Juicebox Security Basics

Overview

Juicebox provides AI-powered people search and analysis, processing datasets containing professional profiles, contact enrichment data, and query results. Security concerns include API key protection, GDPR/CCPA compliance for candidate and contact data, data retention policy enforcement, and ensuring enriched contact information (emails, phone numbers) is not leaked through logs or unencrypted storage. A compromised API key grants access to people search and enrichment capabilities.

API Key Management

function createJuiceboxClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.JUICEBOX_API_KEY;
  if (!apiKey) {
    throw new Error("Missing JUICEBOX_API_KEY — store in secrets manager, never in code");
  }
  // Juicebox keys access people data — treat as PII-adjacent
  console.log("Juicebox client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.juicebox.ai/v1" };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyJuiceboxWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-juicebox-signature"] as string;
  const secret = process.env.JUICEBOX_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const PeopleSearchSchema = z.object({
  query: z.string().min(1).max(500),
  filters: z.object({
    location: z.string().optional(),
    company: z.string().optional(),
    title: z.string().optional(),
    industry: z.string().optional(),
  }).optional(),
  max_results: z.number().int().min(1).max(100).default(25),
  enrich_contacts: z.boolean().default(false),
});

function validateSearchQuery(data: unknown) {
  return PeopleSearchSchema.parse(data);
}

Data Protection

const JUICEBOX_PII_FIELDS = ["personal_email", "phone_number", "social_profiles", "home_address", "enrichment_data"];

function redactJuiceboxLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of JUICEBOX_PII_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

• API keys stored in secrets manager, separate keys per environment
• Enriched contact data encrypted at rest
• GDPR consent documented for EU candidate data
• CCPA opt-out mechanism implemented for California residents
• Data retention policy enforced (auto-delete after defined period)
• Contact enrichment results never logged in plaintext
• Search queries redacted in application logs
• Pre-commit hook blocks

  jb_live_*

  credential patterns

Error Handling

Vulnerability	Risk	Mitigation
Leaked API key	Unauthorized people search and enrichment	Secrets manager + key rotation
Contact data in logs	PII exposure violating GDPR/CCPA	Field-level redaction pipeline
Missing data retention	Stale candidate data accumulates	Automated retention enforcement
Enrichment without consent	Privacy regulation violation	Consent gate before enrichment calls
Unencrypted contact storage	Bulk PII breach from database leak	Encryption at rest + access controls

Resources

• Juicebox Privacy
• OWASP API Security Top 10

Next Steps

See

juicebox-prod-checklist

.