Skip to main content

Credentials

The ledger reaches THREE external systems on the India book and TWO on the UAE book. None of the secrets live in the repo — they come from .env.uae.local or .env.ind.local (both gitignored) or from the deploy platform's secret store.

UAE (.env.uae.local)

Env varWhat
LEDGER_DB_URLUAE Postgres (asyncpg dsn)
LEDGER_TOKENread token
LEDGER_ADMIN_TOKENwrite / job token (falls back to read token if unset)
ENTITY_IDVALURA_UAE
GTN_BASE_URLGTN API host
GTN_THROTTLE_KEYthrottle-key header
GTN_BASIC_AUTHpre-encoded Basic …
GTN_ASSERTIONsigned JWT for token exchange
ZAG_API_URLAldar GetAllTransactions
ZAG_BALANCES_URLAldar balances
ZAG_ACCESS_TOKENZAG token
AED_PER_USDpeg (default 3.6725)

India (.env.ind.local)

Env varWhat
LEDGER_DB_URLIndia Postgres
LEDGER_TOKEN / LEDGER_ADMIN_TOKENtokens
ENTITY_IDVALURA_IND_IFSC
VIEWTRADE_API_KEY / _API_SECRETfirm creds
VIEWTRADE_UMA_URLUMA user-auth gateway
VTIFSC_DATA_URLwatchman host (default https://api.vtifsc.in)
VTIFSC_REPORTS_URLDaily Ledger reports host
VTIFSC_REPORTS_API_KEY / _API_SECRETDaily Ledger creds
VTIFSC_REPORTS_FIRM_CODEfirm code for the CSV
GLOMOPAY_BASE_URLhttps://api.glomopay.com (or test host in stg)
GLOMOPAY_TOKENBearer secret key
GLOMOPAY_FX_SPREAD_BPSassumed FX accrual bps (default 0)
GLOMOPAY_WEBHOOK_SECRETHMAC-SHA256 secret
VIEWTRADE_BROKERAGE_CHARGE_BPScustomer charge (default 22)
VIEWTRADE_BROKERAGE_COST_BPSViewTrade cost (default 4)
LRS_ANNUAL_CAP_USDdefault 250000
LRS_TCS_THRESHOLD_INRdefault 700000
LRS_TCS_RATE_BPSdefault 2000 (20%)
LRS_CAP_WARN_PCTdefault 0.8
CAPITAL_GAINS_LTCG_DAYSdefault 730 (24 months)
API_GLOBAL_BASE_URL / _TOKENprovisioning only, never data path

Rotating a secret

  1. Update the secret (Coolify prod / .env.*.local for local).
  2. Redeploy / restart the affected backend.
  3. Probe with a known-cheap endpoint (/v1/india/treasury for GlomoPay, /v1/india/compliance for ViewTrade).
  4. If the old secret was exposed anywhere, notify security and coordinate with the upstream to invalidate.

Never in commits, never in chat

Every value above is redacted in every doc. Test values (localdev token, sample webhook secret) exist only for local smoke tests.