obsidian/wiki/tech-patterns/runtime-credential-rotation-admin-panel.md
2026-04-29 16:53:34 +01:00

tags: tech-patterns, auto-generated
source: cinema-studio-pro-kling
created: 2026-04-29

Runtime Credential Rotation with Admin Panel

When to use

When you need to allow administrators to update time-sensitive API credentials (like monthly token rotation) without redeploying the application, and credentials must persist across server restarts.

Prerequisites

  • Application with admin user concept (authenticated via SSO like Azure AD)
  • Backend environment file system (.env files)
  • Admin users identified by email address in authentication system
  • API that requires periodic credential rotation (e.g., monthly token refresh)

Steps

  1. Define admin users by adding their email addresses to the server's .env file:

    echo "ADMIN_EMAILS=user@example.com,another@example.com" >> backend/.env.optical

    (Use emails that match your SSO system, e.g., Azure AD login emails)

  2. Create an admin panel endpoint that:

    • Verifies the requesting user's email is in ADMIN_EMAILS
    • Accepts new credential values (API key, secret, tokens)
    • Updates the server's .env file directly
    • Reloads/restarts the application service to apply changes

  3. When deploying updates that might overwrite credentials:

    git stash              # Save local .env changes (real credentials)
    git pull               # Get latest from repository
    git stash pop          # Restore credentials
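An added example (not the project's own code) of the endpoint logic from step 2, in Python: the exact-match admin check against ADMIN_EMAILS and the in-place .env rewrite. The function names, the ROTATABLE_KEYS allowlist and the atomic temp-file write are assumptions of this example; the service restart from the last bullet is left to the caller.

```python
import os
import tempfile
from pathlib import Path

# Assumed allowlist: only the two credential keys from Key Configuration may be rotated,
# so the panel can never rewrite ADMIN_EMAILS or FRONTEND_URL.
ROTATABLE_KEYS = frozenset({"API_KEY", "API_SECRET"})

def admin_emails(value: str) -> frozenset:
    """Parse the comma-separated ADMIN_EMAILS value (stray spaces stripped defensively)."""
    return frozenset(e.strip() for e in value.split(",") if e.strip())

def read_env(env_path: Path) -> dict:
    """Minimal KEY=VALUE parser; blank lines and '#' comments are ignored."""
    env = {}
    for line in env_path.read_text().splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            env[key.strip()] = val.strip()
    return env

def rotate_credentials(env_path: Path, user_email: str, updates: dict) -> set:
    """Apply `updates` to the .env file on behalf of `user_email`; returns the keys written."""
    current = read_env(env_path)
    # Exact match, as the email case-sensitivity gotcha requires.
    if user_email not in admin_emails(current.get("ADMIN_EMAILS", "")):
        raise PermissionError(f"{user_email} is not in ADMIN_EMAILS")
    bad = set(updates) - ROTATABLE_KEYS
    if bad:
        raise ValueError(f"not rotatable: {sorted(bad)}")
    if any("\n" in v or "\r" in v for v in updates.values()):
        raise ValueError("newline in credential value")  # would inject extra .env lines
    lines, seen = [], set()
    for line in env_path.read_text().splitlines():
        key = line.partition("=")[0].strip()
        if key in updates:
            lines.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            lines.append(line)
    lines += [f"{k}={v}" for k, v in updates.items() if k not in seen]
    # Write a temp file in the same directory, then atomically replace it, so a crash
    # mid-write never leaves a half-written credentials file (mode 0600: server-side only).
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, env_path)
    return set(updates)
```

Comments and unrelated keys in the file are preserved verbatim, so a rotation never disturbs FRONTEND_URL or the admin list.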

Key Configuration

# In backend/.env.optical (server-side only, not in git)
ADMIN_EMAILS=vadym.samoilenko@oliver.agency
API_KEY=<current-valid-key>
API_SECRET=<current-valid-secret>

Environment-specific configuration:

  • With Kling integration (playground branch): FRONTEND_URL=https://optical-prod.oliver.solutions/lux-studio
  • Without Kling (main branch): FRONTEND_URL=https://ai-sandbox.oliver.solutions/lux-studio

Gotchas

  • Git conflicts on pull: Always stash local .env changes before pulling, then stash pop after. Never commit real credentials to git.
  • Service restart required: Changes to .env don't apply automatically; the backend service must be restarted (systemd, docker, etc.)
  • Email case sensitivity: Ensure email addresses in ADMIN_EMAILS exactly match the SSO system's output (test in auth logs)
  • Multiple admins: Use comma-separated list without spaces: ADMIN_EMAILS=user1@example.com,user2@example.com

Source

Project: cinema-studio-pro-kling