navan-prod-checklist
Use when validating production readiness for a Navan API integration — credential rotation, alerting, rate limits, SSO, SCIM, and compliance audit trails. Trigger with "navan prod checklist" or "navan production readiness".
Best use case
navan-prod-checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using navan-prod-checklist should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/navan-prod-checklist/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How navan-prod-checklist Compares
| Feature / Agent | navan-prod-checklist | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when validating production readiness for a Navan API integration — credential rotation, alerting, rate limits, SSO, SCIM, and compliance audit trails. Trigger with "navan prod checklist" or "navan production readiness".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Navan Production Checklist
## Overview
Gated production readiness verification for Navan REST API integrations. Navan has no SDK and no sandbox — production is the only environment, making this checklist critical.
## Prerequisites
- Navan admin access (Admin > Travel admin > Settings)
- OAuth credentials stored in a secret manager (credentials are viewable only once)
- SSO identity provider configured (Okta, Azure AD, or Google Workspace)
- `curl` and `jq` for verification commands
## Instructions
### Domain 1 — Credential Security
- [ ] **Secret storage**: OAuth `client_id` and `client_secret` stored in a secret manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault) — never in environment variables, config files, or source control
- [ ] **Rotation plan documented**: Schedule for rotating credentials (recommend 90-day cycle)
- [ ] **Zero-downtime rotation tested**: Dual-credential swap procedure validated
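```bash
# Verify current credentials work
# Assumes NAVAN_CLIENT_ID / NAVAN_CLIENT_SECRET were read from the secret
# manager into this shell session only (not exported from a profile or file)
curl -s -X POST "https://api.navan.com/ta-auth/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=$NAVAN_CLIENT_ID" \
  --data-urlencode "client_secret=$NAVAN_CLIENT_SECRET" \
  | jq '{authenticated: (.access_token != null), error: .error}'
```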
**Rotation procedure:**
1. Generate new credentials in Admin > Integrations (old ones remain valid)
2. Deploy new credentials to secret manager
3. Update application configuration to reference new secret version
4. Verify new credentials with `/ta-auth/oauth/token`
5. Revoke old credentials in Admin > Integrations
6. Confirm old credentials return HTTP 401
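An added example, not part of the original skill: a sign-off gate for steps 4 and 6 of the rotation procedure. The function names and the `NAVAN_OLD_*` variables (holding the pair being retired) are assumptions; the point it adds is that only a 401 on the old pair proves revocation, while a 429 or 5xx is inconclusive.

```bash
#!/usr/bin/env bash
# Added example: gate for rotation steps 4 (new pair works) and 6 (old pair is dead).
TOKEN_URL="https://api.navan.com/ta-auth/oauth/token"   # endpoint used on this page

# Print the HTTP status of a client_credentials grant for one credential pair.
# The response body (it would contain a live token) is discarded.
token_status() {  # usage: token_status <client_id> <client_secret>
  curl -s -o /dev/null -w "%{http_code}" -X POST "$TOKEN_URL" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=$1" \
    --data-urlencode "client_secret=$2"
}

# Decide whether the rotation can be signed off.
# Returns 0 = complete, 1 = failed, 2 = inconclusive (re-run later).
rotation_verdict() {  # usage: rotation_verdict <new_status> <old_status>
  local new="$1" old="$2"
  if [ "$new" != "200" ]; then
    echo "FAIL: new credentials returned $new; do not revoke the old pair"
    return 1
  fi
  case "$old" in
    401) echo "PASS: new pair authenticates, old pair rejected with 401"
         return 0 ;;
    200) echo "FAIL: old pair still authenticates; revocation has not taken effect"
         return 1 ;;
    *)   echo "INCONCLUSIVE: old pair returned $old, which does not prove revocation"
         return 2 ;;
  esac
}

# Run after step 5. NAVAN_OLD_* are hypothetical names for the retired pair.
check_rotation() {
  rotation_verdict \
    "$(token_status "$NAVAN_CLIENT_ID" "$NAVAN_CLIENT_SECRET")" \
    "$(token_status "$NAVAN_OLD_CLIENT_ID" "$NAVAN_OLD_CLIENT_SECRET")"
}
```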
### Domain 2 — Error Handling and Alerting
- [ ] **All HTTP error codes handled**: 400, 401, 403, 404, 429, 500, 502, 503
- [ ] **Retry logic with exponential backoff**: For 429 and 5xx responses
- [ ] **Alert thresholds configured**: Error rate > 5% over 5 minutes triggers alert
- [ ] **Dead letter queue**: Failed API requests stored for retry or manual review
```bash
# Health check endpoint pattern
health_check() {
  local RESPONSE
  # Only the status code is needed; the body holds a live access token,
  # so it is discarded instead of being written to a shared /tmp path.
  RESPONSE=$(curl -s -w "%{http_code}" -o /dev/null \
    -X POST "https://api.navan.com/ta-auth/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=$NAVAN_CLIENT_ID" \
    --data-urlencode "client_secret=$NAVAN_CLIENT_SECRET")
  if [ "$RESPONSE" = "200" ]; then
    echo '{"status":"healthy","navan_api":"reachable"}'
  elif [ "$RESPONSE" = "429" ]; then
    echo '{"status":"degraded","reason":"rate_limited"}'
  else
    echo "{\"status\":\"unhealthy\",\"http_code\":\"$RESPONSE\"}"
  fi
}
```
### Domain 3 — Rate Limiting
- [ ] **Client-side rate limiter**: Token bucket or sliding window before API calls
- [ ] **429 response handling**: Parse `Retry-After` header and honor wait time
- [ ] **Request queuing**: Burst requests queued rather than dropped
- [ ] **Rate limit monitoring**: Dashboard showing API call volume and 429 frequency
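An added example, not part of the original skill, covering the retry item in Domain 2 and the `Retry-After` item in Domain 3: a retry policy that backs off exponentially on 429 and 5xx and honors a numeric `Retry-After`. The limits and function names are assumptions; an HTTP-date `Retry-After` is ignored and falls back to the computed backoff.

```bash
#!/usr/bin/env bash
# Added example: retry policy for 429/5xx that honors Retry-After.
MAX_ATTEMPTS=5   # assumed limits, tune to your integration
BASE_DELAY=1     # seconds
MAX_DELAY=60     # cap on the computed backoff

# Print a numeric Retry-After value from a `curl -D` header dump.
# Prints nothing if the header is absent or is an HTTP-date.
parse_retry_after() {  # usage: parse_retry_after <headers_file>
  tr -d '\r' < "$1" | awk -F': *' '
    tolower($1) == "retry-after" && $2 ~ /^[0-9]+$/ { v = $2 }
    END { if (v != "") print v }'
}

# Print the seconds to wait before the next attempt.
# Returns 1 when the status is not retryable (anything but 429 or 5xx).
retry_delay() {  # usage: retry_delay <http_code> <attempt> [retry_after]
  local code="$1" attempt="$2" hint="${3:-}" delay
  case "$code" in
    429|5??) ;;
    *) return 1 ;;
  esac
  delay=$(( BASE_DELAY * (1 << (attempt - 1)) ))
  if [ "$delay" -gt "$MAX_DELAY" ]; then delay=$MAX_DELAY; fi
  # A server-supplied wait is honored in full when it exceeds our backoff.
  if [ -n "$hint" ] && [ "$hint" -gt "$delay" ]; then delay=$hint; fi
  echo "$delay"
}

# GET with the policy applied; prints the body on HTTP 200.
navan_get() {  # usage: navan_get <url>   (expects $TOKEN, as on this page)
  local url="$1" attempt=1 code delay hdrs body
  hdrs=$(mktemp); body=$(mktemp)
  while :; do
    code=$(curl -s -D "$hdrs" -o "$body" -w "%{http_code}" \
      -H "Authorization: Bearer $TOKEN" "$url")
    if [ "$code" = "200" ]; then
      cat "$body"; rm -f "$hdrs" "$body"; return 0
    fi
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ] ||
       ! delay=$(retry_delay "$code" "$attempt" "$(parse_retry_after "$hdrs")"); then
      echo "giving up on $url: HTTP $code after $attempt attempt(s)" >&2
      rm -f "$hdrs" "$body"; return 1   # caller routes this to the dead letter queue
    fi
    sleep "$delay"; attempt=$((attempt + 1))
  done
}
```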
### Domain 4 — Data Pipeline
- [ ] **BOOKING table sync**: Weekly full refresh configured (Fivetran, Airbyte, or custom)
- [ ] **TRANSACTION table sync**: Incremental sync with deduplication by transaction UUID
- [ ] **Data backup strategy**: Export snapshots stored in cloud storage with retention policy
- [ ] **Reconciliation checks**: Automated comparison between Navan data and ERP records
### Domain 5 — SSO and User Provisioning
- [ ] **SAML SSO verified**: Login flow tested end-to-end through identity provider
```bash
# Verify users are synced via API
TOKEN=$(curl -s -X POST "https://api.navan.com/ta-auth/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=$NAVAN_CLIENT_ID" \
  --data-urlencode "client_secret=$NAVAN_CLIENT_SECRET" \
  | jq -r '.access_token')
# Show the user count and only three fields of one record, to keep PII out of the terminal
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.navan.com/v1/users" \
  | jq '{total_users: (.data | length), sample: .data[0] | {id, email, status}}'
```
- [ ] **SCIM provisioning active**: User create/update/deactivate syncing from IdP
- [ ] **Deprovisioning tested**: Terminated employees removed from Navan within 24 hours
- [ ] **Role mapping documented**: IdP groups mapped to Navan roles (traveler, approver, admin)
### Domain 6 — Compliance and Audit
- [ ] **API access logging**: All Navan API calls logged with timestamp, endpoint, response code, and user context
- [ ] **Audit trail retention**: Logs retained per your compliance requirements (SOC 2: 1 year minimum)
- [ ] **Data classification**: Navan data (PII, payment info) classified and handled per PCI DSS L1
- [ ] **Compliance certifications verified**: Confirm Navan's SOC 1/2 Type II, ISO 27001, PCI DSS L1, GDPR status at [navan.com/security](https://navan.com/security)
## Output
A completed checklist with:
- Pass/fail status for each domain
- Verification command output proving each check
- Identified gaps with remediation plan and owner
- Sign-off from security and operations leads
## Error Handling
| Check Failure | Impact | Remediation |
|---------------|--------|-------------|
| Credentials in plaintext | Critical — security breach risk | Move to secret manager immediately |
| No retry logic on 429 | High — cascading failures under load | Implement exponential backoff |
| SCIM not configured | Medium — manual user management overhead | Enable SCIM in IdP and Navan admin |
| No audit logging | High — compliance violation | Add structured logging to API client |
## Examples
Run a quick pre-launch validation:
```bash
# Rapid smoke test — auth + user count + timing
echo "=== Navan Production Smoke Test ==="
# Private scratch directory (mode 700): the responses hold a live token and user PII
WORKDIR=$(mktemp -d)
curl -s -w "Auth: %{http_code} (%{time_total}s)\n" -o "$WORKDIR/auth.json" \
  -X POST "https://api.navan.com/ta-auth/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=$NAVAN_CLIENT_ID" \
  --data-urlencode "client_secret=$NAVAN_CLIENT_SECRET"
TOKEN=$(jq -r '.access_token' "$WORKDIR/auth.json")
curl -s -w "Users: %{http_code} (%{time_total}s)\n" -o "$WORKDIR/users.json" \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.navan.com/v1/users"
echo "User count: $(jq '.data | length' "$WORKDIR/users.json")"
# Remove the token and user data once the counts are printed
rm -rf "$WORKDIR"
```
## Resources
- [Navan Security](https://navan.com/security) — SOC 2, ISO 27001, PCI DSS certifications
- [Navan Integrations](https://navan.com/integrations) — Connector catalog and setup guides
- [Navan Help Center](https://app.navan.com/app/helpcenter) — Admin documentation
## Next Steps
- Use `navan-upgrade-migration` for ongoing API change management
- Use `navan-observability` for monitoring stack setup
- Use `navan-incident-runbook` if production issues arise post-launch

Related Skills
workhuman-prod-checklist
Workhuman prod checklist for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman prod checklist".
wispr-prod-checklist
Wispr Flow prod checklist for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr prod checklist".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
webflow-prod-checklist
Execute Webflow production deployment checklist — token security, rate limit hardening, health checks, circuit breakers, gradual rollout, and rollback procedures. Use when deploying Webflow integrations to production or preparing for launch. Trigger with phrases like "webflow production", "deploy webflow", "webflow go-live", "webflow launch checklist", "webflow production ready".
vercel-prod-checklist
Vercel production deployment checklist with rollback and promotion procedures. Use when deploying to production, preparing for launch, or implementing go-live and instant rollback procedures. Trigger with phrases like "vercel production", "deploy vercel prod", "vercel go-live", "vercel launch checklist", "vercel promote".
veeva-prod-checklist
Veeva Vault prod checklist for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva prod checklist".
vastai-prod-checklist
Execute Vast.ai production deployment checklist for GPU workloads. Use when deploying training pipelines to production, preparing for large-scale GPU jobs, or auditing production readiness. Trigger with phrases like "vastai production", "deploy vastai", "vastai go-live", "vastai launch checklist".
twinmind-prod-checklist
Complete production deployment checklist for TwinMind integrations. Use when preparing to deploy, auditing production readiness, or ensuring best practices are followed. Trigger with phrases like "twinmind production", "deploy twinmind", "twinmind go-live checklist", "twinmind production ready".
together-prod-checklist
Together AI prod checklist for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together prod checklist".
techsmith-prod-checklist
TechSmith prod checklist for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation. Trigger: "techsmith prod checklist".
supabase-prod-checklist
Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies. Use when deploying to production, preparing for launch, or auditing a live Supabase project for security and performance gaps. Trigger with "supabase production", "supabase go-live", "supabase launch checklist", "supabase prod ready", "deploy supabase", "supabase production readiness".
stackblitz-prod-checklist
Production checklist for WebContainer apps: headers, browser support, fallbacks. Use when working with WebContainers or StackBlitz SDK. Trigger: "stackblitz production".