This guide details security procedures, key/secret rotation policies, and vulnerability scanning operations for JobFlow.
JobFlow supports programmatic API Key rotation to minimize risks from compromised keys.
Rotation Endpoint: POST /api/v1/tenants/:tenantId/keys/:keyId/rotate
- Call the rotate endpoint using the old key ID and specify expiration days (optional):
curl -X POST http://localhost:5000/api/v1/tenants/<tenantId>/keys/<keyId>/rotate \ -H "Authorization: Bearer <user_token>" \ -H "Content-Type: application/json" \ -d '{"expiresDays": 30}'
- The old API Key is instantly deleted and revoked.
- A new raw API key string is generated and returned in the JSON response. Update client systems immediately.
All environment secrets must be rotated periodically (e.g. every 90 days).
- Generate a secure, cryptographically random string (e.g. 64 characters).
- Update the
JWT_SECRETvariable inside.envor Kubernetes secret manifests. - Perform a rolling restart of the API server. Note: Rotating JWT secrets will invalidate all active user sessions, requiring users to log in again.
- Update password inside PostgreSQL database:
ALTER USER postgres WITH PASSWORD 'new_secure_password_here';
- Update the
DATABASE_URLconnection string inside JobFlow.envconfig. - Perform rolling deployments of both API servers and Background Workers.
To maintain a secure software supply chain:
Before checking in code, run:
npm auditThis scans dependencies for known CVEs and updates package-lock.json. To automatically resolve non-breaking issues:
npm audit fixWe recommend integrating Snyk or GitHub Dependabot in the workflow repository:
- Add
.github/dependabot.ymlto trigger daily security scans ofnpmpackages. - Integrate a build step in the CI pipeline:
Builds will fail if high or critical vulnerabilities are introduced.
- name: Run Snyk Security Scan run: npx snyk test --all-projects env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}