Secrets Rotation
All secrets are stored in Coolify's environment configuration — never in git. After rotating any secret, update the Coolify env var and restart the container.
Viva Webhook Key (VIVA_WEBHOOK_KEY)
This key signs webhook payloads sent from Viva to the API.
How to rotate:
- Call the Viva API to get a new webhook key:

  ```bash
  # Demo
  curl -u "<merchant_id>:<api_key>" \
    "https://demo.vivapayments.com/api/messages/config/token"

  # Production
  curl -u "<merchant_id>:<api_key>" \
    "https://www.vivapayments.com/api/messages/config/token"
  ```

  Returns `{ "Key": "new-key-value" }`
- Update `VIVA_WEBHOOK_KEY` in Coolify UI for the API container
- Restart the API container
- Re-verify the webhook URL in the Viva dashboard (the `GET /payments/webhook` handshake):
  - Viva dashboard → Web Payments → Webhooks → verify URL
  - This triggers Viva to call `GET /payments/webhook`, which returns `{ Key: VIVA_WEBHOOK_KEY }`
  - If verification passes, Viva will use the new key for signatures
Why re-verify? Viva caches the expected signature key. Changing VIVA_WEBHOOK_KEY without re-verifying means Viva will still send webhooks signed with the old key, and your signature verification will reject them.
SMTP Password (Zoho)
- Log in to the Zoho SMTP account at `mail.zoho.eu`
- Navigate to Account Security → App Passwords (if using app-specific password)
- Generate a new password / change the account password
- Update `SMTP_PASS` in Coolify for the API container
- Restart the API container
- Verify by checking that the next email (e.g., next warranty cron, or trigger a test) is delivered
Google OAuth Credentials
Used for customer Google sign-in.
- Go to Google Cloud Console → APIs & Services → Credentials
- Find the OAuth 2.0 Client ID for pcmr.gr
- Rotate the client secret (create new, then delete old after verifying)
- Update `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` in Coolify API
- Restart the API container
- Test Google sign-in on staging first
Hetzner Object Storage Keys
Hetzner Storage Box access credentials.
- Log in to Hetzner Cloud Console
- Navigate to Object Storage → Access Keys
- Create a new access key pair
- Update `STORAGE_ACCESS_KEY` and `STORAGE_SECRET_KEY` in Coolify API
- Restart the API container
- Verify by uploading a test file through the staff portal (e.g., add an attachment to an order)
- Delete the old access key from Hetzner Console
Do production and staging separately — they use different key pairs.
BETTER_AUTH_SECRET
This key signs all session tokens. Rotating this secret will invalidate all existing sessions — all users will be logged out.
- Generate a new secret:

  ```bash
  openssl rand -hex 32
  ```
- Update `BETTER_AUTH_SECRET` in Coolify for both the API and web containers (must match)
- Restart both containers
- All sessions are now invalidated — users must log in again
- Notify staff before rotating (they will be logged out)
Only rotate if: The secret is compromised, or you suspect session forgery.
Coolify API Token
Used by GitHub Actions to trigger deploys.
- Log in to Coolify (`coolify.ctsolutions.gr`)
- Settings → API Tokens → Create new token
- Update `COOLIFY_API_TOKEN` in GitHub repository secrets: `github.com/<org>/<repo>` → Settings → Secrets and variables → Actions
- Verify by pushing an empty commit and confirming the deploy triggers
- Revoke the old token in Coolify
Cloudflare Access
Cloudflare Access OTP codes are ephemeral — no rotation needed. If an email address should be removed from access:
- Log in to Cloudflare Zero Trust dashboard
- Access → Applications → find the relevant app (Coolify, Staff Portal, Docs)
- Policies → remove the email or email domain
Post-Rotation Checklist
After rotating any secret:
- Secret updated in Coolify UI
- Container restarted
- Functionality verified (sign-in, file upload, payment, email)
- Old secret revoked/deleted from the source system
- Any dependent systems notified (e.g., staff about `BETTER_AUTH_SECRET` rotation)