Secrets
Rules
- Keep real secrets only in .env or a secret manager.
- Do not commit .env.
- Do not paste secrets into support chats, tickets, screenshots, or logs.
- Rotate any secret that may have been exposed.
- Keep encryption secrets stable across deployments and backups.
Important Secrets
- NEXTAUTH_SECRET: session/auth security.
- Internal service API keys.
- Provider API keys for transcription, AI, translation, and email.
- FEDIVERSE_KEY_ENCRYPTION_SECRET: encrypts ActivityPub private keys.
- FEDIVERSE_DELIVERY_SECRET: protects internal federation delivery endpoint.
- TURN credentials for video reliability.
Rotation
Rotation impact varies. Provider keys can usually be rotated by updating .env and recreating affected containers. Encryption keys may require data migration or actor-key rotation.
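
An added example (not part of the original page or the project's code) for the rules on logs and exposure: it masks values from a .env file in text before that text is shared, and reports which keys appeared in it, which are the ones to treat as possibly exposed. The sample values, the SITE_NAME key, the log lines and the generic key-name suffixes are constructed assumptions.

```python
import re

# Key names treated as secret. The *_SECRET names come from the page; the other
# suffixes are an assumption covering provider keys and TURN credentials.
SECRET_NAME = re.compile(r"SECRET|API_KEY|TOKEN|PASSWORD|CREDENTIAL", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines of .env content, skipping comments and blanks."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.removeprefix("export ").partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        values[key.strip()] = value
    return values

def redact(text, env, min_len=8):
    """Mask secret values found in text.

    Returns (clean_text, keys_found). Any key in keys_found was present in the
    text, so it counts as possibly exposed and is a candidate for rotation.
    Values shorter than min_len are skipped to avoid masking ordinary words.
    """
    secrets = [(k, v) for k, v in env.items()
               if SECRET_NAME.search(k) and len(v) >= min_len]
    secrets.sort(key=lambda kv: len(kv[1]), reverse=True)  # longest value first
    found = []
    for key, value in secrets:
        if value in text:
            text = text.replace(value, f"[REDACTED:{key}]")
            found.append(key)
    return text, sorted(found)

# Constructed sample input; none of these are real values.
SAMPLE_ENV = """\
NEXTAUTH_SECRET="constructed-nextauth-value-0001"
FEDIVERSE_DELIVERY_SECRET=constructed-delivery-value-0002
FEDIVERSE_KEY_ENCRYPTION_SECRET=constructed-keyenc-value-0003
SITE_NAME=example
"""
SAMPLE_LOG = """\
POST /internal/deliver 401 x-delivery-secret=constructed-delivery-value-0002
session check ok site=example
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_LOG, parse_env(SAMPLE_ENV))
    print(clean, "possibly exposed:", found)
```

Masking only covers the copy being shared; a value that already reached a stored log still falls under the rotation rule.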