linktree-security-basics


Security Basics for Linktree. Trigger: "linktree security basics".

AI & Automation 2,266 stars 315 forks Updated today MIT


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Linktree Security Basics

## Overview

Linktree integrations handle user-generated content (link titles, URLs, bios) and analytics data that is PII-adjacent — click counts, geographic breakdowns, and referrer URLs can fingerprint individual visitors. Bearer token authentication means a leaked key grants full account access including link creation, profile modification, and analytics export. Webhook payloads carry real-time event data signed with HMAC-SHA256, and failing to verify signatures opens your endpoint to spoofed events and data poisoning.

## Prerequisites

- Secrets manager (AWS SSM, GCP Secret Manager, or Vault) for all Linktree credentials
- HTTPS enforced on all webhook receiver endpoints
- `.env` files in `.gitignore` — never committed to version control
- Logging infrastructure that supports field-level redaction

## API Key Management

```typescript
// Load Linktree bearer token from environment — never hardcode
const LINKTREE_TOKEN = process.env.LINKTREE_API_KEY;

function validateLinktreeConfig(): void {
  if (!LINKTREE_TOKEN || LINKTREE_TOKEN.startsWith('lt_test_')) {
    throw new Error('Missing or test-only LINKTREE_API_KEY — set a production token');
  }
}

function linktreeHeaders(): Record<string, string> {
  return {
    Authorization: `Bearer ${LINKTREE_TOKEN}`,
    'Content-Type': 'application/json',
  };
}

// Call validateLinktreeConfig() at startup, before accepting requests
```

## Webhook Signature Verification

```typescript
import crypto fro...
```
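The HMAC-SHA256 signature check that the Overview calls for, as an added example that is not the skill's own code. It assumes the signature is a hex-encoded HMAC of the raw request body; the header that carries it and its exact encoding are not stated on this page, and the function names, secret and sample event are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Assumption: signatureHex is the hex HMAC-SHA256 of the raw body bytes.
// Verify against the bytes as received, never against re-serialized JSON.
function verifyWebhookSignature(
  rawBody: string | Buffer,
  signatureHex: string | undefined,
  secret: string,
): boolean {
  if (!secret) throw new Error('webhook secret is not configured');
  // Reject missing or malformed signatures before any crypto work.
  if (!signatureHex || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Hypothetical receiver logic: parse the payload only after it authenticates.
function handleWebhook(
  rawBody: string,
  signatureHex: string | undefined,
  secret: string,
): { status: number; event?: unknown } {
  if (!verifyWebhookSignature(rawBody, signatureHex, secret)) {
    return { status: 401 }; // spoofed or tampered event: drop it unparsed
  }
  try {
    return { status: 200, event: JSON.parse(rawBody) };
  } catch {
    return { status: 400 }; // authentic sender, malformed body
  }
}

// Constructed sample values, not real Linktree data.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = '{"event":"link.clicked","link_id":"constructed-123"}';

function signSample(body: string): string {
  return createHmac('sha256', SAMPLE_SECRET).update(body).digest('hex');
}
```

In a real receiver the framework must hand over the unparsed body (for example a raw-body middleware), since any re-encoding changes the bytes and the HMAC no longer matches.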

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
