Secrets & environment
Every secret xcity-home needs, where it lives, and how to rotate it.
Source of truth
| Secret | Where stored | Owner |
|---|---|---|
| STRIPE_SECRET_KEY | Cloudflare Pages env | Billing |
| STRIPE_WEBHOOK_SECRET | Cloudflare Pages env | Billing |
| GOTRUE_JWT_SECRET | Railway (auth.xcity.one) | Identity |
| GOTRUE_ADMIN_TOKEN | Cloudflare Pages env | Identity |
| LITELLM_MASTER_KEY | Cloudflare Pages env | Inference |
| RESEND_API_KEY | Railway (auth.xcity.one) | Identity |
Local development reads from .env; never commit it — .gitignore already includes it.
Rotation
Stripe key — roll it from Stripe Dashboard → API keys → Roll. Update the value in Cloudflare Pages and redeploy. Stripe lets the old key linger for 12h; that window is for landing the redeploy, not for running on the old key, so once the new deploy is serving, confirm in the Dashboard that the old key has expired.
Stripe webhook secret — re-create the webhook endpoint in Stripe Dashboard; the new endpoint gets its own signing secret. Update env, redeploy. While both endpoints exist, Stripe delivers every event to both, and deliveries signed with the old secret will fail verification after the redeploy and show up as retries in the Dashboard. Delete the old endpoint after one successful event has verified under the new secret.
GoTrue admin token — re-run the token-minting snippet from Concepts: Authentication flow. Update env, redeploy. Minting a new token does not revoke the old one: it is signed with the same GOTRUE_JWT_SECRET and stays valid until its exp claim. If you suspect the old token leaked, rotate GOTRUE_JWT_SECRET on Railway as well; that invalidates every token signed with the old secret, including user access tokens issued by auth.xcity.one, so schedule it.
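Because both endpoints post to the same URL during the swap, the handler can verify each delivery against the current secret first and the previous one second, and deduplicate on the event id, instead of rejecting everything signed with the old secret. The following is an added example (not xcity-home's handler, and not Stripe's library) of that dual-secret verification; it implements Stripe's documented v1 scheme (HMAC-SHA256 over `<t>.<raw body>`) and goes beyond the page's single-swap procedure by accepting an overlap window. The secret values and event body are constructed; in the real handler they would come from STRIPE_WEBHOOK_SECRET and a second env var of your choosing for the previous secret.

```python
import hashlib
import hmac
import time

# Constructed signing secrets for this example (real ones are the "whsec_..."
# values copied from the Stripe Dashboard). The current secret is listed first;
# drop the "previous" entry once the old endpoint has been deleted.
SECRETS = {
    "current": "whsec_constructed_new_secret",
    "previous": "whsec_constructed_old_secret",
}
TOLERANCE_SECONDS = 300  # reject timestamps older than this to limit replay


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """Stripe's v1 scheme: HMAC-SHA256 over "<t>.<raw body>", hex encoded."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    """Split "t=...,v1=...,v1=..." into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_event(payload: bytes, header: str, secrets=SECRETS, now=None) -> str:
    """Return which configured secret ("current"/"previous") verified the event.

    Raises ValueError for stale timestamps or when nothing matches. Log every
    "previous" result: it means the old endpoint is still delivering.
    """
    now = time.time() if now is None else now
    timestamp, provided = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance; possible replay")
    for label, secret in secrets.items():
        expected = sign_payload(secret, timestamp, payload)
        # compare_digest keeps each comparison constant-time.
        if any(hmac.compare_digest(expected, sig) for sig in provided):
            return label
    raise ValueError("signature did not match any configured secret")


def make_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Build a Stripe-Signature header the way Stripe would (used to self-test)."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


if __name__ == "__main__":
    # Constructed event body; in production use the raw request body unmodified.
    body = b'{"id":"evt_constructed","type":"invoice.paid"}'
    ts = int(time.time())
    print(verify_event(body, make_header(SECRETS["current"], ts, body)))
    print(verify_event(body, make_header(SECRETS["previous"], ts, body)))
```

Keep the overlap short: while both secrets are accepted, every event arrives twice, so the handler must be idempotent on the event id, and a leaked old secret is still usable until the "previous" entry is removed.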
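To see concretely why minting a new admin token is not a revocation, the following added example (not the page's minting snippet and not GoTrue code) mints an HS256 JWT under one secret and classifies it against the secret currently deployed. It assumes the admin token is an HS256 JWT signed with GOTRUE_JWT_SECRET, which is what the referenced minting snippet is taken to produce; the secret strings and claims are constructed. Before and after a secret rotation, the same token is respectively still valid with time remaining and rejected outright, which is the decision the rotation note above turns on.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets standing in for GOTRUE_JWT_SECRET before and after rotation.
SECRET_BEFORE = "constructed-jwt-secret-before-rotation"
SECRET_AFTER = "constructed-jwt-secret-after-rotation"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(secret: str, claims: dict) -> str:
    """Minimal HS256 minting; example stand-in for the page's snippet."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def token_status(token: str, secret: str, now=None) -> tuple:
    """Classify a token against the secret currently deployed.

    Returns ("valid", seconds_remaining), ("expired", 0) or ("rejected", reason).
    The signature is verified before any claim is trusted, and alg is pinned to
    HS256 so a token claiming "none" or another algorithm is never accepted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ("rejected", "malformed")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return ("rejected", "signature does not verify under this secret")
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return ("rejected", "malformed")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return ("rejected", "missing exp")
    if exp <= now:
        return ("expired", 0)
    return ("valid", int(exp - now))


if __name__ == "__main__":
    now = int(time.time())
    # Constructed admin-style claims: issued an hour ago, good for another day.
    old_token = mint_hs256(SECRET_BEFORE, {"sub": "constructed-admin", "iat": now - 3600, "exp": now + 86400})
    print("same secret:   ", token_status(old_token, SECRET_BEFORE, now=now))   # still valid
    print("rotated secret:", token_status(old_token, SECRET_AFTER, now=now))    # rejected
```

Run this against the token currently in GOTRUE_ADMIN_TOKEN (with the real secret, from a trusted workstation) to see how long a leaked copy would remain usable if the secret is left alone.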
LiteLLM master key — generate a new one from the TokenHub admin UI, swap env, redeploy. Per-user inference keys are unaffected — only the admin/provisioning surface is.
Audit
Every rotation should be logged with date, actor, and reason in docs/security/rotation-log.md (private repo). Enterprise tenants can request rotation logs as part of their compliance package — see Security & Compliance.