hex-security-basics

# Hex Security Basics ## Overview Hex is a collaborative data analytics platform where notebooks query production databases, generate visualizations, and share results across teams. Security concerns center on API token management (read vs run scopes), protecting database connection credentials embedded in Hex projects, and ensuring query results containing sensitive business data are not leaked through logs or exports. A compromised run-scope token can trigger arbitrary queries against connected databases. ## API Key Management ```typescript function createHexClient(scope: "read" | "run"): { token: string; baseUrl: string } { const envVar = scope === "run" ? "HEX_RUN_TOKEN" : "HEX_READ_TOKEN"; const token = process.env[envVar]; if (!token) { throw new Error(`Missing ${envVar} — store in secrets manager, never in code`); } // Run tokens can trigger queries — use read tokens for monitoring console.log(`Hex client initialized with ${scope} scope (token suffix: ${token.slice(-4)})`); return { token, baseUrl: "https://app.hex.tech/api/v1" }; } ``` ## Webhook Signature Verification ```typescript import crypto from "crypto"; import { Request, Response, NextFunction } from "express"; function verifyHexWebhook(req: Request, res: Response, next: NextFunction): void { const signature = req.headers["x-hex-signature"] as string; const secret = process.env.HEX_WEBHOOK_SECRET!; const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex"); ...