lucidchart-security-basics

Security Basics for Lucidchart. Trigger: "lucidchart security basics".

AI & Automation 2,266 stars 315 forks Updated today MIT

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Lucidchart Security Basics

## Overview

Lucidchart documents often contain sensitive business diagrams — org charts, network topologies, database schemas, and architecture plans that reveal internal infrastructure. The API uses OAuth2 client credentials, meaning a compromised client secret grants access to every document the integration can reach. Collaboration sharing with granular permission levels (view, edit, owner) must be enforced server-side. API versioning via the `Lucid-Api-Version` header requires pinning to avoid unexpected schema changes that break validation logic.

## Prerequisites

- OAuth2 client ID and secret stored in a secrets manager (not environment files)
- HTTPS enforced on all redirect URIs and webhook endpoints
- `Lucid-Api-Version` header pinned to a tested version in all requests
- `.env` files in `.gitignore` — never committed to version control

## API Key Management

```typescript
// OAuth2 client credentials — load from secrets manager at startup
const LUCID_CLIENT_ID = process.env.LUCID_CLIENT_ID;
const LUCID_CLIENT_SECRET = process.env.LUCID_CLIENT_SECRET;

function validateLucidConfig(): void {
  if (!LUCID_CLIENT_ID || !LUCID_CLIENT_SECRET) {
    throw new Error('Missing LUCID_CLIENT_ID or LUCID_CLIENT_SECRET');
  }
}

async function getLucidAccessToken(): Promise<string> {
  const resp = await fetch('https://api.lucid.co/oauth2/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: n...
```

Details

- Author: jeremylongshore
- Repository: jeremylongshore/claude-code-plugins-plus-skills
- Created: 7 months ago
- Last Updated: today
- Language: Python
- License: MIT
