{"id":"ops/auth-credential-rotation","relativePath":"ops/auth-credential-rotation.md","title":"Auth credential rotation runbook","markdown":"# Auth credential rotation runbook\n\nThis runbook is the authoritative process for rotating `AUTH_SECRET` (the session-signing key) and `AUTH_GITHUB_SECRET` (the client secret of the linked GitHub OAuth app).\n\n## Why this exists\n\n- Prevent long-lived session-signing keys: anyone holding `AUTH_SECRET` can mint sessions that the app trusts, so a leaked value stays dangerous until it is rotated.\n- Keep GitHub OAuth secrets out of stale environments such as decommissioned hosts and old CI artifacts.\n- Preserve a stable evidence trail for operational sign-off and incident recovery.\n\n## Rotation steps\n\n- Generate a fresh auth secret locally (32 random bytes, base64-encoded; never reuse a value from another environment):\n\n```bash\nopenssl rand -base64 32\n```\n\n- Update `AUTH_SECRET` in the platform secret store and in the target deployment environment. Pipe the value from the generator into the store, or paste it into the store UI, rather than passing it on a command line, so it never lands in shell history.\n- Generate a new `AUTH_GITHUB_SECRET` in the linked GitHub OAuth app dashboard and store it the same way. Where the dashboard allows more than one active client secret, add the new one first and delete the old one only after the deployment roll below completes, so in-flight sign-ins do not fail.\n- Roll the app deployment so every instance consumes the new secrets. If sessions are signed or encrypted with `AUTH_SECRET` rather than stored server-side, the roll invalidates every existing session and users must sign in again; schedule it accordingly.\n- Validate a public read path and a non-admin protected write path: sign in through GitHub, then call a write route with the correct role and confirm it succeeds. A session issued before the rotation should now be rejected (for signed or encrypted sessions); if it is still accepted, some instance is still running the old `AUTH_SECRET`.\n- Confirm old secret values are removed from:\n  - `.env*` files checked into source control (and from git history if they were ever committed; a secret that was pushed must be treated as exposed even after the file is deleted),\n  - CI cache/snapshot artifacts,\n  - local shell histories and docs.\n\n## Evidence required for closeout\n\n- Date of change:\n- Owner:\n- Deployment target:\n- Verification command(s):\n  - `pnpm session:closeout --summary \"AUTH credential rotation completed\"`\n  - `/api/health` (manual smoke to confirm auth-gated paths are healthy)\n- Evidence artifact:\n  - Roadmap operational sign-off section entry (`docs/roadmap.md` → `Pre-Era-C Operational Sign-Off`)\n  - Runbook completion record in the release notes (reference this file plus the execution log in your normal runbook location)\n\n## Recurring check\n\n- Re-run this runbook at or before each major operational checkpoint, and immediately if either secret may have been exposed, and record the date and owner in the operational sign-off section.\n","sections":[{"level":2,"heading":"Why this exists","anchor":"why-this-exists"},{"level":2,"heading":"Rotation steps","anchor":"rotation-steps"},{"level":2,"heading":"Evidence required for closeout","anchor":"evidence-required-for-closeout"},{"level":2,"heading":"Recurring check","anchor":"recurring-check"}],"html":"<h1 id=\"auth-credential-rotation-runbook\">Auth credential rotation runbook</h1>\n<p>This runbook is the authoritative process for rotating <code>AUTH_SECRET</code> (the session-signing key) and <code>AUTH_GITHUB_SECRET</code> (the client secret of the linked GitHub OAuth app).</p>\n<h2 id=\"why-this-exists\">Why this exists</h2>\n<ul><li>Prevent long-lived session-signing keys: anyone holding <code>AUTH_SECRET</code> can mint sessions that the app trusts, so a leaked value stays dangerous until it is rotated.</li><li>Keep GitHub OAuth secrets out of stale environments such as decommissioned hosts and old CI artifacts.</li><li>Preserve a stable evidence trail for operational sign-off and incident recovery.</li></ul>\n<h2 id=\"rotation-steps\">Rotation steps</h2>\n<ul><li>Generate a fresh auth secret locally (32 random bytes, base64-encoded; never reuse a value from another environment):</li></ul>\n<pre><code class=\"language-bash\">openssl rand -base64 32\n</code></pre>\n<ul><li>Update <code>AUTH_SECRET</code> in the platform secret store and in the target deployment environment. Pipe the value from the generator into the store, or paste it into the store UI, rather than passing it on a command line, so it never lands in shell history.</li><li>Generate a new <code>AUTH_GITHUB_SECRET</code> in the linked GitHub OAuth app dashboard and store it the same way. Where the dashboard allows more than one active client secret, add the new one first and delete the old one only after the deployment roll below completes, so in-flight sign-ins do not fail.</li><li>Roll the app deployment so every instance consumes the new secrets. If sessions are signed or encrypted with <code>AUTH_SECRET</code> rather than stored server-side, the roll invalidates every existing session and users must sign in again; schedule it accordingly.</li><li>Validate a public read path and a non-admin protected write path: sign in through GitHub, then call a write route with the correct role and confirm it succeeds. A session issued before the rotation should now be rejected (for signed or encrypted sessions); if it is still accepted, some instance is still running the old <code>AUTH_SECRET</code>.</li><li>Confirm old secret values are removed from:<ul><li><code>.env*</code> files checked into source control (and from git history if they were ever committed; a secret that was pushed must be treated as exposed even after the file is deleted),</li><li>CI cache/snapshot artifacts,</li><li>local shell histories and docs.</li></ul></li></ul>\n<h2 id=\"evidence-required-for-closeout\">Evidence required for closeout</h2>\n<ul><li>Date of change:</li><li>Owner:</li><li>Deployment target:</li><li>Verification command(s):<ul><li><code>pnpm session:closeout --summary &quot;AUTH credential rotation completed&quot;</code></li><li><code>/api/health</code> (manual smoke to confirm auth-gated paths are healthy)</li></ul></li><li>Evidence artifact:<ul><li>Roadmap operational sign-off section entry (<code>docs/roadmap.md</code> → <code>Pre-Era-C Operational Sign-Off</code>)</li><li>Runbook completion record in the release notes (reference this file plus the execution log in your normal runbook location)</li></ul></li></ul>\n<h2 id=\"recurring-check\">Recurring check</h2>\n<ul><li>Re-run this runbook at or before each major operational checkpoint, and immediately if either secret may have been exposed, and record the date and owner in the operational sign-off section.</li></ul>","updatedAt":"2018-10-20T01:46:40.000Z","checksum":"449b8b8eecb6d460e49a97781ddd9b3b3a7178930c5259e410a00052728c2d10","checksumPrefix":"449b8b8eecb6","anchorCount":4,"lineCount":43,"rawUrl":"/api/docs/content?path=ops%2Fauth-credential-rotation.md","htmlUrl":"/docs?doc=ops%2Fauth-credential-rotation.md","apiUrl":"/api/docs/content?path=ops%2Fauth-credential-rotation.md"}
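Worked example of the two checks the rotation steps in the runbook above call for, added here as an illustration and not taken from the project's code: it generates a secret the way `openssl rand -base64 32` does, shows that a session signed under the old `AUTH_SECRET` no longer verifies once the new value is in use (the validation step), and scans `.env*` files for lingering old values (the cleanup step). The HMAC-SHA256 token format, the `user-42` identity, the sample `.env` files and the old GitHub client-secret value are constructed assumptions; the real app's session format is whatever its auth library produces.

```python
"""Added example for the auth credential rotation runbook (not the project's code).

Assumes sessions are signed with AUTH_SECRET via HMAC-SHA256, a stand-in for
whatever the app's auth library actually does, and that stale values may sit in
files named .env*. The token format and sample files are constructed here.
"""
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional


def generate_auth_secret() -> str:
    """Equivalent of `openssl rand -base64 32`: 32 CSPRNG bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def sign_session(auth_secret: str, user_id: str) -> str:
    """Mint a constructed session token 'user_id.hex_mac' under auth_secret."""
    mac = hmac.new(auth_secret.encode(), user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(auth_secret: str, token: str) -> Optional[str]:
    """Return the user id if the token's MAC verifies under auth_secret, else None."""
    user_id, sep, mac = token.rpartition(".")
    if not sep or not user_id:
        return None
    expected = hmac.new(auth_secret.encode(), user_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many MAC bytes matched via timing.
    return user_id if hmac.compare_digest(expected, mac) else None


def rotation_invalidates_old_sessions(old_secret: str, new_secret: str) -> dict:
    """Validation step: a session minted before rotation must be rejected after it,
    and a session minted after rotation must be accepted."""
    old_token = sign_session(old_secret, "user-42")
    new_token = sign_session(new_secret, "user-42")
    return {
        "old_token_after_rotation": verify_session(new_secret, old_token),
        "new_token_after_rotation": verify_session(new_secret, new_token),
    }


def find_lingering_secrets(root: str, old_values: set) -> list:
    """Cleanup check: (relative path, variable name) pairs in .env* files under root
    whose value still equals one of the retired secrets."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    key, sep, value = line.strip().partition("=")
                    if sep and value.strip().strip("\"'") in old_values:
                        hits.append((os.path.relpath(path, root), key.strip()))
    return sorted(hits)


def demo() -> dict:
    """Run both checks against constructed data in a temporary directory."""
    old_secret = generate_auth_secret()
    new_secret = generate_auth_secret()
    old_github = "old-github-client-secret-constructed"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: staging still carries the retired values, production is clean.
        with open(os.path.join(root, ".env.staging"), "w") as fh:
            fh.write(f'AUTH_SECRET="{old_secret}"\nAUTH_GITHUB_SECRET={old_github}\n')
        with open(os.path.join(root, ".env.production"), "w") as fh:
            fh.write(f"AUTH_SECRET={new_secret}\n")
        hits = find_lingering_secrets(root, {old_secret, old_github})
    return {
        "sessions": rotation_invalidates_old_sessions(old_secret, new_secret),
        "lingering": hits,
    }


if __name__ == "__main__":
    result = demo()
    print("old session accepted after rotation:", result["sessions"]["old_token_after_rotation"] is not None)
    print("new session accepted after rotation:", result["sessions"]["new_token_after_rotation"] is not None)
    print("files still holding retired values:", result["lingering"])
```

A non-empty `lingering` list means the cleanup bullet is not yet satisfied for that file; an old token that still verifies after the roll means an instance is still running the previous `AUTH_SECRET`.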