
🔐 Secrets & Configuration

Where and how are API keys managed?


🎯 Recommendation: Cloudflare Dashboard

✅ CORRECT: Cloudflare Secrets Manager

Cloudflare Dashboard → Workers & Pages → Settings → Environment Variables

Advantages:

  • ✅ Secure (never in Git)
  • ✅ Per environment (dev, staging, prod)
  • ✅ Encrypted
  • ✅ Versioned
  • ✅ Access control

❌ WRONG: .env file

# ❌ Do NOT commit these!
.env
.env.local
.env.production

Why not?

  • ❌ Risk of leaking (Git)
  • ❌ No encryption
  • ❌ Hard to rotate
  • ❌ No audit log


📋 OVERVIEW OF ALL SECRETS

1. Adobe Express API

Purpose: automatic PDF/exposé generation

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| ADOBE_CLIENT_ID | Adobe Developer Console | OAuth Client ID |
| ADOBE_CLIENT_SECRET | Adobe Developer Console | OAuth Client Secret |
| ADOBE_API_KEY | Adobe Developer Console | API Key |

Setup steps:

  1. Go to https://developer.adobe.com/console
  2. Create new project: "ContractPlattform"
  3. Add API: Adobe Express API
  4. Generate credentials:
     Client ID: abc123...
     Client Secret: xyz789...
     API Key: def456...

Required scopes:

adobe_sign:account:read
adobe_sign:library_documents:read
adobe_sign:library_documents:write

Cost: free tier: 1000 API calls/month


2. Microsoft Graph API

Purpose: MS Bookings, Outlook, Teams integration

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| MS_CLIENT_ID | Azure Portal → App Registrations | Application (client) ID |
| MS_CLIENT_SECRET | Azure Portal → Certificates & secrets | Client secret value |
| MS_TENANT_ID | Azure Portal → Overview | Directory (tenant) ID |

Setup steps:

  1. Azure Portal: https://portal.azure.com
  2. App Registrations → New registration
  3. Name: ContractPlattform API
  4. Supported account types: Multitenant
  5. Redirect URI: https://api.contractplattform.dev/auth/callback
  6. Certificates & secrets → New client secret
  7. Description: ContractPlattform Production
  8. Expires: 24 months (recommended)
  9. Copy the Value (visible only once!)
  10. API permissions → Add permission → Microsoft Graph → Delegated permissions:
     Bookings.Read.All
     Bookings.ReadWrite.All
     Calendars.ReadWrite
     Mail.Send
     User.Read

Cost: free (part of Microsoft 365)


3. Salesforce API

Purpose: CRM integration (MORELO leads, opportunities)

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| SALESFORCE_CLIENT_ID | Salesforce Setup → Apps → App Manager | Consumer Key |
| SALESFORCE_CLIENT_SECRET | Salesforce App Manager | Consumer Secret |
| SALESFORCE_USERNAME | Salesforce Admin | API user email |
| SALESFORCE_PASSWORD | Salesforce Admin | API user password |
| SALESFORCE_SECURITY_TOKEN | Salesforce → Settings → Reset Security Token | Token sent by email |
| SALESFORCE_INSTANCE_URL | After login | e.g. https://na1.salesforce.com |

Setup steps:

  1. Salesforce Setup: https://login.salesforce.com
  2. Apps → App Manager → New Connected App
  3. Connected App Name: ContractPlattform API
  4. Contact Email: admin@contractplattform.dev
  5. Enable OAuth Settings:
     Callback URL: https://api.contractplattform.dev/auth/salesforce/callback
     Selected OAuth Scopes:
       Access and manage your data (api)
       Perform requests on your behalf at any time (refresh_token, offline_access)
  6. Copy the Consumer Key/Secret
  7. Create the API user:
     Setup → Users → New User
     Profile: System Administrator (or a custom API profile)
     Generate Password
     Request the security token by email

Cost:

  • Developer Edition: free
  • Production: included in the Salesforce license


4. sevDesk API

Purpose: accounting & invoicing

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| SEVDESK_API_TOKEN | sevDesk → Settings → API | API token |

Setup steps:

  1. sevDesk login: https://my.sevdesk.de
  2. Settings → Interfaces → API
  3. Create API token
  4. Name: ContractPlattform API
  5. Permissions: read and write
  6. Copy the token (visible only once!)

API documentation: https://api.sevdesk.de/

Cost:

  • Basic: free
  • Pro: €9/month (more API calls)


5. Stripe Payment API

Purpose: payment processing (deposits, leasing)

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| STRIPE_SECRET_KEY | Stripe Dashboard | Secret key (sk_live_...) |
| STRIPE_PUBLISHABLE_KEY | Stripe Dashboard | Publishable key (pk_live_...) |
| STRIPE_WEBHOOK_SECRET | Stripe Dashboard → Webhooks | Webhook signing secret |

Setup steps:

  1. Stripe Dashboard: https://dashboard.stripe.com
  2. Developers → API keys
  3. Secret key: sk_live_... (for the server)
  4. Publishable key: pk_live_... (for the frontend)
  5. Webhooks → Add endpoint
  6. Endpoint URL: https://api.contractplattform.dev/webhooks/stripe
  7. Events to send:
     payment_intent.succeeded
     payment_intent.payment_failed
     customer.created
     invoice.paid
  8. Signing secret: whsec_...

Test mode:

  • sk_test_... (free)
  • pk_test_...

Cost:

  • 1.4% + €0.25 per transaction (EU cards)
  • No monthly fee


6. Cloudflare D1 Database

Purpose: contract storage, user management

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| D1_DATABASE_ID | Cloudflare Dashboard → D1 | Database ID |

Setup steps:

  1. Cloudflare Dashboard: https://dash.cloudflare.com/edeaf72f08c3145711f257893d9ddab1
  2. Workers & Pages → D1
  3. Create database
  4. Name: contractplattform-prod
  5. Location: Western Europe
  6. Copy the Database ID

In wrangler.toml:

[[d1_databases]]
binding = "DB"
database_name = "contractplattform-prod"
database_id = "YOUR_DATABASE_ID_HERE"

Cost:

  • Free tier: 5 GB storage
  • Paid: $5/10 GB


7. Cloudflare KV (Cache)

Purpose: session storage, API response cache

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| KV_NAMESPACE_ID | Cloudflare Dashboard → KV | Namespace ID |

Setup steps:

  1. Cloudflare Dashboard → Workers & Pages → KV
  2. Create namespace
  3. Name: contractplattform-cache-prod
  4. Copy the Namespace ID

In wrangler.toml:

[[kv_namespaces]]
binding = "CACHE"
id = "YOUR_NAMESPACE_ID_HERE"

Cost:

  • Free tier: 100k reads/day
  • Paid: $0.50/GB storage


8. Polygon Blockchain (NFT)

Purpose: NFT minting (MORELO ownership)

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| POLYGON_RPC_URL | Alchemy or Infura | RPC endpoint |
| POLYGON_PRIVATE_KEY | Wallet (MetaMask) | Private key (KEEP SECURE!) |
| NFT_CONTRACT_ADDRESS | After deployment | Smart contract address |

Setup steps:

  1. Alchemy account: https://www.alchemy.com/
  2. Create App
  3. Chain: Polygon
  4. Network: Polygon Mainnet (or Mumbai Testnet)
  5. Copy the HTTPS RPC URL:
     https://polygon-mainnet.g.alchemy.com/v2/YOUR_API_KEY
  6. MetaMask wallet:
     Create a new account for the API
     Export the private key (⚠️ NEVER share it!)
     Fund it with MATIC (for gas fees)

Cost:

  • Alchemy free tier: 300M compute units/month
  • MATIC gas fees: ~$0.01-0.10 per transaction


9. IPFS (NFT Metadata Storage)

Purpose: NFT metadata & images (decentralized)

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| PINATA_API_KEY | Pinata | API Key |
| PINATA_SECRET_KEY | Pinata Dashboard | Secret API Key |

Setup steps:

  1. Pinata account: https://www.pinata.cloud/
  2. API Keys → New Key
  3. Name: ContractPlattform API
  4. Permissions: pinFileToIPFS, pinJSONToIPFS
  5. Copy the API Key + Secret

Alternative: NFT.Storage (free)

Cost:

  • Pinata free: 1 GB storage
  • Paid: $20/month (1 TB)


10. Plane.so (Project Management)

Purpose: test-drive appointments, dealer workflows

Required secrets:

| Secret name | Where to get it | Description |
|---|---|---|
| PLANE_API_KEY | Plane.so → Settings | API token |
| PLANE_WORKSPACE_ID | Plane Dashboard | Workspace slug |

Setup steps:

  1. Plane.so account: https://plane.so/
  2. Settings → API Tokens → Generate Token
  3. Copy the Workspace ID from the URL:
     https://app.plane.so/YOUR_WORKSPACE_ID/projects

Self-hosted option: https://github.com/makeplane/plane

Cost:

  • Free tier: 5 users
  • Paid: $8/user/month


🔧 Cloudflare Dashboard Setup

Adding secrets

  1. Go to: https://dash.cloudflare.com/edeaf72f08c3145711f257893d9ddab1/workers
  2. Select your Worker/Pages project
  3. Settings → Variables and Secrets
  4. Add Variable:
Production Environment:
├─ ADOBE_CLIENT_ID = abc123...
├─ ADOBE_CLIENT_SECRET = [Encrypted]
├─ MS_CLIENT_ID = def456...
├─ MS_CLIENT_SECRET = [Encrypted]
├─ SALESFORCE_CLIENT_ID = ghi789...
├─ SALESFORCE_CLIENT_SECRET = [Encrypted]
├─ SEVDESK_API_TOKEN = [Encrypted]
├─ STRIPE_SECRET_KEY = [Encrypted]
├─ STRIPE_WEBHOOK_SECRET = [Encrypted]
├─ POLYGON_PRIVATE_KEY = [Encrypted] ⚠️
├─ PINATA_API_KEY = jkl012...
└─ PINATA_SECRET_KEY = [Encrypted]

Preview Environment:
├─ (Same keys but _TEST_ versions)
└─ STRIPE_SECRET_KEY = sk_test_...

📄 .env.example (for local development)

# Adobe Express API
ADOBE_CLIENT_ID=your_adobe_client_id_here
ADOBE_CLIENT_SECRET=your_adobe_client_secret_here
ADOBE_API_KEY=your_adobe_api_key_here

# Microsoft Graph API
MS_CLIENT_ID=your_ms_client_id_here
MS_CLIENT_SECRET=your_ms_client_secret_here
MS_TENANT_ID=your_ms_tenant_id_here

# Salesforce API
SALESFORCE_CLIENT_ID=your_salesforce_consumer_key_here
SALESFORCE_CLIENT_SECRET=your_salesforce_consumer_secret_here
SALESFORCE_USERNAME=your_salesforce_api_user@example.com
SALESFORCE_PASSWORD=your_salesforce_password_here
SALESFORCE_SECURITY_TOKEN=your_salesforce_security_token_here
SALESFORCE_INSTANCE_URL=https://na1.salesforce.com

# sevDesk API
SEVDESK_API_TOKEN=your_sevdesk_api_token_here

# Stripe Payment API
STRIPE_SECRET_KEY=sk_test_your_stripe_secret_key_here
STRIPE_PUBLISHABLE_KEY=pk_test_your_stripe_publishable_key_here
STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_here

# Cloudflare D1 (automatically injected by Wrangler)
# D1_DATABASE_ID=configured_in_wrangler_toml

# Cloudflare KV (automatically injected by Wrangler)
# KV_NAMESPACE_ID=configured_in_wrangler_toml

# Polygon Blockchain
POLYGON_RPC_URL=https://polygon-mainnet.g.alchemy.com/v2/YOUR_ALCHEMY_KEY
POLYGON_PRIVATE_KEY=0xYOUR_PRIVATE_KEY_HERE
NFT_CONTRACT_ADDRESS=0xYOUR_CONTRACT_ADDRESS_HERE

# IPFS (Pinata)
PINATA_API_KEY=your_pinata_api_key_here
PINATA_SECRET_KEY=your_pinata_secret_key_here

# Plane.so
PLANE_API_KEY=your_plane_api_token_here
PLANE_WORKSPACE_ID=your_workspace_slug_here

# JWT Secret (generate with: openssl rand -base64 32)
JWT_SECRET=your_random_32_char_secret_here

✅ Setup Checklist

Phase 1: Create accounts

  • [ ] Adobe Developer Account
  • [ ] Azure/Microsoft 365 Account
  • [ ] Salesforce Developer Account
  • [ ] sevDesk Account
  • [ ] Stripe Account
  • [ ] Alchemy Account (Blockchain)
  • [ ] Pinata Account (IPFS)
  • [ ] Plane.so Account

Phase 2: Generate API keys

  • [ ] Adobe: Client ID + Secret + API Key
  • [ ] Microsoft: Client ID + Secret + Tenant ID
  • [ ] Salesforce: Consumer Key + Secret + User Credentials
  • [ ] sevDesk: API Token
  • [ ] Stripe: Secret Key + Publishable Key + Webhook Secret
  • [ ] Polygon: RPC URL + Private Key
  • [ ] Pinata: API Key + Secret
  • [ ] Plane: API Token

Phase 3: Configure Cloudflare

  • [ ] D1 database created
  • [ ] KV namespace created
  • [ ] Secrets entered in the dashboard
  • [ ] Preview environment configured

Phase 4: Testing

  • [ ] Local development with .env
  • [ ] Test API endpoints
  • [ ] Test the Cloudflare deployment

🔒 Security Best Practices

DO ✅

  • ✅ Store secrets in the Cloudflare Dashboard
  • ✅ Separate keys for dev/staging/prod
  • ✅ Rotate API keys regularly (every 90 days)
  • ✅ Enable audit logs
  • ✅ IP allowlisting (where possible)
  • ✅ Enable rate limiting

DON'T ❌

  • ❌ Commit secrets to Git
  • ❌ Share secrets via Slack/email
  • ❌ Use production keys for tests
  • ❌ Private keys in the frontend
  • ❌ Hardcoded secrets in code
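Several of these rules, plus the placeholders in the .env.example above, can be enforced mechanically at startup. The check below is an added example, not project code: it takes the secret names listed on this page and reports, by name only, values that are missing, still carry a .env.example placeholder, use a live Stripe key outside production, or fall short of the formats the page describes (0x-prefixed wallet key, 32-character JWT secret). The sample environment and all its values are constructed.

```javascript
// Added example (not from the original page): a startup check for the secret names this
// page lists. Problems are reported by NAME only, never by value, so the output is safe to log.
const REQUIRED = [
  'ADOBE_CLIENT_ID', 'ADOBE_CLIENT_SECRET', 'ADOBE_API_KEY',
  'MS_CLIENT_ID', 'MS_CLIENT_SECRET', 'MS_TENANT_ID',
  'STRIPE_SECRET_KEY', 'STRIPE_PUBLISHABLE_KEY', 'STRIPE_WEBHOOK_SECRET',
  'POLYGON_RPC_URL', 'POLYGON_PRIVATE_KEY', 'JWT_SECRET',
];
// Values copied unchanged from .env.example (your_..._here, 0xYOUR_..., YOUR_ALCHEMY_KEY).
const PLACEHOLDER = /your_|_here$/i;

// stage is 'production' or 'preview' (the two Cloudflare environments on this page).
// Returns a list of human-readable problems; an empty list means the config is usable.
function checkSecrets(env, stage) {
  const problems = [];
  for (const name of REQUIRED) {
    const value = env[name];
    if (!value) { problems.push(`${name}: missing`); continue; }
    if (PLACEHOLDER.test(value)) problems.push(`${name}: still a .env.example placeholder`);
  }
  // Live Stripe keys belong only in production; preview must use sk_test_/pk_test_ keys.
  const mode = stage === 'production' ? 'live' : 'test';
  const sk = env.STRIPE_SECRET_KEY || '';
  const pk = env.STRIPE_PUBLISHABLE_KEY || '';
  if (sk && !sk.startsWith(`sk_${mode}_`)) problems.push(`STRIPE_SECRET_KEY: expected an sk_${mode}_ key in ${stage}`);
  if (pk && !pk.startsWith(`pk_${mode}_`)) problems.push(`STRIPE_PUBLISHABLE_KEY: expected a pk_${mode}_ key in ${stage}`);
  if (env.STRIPE_WEBHOOK_SECRET && !env.STRIPE_WEBHOOK_SECRET.startsWith('whsec_')) problems.push('STRIPE_WEBHOOK_SECRET: not a whsec_ signing secret');
  // The wallet key is the highest-risk value on this page: require exactly 32 bytes of hex.
  if (env.POLYGON_PRIVATE_KEY && !/^0x[0-9a-f]{64}$/i.test(env.POLYGON_PRIVATE_KEY)) problems.push('POLYGON_PRIVATE_KEY: not a 0x-prefixed 32-byte hex key');
  // openssl rand -base64 32 yields 44 characters; anything shorter than 32 is too weak.
  if (env.JWT_SECRET && env.JWT_SECRET.length < 32) problems.push('JWT_SECRET: shorter than 32 characters (generate with openssl rand -base64 32)');
  return problems;
}

// Constructed, fully valid preview environment (every value is made up), with optional overrides.
function makeSampleEnv(overrides = {}) {
  const base = {};
  for (const name of REQUIRED) base[name] = `constructed-${name.toLowerCase()}`;
  Object.assign(base, {
    STRIPE_SECRET_KEY: 'sk_test_constructed', STRIPE_PUBLISHABLE_KEY: 'pk_test_constructed',
    STRIPE_WEBHOOK_SECRET: 'whsec_constructed', POLYGON_PRIVATE_KEY: '0x' + 'ab'.repeat(32),
    JWT_SECRET: 'constructed-'.repeat(4),
  });
  return Object.assign(base, overrides);
}
```

In a Worker, call `checkSecrets(env, env.STAGE)` in the fetch handler's first request and fail closed (HTTP 500 with the names logged) rather than serving with a half-configured environment.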

XPipe Integration (Team Collaboration)

What is XPipe?

XPipe is a connection hub that:

  • ✅ Manages SSH keys & server access
  • ✅ Integrates password managers (1Password, KeePass, etc.)
  • ✅ Offers a Git-based team vault
  • ✅ Has an MCP server for AI agents
  • ✅ Can run Cloudflare Worker scripts

Use case: team secret rotation

#!/bin/bash
# XPipe script: "Rotate Stripe Keys"
set -euo pipefail

# 1. Fetch the new key from the password manager (via XPipe; here the macOS keychain)
NEW_KEY=$(security find-generic-password -a "stripe-secret-key" -w)
[ -n "$NEW_KEY" ] || { echo "no key found for stripe-secret-key" >&2; exit 1; }

# 2. Update on all Cloudflare instances (wrangler reads the secret value from stdin)
wrangler secret put STRIPE_SECRET_KEY --env morelo <<< "$NEW_KEY"
wrangler secret put STRIPE_SECRET_KEY --env flo <<< "$NEW_KEY"

echo "✅ Stripe key rotated across all instances"

XPipe for infrastructure secrets

What XPipe should manage:

  • ✅ SSH private keys for production servers
  • ✅ Docker registry credentials
  • ✅ Kubernetes cluster access
  • ✅ AWS/cloud provider credentials
  • ✅ Database connection strings

What does NOT belong in XPipe:

  • ❌ Cloudflare Worker runtime secrets (→ Cloudflare Dashboard)
  • ❌ Third-party API keys (→ Cloudflare Dashboard)

Setup

  1. Install XPipe:

     brew install --cask xpipe-io/tap/xpipe

  2. Configure the Git vault:
     Settings → Sync → Git Repository
     URL: git@github.com:your-org/xpipe-vault.git
     Auto-Commit: ✅

  3. Connect a password manager:
     Settings → Password Manager
     Choose: 1Password, KeePass, Bitwarden, etc.

More details: XPipe Integration →


📊 Cost Overview

| Service | Free tier | Paid (approx.) |
|---|---|---|
| Adobe Express | 1000 calls/mo | $0.10/call |
| MS Graph | Unlimited | Included in M365 |
| Salesforce | Developer Edition | From €25/user/mo |
| sevDesk | Basic | €9/mo |
| Stripe | | 1.4% + €0.25 |
| Cloudflare D1 | 5 GB | $5/10 GB |
| Cloudflare KV | 100k reads/day | $0.50/GB |
| Alchemy (Polygon) | 300M units/mo | $49/mo |
| Pinata (IPFS) | 1 GB | $20/mo (1 TB) |
| Plane.so | 5 users | $8/user/mo |

Total (free tier): €0/month
Total (paid): approx. €100-200/month (depending on usage)


Next: API Deployment →