This page is the canonical inventory of server-side secrets. Anything Remlo expects in env that isn’t a public config value lives here. Every entry describes:
  • What it is — the actual secret format and source.
  • Used by — which code paths read it.
  • If lost / rotated — operator-side blast radius.

Authentication & identity

PRIVY_VERIFICATION_KEY

PEM-format public key used to verify Privy JWTs.
  • Used by — lib/jwt.ts:verifyPrivyToken. Every authenticated API request and the middleware admin check.
  • If rotated by Privy — every existing Privy session token fails verification until users re-sign-in. Rotate by updating env + redeploy. No on-chain impact.

PRIVY_APP_SECRET / PRIVY_APP_ID

Server-side Privy admin credentials.
  • Used by — lib/privy-server.ts for admin lookups (e.g. fetching a user’s email by ID).
  • If lost — Privy admin operations fail. Server-rendered emails that look up by user ID degrade to “Employee” placeholders.

ADMIN_USER_IDS

Comma-separated Privy user IDs (did:privy:...) authorized to access /admin/* routes.
  • Used by — lib/auth.ts:isPlatformAdminUserId, middleware.ts admin gate, every /api/admin/* endpoint.
  • If unset — nobody is admin. The middleware redirects all /admin/* requests to user role homes. The API endpoints return 403.
  • Rotation — update env, redeploy. Existing admin sessions remain authenticated as users (they had real Privy tokens) but lose admin privileges immediately.

Database & cron

NEXT_PUBLIC_SUPABASE_URL / SUPABASE_SERVICE_KEY

Supabase API endpoint + service-role key for server-side queries.
  • Used by — every server-side DB read/write in lib/supabase-server.ts.
  • If lost — every database operation fails. Total outage.

CRON_SECRET

Shared secret for /api/cron/* endpoints.
  • Used by — lib/cron-auth.ts:authorizeCronRequest. Every cron handler checks it via Authorization: Bearer <CRON_SECRET> (Vercel Cron format) or X-Cron-Secret.
  • If unset — cron handlers return 501 and skip work. Crons silently stop doing useful work — Vercel still hits them but they no-op.
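The check described for CRON_SECRET, as an added TypeScript sketch (not Remlo's lib/cron-auth.ts). The function name `checkCronRequest`, the header object shape, and the 401 on a missing or wrong secret are assumptions; the 501 when the secret is unset follows the page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed shape: header names already lower-cased by the framework.
type CronHeaders = { authorization?: string; "x-cron-secret"?: string };

// Compare in constant time. Hashing first gives timingSafeEqual the
// equal-length inputs it requires without leaking the secret's length.
function sameSecret(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Returns the HTTP status the cron handler should answer with.
function checkCronRequest(
  headers: CronHeaders,
  secret: string | undefined,
): 200 | 401 | 501 {
  // Fail closed: with no secret configured, nothing is authorized.
  if (!secret) return 501;

  // Vercel Cron sends "Authorization: Bearer <secret>"; other callers
  // may send X-Cron-Secret instead.
  const bearer = headers.authorization?.match(/^Bearer (.+)$/)?.[1];
  const presented = bearer ?? headers["x-cron-secret"];
  if (!presented) return 401; // assumed status, not stated on the page

  return sameSecret(presented, secret) ? 200 : 401;
}
```

Because an unset secret makes every cron a quiet no-op, a 501 from any /api/cron/* route is worth alerting on in the deployment's logs.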

Tempo

TEMPO_NETWORK

Selects which Tempo network the server runs against — mainnet | testnet | devnet. Default testnet.

TEMPO_RPC_URL_FALLBACK

Optional. Second RPC URL for viem’s fallback transport on rate limits / 5xx.
  • Used by — lib/reputation/erc8004-client.ts:buildTempoTransport.
  • If unset — single RPC. A spike on the public /agents page can saturate the primary.

REMLO_AGENT_PRIVATE_KEY

Hex private key (0x..., 32 bytes) for the Remlo agent EOA. Used to sign on-chain payroll txs, ERC-8004 reputation writes, virtual-address master registration, and TIP-403 whitelist mutations.
  • Used by — lib/contracts.ts:getServerWalletClient, lib/reputation/erc8004.ts, lib/tempo/policy-admin.ts, app/api/employers/[id]/virtual-master/route.ts.
  • If lost — every server-side on-chain write breaks. Manual payroll runs fail. Auto-Payroll cron fails on every row. KYC → TIP-403 whitelist promotion silently skips.
  • Rotation — generate a new key, fund it, transfer admin rights for the contracts that recognize the old key (PayrollBatcher access roles, TIP-403 policy admin), then swap env + redeploy.

AUTOPAYROLL_ENCRYPTION_KEY

32-byte hex key (no 0x prefix needed, but accepted). Used to AES-256-GCM encrypt the Remlo-generated access-key private keys at rest in autopayroll_authorizations.access_key_encrypted. Generate with openssl rand -hex 32 per environment. NEVER commit. NEVER reuse across environments (so a testnet leak can’t decrypt mainnet rows).
  • Used by — lib/tempo/access-keys.ts:encryptAccessKey / decryptAccessKey. The Auto-Payroll create endpoint (encrypt) and the autopayroll-tick cron (decrypt).
  • If unset — Auto-Payroll create returns 503; cron tick fails on any encrypted row.
  • If lost / rotated — every encrypted access key becomes unusable. Cron fails on every active row. Operator should mark all rows failed and notify employers to revoke + re-create. No funds at risk — the chain still recognizes the access-key public address; the employer’s revoke is independent of Remlo’s encryption key.
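Why per-environment keys and rotation behave as described, shown as an added TypeScript sketch using Node's crypto module (not Remlo's lib/tempo/access-keys.ts). The names `sealAccessKey`, `openAccessKey` and `canOpen`, the iv/tag/ciphertext storage layout, and all key values are constructed for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed sample values, one key per environment (never real keys).
const TESTNET_KEY = "11".repeat(32);
const MAINNET_KEY = "22".repeat(32);
const SAMPLE_ACCESS_KEY = "0x" + "ab".repeat(32);

// 32-byte hex key; a leading 0x is accepted, as the page describes.
function parseKey(hex: string): Buffer {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (!/^[0-9a-fA-F]{64}$/.test(h)) {
    throw new Error("key must be exactly 32 bytes of hex");
  }
  return Buffer.from(h, "hex");
}

// Assumed storage layout: base64(iv[12] || tag[16] || ciphertext).
function sealAccessKey(accessKey: string, keyHex: string): string {
  const iv = randomBytes(12); // fresh nonce per row; never reuse under one key
  const cipher = createCipheriv("aes-256-gcm", parseKey(keyHex), iv);
  const ct = Buffer.concat([cipher.update(accessKey, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function openAccessKey(blob: string, keyHex: string): string {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 28) throw new Error("ciphertext too short");
  const d = createDecipheriv("aes-256-gcm", parseKey(keyHex), raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag does not verify (wrong key or tampered row).
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}

// True only if the row authenticates under this environment's key.
function canOpen(blob: string, keyHex: string): boolean {
  try { openAccessKey(blob, keyHex); return true; } catch { return false; }
}
```

A row sealed under one environment's key fails authentication under any other key, so after a rotation `canOpen` over each stored row identifies the ones to mark failed.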

Email

RESEND_API_KEY

Resend API key. Required at boot — lib/env.ts validates.
  • Used by — lib/email/client.ts.
  • If unset — boot fails in production.

RESEND_WEBHOOK_SECRET

Svix-style HMAC secret for verifying Resend webhook events (bounces, complaints).
  • Used by — app/api/webhooks/resend/route.ts.
  • If unset in prod — webhooks return 401. Suppression list stops growing. Bounces still hard-fail at send time but we lose the audit trail.

Bridge (KYC + off-ramp)

BRIDGE_API_KEY

Bridge sandbox or production API key.
  • Used by — lib/employee-onboarding.ts:ensureEmployeeKycLink, off-ramp flows.

BRIDGE_WEBHOOK_SECRET

PEM-format RSA public key for verifying Bridge webhooks (KYC link, customer, transfer, card transaction events).
  • Used by — app/api/webhooks/bridge/route.ts.
  • If unset — webhooks return 500. KYC status updates from Bridge stop propagating to Remlo’s DB. KYC emails to employees stop firing.

Tempo webhooks

TEMPO_WEBHOOK_SECRET

Used to verify Tempo’s payroll-settlement webhooks.
  • Used by — Tempo webhook handler (if wired).

ERC-8004 (optional overrides)

NEXT_PUBLIC_ERC8004_IDENTITY_REGISTRY / _REPUTATION_REGISTRY / _VALIDATION_REGISTRY

Override the enshrined Tempo registries. Defaults are the predeployed system contracts (0x8004A1… / 0x8004BA…); the validation registry is not enshrined and must be set explicitly if used.

REMLO_PAYROLL_AGENT_ID / REMLO_VALIDATOR_AGENT_ID

Bigint strings — Remlo’s own ERC-8004 agent IDs.

Solana

SOLANA_AGENT_KEYPAIR

JSON array of bytes (Solana keypair format). Used for SAS reputation attestations.

SMTP / fall-back transports

None today. Resend handles all delivery.

Rotation principles

  • Per-environment isolation — every secret is unique per environment (testnet / staging / mainnet). Never copy a key across.
  • Generate locally, store in vendor vault — Vercel for Vercel-deployed values; Supabase secrets for service keys. Plain-text in .env.local is OK for development; never check it in.
  • Audit log on rotation — when an admin-impacting key (ADMIN_USER_IDS, REMLO_AGENT_PRIVATE_KEY, AUTOPAYROLL_ENCRYPTION_KEY) rotates, log the date and reason in internal/SECURITY_FIX_LOG.md.
