Skip to content

Secrets

Rules

  • Keep real secrets only in .env or a secret manager.
  • Do not commit .env.
  • Do not paste secrets into support chats, tickets, screenshots, or logs.
  • Rotate any secret that may have been exposed.
  • Keep encryption secrets stable across deployments and backups.

Important Secrets

  • NEXTAUTH_SECRET: session/auth security.
  • Internal service API keys.
  • Provider API keys for transcription, AI, translation, and email.
  • FEDIVERSE_KEY_ENCRYPTION_SECRET: encrypts ActivityPub private keys.
  • FEDIVERSE_DELIVERY_SECRET: protects internal federation delivery endpoint.
  • TURN credentials for video reliability.

Rotation

Rotation impact varies. Provider keys can usually be rotated by updating .env and recreating affected containers. Encryption keys may require data migration or actor-key rotation.