Hootsuite Security Basics Skill

Hootsuite Security Basics

Credential Inventory

| Credential | Scope | Rotation | |-----------|-------|----------| | Client ID | App-level | Never (app identifier) | | Client Secret | App-level | Rotate if compromised | | Access Token | User session | Auto-expires (~1 hour) | | Refresh Token | User session | Rotate on each refresh |

Instructions

Step 1: Secure Token Storage

# .env (never commit)
HOOTSUITE_CLIENT_ID=app_client_id
HOOTSUITE_CLIENT_SECRET=app_secret
HOOTSUITE_ACCESS_TOKEN=current_token
HOOTSUITE_REFRESH_TOKEN=refresh_token

Step 2: Token Refresh Security

// Always use HTTPS for token exchange
// Store refresh tokens encrypted at rest
// Rotate refresh tokens on each use (Hootsuite returns new ones)
async function secureRefresh(refreshToken: string) {
  const res = await fetch('https://platform.hootsuite.com/oauth2/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': `Basic ${Buffer.from(`${process.env.HOOTSUITE_CLIENT_ID}:${process.env.HOOTSUITE_CLIENT_SECRET}`).toString('base64')}`,
    },
    body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }),
  });
  const tokens = await res.json();
  // Store new refresh_token, discard old one
  return tokens;
}

Step 3: Security Checklist

[ ] Client secret in secrets vault, never in code
[ ] Access tokens never logged or exposed
[ ] Refresh tokens stored encrypted
[ ] HTTPS for all OAuth requests
[ ] Pre-commit hook blocks HOOTSUITE_ credential leaks
[ ] Separate OAuth apps for dev/staging/prod

Resources

Hootsuite OAuth 2.0

Next Steps

For production, see hootsuite-prod-checklist.

Agent Skills: Hootsuite Security Basics

Install this agent skill to your local

Skill Files