ACCESS_TOKEN=current_token
HOOTSUITE_REFRESH_TOKEN=refresh_token

Step 2: Token Refresh Security

// Always use HTTPS for token exchange
// Store refresh tokens encrypted at rest
// Rotate refresh tokens on each use (Hootsuite returns new ones)
async function secureRefresh(refreshToken: string) {
  const res = await fetch('https://platform.hootsuite.com/oauth2/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': `Basic ${Buffer.from(`${process.env.HOOTSUITE_CLIENT_ID}:${process.env.HOOTSUITE_CLIENT_SECRET}`).toString('base64')}`,
    },
    body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }),
  });
  const tokens = await res.json();
  // Store new refresh_token, discard old one
  return tokens;
}

Step 3: Security Checklist

  • Client secret in secrets vault, never in code
  • Access tokens never logged or exposed
  • Refresh tokens stored encrypted
  • HTTPS for all OAuth requests
  • Pre-commit hook blocks HOOTSUITE_ credential leaks
  • Separate OAuth apps for dev/staging/prod

Resources

Next Steps

For production, see hootsuite-prod-checklist.