
Security

Secrets and Environment Access

How adopter teams should handle secrets, credentials, and environment access without exposing them.

Audience: Partner administrators, Event leads, Adoption leads, Integration owners
Dashboard surfaces: partners.furries.ph, rego.furries.ph, EMS LAN integrations
Records touched: API service expectations, Auth state, Platform records

Protect The Sensitive Part First

Use this guide when a route, request, response, permission model, integration, or deployment behavior needs to be understood before people rely on it. This guide, Secrets and Environment Access, narrows that work to one question: how to document and use Worker secrets without leaking them. Because this is a security page, read it as part of the Platform adoption learning path rather than as an isolated checklist.

An API is a contract between systems. Even technical changes can affect attendee records, dashboard behavior, notifications, payments, files, or staff tools. Read the page for the decision it helps a person make, then use the steps and checks as a steady path from context to action to proof.

What Needs Protection

This page is about reducing harm before a route, secret, record, or browser behavior is used. Read it slowly when privacy, credentials, cookies, audit trails, or public exposure are involved. The intended readers are partner administrators, event leads, adoption leads, and integration owners. If the guide names a dashboard screen, service area, export, or record type, treat that name as a pointer to real operational responsibility.

  • Primary surface or service: partners-api.
  • Records or contracts involved: API service expectations, Auth state, and Platform records.
  • Main care point: Watch for using a service route with the wrong actor, changing a response another app depends on, leaking a secret, or triggering the same side effect twice.
  • Proof worth keeping: route inventory, method and path, auth model, request and response shape, platform owner confirmation, test result, consumer note, and deployment evidence.

Check The Boundary Before The Action

  1. Name the sensitive value or boundary: Begin by naming the Platform adoption situation, the owner, and the exact item involved in Secrets and Environment Access.
  2. Check who can see or change it: Use partners-api to connect the words on the page to the screen, file, route, or service trail that people actually use.
  3. Look for logging, sharing, retry, or browser exposure: Keep API service expectations, Auth state, and Platform records in view so the work stays tied to the records or contracts it can affect.
  4. Verify the safer behavior with a concrete test: Before handing off, save proof such as route inventory, method and path, auth model, request and response shape, platform owner confirmation, test result, consumer note, and deployment evidence so an adoption lead and a non-specialist reviewer can understand what the route does and how it was verified.

Protection Is In Place When

You are ready to use the rest of this page when the purpose, owner, affected information, and proof are all clear enough for a second person to review.

  1. Scope is named: The work is tied to the correct page, event, report, route, file, person, or record.
  2. Impact is understood: The operator can explain the effect on callers, records, permissions, secrets, side effects, and downstream apps.
  3. Proof is findable: The handoff points to evidence from which an adoption lead and a non-specialist reviewer can understand what the route does and how it was verified.

End-to-end adoption runbook

  1. Step 1 - Name the API workflow and owner: Identify the product area, organization owner, service path, and relying team before adopting a workflow or integration.
  2. Step 2 - Read the contract in human terms: Check who can use it, what information is exchanged, what can fail, what records change, and what proof the adopting team must keep.
  3. Step 3 - Prepare auth and input deliberately: Confirm the right role, account, partner, event, and approved data before depending on the workflow.
  4. Step 4 - Use or request the route in the right environment: Use the approved dashboard, rego, LAN, or integration environment and keep credentials out of notes, screenshots, and exports.
  5. Step 5 - Check returned data and real side effects: Confirm the visible result, affected records, external action, and review evidence in plain language.
  6. Step 6 - Record tests, docs, and handoff notes: Record the owner, expected behavior, adoption evidence, and escalation path before relying on it in production.

Secret workflow

  1. Action 1 - Name the binding: Document the environment variable name and purpose.
  2. Action 2 - Classify the secret: Database, auth, mail, social, wallet, LAN release, cron, test, encryption, or CMS.
  3. Action 3 - Identify routes that use it: Link capability reference pages and service owners.
  4. Action 4 - Define local setup: Explain how an adopter obtains a safe development value without exposing production.
  5. Action 5 - Verify deployment binding: Check Wrangler and Cloudflare environment configuration before release.
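
The five actions above can be checked mechanically before release. The following is an added example, not code from the Furries PH platform: it compares a documented secret inventory against the plaintext `vars` of a Wrangler config, the names reported by `wrangler secret list`, and the keys in a local `.dev.vars` file. Every binding name, route, and value in it is constructed for illustration.

```javascript
// Added example: pre-release audit for the secret workflow (Actions 1-5).
// All binding names, routes, and values below are constructed, not the platform's.

// Actions 1-3: the documented inventory (binding name, class, routes that use it).
const inventory = [
  { name: "DATABASE_URL", class: "database", routes: ["/v1/records"] },
  { name: "MAIL_API_KEY", class: "mail", routes: ["/v1/notify"] },
  { name: "SESSION_SIGNING_KEY", class: "auth", routes: ["/v1/login"] },
];

// Constructed stand-ins for the three places a value can live:
// plaintext `vars` from the Wrangler config, secret names as reported by
// `wrangler secret list`, and the keys present in the local `.dev.vars` file.
const wranglerVars = { API_BASE: "https://example.invalid", MAIL_API_KEY: "constructed-value" };
const deployedSecrets = ["DATABASE_URL", "CRON_TOKEN"];
const devVarsKeys = ["DATABASE_URL", "MAIL_API_KEY"];

function auditSecretBindings(inventory, vars, deployed, devKeys) {
  const documented = new Set(inventory.map((s) => s.name));
  const varKeys = new Set(Object.keys(vars));
  const deployedSet = new Set(deployed);
  const devSet = new Set(devKeys);
  const findings = [];
  for (const s of inventory) {
    // A documented secret under `vars` sits in the config file as plaintext.
    if (varKeys.has(s.name)) findings.push({ name: s.name, issue: "plaintext-var" });
    // Action 5: every documented secret must be bound as a secret before release.
    if (!deployedSet.has(s.name)) findings.push({ name: s.name, issue: "not-deployed" });
    // Action 4: local setup needs a development value for each binding.
    if (!devSet.has(s.name)) findings.push({ name: s.name, issue: "no-local-value" });
  }
  // A deployed secret that nobody documented has no owner, class, or route list.
  for (const name of deployed) {
    if (!documented.has(name)) findings.push({ name, issue: "undocumented" });
  }
  return findings;
}

// Report binding names only; the values themselves are never printed.
function formatFindings(findings) {
  return findings.map((f) => `${f.issue}: ${f.name}`).sort();
}

console.log(formatFindings(auditSecretBindings(inventory, wranglerVars, deployedSecrets, devVarsKeys)).join("\n"));
```

An empty result means every documented binding is deployed as a secret, has a local development value, and does not appear in plaintext `vars`; the printed findings list is safe to attach as deployment evidence because it contains names, not values.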
