Secrets Management

Secrets Management

This document explains how secrets and credentials are managed in the Merq platform.

Overview

Method	Status	Description
Environment Variables	✅ Current	Main configuration method
Docker Secrets	🔵 Planned	For Docker Swarm
Kubernetes Secrets	🔵 Planned	For K8s deployments
HashiCorp Vault	🔵 Future	Enterprise secret management

---

Environment Variables

Required Variables

Variable	Description	Example
DB_HOST	PostgreSQL host	localhost
DB_PORT	PostgreSQL port	5432
DB_USER	Database username	merq
DB_PASSWORD	Database password	secure-password
DB_NAME	Database name	merq_db
REDIS_HOST	Redis host	localhost
REDIS_PORT	Redis port	6379
REDIS_PASSWORD	Redis password	redis-password
JWT_SECRET	JWT signing key	random-256-bit-string
JWT_EXPIRY_HOURS	Token expiry in hours	24

API Keys

Variable	Description
RESEND_API_KEY	Resend email service
PLUNK_API_KEY	Plunk email fallback
MAILERSEND_API_KEY	Mailersend fallback
FIREBASE_CREDENTIALS_FILE	Firebase service account path
DO_SPACES_KEY	DigitalOcean Spaces key
DO_SPACES_SECRET	DigitalOcean Spaces secret
TYPESENSE_API_KEY	Typesense search API key

Application Settings

Variable	Description	Default
SERVER_PORT	Server port	8080
APP_ENV	Environment	development

---

.env File

Backend

Create .env file in merq-backend/:

# Database
DB_HOST=localhost
DB_PORT=5432
DB_USER=merq
DB_PASSWORD=your-secure-password
DB_NAME=merq_db

# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=redis-password

# Auth
JWT_SECRET=your-256-bit-secret-key-change-in-production
JWT_EXPIRY_HOURS=24

# Email (at least one required)
RESEND_API_KEY=re_xxxxx
RESEND_SENDER_EMAIL=noreply@yourdomain.com

# Firebase
FIREBASE_CREDENTIALS_FILE=./firebase/service-account.json

# DigitalOcean Spaces
DO_SPACES_KEY=your-spaces-key
DO_SPACES_SECRET=your-spaces-secret
DO_SPACES_BUCKET=your-bucket
DO_SPACES_ENDPOINT=https://sgp1.digitaloceanspaces.com

# Typesense
TYPESENSE_HOST=localhost
TYPESENSE_PORT=8108
TYPESENSE_API_KEY=your-typesense-key

Web

Create .env.local file in merq-web:

VITE_API_BASE_URL=http://localhost:8080/api
VITE_GOOGLE_API_KEY=your-google-maps-key
VITE_SECURE_LOCAL_STORAGE_HASH_KEY=your-32-char-hash-key

Mobile

Create .env.dev or .env.prod file in merq-mobile:

API_BASE_URL=http://localhost:8080/api
GOOGLE_MAPS_API_KEY=your-google-maps-key
STORAGE_ENC_KEY=your-32-char-encryption-key

---

Production Secrets

Docker

# Using environment file
docker run -d \
  --name merq-backend \
  --env-file .env.production \
  merq-backend:latest

Docker Compose

version: '3.8'
services:
  backend:
    image: merq-backend:latest
    env_file:
      - .env.production

Kubernetes

apiVersion: v1
kind: Secret
metadata:
  name: merq-secrets
type: Opaque
stringData:
  DB_PASSWORD: your-password
  JWT_SECRET: your-secret
  RESEND_API_KEY: re_xxxxx

---

Secret Rotation

JWT Secret

1. Generate new secret
2. Update environment variable
3. Deploy application
4. Note: All existing tokens become invalid

API Keys

1. Generate new API key from provider
2. Update environment variable
3. Deploy application
4. Revoke old key

Database Password

1. Update password in database:

ALTER USER merq WITH PASSWORD 'new-password';

2. Update environment variable
3. Deploy application

---

Security Best Practices

DO

• ✅ Use strong, random secrets (256-bit for JWT)
• ✅ Rotate secrets regularly
• ✅ Use different secrets per environment
• ✅ Store secrets in secure location (Vault, K8s Secrets)
• ✅ Use environment-specific secrets

DON’T

• ❌ Commit secrets to version control
• ❌ Use default/example secrets in production
• ❌ Share secrets via email/chat
• ❌ Use simple passwords
• ❌ Hardcode secrets in source code

---

Related Documentation

• Environment Variables - Full variable list
• Installation Guide - Setup guide
• Integrations - Third-party services