adding-project-secret-api-key-auth
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides documentation and code templates for internal developers to implement a specific authentication architecture. It includes references to internal file paths (e.g., 'posthog/scopes.py') and classes (e.g., 'ProjectSecretAPIKeyAuthentication') that are consistent with the PostHog codebase.
- [SAFE]: Implementation guidance explicitly recommends security measures, including the use of PSAK-aware rate limiters ('PersonalOrProjectSecretApiKeyRateThrottle') and mandatory scope whitelisting to prevent unauthorized access.
- [SAFE]: Code examples use descriptive placeholders (e.g., '<project_id>', '') rather than hardcoded credentials, and the single external URL ('us.posthog.com') is an official service domain belonging to the vendor.
- [SAFE]: The instructions for handling synthetic users ('ProjectSecretAPIKeyUser') properly address security considerations like avoiding foreign key usage and managing object-level access controls.
Audit Metadata