Secrets and configuration
Related: cognito-and-auth · deployment-pypi-s3 · troubleshooting-decisions
Environment variables
| Variable | Secret? | Notes |
|---|---|---|
| VILLA_COGNITO_CLIENT_SECRET | **Yes** | Value from Cognito → **Show client secret** |
| VILLA_COGNITO_CLIENT_ID | No | 6k932iah7v1hgnd33a53c3v1mj |
| VILLA_COGNITO_USER_POOL_ID | No | ap-southeast-1_bul3MgmNE |
| VILLA_COGNITO_REGION | No | ap-southeast-1 |
| VILLA_BASE_URL | No | Default https://shop.villamarket.com |
| VILLA_ENV | No | dev or prod |
| PYPI_KEY | **Yes** | PyPI API token (local publish only) |
Copy .env.example → .env (gitignored).
Where to store secrets
| Context | Where |
|---|---|
| Local dev | .env or ~/.env |
| Cursor Cloud Agent | Dashboard → **Secrets** → Runtime Secret |
| GitHub CI | Repository secrets (VILLA_COGNITO_CLIENT_SECRET, AWS_*) |
| Never | Git commits, chat, issues |
git-secrets
git-secrets **blocks** accidental commits — it is not a secret store.
./scripts/setup-git-secrets.sh "$VILLA_COGNITO_CLIENT_SECRET"
Common mistake
**Client Secret ID** (6k932iah7v1hgnd33a53c3v1mj--1779672734505) ≠ **client secret** (from Show client secret). Wrong value → Unable to verify secret hash.
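
A pre-flight check for the mistake above, as an added example (not this project's own code). It flags a Client Secret ID pasted into VILLA_COGNITO_CLIENT_SECRET and shows how Cognito's SECRET_HASH depends on the real client secret. The function names and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

REQUIRED = ("VILLA_COGNITO_CLIENT_SECRET", "VILLA_COGNITO_CLIENT_ID",
            "VILLA_COGNITO_USER_POOL_ID", "VILLA_COGNITO_REGION")

# Constructed sample values, not real credentials.
SAMPLE_ENV = {
    "VILLA_COGNITO_CLIENT_SECRET": "constructed-sample-secret",
    "VILLA_COGNITO_CLIENT_ID": "exampleclientid123",
    "VILLA_COGNITO_USER_POOL_ID": "ap-southeast-1_EXAMPLE00",
    "VILLA_COGNITO_REGION": "ap-southeast-1",
    "VILLA_ENV": "dev",
}


def secret_hash(username, client_id, client_secret):
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def check_config(env):
    """Return a list of problems. Messages never contain a secret value."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    client_id = env.get("VILLA_COGNITO_CLIENT_ID", "")
    secret = env.get("VILLA_COGNITO_CLIENT_SECRET", "")
    # Heuristic taken from the page's example: a Client Secret ID looks like
    # "<client id>--<digits>", so it starts with the client ID itself.
    if client_id and secret.startswith(client_id + "--"):
        problems.append("VILLA_COGNITO_CLIENT_SECRET holds the Client Secret ID, "
                        "not the value from Show client secret")
    pool = env.get("VILLA_COGNITO_USER_POOL_ID", "")
    region = env.get("VILLA_COGNITO_REGION", "")
    # Cognito user pool IDs are prefixed with their region and an underscore.
    if pool and region and not pool.startswith(region + "_"):
        problems.append("VILLA_COGNITO_USER_POOL_ID is not in VILLA_COGNITO_REGION")
    if "VILLA_ENV" in env and env["VILLA_ENV"] not in ("dev", "prod"):
        problems.append("VILLA_ENV must be dev or prod")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_ENV) or ["configuration looks consistent"]:
        print(problem)
```

To check a real environment, call `check_config(os.environ)` after loading `.env`.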