SEQN Auth Operations

Environments

Production base URL:


https://accounts.seqn.in

Local service default:


http://127.0.0.1:4080

Use local HTTP only for development. Non-localhost targets should use HTTPS.

Operations map

Smoke check

The SDK package includes a non-mutating smoke check:


cd D:\sil\packages\seqn-auth-js
$env:SEQN_AUTH_BASE_URL="https://accounts.seqn.in"
$env:SEQN_AUTH_PUBLISHABLE_KEY="pk_live_..."
$env:SEQN_AUTH_SECRET_KEY="sk_live_..."
npm run smoke

The check validates:

  • The publishable key can load public client config from /v1/client/config.
  • The secret key can verify backend application health from /v1/backend/application.
  • Returned application records are active.

The smoke check does not deploy, create applications, rotate secrets, or write service data.

Daily operations loop

  • Confirm external /healthz and /v1/config checks are green.
  • Confirm /auth/console redirects anonymous users into hosted login instead of exposing admin data.
  • Confirm https://docs.seqn.in/ loads if the public docs route is enabled.
  • Check backup freshness and that the newest backup contains MANIFEST.sha256.
  • Check offsite backup age if backup-offsite.sh is enabled.
  • Review 429 rate_limited, 401, 402, and 5xx trends before changing limits or plans.
  • Review webhook delivery retries and failed deliveries from the hosted console.
  • Review admin audit logs for unexpected project, user, role, subscription, or secret-rotation events.

Key handling

  • pk_live_ keys can appear in browser code and frontend configuration.
  • sk_live_ keys must stay server-side or in short-lived operations shells.
  • whsec_ webhook signing secrets must stay server-side in webhook consumers.
  • Authentik API tokens and OIDC client secrets must stay in deployment secrets, never browser storage.
  • Store secret keys in the deployment secret store, not in repo files or docs.
  • Rotate keys after accidental disclosure or when moving an application between environments.
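
The Key handling rules above can be checked mechanically before a commit or deploy. The following is an added example, not part of the SEQN SDK or this page's original code: a scanner that flags sk_live_ and whsec_ values in file contents and marks the ones that sit in browser-shipped paths. The key prefixes come from the list above; the token body pattern, the frontend path markers, and the sample files are assumptions constructed for illustration.

```javascript
// Added example. Prefixes are from the Key handling list; everything else is assumed.
const SECRET_PREFIXES = ["sk_live_", "whsec_"];              // must stay server-side
const TOKEN_BODY = "[A-Za-z0-9_-]{8,}";                      // assumed key body format
const FRONTEND_MARKERS = ["/public/", "/src/client/"];       // hypothetical browser-shipped paths

// Keep the prefix and the last 4 characters so a finding can be matched
// to a key in the console without copying the secret into the report.
function redact(token, prefix) {
  return `${prefix}****${token.slice(-4)}`;
}

// files: { path: contents }. Returns one finding per secret-prefixed token.
function scanFiles(files) {
  // The lookbehind stops matches inside longer identifiers (e.g. "task_live_...").
  const pattern = new RegExp(
    `(?<![A-Za-z0-9_])(${SECRET_PREFIXES.join("|")})${TOKEN_BODY}`, "g");
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const inBrowser = FRONTEND_MARKERS.some((m) => ("/" + path).includes(m));
    text.split(/\r?\n/).forEach((line, idx) => {
      for (const match of line.matchAll(pattern)) {
        findings.push({
          path,
          line: idx + 1,
          kind: match[1],
          token: redact(match[0], match[1]),
          exposure: inBrowser ? "browser" : "repo", // either way: rotate the key
        });
      }
    });
  }
  return findings;
}

// Constructed sample input: paths and key values are made up for this example.
const SAMPLE_FILES = {
  "web/public/config.js": [
    'const pk = "pk_live_EXAMPLEONLY0000";', // publishable key: allowed in frontend code
    'const sk = "sk_live_EXAMPLEONLY0001";', // secret key in browser code: flagged
  ].join("\n"),
  "services/hooks/.env": "WEBHOOK_SECRET=whsec_EXAMPLEONLY0002", // secret in a repo file
  "docs/ops.md": '$env:SEQN_AUTH_SECRET_KEY="sk_live_..."',      // placeholder: ignored
};

console.log(scanFiles(SAMPLE_FILES));
```

Any finding means the key has been written somewhere it should not be, so it falls under the rotation rule above regardless of the exposure value.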

Rollout order

  1. Deploy the Silver Auth API endpoint implementation for /v1/client/config and /v1/backend/application.
  2. Run the SDK unit tests locally.
  3. Run the smoke check against staging with staging keys.
  4. Run the smoke check against production with production keys.
  5. Wire app frontend config to loadPublicConfig().
  6. Wire backend boot checks to verifyBackendKeyHealth().
  7. Enable monitoring checks and non-email alerts before public onboarding.
  8. Enable local backups, then offsite encrypted backups.

Failure triage

  • invalid_base_url: the SDK rejected the configured endpoint before making a request.
  • seqn_auth_http_error: the API returned a non-2xx response. Check status, code, and message.
  • seqn_auth_network_error: the request failed before the API response was available. Check DNS, TLS, and proxy routes.
  • application_disabled: the key is valid but the app should not accept traffic.
  • rate_limited: the app limiter rejected the request. Check traffic source, route, and Retry-After.
  • subscription_inactive: the org subscription state blocks mutations.
  • subscription_limit_exceeded: the org reached a plan limit for projects, users, or webhooks.