Security Portal

Secrets & key management

Start here:

• Vault usage (app-level secret encryption): docs/guides/VAULT-USAGE.md
• Production readiness requirements (Tier A/B/C): docs/PRODUCTION_READY_CHECKLIST.md

What to treat as production secrets

• DB credentials (Postgres)
• Redis password
• RPC provider endpoints + API keys (QuickNode/NOWNodes/etc.)
• Payment provider keys (Paystar/FinnoTech/etc.)
• Bot tokens / webhook secrets
• Vault KEK (master encryption key)

Recommended production posture (minimum)

• Use Docker Swarm secrets (or an external secret manager) for sensitive values.
• Never bake secrets into images.
• Keep audit logs and access controls around key operations (withdrawals, swaps, fiat flows).