Credentials & Access Map
What exists, where the real value lives, and how AI tools may safely use it — never the secrets themselves.
No raw secrets are stored here.
This is a map: locations, env var names, MFA status and AI-access rules. Real passwords, API keys and recovery codes live in your password manager. Each card has copyable AI-safe handover text.
Cloudflare account
Cloudflare · Login
- Account
- robconverge@googlemail.com
- Secret location
- Password manager › RobOS vault › Cloudflare
- MFA
- Enabled
- Recovery
- Password manager › RobOS vault › Cloudflare › recovery
- Last reviewed
- 2026-06-13
Account login — rotate if exposed. Holds DNS + email routing for rob-os.com.
AI-safe handover: Cloudflare manages rob-os.com DNS and email routing (rob@rob-os.com → hotmail). Do not request or print the login. Assume I make DNS/email changes manually in the Cloudflare dashboard.
GitHub login
GitHub · Login
- Account
- rob@rob-os.com
- Secret location
- Password manager › RobOS vault › GitHub
- MFA
- Enabled
- Recovery
- Password manager › RobOS vault › GitHub › recovery
- Last reviewed
- 2026-06-13
Shared in a chat transcript on 2026-06-13 — ROTATE soon and enable a passkey. Vercel & Supabase log in via this GitHub account.
AI-safe handover: GitHub is the identity hub — Vercel and Supabase authenticate via 'Continue with GitHub'. Never request or print the GitHub password. Use a fine-grained Personal Access Token in CI via the GITHUB_TOKEN env var instead.
Vercel (via GitHub SSO)
Vercel · Oauth App
- Account
- rob@rob-os.com (GitHub SSO)
- Secret location
- No separate password — logs in via GitHub
- MFA
- Enabled
- Last reviewed
- 2026-06-13
No standalone secret; secured by the GitHub account. Use VERCEL_TOKEN for API automation later.
AI-safe handover: Vercel logs in with GitHub SSO — there is no separate Vercel password. For future API automation use a VERCEL_TOKEN env var; do not request it inline.
Supabase database password
Supabase · Login
- Account
- postgres (per project)
- Secret location
- Password manager › RobOS vault › Supabase DB; also in Supabase project settings
- MFA
- Off
- Last reviewed
- 2026-06-13
Shared in a chat transcript on 2026-06-13 — ROTATE in Supabase project settings. Dashboard login itself is via GitHub SSO.
AI-safe handover: The Supabase Postgres password is a secret. Never request, print or hardcode it. Connect using the pooled connection string from process.env (e.g. DATABASE_URL / SUPABASE_DB_URL) which I configure manually.
Supabase service role key
Supabase · Env Var
- Secret location
- Supabase project › Settings › API; injected via Vercel env (server only)
- Env var
SUPABASE_SERVICE_ROLE_KEY- MFA
- Off
- Last reviewed
- 2026-06-13
Rotate from Supabase API settings if leaked. Server-side only — never in client bundles.
AI-safe handover: Use process.env.SUPABASE_SERVICE_ROLE_KEY on the server only. Do not hardcode, print, expose to the client, or request the value. Assume I configure it manually in Vercel.
Supabase anon / publishable key
Supabase · Env Var
- Secret location
- Supabase project › Settings › API; injected via Vercel env
- Env var
NEXT_PUBLIC_SUPABASE_ANON_KEY- MFA
- Off
- Last reviewed
- 2026-06-13
Public by design but still use the env var, not a literal.
AI-safe handover: Use process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY. It is a public client key, but still reference it via the env var rather than pasting a literal.
rob@rob-os.com (primary identity)
Email · Cloudflare routing · Login
- Account
- rob@rob-os.com
- Secret location
- Cloudflare Email Routing (forward-only) › password manager for any linked mailbox
- MFA
- Enabled
- Last reviewed
- 2026-06-13
Forwarding identity via Cloudflare → rob.owen89@hotmail.co.uk.
AI-safe handover: rob@rob-os.com is my primary identity and forwards (via Cloudflare) to a hotmail inbox. Refer to it as my email; never request inbox access.
Hotmail forwarding inbox
Microsoft / Hotmail · Login
- Account
- rob.owen89@hotmail.co.uk
- Secret location
- Password manager › RobOS vault › Hotmail
- MFA
- Enabled
- Recovery
- Password manager › RobOS vault › Hotmail › recovery
- Last reviewed
- 2026-06-13
Receives all rob@rob-os.com mail. Protect — it's effectively account recovery for everything.
AI-safe handover: rob.owen89@hotmail.co.uk receives forwarded rob@rob-os.com mail and is effectively my recovery inbox. Never request access or codes from it.
Anthropic / Claude API key (future)
Anthropic Claude · Api Key
- Secret location
- Not created yet — will live in Vercel env + password manager
- Env var
ANTHROPIC_API_KEY- MFA
- Off
For the future Native AI mode. Not needed for MVP copy/launch mode.
AI-safe handover: For the future native Claude mode, use process.env.ANTHROPIC_API_KEY on the server. Not required for the MVP, which is copy/launch only.
OpenAI API key (future)
OpenAI / GPT · Api Key
- Secret location
- Not created yet — will live in Vercel env + password manager
- Env var
OPENAI_API_KEY- MFA
- Off
For the future Native AI mode (GPT + Codex workflows). Not needed for MVP.
AI-safe handover: For the future native GPT/Codex mode, use process.env.OPENAI_API_KEY on the server. Not required for the MVP.
Stripe (future billing)
Stripe · Api Key
- Secret location
- Stripe dashboard › API keys; Vercel env when used
- Env var
STRIPE_SECRET_KEY- MFA
- Enabled
Use restricted keys per project. Webhook secret separate.
AI-safe handover: Use process.env.STRIPE_SECRET_KEY on the server and STRIPE_WEBHOOK_SECRET for webhooks. Never log or expose secret keys; prefer restricted keys.
PayPal
PayPal · Login
- Account
- rob@rob-os.com
- Secret location
- Password manager › RobOS vault › PayPal
- MFA
- Enabled
AI-safe handover: PayPal is a financial account. Never request or handle its credentials in any AI workflow.
Domain registrar (Cloudflare Registrar)
Cloudflare Registrar · Login
- Account
- robconverge@googlemail.com
- Secret location
- Same as Cloudflare account › password manager
- MFA
- Enabled
AI-safe handover: Domains (rob-os.com etc.) are managed in Cloudflare. Domain transfers/DNS are done by me manually; never request registrar access.
Password manager (RobOS vault)
Password Manager · Login
- Account
- (your master account)
- Secret location
- Master password — memorised only; never stored digitally
- MFA
- Enabled
- Recovery
- Offline / secure physical location
AI-safe handover: The password manager is the root of trust for all RobOS secrets. Its master password is never stored or shared with any tool. All other credentials reference locations inside it.
Vercel access token (new account)
Vercel · Api Key
- Secret location
- RobOS vault — CLI/CI deploys to the new rob@rob-os.com Vercel account
- Env var
VERCEL_TOKEN- MFA
- Off
Created 2026-06-13; appeared in a chat transcript — revoke/rotate when convenient at vercel.com/account/tokens.
AI-safe handover: Use process.env.VERCEL_TOKEN for Vercel CLI/API deploys to the new account. Never print or hardcode it. Belongs to rob@rob-os.com's Vercel, NOT the old robconverge-cpu login.
GitHub fine-grained PAT (new account)
GitHub · Api Key
- Secret location
- RobOS vault — rob@rob-os.com, Contents + Administration r/w
- Env var
GH_TOKEN- MFA
- Off
Created 2026-06-13; appeared in a chat transcript — revoke/rotate when convenient at github.com/settings/tokens.
AI-safe handover: Use process.env.GH_TOKEN for git push / gh CLI / repo creation under the new rob@rob-os.com GitHub. Never print or hardcode it. The machine's gh CLI is the OLD GoToGrowTVC account — override with this token.
Supabase access token (new account)
Supabase · Api Key
- Secret location
- RobOS vault — management API / Supabase CLI / MCP for the new account
- Env var
SUPABASE_ACCESS_TOKEN- MFA
- Off
Created 2026-06-13; appeared in a chat transcript — revoke/rotate when convenient at supabase.com/dashboard/account/tokens.
AI-safe handover: Use process.env.SUPABASE_ACCESS_TOKEN for the Supabase CLI/management API/MCP under the new account. It is NOT a project anon/service key. Never print or hardcode it.