
Secret Configuration

This guide covers setting up Wrangler secrets for Splinterpic. Never commit secrets to git!

Before setting secrets:

  1. Never commit secrets to version control
  2. Use different secrets for dev/staging/production
  3. Rotate secrets regularly (every 90 days recommended)
  4. Use strong, randomly generated secrets (minimum 32 characters)
  5. Limit access to secrets to authorized team members only
  6. Monitor usage for unauthorized access attempts

1. JWT_SECRET

Purpose: Signs authentication tokens

Generate a secure secret:

# Generate random 32-byte secret
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Set the secret:

npx wrangler secret put JWT_SECRET
# Paste the generated secret when prompted

⚠️ Critical: App will crash without this secret!

2. STRIPE_SECRET_KEY (REQUIRED for payments)


Purpose: Stripe API authentication

Get your key:

Set the secret:

npx wrangler secret put STRIPE_SECRET_KEY
# Paste your sk_live_... or sk_test_... key

For development: Use test keys (sk_test_...)

3. STRIPE_WEBHOOK_SECRET (REQUIRED for subscriptions)


Purpose: Verifies Stripe webhook signatures

Set up the webhook first:

  1. Go to: https://dashboard.stripe.com/webhooks
  2. Click “Add endpoint”
  3. Endpoint URL: https://api.splinterpic.app/api/webhooks/stripe
  4. Select events:
    • checkout.session.completed
    • invoice.payment_succeeded
    • invoice.payment_failed
    • customer.subscription.created
    • customer.subscription.updated
    • customer.subscription.deleted
  5. Copy the Signing Secret (starts with whsec_...)

Set the secret:

npx wrangler secret put STRIPE_WEBHOOK_SECRET
# Paste the whsec_... secret

4. GITHUB_CLIENT_SECRET

Purpose: GitHub OAuth authentication

Setup:

  1. Go to: https://github.com/settings/developers
  2. Create or edit OAuth App
  3. Set Authorization callback URL: https://splinterpic.app/auth/github/callback
  4. Copy Client Secret

Set the secret:

npx wrangler secret put GITHUB_CLIENT_SECRET
# Paste GitHub Client Secret

Note: Also update GITHUB_CLIENT_ID in wrangler.toml [vars] section

5. GOOGLE_CLIENT_SECRET

Purpose: Google OAuth authentication

Setup:

  1. Go to: https://console.cloud.google.com/apis/credentials
  2. Create OAuth 2.0 Client ID
  3. Set redirect URI: https://splinterpic.app/auth/google/callback
  4. Copy Client Secret

Set the secret:

npx wrangler secret put GOOGLE_CLIENT_SECRET
# Paste Google Client Secret

Note: Also update GOOGLE_CLIENT_ID in wrangler.toml [vars] section

6. MAILERSEND_API_TOKEN

Purpose: Magic link email authentication

Setup:

  1. Go to: https://www.mailersend.com/
  2. Get API token from dashboard

Set the secret:

npx wrangler secret put MAILERSEND_API_TOKEN
# Paste MailerSend API token

After setting secrets, verify:

npx wrangler secret list

Expected output:

┌───────────────────────┐
│ Name                  │
├───────────────────────┤
│ JWT_SECRET            │
│ STRIPE_SECRET_KEY     │
│ STRIPE_WEBHOOK_SECRET │
│ GITHUB_CLIENT_SECRET  │
│ GOOGLE_CLIENT_SECRET  │
│ MAILERSEND_API_TOKEN  │
└───────────────────────┘

# Use test mode for Stripe
npx wrangler secret put STRIPE_SECRET_KEY
# Paste sk_test_... key

# Use live mode for Stripe
npx wrangler secret put STRIPE_SECRET_KEY
# Paste sk_live_... key

Rotate secrets periodically for security:

# 1. Generate new secret
NEW_SECRET=$(node -e "console.log(require('crypto').randomBytes(32).toString('base64'))")
# 2. Update secret (quote the variable; printf avoids storing a trailing newline)
printf '%s' "$NEW_SECRET" | npx wrangler secret put JWT_SECRET
# 3. Redeploy worker
npm run worker:deploy
# 4. Update any local copies

Important: Rotating JWT_SECRET will invalidate all active sessions!

Check secret is set:

npx wrangler secret list

Redeploy after setting:

npm run worker:deploy

Verify webhook URL:

  • Should be: https://api.splinterpic.app/api/webhooks/stripe
  • Must be publicly accessible

Check signing secret:

  • Get from Stripe Dashboard → Webhooks
  • Should start with whsec_

Verify callback URLs match:

  • GitHub: https://splinterpic.app/auth/github/callback
  • Google: https://splinterpic.app/auth/google/callback

Check Client IDs:

  • Set in wrangler.toml [vars] section
  • Must match provider settings

Before going to production:

  • All required secrets set
  • Using live Stripe keys (not test)
  • Webhook signing secret configured
  • JWT_SECRET is strong and unique
  • OAuth secrets set (if using)
  • Secrets verified with wrangler secret list
  • Worker redeployed after setting secrets
  • .env files not committed to git
  • .gitignore includes .env*
  • Team members have limited access to secrets

  1. Use a Password Manager: Store backup copies of secrets securely
  2. Document Secret Owners: Know who has access to what
  3. Audit Access: Review secret access logs regularly
  4. Automate Rotation: Set calendar reminders for quarterly rotation
  5. Use Separate Accounts: Different Stripe accounts for dev/prod
  6. Monitor Usage: Watch for unusual API usage patterns
  7. Have Rollback Plan: Know how to quickly rotate compromised secrets

For rapid setup (after generating secrets manually):

#!/bin/bash
# setup-secrets.sh - Run this script to set the required secrets
set -euo pipefail   # stop at the first failed `secret put` instead of reporting success
echo "Setting JWT_SECRET..."
npx wrangler secret put JWT_SECRET
echo "Setting STRIPE_SECRET_KEY..."
npx wrangler secret put STRIPE_SECRET_KEY
echo "Setting STRIPE_WEBHOOK_SECRET..."
npx wrangler secret put STRIPE_WEBHOOK_SECRET
echo "Secrets setup complete!"
npx wrangler secret list

Make executable: chmod +x setup-secrets.sh


Next: Production Deployment