Clari Security Basics
Overview
Secure your Clari integration: API token management, exported data PII handling, and access control best practices.
Instructions
Step 1: Token Management
# Store token in secrets manager
aws secretsmanager create-secret \
  --name "clari/prod/api-token" \
  --secret-string "${CLARI_API_KEY}"

# In CI/CD, load from secrets
export CLARI_API_KEY="$(aws secretsmanager get-secret-value \
  --secret-id "clari/prod/api-token" --query SecretString --output text)"
Rotation: Clari API tokens are generated per-user. To rotate, generate a new token in User Settings, update all consumers, then discard the old one.
Step 2: Exported Data PII Handling
Clari export data contains PII (rep names, emails, deal amounts):
import hashlib


def redact_pii(entries: list[dict]) -> list[dict]:
    """Redact PII from forecast entries for non-production use."""
    redacted = []
    for entry in entries:
        r = entry.copy()  # shallow copy so the caller's entry is not modified
        if "ownerEmail" in r:
            # Replace the address with a truncated SHA-256 digest
            r["ownerEmail"] = hashlib.sha256(
                r["ownerEmail"].encode()
            ).hexdigest()[:12] + "@redacted"
        if "ownerName" in r:
            # Replace the name with a short digest-based label
            r["ownerName"] = f"Rep-{hashlib.sha256(r['ownerName'].encode()).hexdigest()[:6]}"
        redacted.append(r)
    return redacted
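The digests above are unkeyed, so anyone who already has a rep's address can recompute the same pseudonym and link the record back to that person. The following added example (not from the original page or from Clari) pseudonymizes the same ownerEmail and ownerName fields with a keyed HMAC instead. The function names, DEMO_KEY and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. In practice, load a random key of 32+ bytes from the
# secrets manager (as in Step 1) and never store it beside the exported data.
DEMO_KEY = bytes(range(32))

# Constructed sample entries using the two field names from the page.
SAMPLE = [
    {"ownerEmail": "rep.one@example.com", "ownerName": "Rep One"},
    {"ownerEmail": "rep.two@example.com", "ownerName": "Rep Two"},
]


def _tag(key: bytes, field: str, value: str, length: int) -> str:
    """Keyed digest of one field value; the field label separates namespaces."""
    # Normalize case and whitespace so the same person always maps to one tag.
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def pseudonymize(entries: list[dict], key: bytes) -> list[dict]:
    """Replace ownerEmail/ownerName with HMAC-derived pseudonyms."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    out = []
    for entry in entries:
        r = entry.copy()  # leave the caller's entry untouched
        if r.get("ownerEmail"):
            r["ownerEmail"] = _tag(key, "email", r["ownerEmail"], 16) + "@redacted"
        if r.get("ownerName"):
            r["ownerName"] = "Rep-" + _tag(key, "name", r["ownerName"], 8)
        out.append(r)
    return out


def recomputable_without_key(original_email: str, pseudonym: str) -> bool:
    """Audit check: True if the pseudonym follows from the address alone,
    as it does with the unkeyed truncated SHA-256 scheme."""
    unkeyed = hashlib.sha256(original_email.encode()).hexdigest()[:12] + "@redacted"
    return hmac.compare_digest(unkeyed, pseudonym)
```

The mapping stays stable across exports for as long as the key is unchanged, so joins on the pseudonymized fields still work; rotating the key breaks that linkage.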
Step 3: Security Checklist
- [ ] API token in secrets manager, not in code
- [ ] .env files in .gitignore
- [ ] Exported data stored in access-controlled warehouse
- [ ] PII redacted in non-production environments
- [ ] Export download URLs are temporary -- do not cache
- [ ] Audit who has API token access
- [ ] Token regenerated if any team member leaves
Next Steps
For production deployment, see clari-prod-checklist.