ClickUp Security Basics
Overview
Secure ClickUp API credentials and access patterns. ClickUp personal tokens never expire, making rotation discipline critical. OAuth tokens also do not expire but can be revoked.
Token Types and Risk
| Token Type | Prefix | Expires | Scope | Risk Level |
|---|---|---|---|---|
| Personal API Token | pk_ | Never | Full user access | High -- treat like password |
| OAuth Access Token | Varies | Never | Per-authorized workspace | Medium -- per-user |
| OAuth Client Secret | N/A | Never | App-level | Critical -- server-side only |
Secure Storage
```
# .env (NEVER commit)
CLICKUP_API_TOKEN=pk_12345678_ABCDEFGHIJKLMNOPQRSTUVWXYZ
```
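Because a personal token never expires, one that reaches a commit stays usable until it is rotated by hand. The scanner below is an added example, not part of the original skill: it can run from a pre-commit hook to flag token-shaped strings and report them redacted. The token pattern is an assumption inferred from the sample value above, and the names `scan_text`, `scan_paths` and `redact` are hypothetical.

```python
"""Pre-commit style scan for ClickUp personal API tokens (added example)."""
import re
import sys
from pathlib import Path

# Assumption: token shape inferred from the sample above ("pk_", digits, "_",
# then a long alphanumeric run). Adjust if your tokens differ.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])pk_\d+_[A-Za-z0-9]{20,}")

# Constructed sample input; the token is the placeholder from the .env above.
SAMPLE = """\
# .env
CLICKUP_API_TOKEN=pk_12345678_ABCDEFGHIJKLMNOPQRSTUVWXYZ
token = os.environ["CLICKUP_API_TOKEN"]
pk_test is too short to be a token
"""


def redact(token: str) -> str:
    """Keep the prefix and last four characters so findings never re-leak the secret."""
    return f"{token[:3]}***{token[-4:]}"


def scan_text(text: str, source: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted token) for every token-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan files, skipping unreadable ones and ignoring undecodable bytes."""
    findings = []
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, path))
    return findings


if __name__ == "__main__":
    # Usage: python scan_clickup_tokens.py $(git diff --cached --name-only)
    found = scan_paths(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "SAMPLE")
    for source, lineno, token in found:
        print(f"{source}:{lineno}: possible ClickUp personal token {token}")
    sys.exit(1 if found else 0)
```

A non-zero exit status blocks the commit when the script is wired into a hook; reading the token from the environment, as on the third sample line, produces no finding.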