# Credentials Map

- Purpose: Where secrets live (NOT the secrets themselves)
- Audience: DevOps, Backend Engineers
- Source of Truth: TRUTH_MAP.md Section B.3
- Last Updated: February 2, 2026
## Secret Storage Hierarchy

### Primary Secret Store: Doppler

All production secrets are managed via Doppler. Platform-specific variables (Railway, Vercel) should reference Doppler or be synced from it.

| Priority | Storage | Purpose | Access |
|---|---|---|---|
| 1 | Doppler (prd) | Master secrets store | Doppler dashboard |
| 2 | Railway Secrets | Runtime config (references Doppler) | Railway dashboard |
| 3 | Vercel Environment | Dashboard-specific (`NEXT_PUBLIC_*`) | Vercel dashboard |
| 4 | GitHub Secrets | CI/CD only | GitHub repo settings |
| - | `.env` files | Local dev only | Developer machine |

**Rule:** Never change Railway/Vercel env vars directly without updating Doppler first.
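The rule above is easiest to enforce when drift is visible. The following script is an added example (not part of this Credentials Map, and not Doppler or Railway tooling): it compares a `KEY=VALUE` export of the Doppler `prd` config against an export of a platform's variables and reports keys that are missing, set only on the platform (edited by hand), or different. Values are never printed; only a short SHA-256 fingerprint is shown so the report can be pasted into a ticket. The two exports and all values in them are constructed placeholders.

```python
"""Drift check between Doppler (master store) and a platform env export.

Added example; it is not part of the original Credentials Map or of any
Doppler/Railway tooling. It assumes both stores have been exported to
KEY=VALUE text (e.g. from the Doppler and Railway dashboards). The two
exports below are constructed sample data with placeholder values.
"""
import hashlib
from typing import Dict, List


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.

    Only the first '=' splits, so values containing '=' (connection strings
    with query parameters) survive intact. Surrounding quotes are stripped.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def fingerprint(value: str) -> str:
    """Short non-reversible handle for a value, safe to paste into a ticket."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def find_drift(master: Dict[str, str], platform: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a platform env against Doppler, the source of truth.

    missing   - defined in Doppler but not set on the platform (sync broken)
    unmanaged - set on the platform but unknown to Doppler (changed directly?)
    differs   - set in both with different values (platform edited or stale)
    """
    return {
        "missing": sorted(k for k in master if k not in platform),
        "unmanaged": sorted(k for k in platform if k not in master),
        "differs": sorted(k for k in master if k in platform and master[k] != platform[k]),
    }


def drift_report(master: Dict[str, str], platform: Dict[str, str]) -> List[str]:
    """Human-readable lines; secret values appear only as fingerprints."""
    drift = find_drift(master, platform)
    lines = [f"missing on platform: {k}" for k in drift["missing"]]
    lines += [f"unmanaged on platform (not in Doppler): {k}" for k in drift["unmanaged"]]
    lines += [
        f"differs: {k} doppler={fingerprint(master[k])} platform={fingerprint(platform[k])}"
        for k in drift["differs"]
    ]
    return lines


# Constructed sample exports; every value is a placeholder.
DOPPLER_PRD = """
POSTGRES_CONN_STR=postgres://app:placeholder-pass@db.internal:5432/app?sslmode=require
REDIS_URL=redis://cache.internal:6379/0
NATS_URL=nats://events.internal:4222
FULCRUM_API_KEY=placeholder-fulcrum-key
"""

RAILWAY_EXPORT = """
# Railway variables export (constructed)
POSTGRES_CONN_STR=postgres://app:old-pass@db.internal:5432/app?sslmode=require
REDIS_URL="redis://cache.internal:6379/0"
FULCRUM_API_KEY=placeholder-fulcrum-key
LEGACY_TOKEN=set-by-hand-in-dashboard
"""

if __name__ == "__main__":
    for line in drift_report(parse_env(DOPPLER_PRD), parse_env(RAILWAY_EXPORT)):
        print(line)
```

Running it on the sample exports reports `NATS_URL` as missing on Railway, `LEGACY_TOKEN` as unmanaged (set outside Doppler, exactly what the rule forbids), and `POSTGRES_CONN_STR` as differing. Any non-empty report means Doppler and the platform disagree and the platform should be re-synced rather than edited further.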
## Secret Storage Locations (Legacy Reference)

| Environment | Storage | Access |
|---|---|---|
| Local Dev | `.env` files | Developer machine |
| Railway | Railway Secrets | Railway dashboard |
| Vercel | Vercel Environment Variables | Vercel dashboard |
| CI/CD | GitHub Secrets | GitHub repo settings |
## Credential Categories

### Database Credentials

| Credential | Local Source | Production Source | Used By |
|---|---|---|---|
| `POSTGRES_CONN_STR` | `.env` | Railway Secrets (via Doppler) | Backend |
| `DATABASE_URL` | `.env` | Railway Secrets (via Doppler) | Backend |
| `METRICS_CONN_STR` | `.env` | Railway Secrets (via Doppler) | Backend |

### Cache Credentials

| Credential | Local Source | Production Source | Used By |
|---|---|---|---|
| `REDIS_URL` | `.env` | Railway Secrets (via Doppler) | Backend |

### Message Queue Credentials

| Credential | Local Source | Production Source | Used By |
|---|---|---|---|
| `NATS_URL` | `.env` | Railway Secrets (via Doppler) | Backend |

### Authentication Credentials

| Credential | Local Source | Production Source | Used By |
|---|---|---|---|
| `CLERK_SECRET_KEY` | `.env.local` | Doppler → Vercel Env | Dashboard |
| `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` | `.env.local` | Vercel Env | Dashboard |
| `FULCRUM_API_KEY` | `.env` | Doppler → Railway Secrets | Backend/SDKs |

### Billing Credentials

| Credential | Local Source | Production Source | Used By |
|---|---|---|---|
| `STRIPE_SECRET_KEY` | `.env.local` | Doppler → Vercel Env | Dashboard |
| `STRIPE_WEBHOOK_SECRET` | `.env.local` | Doppler → Vercel Env | Dashboard |

### CI/CD Credentials

| Credential | Source | Used By |
|---|---|---|
| `GITHUB_TOKEN` | GitHub Actions (automatic) | CI workflows |
| `DOCKER_USERNAME` | GitHub Secrets | Image push |
| `DOCKER_PASSWORD` | GitHub Secrets | Image push |
| `ENDOR_API_CREDENTIALS` | GitHub Secrets | Security scanning |
## Secret Rotation Schedule

| Credential Type | Rotation Period | Last Rotated | Next Rotation |
|---|---|---|---|
| Database passwords | 90 days | - | TBD |
| API keys | 90 days | - | TBD |
| Clerk keys | Never (managed) | N/A | N/A |
| Stripe keys | Never (managed) | N/A | N/A |
## Emergency Access

### Lost Railway Access

- Contact Railway support
- Use backup credentials from 1Password (if configured)
- Rotate all credentials after recovery

### Lost Vercel Access

- Contact Vercel support
- Re-deploy with new environment variables

### Lost Clerk Access

- Contact Clerk support
- Generate new API keys
- Update all environments
## Credential Checklist for New Environments

- [ ] `POSTGRES_CONN_STR` - Database connection
- [ ] `REDIS_URL` - Cache connection
- [ ] `NATS_URL` - Event bus connection
- [ ] `CLERK_SECRET_KEY` - Auth backend
- [ ] `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` - Auth frontend
- [ ] `FULCRUM_API_KEY` - API authentication
- [ ] `STRIPE_SECRET_KEY` - Billing (if enabled)
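The checklist can be turned into a fail-fast startup check. The script below is an added example, not part of this Credentials Map or of the project's code: it takes the required keys from the checklist, grouped by the "Used By" column of the credential tables (backend vs. dashboard), treats `STRIPE_SECRET_KEY` as required only when billing is enabled, and additionally refuses any server-side secret that has been given a `NEXT_PUBLIC_` prefix, because Next.js inlines `NEXT_PUBLIC_*` variables into the browser bundle. The service grouping and the sensitive-name markers are assumptions made for the example; the sample environments are constructed.

```python
"""Startup check for the credential checklist.

Added example; not part of the original Credentials Map. Required keys are
taken from the checklist and grouped by the "Used By" column of the
credential tables (an assumption for this example); STRIPE_SECRET_KEY is
optional unless billing is enabled, per the "(if enabled)" note. The
sample environments below are constructed placeholders.
"""
from typing import Dict, List, Mapping

REQUIRED: Dict[str, List[str]] = {
    "backend": ["POSTGRES_CONN_STR", "REDIS_URL", "NATS_URL", "FULCRUM_API_KEY"],
    "dashboard": ["CLERK_SECRET_KEY", "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY"],
}

# Required only when billing is enabled for the environment.
BILLING: Dict[str, List[str]] = {
    "backend": [],
    "dashboard": ["STRIPE_SECRET_KEY"],
}

# Name fragments that mark a server-side secret. A NEXT_PUBLIC_ key whose
# name contains one of these would be shipped to every browser.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "CONN_STR", "API_KEY", "TOKEN")


def check_environment(env: Mapping[str, str], service: str, billing_enabled: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the environment passes.

    Checks, in order:
      1. every required key for the service is present and non-empty,
      2. billing keys are present when billing is enabled,
      3. no server-side secret carries a NEXT_PUBLIC_ prefix.
    Messages name keys only; values are never included.
    """
    if service not in REQUIRED:
        raise ValueError(f"unknown service {service!r}")
    problems: List[str] = []
    wanted = list(REQUIRED[service])
    if billing_enabled:
        wanted += BILLING.get(service, [])
    for key in wanted:
        if key not in env:
            problems.append(f"missing: {key}")
        elif not env[key].strip():
            problems.append(f"empty: {key}")
    for key in sorted(env):
        if key.startswith("NEXT_PUBLIC_") and any(m in key for m in SENSITIVE_MARKERS):
            problems.append(f"client-exposed secret: {key}")
    return problems


# Constructed sample environments; every value is a placeholder.
DASHBOARD_ENV = {
    "CLERK_SECRET_KEY": "sk_placeholder",
    "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY": "pk_placeholder",
    "NEXT_PUBLIC_STRIPE_SECRET_KEY": "sk_placeholder",  # mistake: secret with a public prefix
}
BACKEND_ENV = {
    "POSTGRES_CONN_STR": "postgres://app:placeholder@db.internal:5432/app",
    "REDIS_URL": "",  # present but empty: the service would fail later, not now
    "NATS_URL": "nats://events.internal:4222",
    "FULCRUM_API_KEY": "placeholder-fulcrum-key",
}

if __name__ == "__main__":
    for name, env, svc, billing in [
        ("dashboard", DASHBOARD_ENV, "dashboard", True),
        ("backend", BACKEND_ENV, "backend", False),
    ]:
        for problem in check_environment(env, svc, billing_enabled=billing) or ["ok"]:
            print(f"{name}: {problem}")
```

In a real service the call is `check_environment(os.environ, "backend")` at process start, raising or exiting on a non-empty result so that a misconfigured environment never serves traffic. The `NEXT_PUBLIC_` check is deliberately name-based: it catches the common mistake of copying a secret into a public variable during a new-environment setup, which no presence check would notice.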
## Security Notes

- **Never commit secrets** - keep local values in `.env` files (gitignored)
- **Use secret managers** - Doppler as the master store, synced to Railway/Vercel
- **Least privilege** - each service gets only the secrets it needs
- **Audit access** - review who has access quarterly
- **Rotate on breach** - rotate immediately if a credential is compromised
Evidence sources: TRUTH_MAP.md, Doppler configuration