deepgram-security-basics

# Deepgram Security Basics ## Overview Security best practices for Deepgram integration: scoped API keys, key rotation, Deepgram's built-in PII redaction feature, client-side temporary keys, SSRF prevention for audio URLs, and audit logging. ## Security Checklist - [ ] API keys in environment variables or secret manager (never in code) - [ ] Separate keys per environment (dev/staging/prod) - [ ] Keys scoped to minimum required permissions - [ ] Key rotation schedule (90 days recommended) - [ ] Deepgram `redact` option enabled for PII-sensitive audio - [ ] Audio URLs validated (HTTPS only, no private IPs) - [ ] Audit logging on all transcription operations ## Instructions ### Step 1: Scoped API Keys Create keys with minimal permissions in Console > Settings > API Keys: ```typescript // Production transcription service — only needs listen scope const sttKey = process.env.DEEPGRAM_STT_KEY; // Scope: listen // TTS service — only needs speak scope const ttsKey = process.env.DEEPGRAM_TTS_KEY; // Scope: speak // Monitoring dashboard — only needs usage read const monitorKey = process.env.DEEPGRAM_MONITOR_KEY; // Scope: usage:read // Admin operations — separate key, restricted access const adminKey = process.env.DEEPGRAM_ADMIN_KEY; // Scope: manage, keys ``` ### Step 2: Deepgram Built-in PII Redaction ```typescript import { createClient } from '@deepgram/sdk'; const deepgram = createClient(process.env.DEEPGRAM_API_KEY!); // Deepgram redacts PII directly in the transcr...