Environment & Secrets Management
Rules
- Never commit `.env` files; `.gitignore` covers all `.env*` patterns
- The `NEXT_PUBLIC_` prefix exposes variables to the browser (Next.js inlines them into the client bundle at build time, so every visitor receives them); never put secrets under that prefix
- All secrets are stored in 1Password and shared via Fly.io secrets (backend) and Vercel env vars (frontend)
- Rotate `JWT_SECRET` and `COOKIE_SECRET` before the Phase 2 public launch
- Stripe: separate keys for development, staging, and production environments
Backend Secrets (Fly.io)
| Variable | Purpose | Rotate when |
|---|---|---|
| DATABASE_URL | Supabase connection string | On DB credential change |
| JWT_SECRET | JWT signing | Before Phase 2 launch |
| COOKIE_SECRET | Cookie signing | Before Phase 2 launch |
| STRIPE_SECRET_KEY | Stripe server-side | On team member departure |
| STRIPE_WEBHOOK_SECRET | Webhook HMAC | On webhook endpoint change |
| RESEND_API_KEY | Email sending | Annually or on breach |
| R2_ACCESS_KEY_ID / SECRET | Cloudflare R2 | Annually or on breach |
Frontend Env Vars (Vercel)
| Variable | Public? | Value |
|---|---|---|
| NEXT_PUBLIC_MEDUSA_BACKEND_URL | Yes | https://api.shop.vespertene.com |
| NEXT_PUBLIC_MEDUSA_PUBLISHABLE_KEY | Yes | From Medusa admin → Settings → API Keys |
| NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY | Yes | pk_live_... (never sk_live_) |
| NEXT_PUBLIC_STORE_URL | Yes | https://shop.vespertene.com |