Credentials Handover
Rotate everything on this page
Before the outgoing developer's last day, every credential listed here must be rotated. Credentials that are not rotated remain accessible to someone who no longer works at the company.
Where Credentials Live
On the VPS — .env file
The root .env file in $PROJECT_PATH contains all runtime secrets. It is not committed to git.
In GitHub — Actions Secrets
Go to: GitHub repo → Settings → Secrets and variables → Actions
Credentials to Rotate
LLM / AI Provider
| Variable | Description | Where to rotate |
|---|---|---|
| OPENAI_API_KEY | Z.AI or OpenAI API key | Z.AI / OpenAI dashboard |
| ZAI_API_KEY | Z.AI API key | Z.AI dashboard |
| OPEN_ROUTER_API_KEY | OpenRouter key | OpenRouter dashboard |
| ANTHROPIC_API_KEY | Anthropic Claude API key | console.anthropic.com |
Service API Keys (Internal Auth)
Backend services validate requests using API_KEYS — a comma-separated list of allowed bearer tokens.
| Variable | Description | Action |
|---|---|---|
| API_KEYS | Comma-separated list, e.g. HbznWQA32r,0Z5h3m3OIc | Generate new random strings, update .env and all client configurations that call Zygy APIs |
Note
Any frontend, mobile app, or external system calling Zygy's APIs must be updated with the new API keys after rotation.
Embedding Service
| Variable | Description |
|---|---|
| EMBEDDING_API_KEY | Key for https://embed.zygy.com/embed |
Coordinate with whoever manages the embedding service to issue a new key.
Elasticsearch
| Variable | Description | Where to rotate |
|---|---|---|
| ES_USER | Elasticsearch username | Elasticsearch Kibana → Stack Management → Users |
| ES_PASSWORD | Elasticsearch password | Elasticsearch Kibana → Stack Management → Users |
After rotation, update .env on the VPS and restart all services that connect to ES (backend-streamsearch, backend-vectorindexing, backend-generatereport).
Redis
| Variable | Description |
|---|---|
| REDIS_PASSWORD | Redis authentication password |
After changing this in .env, restart the redis container and all services that depend on it (backend-workflow, backend-vectorindexing, backend-generatereport).
MongoDB
| Variable | Description |
|---|---|
| MONGO_URI | Full MongoDB connection string including username/password |
Coordinate with the MongoDB server team at 103.3.62.250 to change the zygy database user password.
Linode Object Storage
| Variable | Description | Where to rotate |
|---|---|---|
| LINODE_ACCESS_KEY | Linode S3 access key | Linode Cloud Manager → Object Storage → Access Keys |
| LINODE_SECRET_KEY | Linode S3 secret key | Same as above |
After rotation, update .env and restart sqlite-backup.
SMTP (Email)
| Variable | Description | Where to rotate |
|---|---|---|
| SMTP_USER | SMTP username | Exabytes hosting control panel |
| SMTP_PASSWORD | SMTP password | Exabytes hosting control panel |
Grafana
| Item | Description |
|---|---|
| Grafana admin password | Log in to grafana.zygy.com, go to Profile → Change Password |
SSH Keys
VPS Access (GitHub Actions)
The SSH_PRIVATE_KEY GitHub secret is the private key GitHub Actions uses to SSH into the VPS.
- Generate a new key pair: ssh-keygen -t ed25519 -f deploy_key -C "github-actions-deploy"
- Add the public key to ~/.ssh/authorized_keys on the VPS for user zygy
- Remove the old public key from authorized_keys
- Update the SSH_PRIVATE_KEY GitHub secret with the new private key
- Verify a push triggers a successful deploy
Mongo Tunnel SSH Key
The key at /home/zygy/.ssh/id_ed25519 on the VPS is used by the mongo-tunnel container.
- Generate a new key: ssh-keygen -t ed25519 -f id_ed25519_new -C "mongo-tunnel"
- Send the new public key to the MongoDB server team and ask them to replace the old one in ~zygy/.ssh/authorized_keys on 103.3.62.250
- Replace the private key on the VPS: cp id_ed25519_new /home/zygy/.ssh/id_ed25519 && chmod 600 /home/zygy/.ssh/id_ed25519
- Restart: docker-compose restart mongo-tunnel
GitHub Actions Secrets to Update
| Secret | When to update |
|---|---|
| VPS_HOST | If the VPS IP changes |
| VPS_USER | If the SSH user changes |
| SSH_PRIVATE_KEY | Rotate now — outgoing developer has the private key |
| VPS_PORT | If SSH port changes |
| PROJECT_PATH | If the project is moved on the VPS |
Rotation Checklist
- [ ] OPENAI_API_KEY / ZAI_API_KEY rotated
- [ ] ANTHROPIC_API_KEY rotated
- [ ] API_KEYS (internal auth) regenerated and all clients updated
- [ ] EMBEDDING_API_KEY rotated
- [ ] ES_PASSWORD changed in Kibana and .env updated
- [ ] REDIS_PASSWORD changed in .env and Redis restarted
- [ ] MONGO_URI password changed with MongoDB team
- [ ] LINODE_ACCESS_KEY / LINODE_SECRET_KEY rotated
- [ ] SMTP_PASSWORD changed
- [ ] Grafana admin password changed
- [ ] GitHub Actions SSH_PRIVATE_KEY rotated (new key pair generated)
- [ ] Mongo-tunnel SSH key rotated with MongoDB server team
- [ ] Outgoing developer's personal VPS SSH key removed from authorized_keys
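One way to confirm the .env side of the checklist above: this added example (not part of the Zygy code base) compares the text of a pre-rotation copy of .env with the current file and names every listed secret that is still unchanged, without printing any value. It assumes plain KEY=VALUE lines and that a pre-rotation copy was kept; the function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit

# Variables from this page's rotation list that hold secret material.
ROTATE = [
    "OPENAI_API_KEY", "ZAI_API_KEY", "OPEN_ROUTER_API_KEY", "ANTHROPIC_API_KEY",
    "API_KEYS", "EMBEDDING_API_KEY", "ES_PASSWORD", "REDIS_PASSWORD",
    "MONGO_URI", "LINODE_ACCESS_KEY", "LINODE_SECRET_KEY", "SMTP_PASSWORD",
]

def parse_env(text):
    """Parse simple KEY=VALUE lines (assumed format); skip blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def tokens(value):
    """Split the comma-separated API_KEYS allow-list into a set of tokens."""
    return {t.strip() for t in value.split(",") if t.strip()}

def unrotated(old_text, new_text):
    """Names of variables whose secret is unchanged; values are never returned."""
    old, new = parse_env(old_text), parse_env(new_text)
    stale = []
    for name in ROTATE:
        before, after = old.get(name, ""), new.get(name, "")
        if not before:
            continue  # was not set before the handover
        if name == "API_KEYS":
            # One surviving bearer token keeps the old client access alive.
            unchanged = bool(tokens(before) & tokens(after))
        elif name == "MONGO_URI":
            # Compare the password only: host or options may change without it.
            unchanged = urlsplit(before).password == urlsplit(after).password
        else:
            unchanged = before == after
        if unchanged:
            stale.append(name)
    return stale

# Constructed sample values, not real credentials.
OLD = "ES_PASSWORD=old-es\nAPI_KEYS=aaa111,bbb222\nMONGO_URI=mongodb://zygy:old-pw@db.example:27017/zygy\n"
NEW = "ES_PASSWORD=new-es\nAPI_KEYS=ccc333,bbb222\nMONGO_URI=mongodb://zygy:old-pw@db.example:27017/zygy?tls=true\n"

if __name__ == "__main__":
    print(unrotated(OLD, NEW))
```

A changed value in .env only shows the file was updated; the old key must still be revoked at the provider. Delete the pre-rotation copy once the check passes.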