Credentials
The ledger reaches THREE external systems on the India book and TWO on the UAE
book. None of the secrets live in the repo — they come from .env.uae.local or
.env.ind.local (both gitignored) or from the deploy platform's secret store.
UAE (.env.uae.local)
| Env var | What |
|---|---|
| LEDGER_DB_URL | UAE Postgres (asyncpg dsn) |
| LEDGER_TOKEN | read token |
| LEDGER_ADMIN_TOKEN | write / job token (falls back to read token if unset) |
| ENTITY_ID | VALURA_UAE |
| GTN_BASE_URL | GTN API host |
| GTN_THROTTLE_KEY | throttle-key header |
| GTN_BASIC_AUTH | pre-encoded Basic … |
| GTN_ASSERTION | signed JWT for token exchange |
| ZAG_API_URL | Aldar GetAllTransactions |
| ZAG_BALANCES_URL | Aldar balances |
| ZAG_ACCESS_TOKEN | ZAG token |
| AED_PER_USD | peg (default 3.6725) |
India (.env.ind.local)
| Env var | What |
|---|---|
| LEDGER_DB_URL | India Postgres |
| LEDGER_TOKEN / LEDGER_ADMIN_TOKEN | tokens |
| ENTITY_ID | VALURA_IND_IFSC |
| VIEWTRADE_API_KEY / _API_SECRET | firm creds |
| VIEWTRADE_UMA_URL | UMA user-auth gateway |
| VTIFSC_DATA_URL | watchman host (default https://api.vtifsc.in) |
| VTIFSC_REPORTS_URL | Daily Ledger reports host |
| VTIFSC_REPORTS_API_KEY / _API_SECRET | Daily Ledger creds |
| VTIFSC_REPORTS_FIRM_CODE | firm code for the CSV |
| GLOMOPAY_BASE_URL | https://api.glomopay.com (or test host in stg) |
| GLOMOPAY_TOKEN | Bearer secret key |
| GLOMOPAY_FX_SPREAD_BPS | assumed FX accrual bps (default 0) |
| GLOMOPAY_WEBHOOK_SECRET | HMAC-SHA256 secret |
| VIEWTRADE_BROKERAGE_CHARGE_BPS | customer charge (default 22) |
| VIEWTRADE_BROKERAGE_COST_BPS | ViewTrade cost (default 4) |
| LRS_ANNUAL_CAP_USD | default 250000 |
| LRS_TCS_THRESHOLD_INR | default 700000 |
| LRS_TCS_RATE_BPS | default 2000 (20%) |
| LRS_CAP_WARN_PCT | default 0.8 |
| CAPITAL_GAINS_LTCG_DAYS | default 730 (24 months) |
| API_GLOBAL_BASE_URL / _TOKEN | provisioning only, never data path |
Rotating a secret
- Update the secret (Coolify prod / .env.*.local for local).
- Redeploy / restart the affected backend.
- Probe with a known-cheap endpoint (/v1/india/treasury for GlomoPay, /v1/india/compliance for ViewTrade).
- If the old secret was exposed anywhere, notify security and coordinate with the upstream to invalidate.
Never in commits, never in chat
Every value above is redacted in every doc. Test values (localdev token,
sample webhook secret) exist only for local smoke tests.
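
One way to enforce the rule above before a commit, as an added example (not code from this repo): it reads the two local env files, keeps only the secret-bearing variables, and reports any file line that contains one of their values. Treating the name endings in `SECRET_NAME` as the secret ones is an assumption drawn from the tables, the function names are hypothetical, and the sample values are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: variables with these name endings hold secrets; the rest of the
# tables (hosts, ENTITY_ID, bps defaults, AED_PER_USD) are plain configuration.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|_KEY|_AUTH|ASSERTION|DB_URL)$")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.removeprefix("export ").strip()] = value.strip().strip("'\"")
    return env

def secret_values(env, min_len=8):
    """Keep secret-named variables; short values would match everywhere."""
    return {k: v for k, v in env.items()
            if SECRET_NAME.search(k) and len(v) >= min_len}

def find_leaks(text, secrets):
    """Return (line number, variable name) pairs; the value is never echoed."""
    return sorted((n, name)
                  for n, line in enumerate(text.splitlines(), 1)
                  for name, value in secrets.items() if value in line)

# Constructed sample values, not real credentials.
SAMPLE_ENV = '''LEDGER_TOKEN=localdev-token-0001
GLOMOPAY_WEBHOOK_SECRET="whsec_sample_000000"
AED_PER_USD=3.6725
ENTITY_ID=VALURA_UAE
'''
SAMPLE_TEXT = '''rate = 3.6725
token = "localdev-token-0001"
entity = "VALURA_UAE"
'''

if __name__ == "__main__":
    secrets = {}
    for env_file in (".env.uae.local", ".env.ind.local"):
        if Path(env_file).exists():
            found = secret_values(parse_env(Path(env_file).read_text()))
            secrets.update({f"{k} ({env_file})": v for k, v in found.items()})
    hits = [(f, n, name) for f in sys.argv[1:]
            for n, name in find_leaks(Path(f).read_text(errors="replace"), secrets)]
    for f, n, name in hits:
        print(f"{f}:{n}: contains the value of {name}")
    sys.exit(1 if hits else 0)
```

Run it from the repo root with the files about to be committed as arguments; a non-zero exit means a secret value was found, and the output names the variable without printing the value.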