Fulcrum Production Credentials Setup Guide

Complete checklist of accounts, credentials, and where to configure them

Created: January 15, 2026

---

Quick Summary

Service	Account Needed	Credentials Count	Priority
PostgreSQL (Railway/Supabase/Neon)	Yes	1 connection string	Critical
Redis (Upstash/Railway)	Yes	1 connection string	Critical
NATS (Self-hosted/Railway)	Optional	1 connection string	Critical
Clerk	Yes	2 keys	Critical
Stripe	Yes	4 keys/IDs	Required
Vercel	Yes	3 values	Required
Railway	Yes	1 token	Required
GitHub	Yes	6 secrets	Required
Ollama	No account	Local only	Optional
PostHog	Optional	2 values	Optional
Sentry	Optional	2 DSNs	Optional

---

1. Database: PostgreSQL

Account Setup

• Provider Options: Railway, Supabase, Neon
• Recommended: Railway (included with backend) or Supabase/Neon based on cost/region needs

Credentials Needed

Credential	Format	Example
POSTGRES_CONN_STR	Connection string	postgresql://user:pass@host:5432/fulcrum?sslmode=require

Setup Steps

1. Create account at chosen provider
2. Create new PostgreSQL database named fulcrum
3. Copy the connection string from dashboard
4. Important: Ensure sslmode=require for production

Where to Store

Environment	Location
Local Dev	.env file (root)
Railway Backend	Railway Dashboard → Service → Variables
Vercel Dashboard	Vercel Dashboard → Project → Environment Variables

---

2. Cache: Redis

Account Setup

• Provider Options: Upstash (recommended), Railway, Redis Cloud
• Recommended: Upstash (generous free tier, serverless)

Credentials Needed

Credential	Format	Example
REDIS_URL	Connection string	redis://default:password@host:6379

Setup Steps

1. Create account at Upstash or Railway
2. Create new Redis database
3. Copy the Redis URL from dashboard
4. For Upstash: Enable TLS (default)

Where to Store

Environment	Location
Local Dev	.env file
Railway Backend	Railway Dashboard → Variables

---

3. Message Queue: NATS JetStream

Account Setup

• Self-hosted: Included in Docker Compose for local dev
• Production: Railway service or Synadia Cloud

Credentials Needed

Credential	Format	Example
NATS_URL	Connection string	nats://host:4222

Setup Steps

1. For Railway: Add NATS as a service from template
2. Or deploy the NATS Docker image
3. Note: Local dev uses Docker Compose (no account needed)

Where to Store

Environment	Location
Local Dev	.env file (default: nats://localhost:4222)
Railway Backend	Railway Dashboard → Variables

---

4. Authentication: Clerk

Account Setup

• URL: dashboard.clerk.com
• Plan: Free tier supports 10,000 MAU

Credentials Needed

Credential	Format	Where Used
CLERK_SECRET_KEY	sk_live_... or sk_test_...	Backend (server-side)
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY	pk_live_... or pk_test_...	Frontend (client-side)
CLERK_WEBHOOK_SECRET	whsec_...	Webhook verification

Setup Steps

1. Create account at clerk.com
2. Create new application named "Fulcrum"
3. Go to API Keys section
4. Copy Publishable key and Secret key
5. Go to Webhooks → Create endpoint:
6. URL: https://fulcrumlayer.io/api/webhooks/clerk
7. Events: user.created, user.deleted, session.created
8. Copy the signing secret

Where to Store

Environment	Location
Local Dev	dashboard/.env.local
Vercel Dashboard	Vercel → Environment Variables

---

5. Billing: Stripe

Account Setup

• URL: dashboard.stripe.com
• Mode: Start with Test mode, switch to Live for production

Credentials Needed

Credential	Format	Where Used
STRIPE_SECRET_KEY	sk_live_... or sk_test_...	Backend API calls
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY	pk_live_... or pk_test_...	Frontend Stripe.js
STRIPE_WEBHOOK_SECRET	whsec_...	Webhook verification
STRIPE_PRICE_PRO	price_...	Pro plan subscription
STRIPE_PRICE_TEAM	price_...	Team plan subscription

Setup Steps

1. Create Stripe account
2. Go to Developers → API keys
3. Copy publishable and secret keys
4. Create Products:
5. Go to Products → Add product
6. Create "Fulcrum Pro" ($299/month) → copy price ID
7. Create "Fulcrum Team" ($999/month) → copy price ID
8. Create Webhook:
9. Go to Developers → Webhooks → Add endpoint
10. URL: https://fulcrumlayer.io/api/billing/webhook
11. Events: checkout.session.completed, customer.subscription.*, invoice.*
12. Copy signing secret

Where to Store

Environment	Location
Local Dev	dashboard/.env.local
Vercel Dashboard	Vercel → Environment Variables

---

6. Hosting: Vercel (Dashboard)

Account Setup

• URL: vercel.com
• Connect: Link to GitHub repo

Credentials Needed

Credential	Where to Get
VERCEL_TOKEN	Vercel → Settings → Tokens → Create
VERCEL_ORG_ID	Vercel → Settings → General → Team ID
VERCEL_PROJECT_ID	Vercel → Project → Settings → General

Setup Steps

1. Create Vercel account
2. Import GitHub repository (Fulcrum)
3. Set root directory to dashboard
4. Add all environment variables (Clerk, Stripe, API URLs)
5. For CI/CD: Create access token in Settings → Tokens

Environment Variables to Set in Vercel

NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_live_xxx
CLERK_SECRET_KEY=sk_live_xxx
CLERK_WEBHOOK_SECRET=whsec_xxx
STRIPE_SECRET_KEY=sk_live_xxx
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx
STRIPE_WEBHOOK_SECRET=whsec_xxx
STRIPE_PRICE_PRO=price_xxx
STRIPE_PRICE_TEAM=price_xxx
NEXT_PUBLIC_FULCRUM_API_URL=https://your-railway-url.railway.app
NEXT_PUBLIC_APP_URL=https://fulcrumlayer.io
FULCRUM_GRPC_ENDPOINT=your-railway-url.railway.app:443
POSTGRES_CONN_STR=postgresql://...
METRICS_CONN_STR=postgresql://...
NATS_URL=nats://...

---

7. Hosting: Railway (Backend)

Account Setup

• URL: railway.app
• Connect: Link to GitHub repo

Credentials Needed

Credential	Where to Get
RAILWAY_TOKEN	Railway → Account → Tokens → Create

Setup Steps

1. Create Railway account
2. Create new project
3. Add services:
4. fulcrum-server (from Dockerfile.server)
5. event-processor (from Dockerfile.eventprocessor)
6. PostgreSQL (Railway template)
7. Redis (Railway template or Upstash)
8. NATS (custom Dockerfile or template)
9. Set environment variables per service
10. For CI/CD: Create project token

Environment Variables to Set in Railway (Backend Services)

POSTGRES_CONN_STR=${{Postgres.DATABASE_URL}}
REDIS_URL=${{Redis.REDIS_URL}}
NATS_URL=nats://nats:4222
GRPC_PORT=50051
HTTP_PORT=8080
ENVIRONMENT=production
LOG_LEVEL=info
COGNITIVE_ENABLED=true
OLLAMA_HOST=http://ollama:11434

---

8. CI/CD: GitHub Secrets

Setup Location

• GitHub → Repository → Settings → Secrets and variables → Actions

Secrets Needed

Secret	Purpose	Where to Get
VERCEL_TOKEN	Deploy dashboard	Vercel → Settings → Tokens
VERCEL_ORG_ID	Identify org	Vercel → Settings → General
VERCEL_PROJECT_ID	Identify project	Vercel → Project → Settings
RAILWAY_TOKEN	Deploy backend	Railway → Account → Tokens
PYPI_TOKEN	Publish Python SDK	PyPI → Account → API tokens
NPM_TOKEN	Publish TypeScript SDK	npm → Access Tokens
SLACK_WEBHOOK_URL	CI notifications	Slack → Apps → Webhooks

Optional Secrets

Secret	Purpose
TESTPYPI_TOKEN	Test PyPI publishing
ANTHROPIC_API	Claude for testing
CLERK_PUBLISHABLE_KEY	E2E auth tests

---

9. SDK Publishing

PyPI (Python SDK)

1. Create account at pypi.org
2. Go to Account → API tokens
3. Create token with scope "Entire account" (first time) or project-specific
4. Add to GitHub Secrets as PYPI_TOKEN

npm (TypeScript SDK)

1. Create account at npmjs.com
2. Create organization @fulcrum-governance
3. Go to Access Tokens → Generate New Token (Automation)
4. Add to GitHub Secrets as NPM_TOKEN

---

10. Optional Services

PostHog (Analytics)

Credential	Where to Get
NEXT_PUBLIC_POSTHOG_KEY	PostHog → Project → Settings
NEXT_PUBLIC_POSTHOG_HOST	Usually https://app.posthog.com

Sentry (Error Tracking)

Credential	Where to Get
SENTRY_DSN_BACKEND	Sentry → Project → Client Keys
SENTRY_DSN_FRONTEND	Sentry → Project → Client Keys
SENTRY_AUTH_TOKEN	Sentry → Account → API Keys

---

Production Checklist

Before Launch

• [ ] PostgreSQL database created with production credentials
• [ ] Redis instance provisioned
• [ ] NATS JetStream configured
• [ ] Clerk application in Production mode (not Development)
• [ ] Stripe in Live mode (not Test)
• [ ] All Vercel environment variables set
• [ ] All Railway environment variables set
• [ ] GitHub Secrets configured for CI/CD
• [ ] Webhooks configured (Clerk, Stripe)
• [ ] Custom domain configured (fulcrumlayer.io)
• [ ] SSL certificates active

Security Checklist

• [ ] All .env files in .gitignore
• [ ] No secrets in git history (rotate if found)
• [ ] Database has sslmode=require
• [ ] Webhook signatures verified
• [ ] API keys use least-privilege scope

---

Credential Rotation

When to Rotate

• Every 90 days (scheduled)
• Immediately if compromised
• After team member offboarding

Rotation Order

1. Generate new credential in provider dashboard
2. Update Railway/Vercel environment variables
3. Verify services work with new credential
4. Revoke old credential

---

Emergency Contacts

Service	Support URL
Railway	railway.app/help
Vercel	vercel.com/support
Clerk	clerk.com/support
Stripe	support.stripe.com

---

Back to Runbooks | MANIFEST