┌─────────────────┐
│ Client Request │
└────────┬────────┘
│
┌───────▼────────┐
│ Rate Limiter │
└───────┬────────┘
│
┌────────────┴───────────┐
│ │
┌───────▼─────┐ ┌──────▼──────┐
│ API Key │ │ Request │
│ Validator │ │ Signature │
└───────┬─────┘ └──────┬──────┘
│ │
┌─────┴────────────────┬──────┘
│ │
┌───────▼────────┐ ┌───────▼────────┐
│ Redis Rate │ │ Supabase │
│ Tracking │ │ Auth │
└───────┬────────┘ └───────┬────────┘
│ │
└──────────┬──────────┘
│
┌───────▼───────┐
│ Route │
│ Handler │
└───────┬───────┘
│
┌─────────┴─────────┐
│ │
┌────────▼─────────┐ ┌──────▼────────┐
│ Data Encryption │ │ Response │
│ Service │ │ Signing │
└────────┬─────────┘ └──────┬────────┘
│ │
└────────┬─────────┘
│
┌───────▼──────┐
│ Response │
└──────────────┘
1. API_KEY
- Primary authentication mechanism
- Required for all API requests
- System will reject all requests without valid API key
- CRITICALITY: HIGH ⚠️
2. ENCRYPTION_KEY
- Used for sensitive data encryption/decryption
- Required for secure data storage and transmission
- System will fail to process sensitive data without it
- CRITICALITY: HIGH ⚠️
1. WEBHOOK_ENCRYPTION_KEY
- Used for webhook payload encryption
- System can still process requests without it
- Affects only webhook functionality
- CRITICALITY: MEDIUM
2. SECURITY_SIGNATURE_SECRET
- Used for request signature verification
- Adds extra security layer but not critical
- System can be configured to skip verification
- CRITICALITY: MEDIUM
3. WEBHOOK_SECRET
- Used for webhook authentication
- Only affects webhook delivery
- Can be disabled if needed
- CRITICALITY: LOW
- Primary request authentication
- Rate limiting identification
- Access control management
- Usage tracking and monitoring
- Database field encryption
- Sensitive data protection
- Secure storage of PII
- End-to-end message encryption
- Webhook payload encryption
- Third-party integration security
- Event notification security
- Request tampering prevention
- Message integrity verification
- Man-in-the-middle attack prevention
- Webhook source verification
- Event delivery authentication
- Integration security
# Using Node.js crypto module
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"# Using Node.js crypto module
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"# Using Node.js crypto module
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"# Using Node.js crypto to generate 32-byte (256-bit) key
node -e "console.log(crypto.randomBytes(32).toString('hex'))"# Using Node.js crypto to generate 32-byte (256-bit) key
node -e "console.log(crypto.randomBytes(32).toString('hex'))"# Generate and add these keys
API_KEY=generated_api_key
SECURITY_SIGNATURE_SECRET=generated_signature_key
WEBHOOK_SECRET=generated_webhook_secret
ENCRYPTION_KEY=your_generated_key
WEBHOOK_ENCRYPTION_KEY=your_generated_key# PMS Frontend (.env)
VITE_API_KEY=generated_api_key
VITE_SECURITY_SIGNATURE_SECRET=generated_signature_key
# Storefront Frontend (.env)
NEXT_PUBLIC_API_KEY=generated_api_key
NEXT_PUBLIC_SECURITY_SIGNATURE_SECRET=generated_signature_key# Run these commands in your terminal
ENCRYPTION_KEY=$(node -e "console.log(crypto.randomBytes(32).toString('hex'))")
WEBHOOK_KEY=$(node -e "console.log(crypto.randomBytes(32).toString('hex'))")
echo "Generated Keys:"
echo "ENCRYPTION_KEY=$ENCRYPTION_KEY"
echo "WEBHOOK_ENCRYPTION_KEY=$WEBHOOK_KEY"- Add to Render environment variables
- Keep a secure backup of the keys
- Never commit these keys to version control
- API Keys: Every 90 days
- Security Signature: Every 30 days
- Webhook Secrets: Every 60 days
- Rotate encryption keys every 90 days
- Generate new keys before rotating
- Maintain old keys for 24 hours during rotation
- Document all key rotations in secure log
All API requests must include:
headers: {
'X-API-Key': process.env.API_KEY,
'X-Request-Signature': generateSignature(payload),
'X-Request-Timestamp': Date.now().toString(),
'X-Request-Nonce': generateNonce()
}- Never commit keys to version control
- Use different keys for development/production
- Share keys securely (password manager)
- Monitor key usage in logs
- Implement key rotation alerts
- Limit key access to senior developers only
- Monitor key usage in application logs
- Set up alerts for failed decryption attempts
# Full encryption keys required
ENCRYPTION_KEY=your_generated_key
WEBHOOK_ENCRYPTION_KEY=your_generated_key# Only verification parts needed
VITE_VERIFY_KEY=public_verification_part
# Does NOT need ENCRYPTION_KEY or WEBHOOK_ENCRYPTION_KEY# Only verification parts needed
NEXT_PUBLIC_VERIFY_KEY=public_verification_part
# Does NOT need ENCRYPTION_KEY or WEBHOOK_ENCRYPTION_KEY-
Encryption Keys
- ENCRYPTION_KEY
- WEBHOOK_ENCRYPTION_KEY
- These are for backend encryption only
-
Database Credentials
- All database connection strings
- Service role keys
- Redis URLs
-
Internal Secrets
- SECURITY_SIGNATURE_SECRET
- WEBHOOK_SECRET
- Private keys
-
Public Keys Only
- API_KEY (restricted version)
- Public verification keys
- Public endpoints
-
Public Configurations
- API URLs
- WebSocket URLs
- Public environment indicators
- Encryption keys remain ONLY on backend
- Frontend apps only receive verification parts
- Never expose full encryption keys to frontend
- Use asymmetric encryption for frontend-backend communication
- Webhook encryption keys stay exclusively on backend