Skip to main content
perplexity-security-basics Apply Perplexity security best practices for secrets and access control.
Use when securing API keys, implementing least privilege access,
or auditing Perplexity security configuration.
Trigger with phrases like "perplexity security", "perplexity secrets",
"secure perplexity", "perplexity API key security".
npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill perplexity-security-basics ai automation claude-code devops mcp ai-agents
Perplexity Security Basics
Overview
Security best practices for Perplexity Sonar API. Key concerns: API key protection (keys start with pplx-), query sanitization (Perplexity searches the open web, so PII in queries gets sent to external sources), and response handling (citations link to third-party sites).
Prerequisites
Perplexity API key from perplexity.ai/settings/api
Understanding of environment variable management
.gitignore configured to exclude secret files
Instructions
Step 1: API Key Management
# .env (NEVER commit to git)
PERPLEXITY_API_KEY=pplx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# .gitignore
.env
.env.local
.env.*.local
*.pem
// Validate key format at startup
function validateApiKey(key: string): void {
if (!key) throw new Error("PERPLEXITY_API_KEY is not set");
if (!key.startsWith("pplx-")) {
throw new Error("PERPLEXITY_API_KEY must start with 'pplx-'");
}
if (key.length < 40) {
throw new Error("PERPLEXITY_API_KEY appears truncated");
}
}
validateApiKey(process.env.PERPLEXITY_API_KEY || "");
Step 2: Query Sanitization (Critical) Perplexity sends your query to the open web for search. Any PII in the query is exposed to external search infrastructure.
function sanitizeQuery(query: string): string {
return query
// Remove email addresses
.replace(/\b[\w.+-]+@[\w-]+\.[\w.]+\b/g, "[email]")
// Remove phone numbers
.replace(/\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g, "[phone]")
// Remove SSN
.replace(/\b\d{3}-\d{2}-\d{4}\b/g, "[ssn]")
// Remove credit card numbers
.replace(/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, "[card]")
// Remove API keys / tokens
.replace(/\b(pplx-|sk-|pk_|sk_live_)\w{20,}\b/g, "[token]")
// Remove AWS keys
.replace(/\bAKIA[A-Z0-9]{16}\b/g, "[aws-key]");
}
async function safeSearch(rawQuery: string) {
const query = sanitizeQuery(rawQuery);
if (query !== rawQuery) {
console.warn("[Security] PII redacted from Perplexity query");
}
return perplexity.chat.completions.create({
model: "sonar",
messages: [{ role: "user", content: query }],
});
}
Step 3: Restrict Search Domains Use search_domain_filter to prevent Perplexity from searching untrusted or competitor sites.
// Compliance: only search approved sources
const complianceSearch = await perplexity.chat.completions.create({
model: "sonar",
messages: [{ role: "user", content: query }],
search_domain_filter: [
"sec.gov", "nih.gov", "cdc.gov", // Government sources
"nature.com", "science.org", // Academic sources
],
} as any);
// Exclude specific sites
const filteredSearch = await perplexity.chat.completions.create({
model: "sonar",
messages: [{ role: "user", content: query }],
search_domain_filter: [
"-reddit.com", "-quora.com", "-medium.com",
],
} as any);
Step 4: API Key Rotation set -euo pipefail
# 1. Generate new key at perplexity.ai/settings/api
# 2. Update environment / secret manager
# 3. Verify new key works
curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer $NEW_PERPLEXITY_API_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"sonar","messages":[{"role":"user","content":"test"}],"max_tokens":5}' \
https://api.perplexity.ai/chat/completions
# Expected: 200
# 4. Delete old key from perplexity.ai/settings/api
Step 5: Security Checklist
Error Handling Security Issue Detection Mitigation API key in git git log --all -S "pplx-"Rotate key immediately, add pre-commit hook PII in query Sanitization function Strip before sending to Perplexity Malicious citation URL URL validation Allowlist trusted domains Key shared across envs Config audit Separate keys per environment
Output
Secure API key storage pattern
PII sanitization for search queries
Domain-filtered search for compliance
Key rotation procedure
Resources
Next Steps For production deployment, see perplexity-prod-checklist.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).