Secure Automation Patterns
Who this is for
Developers building production automation that uses the CloudAIPilot API or webhooks, who want to follow security best practices.
What you will complete
Apply security best practices for API token management, webhook verification, and automated CI/CD pipelines that interact with CloudAIPilot.
Token security
Never hardcode tokens. API tokens must never appear as literal strings in source code, configuration files committed to version control, or Docker images.
Use environment variables or secrets managers:
# Good: read token from environment
curl -H "Authorization: Bearer $CLOUDAIPILOT_TOKEN" ...
# Bad: hardcoded token in script
curl -H "Authorization: Bearer sk-abc123xyz..." ...Use CI/CD secrets storage:
- GitHub Actions: store as a Repository Secret → access via
${{ secrets.CLOUDAIPILOT_TOKEN }} - GitLab CI: store as a CI/CD Variable → access via
$CLOUDAIPILOT_TOKEN - CircleCI: store as an Environment Variable in project settings
Use minimum-privilege tokens. Create API tokens under a Member-role account for automation that only needs to trigger deployments. Use Admin-role tokens only for automation that requires administrative operations.
Rotate tokens regularly. Rotate API tokens at least every 90 days, or immediately after a team member who had access leaves.
Webhook security
Always configure a secret. When adding a webhook channel, enter a randomly generated secret (at least 32 characters). Use this to verify every incoming webhook payload.
Always verify the signature:
import hmac
import hashlib
def is_valid_signature(payload_bytes: bytes, secret: str, sig_header: str) -> bool:
expected_sig = hmac.new(
secret.encode(),
payload_bytes,
hashlib.sha256
).hexdigest()
received_sig = sig_header.replace("sha256=", "")
return hmac.compare_digest(expected_sig, received_sig)
# In your webhook handler:
raw_body = request.get_data() # Raw bytes, not parsed JSON
signature = request.headers.get("X-CloudAIPilot-Signature", "")
if not is_valid_signature(raw_body, WEBHOOK_SECRET, signature):
return {"error": "invalid signature"}, 401Reject requests without a signature. If you configure a secret but receive a request without the X-CloudAIPilot-Signature header, reject it.
Use HTTPS only. CloudAIPilot only sends webhooks to HTTPS endpoints. Never configure an HTTP (non-TLS) endpoint for production webhooks.
Principle of least privilege in automation
Design automation scripts with the minimum access needed:
| Automation task | Minimum required role |
|---|---|
| Trigger a site deployment | Member |
| Check server metrics | Member |
| Create a backup | Member |
| Provision a server | Admin |
| Delete resources | Admin |
| Change AI settings | Admin |
Use a dedicated service account (a CloudAIPilot user whose sole purpose is automation) rather than a personal user account. If the service account's token is compromised, you can revoke it without affecting your personal login.
Audit your automation access
Regularly review:
- All active API tokens under Settings → API Tokens — remove any that are no longer used.
- The audit log for API-initiated actions — confirm automation is only doing what you expect.
- Service account roles — verify the automation account has not been given more access than needed.