Claude-code-plugins serpapi-security-basics

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/serpapi-pack/skills/serpapi-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-serpapi-security-basics && rm -rf "$T"
manifest: plugins/saas-packs/serpapi-pack/skills/serpapi-security-basics/SKILL.md
source content

SerpApi Security Basics

Overview

SerpApi uses a single API key for authentication. The key grants full account access -- there are no scoped keys or OAuth. Protect it like a credit card: never expose it in frontend code, and always proxy requests through your backend.

Instructions

Step 1: Never Expose API Key in Frontend

// BAD: API key in browser-side code
const result = await fetch(`https://serpapi.com/search.json?q=${query}&api_key=YOUR_KEY`);

// GOOD: Proxy through your backend
// Frontend
const result = await fetch(`/api/search?q=${encodeURIComponent(query)}`);

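// Backend (api/search.ts)
import { getJson } from 'serpapi';

export async function GET(req: Request) {
  const url = new URL(req.url);
  const q = url.searchParams.get('q')?.trim();
  // Reject empty queries before spending a search credit
  if (!q) {
    return Response.json({ error: 'Missing query parameter q' }, { status: 400 });
  }
  const result = await getJson({
    engine: 'google', q,
    api_key: process.env.SERPAPI_API_KEY, // Server-side only
  });
  // Return only the organic results, not the full upstream response
  return Response.json(result.organic_results ?? []);
}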

Step 2: Secure Storage

# .gitignore
.env
.env.local

# Use platform secret managers in production
gh secret set SERPAPI_API_KEY       # GitHub Actions
vercel env add SERPAPI_API_KEY      # Vercel
fly secrets set SERPAPI_API_KEY=x   # Fly.io

Step 3: Rate Limit Your Proxy

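// Prevent abuse of your search proxy endpoint
// (`app` is your Express app and `searchHandler` the proxy route handler, both defined elsewhere)
import rateLimit from 'express-rate-limit';

// The limit is keyed on req.ip. Behind a reverse proxy or load balancer,
// configure Express's 'trust proxy' setting so req.ip is the client address.
const searchLimiter = rateLimit({
  windowMs: 60_000,    // 1 minute
  max: 10,             // 10 searches per minute per IP
  message: 'Too many searches, try again later',
});

app.get('/api/search', searchLimiter, searchHandler);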

Step 4: Monitor Usage

# Set up daily usage check
curl -s "https://serpapi.com/account.json?api_key=$SERPAPI_API_KEY" \
  | jq '{used: .this_month_usage, remaining: .plan_searches_left}'

# Alert if usage is unexpectedly high
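
The page leaves the Step 4 alert as a comment. The following is an added example, not part of the original skill: one way to decide in Node whether a daily account.json snapshot warrants an alert, using only the two fields read above. The function names, thresholds and the stored `history` of earlier readings are assumptions, and the sample readings are constructed.

```javascript
// Added example: decides whether a daily account.json snapshot warrants an alert.
// Uses only the two fields the page reads; thresholds are assumed defaults.

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Turn cumulative month-to-date readings into per-check search counts.
function dailyDeltas(readings) {
  const deltas = [];
  for (let i = 1; i < readings.length; i++) {
    const d = readings[i] - readings[i - 1];
    // A drop means the monthly counter reset; usage since reset is the reading.
    deltas.push(d >= 0 ? d : readings[i]);
  }
  return deltas;
}

// account: parsed account.json; history: earlier daily this_month_usage values,
// oldest first (hypothetical store, e.g. a file your scheduled job appends to).
function checkUsage(account, history, opts = {}) {
  const { spikeFactor = 3, minDelta = 20, lowRemainingRatio = 0.1 } = opts;
  const used = account.this_month_usage;
  const remaining = account.plan_searches_left;
  const valid = (n) => Number.isInteger(n) && n >= 0;
  if (!valid(used) || !valid(remaining)) {
    // An error body (revoked or invalid key) should raise an alert too.
    return { alert: true, reasons: ['unexpected account.json response'] };
  }
  const reasons = [];
  const deltas = dailyDeltas([...history, used]);
  if (deltas.length >= 2) {
    const today = deltas[deltas.length - 1];
    const baseline = median(deltas.slice(0, -1));
    if (today >= minDelta && today > baseline * spikeFactor) {
      reasons.push(`spike: ${today} searches since last check, median ${baseline}`);
    }
  }
  const quota = used + remaining; // assumption: ignores any extra credits
  if (quota > 0 && remaining / quota < lowRemainingRatio) {
    reasons.push(`low quota: ${remaining} of ${quota} searches left`);
  }
  return { alert: reasons.length > 0, reasons };
}

// Constructed sample: steady ~30/day, then the kind of jump a leaked key produces.
const sample = checkUsage({ this_month_usage: 520, plan_searches_left: 4480 }, [100, 130, 155, 185]);
console.log(sample);
```

Feed `checkUsage` the JSON from the daily curl call and route a result with `alert: true` to whatever notification channel you already use; rotating the key is the response to a confirmed spike.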

Security Checklist

  • API key in environment variables only
  • .env in .gitignore
  • Backend proxy for all search requests
  • Rate limiting on proxy endpoints
  • Usage monitoring and alerts
  • Separate keys for dev/prod (if available)

Resources

Next Steps

For production deployment, see serpapi-prod-checklist.