glean-security-basics

Token security: Indexing tokens have write access -- never expose in frontend. Trigger: "glean security basics", "security-basics".

AI & Automation 2,266 stars 315 forks Updated today MIT

Skill Content

# Glean Security Basics

## Overview

Glean indexes and searches across an enterprise's entire knowledge base — Confluence, Google Drive, Slack, GitHub, and dozens more connectors. Security concerns center on indexing token management (write-access tokens that can push content into the search index), client token scoping (user-level search permissions), and document-level access controls. A leaked indexing token allows injecting arbitrary content into enterprise search results.

## API Key Management

```typescript
function createGleanClient(tokenType: "indexing" | "client"): { token: string; baseUrl: string } {
  const token = tokenType === "indexing"
    ? process.env.GLEAN_INDEXING_TOKEN
    : process.env.GLEAN_CLIENT_TOKEN;
  if (!token) {
    throw new Error(`Missing GLEAN_${tokenType.toUpperCase()}_TOKEN — store in secrets manager`);
  }
  // Indexing tokens have WRITE access — never expose in frontend code
  if (tokenType === "indexing") {
    console.log("WARNING: Indexing token loaded — backend use only");
  }
  return { token, baseUrl: `https://${process.env.GLEAN_INSTANCE}.glean.com/api` };
}
```

## Webhook Signature Verification

```typescript
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyGleanWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-glean-signature"] as string;
  const secret = process.env.GLEAN_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("...
```

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
