Operations Guide
Operational reference — secret rotation, version history and rollback, key management, audit events, retention, exports, and incident response.
Day-two operations for teams running on varsafe: rotating secrets, recovering from bad changes, managing keys and tokens, and getting audit data out. Procedures assume the role required for the action (roles reference).
Secret Rotation
Why Rotate?
- Compromised credentials
- Employee departure
- Regular security hygiene
- Compliance requirements
Rotation via Dashboard
Requires: developer role or above (owner/admin in protected environments).
- Navigate to Secrets
- Select the project and environment
- Click the rotate icon next to the secret
- Either let varsafe auto-generate a new value or enter one manually
- Review the preview step
- Confirm rotation
The old value is immediately replaced, and a secret.rotated audit event is recorded. Applications using varsafe run receive the new value on their next start.
Rotation via CLI
For scripted rotation, set the new value directly:
varsafe set DATABASE_URL "postgres://new-value" -p my-api -e production
Rotation Best Practices
CSV Export
- Navigate to Audit Log
- Apply any filters needed
- Click Export CSV
Alert-Worthy Events
Configurable alerting is not currently exposed in the dashboard — review the audit log (or feed exports into your SIEM) and watch for:
Monitor your audit logs for these events
| Event | Concern |
|---|---|
Multiple auth.login_failed |
Brute force attempt |
secret.accessed (production) |
Verify authorized access |
team.member_invited (admin role) |
Privilege escalation |
auth.2fa_disabled |
Security downgrade |
environment.key_access_denied |
Unauthorized key access attempt |
| Unfamiliar IP addresses | Unauthorized access |
| ::: |
Compliance Exports
Structured JSON exports of the audit trail, formatted for common review frameworks. Requires the Team plan and owner/admin role. These exports support your compliance program — they are not certifications.
SOC 2
- Navigate to Audit Log
- Set the date range (audit period)
- Click Export → SOC 2
- Download the JSON file
Includes security-relevant events, authentication events, secret access logs, and a member access matrix.
GDPR Article 30
- Navigate to Audit Log
- Click Export → GDPR
- Download the JSON file
Formats the audit trail as a processing-activities record.
HIPAA
- Navigate to Audit Log
- Click Export → HIPAA
- Download the JSON file
Formats access events and authentication events for access-control review.
Access Reviews
Quarterly Access Review
-
List team members:
- Dashboard → Teams → expand each team
- Note members and their roles
-
Review for:
- Departed employees (should be removed)
- Role appropriateness (least privilege — see roles)
- Deactivated or inactive accounts
-
Take action:
- Remove departed members (this auto-rotates environment keypairs they had key access to)
- Downgrade excessive roles
- Document review completion
Reviewing API Tokens
- Go to team settings → API Tokens
- For each token, check: is it still needed, who created it, when was it last used (timestamp, IP, and user agent are tracked)
- Revoke unused tokens
Incident Response
Compromised Secret
Immediate actions required
- Rotate immediately — Dashboard → Secrets → rotate, or
varsafe setfor automation - Review audit logs — who had access? When? From which IP addresses?
- Assess impact — which systems use this secret? Was there unauthorized access?
- Document the incident — timeline, actions taken, lessons learned
Compromised Account
Immediate actions required
- Revoke sessions immediately — Profile → Security → revoke all sessions
- Reset the password — or enable passkey-only mode
- Review audit logs — what did the account access? Were any secrets exported?
- Rotate affected secrets — assume compromise; rotate everything the account could read
- Report to the team — notify security, document for compliance
Compromised API Token
Immediate actions required
- Revoke immediately — team settings → API Tokens → Revoke
- Create a new token — scoped at least as tightly as the old one
- Update configurations — CI/CD systems, automated scripts
- Review token usage — check audit logs and the token’s last-used IP/user agent for unauthorized access
Troubleshooting
Authentication required
varsafe loginPermission denied
Check:
- Team membership exists (and is not deactivated)
- The role permits the action (roles reference)
- The environment is not protected (developers get read-only access there; viewers none)
Project not found
Either:
- Create the project in the dashboard
- Use
varsafe useto set context - Specify with the
-pflag
Rate limited
Wait and retry. If persistent:
- Check for automation running too frequently
- Contact support for a limit increase