Secrets and keys
Secret environment variables, allowed storage locations, and rotation policy.
Secrets — database passwords, JWT signing keys, LLM provider API keys, and Redis credentials — must never appear in git, logs, or client bundles. This page lists Phase 1 secret variables and the rotation expectations that apply in production.
Allowed secret locations
| Environment | Storage |
|---|---|
| Local development | Untracked .env per service; copy from .env.example placeholders |
| Staging / production | Vault, cloud secrets manager, or K8s External Secrets |
| Forbidden everywhere | Git commits, Helm values in repo, docs, test fixtures, stdout logs |
Dashboard rule: only NEXT_PUBLIC_* variables are safe in browser bundles. Never prefix secrets with NEXT_PUBLIC_.
Phase 1 secret variables
Database
| Parameter | Type | Description |
|---|---|---|
| POSTGRES_DSN (required) | connection string | Full Postgres DSN for the auth service (postgres://...). |
| POSTGRES_MIGRATE_DSN | connection string | Go migrate runner DSN; derived from POSTGRES_DSN when unset. |
| POSTGRES_PASSWORD | string | Used only when building the DSN from host/port/user parts. |
Redis (proxy)
| Parameter | Type | Description |
|---|---|---|
| REDIS_URL | url | e.g. redis://:password@host:6379/0. Empty disables rate limiting (Noop limiter). |
LLM providers (proxy, live mode)
| Parameter | Type | Description |
|---|---|---|
| OPENAI_API_KEY (required) | string | Required when IBEX_LLM_MODE=live and using OpenAI. |
| ANTHROPIC_API_KEY (required) | string | Required when IBEX_LLM_MODE=live and using Anthropic. |
| IBEX_LLM_MODE | enum | Set to mock for local dev without provider keys. Default: live. |
JWT signing (auth, Phase 2 dashboard)
| Parameter | Type | Description |
|---|---|---|
| JWT_PRIVATE_KEY_PEM (required) | PEM | RS256 signing key — auth service only; never expose to the proxy or clients. |
| JWT_PUBLIC_KEYS_PEM | PEM | Verification keyset for services that validate dashboard JWTs. |
| JWT_KEY_ID_CURRENT (required) | string | kid header for the active signing key; required for rotation. |
| OIDC_CLIENT_SECRET | string | Enterprise SSO client secret when OIDC_ENABLED=true. |
Token hashing (auth)
Argon2id parameters are configured via IBEX_ARGON2_MEMORY_KIB, IBEX_ARGON2_TIME, and IBEX_ARGON2_PARALLELISM per ADR-0010. PAT wire values are hashed before storage; the plaintext is returned once, at creation, and never logged.
Rotation policy
Service-to-service tokens
Rotate every 24 hours with a 1-hour overlap window so in-flight requests still validate.
JWT signing keys
Rotate every 90 days. Maintain a keyset (JWT_PUBLIC_KEYS_PEM) so verifiers accept the previous key during JWT_KEYSET_GRACE_SECONDS.
Database credentials
Rotate every 30 days when using dynamic secrets; update the DSN in the secrets manager before revoking the old credentials.
LLM provider keys
Customer-managed for BYOK; update via API without downtime when orgs rotate keys.
Cryptographic standards
| Use case | Algorithm |
|---|---|
| Password and PAT hashing | Argon2id |
| Dashboard JWT | RS256 |
| Symmetric encryption | AES-256-GCM |
| Content hashing | SHA-256 |
Forbidden: MD5, SHA-1, custom crypto, home-grown JWT verification, storing encryption keys next to ciphertext.
Logging and observability
Structured JSON logs include request_id and trace_id when OTel is initialized. IBEX_LOG_LEVEL=DEBUG may expose sensitive details; do not enable it broadly in production.
Startup validation
Services fail fast at startup when required secrets are missing or when production detects unsafe dev defaults (e.g. IBEX_ENV=production with mock auth). Prefer a crash at boot over running with invalid configuration.