Secret Management

In Zerq, treat credentials as managed objects with clear ownership, short rotation windows, and no secret literals in proxies or workflow nodes.

Practical rules

  • Store secrets in credential records or env-var-backed sources, never in route definitions.
  • Scope credentials per environment (dev, staging, prod) and per integration.
  • Restrict who can view, edit, or bind credentials through role policy.
  • Require an audit event for every create, rotate, or revoke action.
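
The first rule above (no secret literals in route definitions) is the easiest one to enforce mechanically before a definition is bound. The following scanner is an added example, not Zerq's own tooling: it walks a route or workflow definition loaded as plain dicts and lists (from YAML or JSON) and reports any secret-like key, or any inline `Authorization` value, that holds a literal instead of a reference to a managed source. The `cred:<record>` and `env:<VAR>` reference formats and the sample definition are assumptions made for this example, not documented Zerq syntax.

```python
"""Scan a Zerq route/workflow definition for embedded secret literals.

Added example, not Zerq's own tooling. Assumes definitions are plain
dicts/lists and that the only acceptable secret values are references of
the form "cred:<record-name>" (credential record) or "env:<VAR_NAME>"
(env-var-backed source). Those reference formats are an assumption here.
"""
import re
import sys

# Key names that usually carry a credential (case-insensitive substring match).
SECRET_KEY_HINTS = ("token", "secret", "password", "api_key", "apikey",
                    "authorization", "private_key")

# A value that points at a managed source rather than embedding the secret.
REFERENCE_PATTERN = re.compile(r"^(cred|env):[A-Za-z0-9_.-]+$")

# A header value carrying a bearer/basic credential inline.
INLINE_AUTH_PATTERN = re.compile(r"^(Bearer|Basic)\s+(\S+)$", re.IGNORECASE)


def is_secret_key(key):
    k = str(key).lower()
    return any(hint in k for hint in SECRET_KEY_HINTS)


def classify_value(key, value):
    """Return a finding reason for a string value, or None if it is acceptable."""
    m = INLINE_AUTH_PATTERN.match(value)
    if m:
        # "Bearer env:OPS_TOKEN" is fine; "Bearer <literal>" is not.
        return None if REFERENCE_PATTERN.match(m.group(2)) else "inline Authorization credential"
    if is_secret_key(key) and not REFERENCE_PATTERN.match(value):
        return "secret-like key holds a literal value"
    return None


def find_secret_literals(node, path="$"):
    """Return [(json_path, reason), ...] for every secret literal in the tree."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str):
                reason = classify_value(key, value)
                if reason:
                    findings.append((child, reason))
            else:
                findings.extend(find_secret_literals(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_secret_literals(item, f"{path}[{i}]"))
    return findings


# Constructed sample definition for demonstration; not a real Zerq file.
SAMPLE_ROUTES = {
    "routes": [
        {
            "name": "payments",
            "upstream": "https://payments.internal",
            "headers": {"Authorization": "Bearer env:OPS_TOKEN"},  # ok: env-backed
        },
        {
            "name": "billing-legacy",
            "upstream": "https://billing.internal",
            "headers": {"Authorization": "Bearer literal-token-DO-NOT-SHIP"},  # literal
            "auth": {"api_key": "cred:billing-prod"},  # ok: credential record
        },
        {
            "name": "reporting",
            "auth": {"password": "hunter2"},  # literal password
        },
    ]
}

if __name__ == "__main__":
    hits = find_secret_literals(SAMPLE_ROUTES)
    for json_path, reason in hits:
        print(f"{json_path}: {reason}")
    # Non-zero exit so a CI step can block the definition from being bound.
    sys.exit(1 if hits else 0)
```

Run it over each definition as a pre-merge or pre-bind check; a non-empty result should block the change, and the reported path tells the author exactly which value to move into a credential record or env-var-backed source.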

Validation commands

# Positive path
curl -i "https://gateway.example.com/internal/payments" \
  -H "Authorization: Bearer $OPS_TOKEN" \
  -H "X-Client-ID: billing-service" \
  -H "X-Profile-ID: prod-internal"

# Negative path: missing token should fail
curl -i "https://gateway.example.com/internal/payments" \
  -H "X-Client-ID: billing-service" \
  -H "X-Profile-ID: prod-internal"

Expected security outcomes

  • 401: caller is unauthenticated.
  • 403: caller authenticated but not authorized for this profile or resource.
  • 405: request method blocked by proxy method policy.
  • 429: caller exceeds profile/client quota after auth passes.

Operational checklist

  1. Rotate non-human credentials on a fixed schedule.
  2. Verify one success request and one deny request after every rotation.
  3. Revoke stale credentials immediately when owner or system changes.
  4. Review audit trail weekly for direct edits and emergency exceptions.
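
The validation commands above and checklist step 2 describe the same post-rotation check: one authenticated request that must succeed and one request with no token that must be denied with 401. The script below is an added example, not Zerq's own tooling, that turns that check into a pass/fail routine. It goes slightly beyond the two curl commands by optionally sending the pre-rotation token as well, which must also be denied once the old credential is revoked. The `send` parameter is an injection point (an assumption of this example) so the check can be exercised offline against a simulated gateway; the default sends real requests with `urllib`.

```python
"""Post-rotation verification for a Zerq proxy route.

Added example, not Zerq's own tooling. Mirrors the curl validation
commands on this page: positive path must be 2xx, missing token must be
401, and (an addition here) the old token must be 401 after revocation.
"""
import os
import urllib.error
import urllib.request

ROUTE = "https://gateway.example.com/internal/payments"


def default_send(url, headers):
    """GET the route and return the HTTP status (real network; not used offline)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def verify_rotation(url, token, client_id, profile_id, old_token=None, send=default_send):
    """Run the positive and deny paths; return (problems, statuses).

    An empty problems list means the rotation checks out.
    """
    common = {"X-Client-ID": client_id, "X-Profile-ID": profile_id}
    statuses = {
        "positive": send(url, {**common, "Authorization": f"Bearer {token}"}),
        "negative": send(url, dict(common)),  # no Authorization header at all
    }
    if old_token is not None:
        statuses["old_token"] = send(url, {**common, "Authorization": f"Bearer {old_token}"})

    problems = []
    if not 200 <= statuses["positive"] < 300:
        problems.append(f"positive path returned {statuses['positive']}, expected 2xx")
    # 401 is the documented outcome for an unauthenticated caller; a 403 here would
    # mean the gateway treated a token-less request as authenticated, a misconfiguration.
    if statuses["negative"] != 401:
        problems.append(f"missing token returned {statuses['negative']}, expected 401")
    if old_token is not None and statuses["old_token"] != 401:
        problems.append(f"old token returned {statuses['old_token']}, expected 401")
    return problems, statuses


def simulated_gateway(valid_token):
    """Constructed stand-in for the proxy so the check can run offline."""
    def send(url, headers):
        auth = headers.get("Authorization")
        if auth is None:
            return 401
        return 200 if auth == f"Bearer {valid_token}" else 401
    return send


if __name__ == "__main__":
    # Offline demonstration against the simulated gateway.
    problems, statuses = verify_rotation(
        ROUTE, "new-token", "billing-service", "prod-internal",
        old_token="old-token", send=simulated_gateway("new-token"),
    )
    print("simulated:", statuses, "problems:", problems or "none")

    # Real run: OPS_TOKEN is the freshly rotated token, OLD_OPS_TOKEN is optional.
    if os.environ.get("OPS_TOKEN"):
        problems, statuses = verify_rotation(
            ROUTE, os.environ["OPS_TOKEN"], "billing-service", "prod-internal",
            old_token=os.environ.get("OLD_OPS_TOKEN"),
        )
        print("gateway:", statuses, "problems:", problems or "none")
        raise SystemExit(1 if problems else 0)
```

Wire this into the rotation job so that a non-empty problems list fails the job and raises an alert; a passing positive path with a failing deny path is the case to watch for, since it means the rotation "worked" but the gateway is no longer enforcing authentication on that profile.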