Apply Lokalise security best practices for API tokens and access control.
Use when securing API tokens, implementing least privilege access,
or auditing Lokalise security configuration.
Trigger with phrases like "lokalise security", "lokalise secrets",
"secure lokalise", "lokalise API token security".
Security practices for Lokalise integrations: API token management with scoped permissions, translation content sanitization, CI/CD secret handling, webhook secret verification, and audit logging. Lokalise handles translation strings that may contain user-facing content, interpolation variables, and occasionally PII embedded in keys or values.
Prerequisites
Lokalise API token provisioned (admin token for audit, scoped tokens for operations)
Understanding of Lokalise token permission model (read-only vs read-write)
#!/bin/bash
# scripts/scan-secrets.sh — Run in CI or as pre-commit hook
set -euo pipefail
echo "=== Lokalise Token Security Scan ==="
# Check for hardcoded tokens in source files
HARDCODED=$(grep -rn "X-Api-Token\|apiKey.*['\"][a-f0-9]\{32,\}" \
--include="*.ts" --include="*.js" --include="*.json" --include="*.yml" \
src/ .github/ 2>/dev/null \
| grep -v node_modules \
| grep -v "process.env\|secrets\.\|vars\.\|\${{" || true)
if [[ -n "$HARDCODED" ]]; then
echo "FAIL: Potential hardcoded token found:"
echo "$HARDCODED"
exit 1
fi
# Verify .env files are gitignored
if ! grep -q "\.env" .gitignore 2>/dev/null; then
echo "WARN: .env not in .gitignore — add it immediately"
fi
# Check git history for leaked tokens
HISTORY_LEAK=$(git log --all -p --diff-filter=A -- '*.env' '*.env.*' 2>/dev/null \
| grep -i "LOKALISE_API_TOKEN=" | head -3 || true)
if [[ -n "$HISTORY_LEAK" ]]; then
echo "CRITICAL: Token found in git history. Rotate immediately."
echo " Use 'git filter-repo' to remove, then rotate the token."
exit 1
fi
echo "PASS: No hardcoded tokens detected"
Step 6: Audit Translation Changes
interface TranslationAuditEntry {
timestamp: string;
projectId: string;
key: string;
locale: string;
userId: string;
action: "create" | "update" | "delete";
// Never log actual content — may contain PII
oldLength: number;
newLength: number;
}
function logTranslationChange(entry: TranslationAuditEntry): void {
// Ship to your logging backend (Datadog, CloudWatch, etc.)
console.log(JSON.stringify({
level: "info",
event: "translation_change",
...entry,
}));
}
Output
Scoped token configuration with separate read/write/admin tokens
Translation content validator catching XSS, credential leaks, and malformed placeholders
Webhook secret verification middleware for Express
CI/CD workflow using repository secrets with masked output
Pre-commit/CI scan script for hardcoded tokens
Audit logging for translation changes (PII-safe)
Error Handling
Issue
Cause
Solution
Token leaked in CI logs
Token in command output
Use env variables; GitHub Actions auto-masks secrets
XSS via translations
Unsanitized translation rendered as HTML
Validate with validateTranslation() before use
Overprivileged access
Using admin token for read-only operations
Create scoped tokens per use case
Unauthorized changes
No audit trail
Register webhook for project.translation.updated events
Token in git history
Committed .env file
Rotate token immediately, use git filter-repo to scrub