---
tags: [tech-patterns, auto-generated]
source: cinema-studio-pro-kling
created: 2026-04-29
---

# Runtime Credential Rotation with Admin Panel

## When to use

When you need to allow administrators to update time-sensitive API credentials (like monthly token rotation) without redeploying the application, and credentials must persist across server restarts.

## Prerequisites

- Application with admin user concept (authenticated via SSO like Azure AD)
- Backend environment file system (`.env` files)
- Admin users identified by email address in authentication system
- API that requires periodic credential rotation (e.g., monthly token refresh)

## Steps

1. Define admin users by adding their email addresses to the server's `.env` file:

   ```bash
   echo "ADMIN_EMAILS=user@example.com,another@example.com" >> backend/.env.optical
   ```

   (Use emails that match your SSO system, e.g., Azure AD login emails.)

2. Create an admin panel endpoint that:
   - Verifies the requesting user's email is in `ADMIN_EMAILS`
   - Accepts new credential values (API key, secret, tokens)
   - Updates the server's `.env` file directly
   - Reloads/restarts the application service to apply changes

3. When deploying updates that might overwrite credentials:

   ```bash
   git stash      # Save local .env changes (real credentials)
   git pull       # Get latest from repository
   git stash pop  # Restore credentials
   ```

## Key Configuration

```bash
# In backend/.env.optical (server-side only, not in git)
ADMIN_EMAILS=vadym.samoilenko@oliver.agency
API_KEY=
API_SECRET=
```

Environment-specific configuration:

- **With Kling integration** (playground branch): `FRONTEND_URL=https://optical-prod.oliver.solutions/lux-studio`
- **Without Kling** (main branch): `FRONTEND_URL=https://ai-sandbox.oliver.solutions/lux-studio`

## Gotchas

- **Git conflicts on pull**: Always `stash` local `.env` changes before pulling, then `stash pop` after. Never commit real credentials to git.
- **Service restart required**: Changes to `.env` don't apply automatically; the backend service must be restarted (systemd, docker, etc.)
- **Email case sensitivity**: Ensure email addresses in `ADMIN_EMAILS` exactly match the SSO system's output (test in auth logs)
- **Multiple admins**: Use comma-separated list without spaces: `ADMIN_EMAILS=user1@example.com,user2@example.com`

## Source

Project: cinema-studio-pro-kling
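The admin-panel logic from step 2 (admin check against `ADMIN_EMAILS`, then rewriting the `.env` file) as an added Python example; it is not code from the cinema-studio-pro-kling project. The `ROTATABLE_KEYS` allowlist, the function names and the exact-match comparison are assumptions; the file path `backend/.env.optical` and the key names come from the page. The service restart from the page is left to the caller.

```python
import os
import tempfile
from pathlib import Path

# Keys the panel may rotate; this allowlist is an assumption, not from the page.
# ADMIN_EMAILS is left out on purpose so the panel cannot be used to mint new admins.
ROTATABLE_KEYS = {"API_KEY", "API_SECRET"}


def parse_admin_emails(raw: str) -> set[str]:
    """Split the comma-separated ADMIN_EMAILS value; stray whitespace is tolerated."""
    return {e.strip() for e in raw.split(",") if e.strip()}


def is_admin(requester_email: str, admin_emails: set[str]) -> bool:
    """Exact comparison, as the page advises: entries must equal the SSO's email output."""
    return requester_email in admin_emails


def rotate_credentials(env_path: Path, requester_email: str,
                       admin_emails_raw: str, new_values: dict[str, str]) -> list[str]:
    """Rewrite allowlisted KEY=value lines atomically (temp file + rename, mode 0600),
    leaving other lines verbatim; returns the keys written. Caller restarts the service."""
    if not is_admin(requester_email, parse_admin_emails(admin_emails_raw)):
        raise PermissionError(f"{requester_email} is not listed in ADMIN_EMAILS")
    for key, value in new_values.items():
        if key not in ROTATABLE_KEYS:
            raise ValueError(f"{key} cannot be changed from the admin panel")
        if "\n" in value or "\r" in value:  # a newline would smuggle in extra variables
            raise ValueError("credential values must be a single line")
    lines = env_path.read_text().splitlines() if env_path.exists() else []
    out, seen = [], set()
    for line in lines:
        key = line.split("=", 1)[0].strip()
        if key in new_values:
            out.append(f"{key}={new_values[key]}")  # replace in place, keep position
            seen.add(key)
        else:
            out.append(line)  # comments and unrelated settings are untouched
    for key in new_values:
        if key not in seen:
            out.append(f"{key}={new_values[key]}")  # first rotation of a missing key
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.rotate-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(out) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, env_path)  # readers see either the old or the new file, never a torn one
    return sorted(new_values)
```

Because `ADMIN_EMAILS` is not rotatable through the panel, a compromised admin session cannot add further admins; that key still changes only by editing the file on the server.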