@@ -614,31 +614,42 @@ The CloudSync server needs to validate tokens from your auth server. Configurati
614614
615615### Option A: HS256 (shared secret)
616616
617- Configure these environment variables on the CloudSync server:
617+ In the CloudSync dashboard, go to your PostgreSQL project → ** Configuration** → ** Edit connection settings** :
618+ - Under ** JWT secret** , enter your ` JWT_SECRET ` value from ` .env `
619+ - Click ** Save**
618620
619- ``` env
620- # Use the same JWT_SECRET as your auth server (base64-encoded)
621- JWT_SECRET=<your-jwt-secret>
622-
623- # For development/testing, set the development issuer override
624- JWT_DEVELOPMENT_ISSUER_PROJECT_ID=cloudsync-postgres-flyio
625- ```
626-
627- Both the auth server and CloudSync must use the secret as the same raw string (not base64-decoded).
621+ Both the auth server and CloudSync must use the same raw secret string (not base64-decoded).
628622
629623### Option B: RS256 (JWKS)
630624
631- Configure the CloudSync server to fetch the public key from your JWKS endpoint:
625+ Configure the JWKS auth server and CloudSync to use asymmetric key verification.
632626
633- ``` env
634- # JWKS endpoint URL — CloudSync fetches public keys from here to verify RS256 tokens
635- JWKS_URL=http://cloudsync-postgres-test.internal:3002/.well-known/jwks.json
627+ ** 1. Update docker-compose.yml - JWKS auth server ISSUER:**
636628
637- # Must match the ISSUER env var on the JWKS auth server
638- JWT_ISSUER=cloudsync-auth-jwks
629+ ``` yaml
630+ auth-jwks :
631+ environment :
632+ ISSUER : http://cloudsync-auth-jwks.<your-app-name>.internal:3002
639633` ` `
640634
641- No shared secret is needed — the CloudSync server fetches the public key from the JWKS endpoint and uses it to verify token signatures. This is how production auth systems (Auth0, Supabase, Firebase) work.
635+ The issuer is the **base URL** (CloudSync automatically appends ` /.well-known/jwks.json`).
636+
637+ **2. Configure CloudSync to accept this issuer:**
638+
639+ In the CloudSync dashboard for this PostgreSQL project :
640+ - Go to **Configuration** tab → **Edit connection settings**
641+ - Under **JWT allowed issuers**, enter :
642+ ` ` `
643+ http://cloudsync-auth-jwks.<your-app-name>.internal:3002
644+ ` ` `
645+
646+ CloudSync will :
647+ 1. Receive JWT tokens with `iss : http://cloudsync-auth-jwks.<your-app-name>.internal:3002`
648+ 2. Validate the issuer matches the allowed list
649+ 3. Fetch the public key from `http://cloudsync-auth-jwks.<your-app-name>.internal:3002/.well-known/jwks.json`
650+ 4. Verify the token signature
651+
652+ This is how production auth systems (Auth0, Supabase, Firebase) work — no shared secrets needed.
642653
643654---
644655
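Review bot: the RS256 steps point CloudSync at a plain `http://` issuer and state that CloudSync appends `/.well-known/jwks.json` to it, so whoever answers at that URL decides which public keys verify tokens; the text should say explicitly that this is acceptable only because `<your-app-name>.internal` resolves solely on the Fly private network, and that any issuer reachable from outside it must use `https://`. Two smaller documentation points in the same hunk: the `iss` claim shown in step 1 and the "JWT allowed issuers" entry must match as exact strings (no trailing slash on one side and not the other), which is worth stating next to the yaml block, and the removed `JWT_DEVELOPMENT_ISSUER_PROJECT_ID=cloudsync-postgres-flyio` override disappears without saying how the development case is now handled.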
@@ -661,6 +672,47 @@ fly proxy 3002:3002 -a <your-app-name> # Auth server (JWKS)
661672
662673---
663674
675+ # # Reference: CloudSync Configuration
676+
677+ After deployment, use these values to configure CloudSync dashboard :
678+
679+ # ## Database Connection
680+
681+ ```
682+ postgresql://postgres:<POSTGRES_PASSWORD>@<your-app-name >.internal:5432/postgres
683+ ```
684+
685+ Replace:
686+ - `<POSTGRES_PASSWORD>`: from `.env` file
687+ - `<your-app-name>`: your Fly.io app name
688+
689+ ### JWT Secret (HS256)
690+
691+ For simple/development setups using shared secrets:
692+
693+ ```env
694+ JWT_SECRET=<your-jwt-secret>
695+ ```
696+
697+ Enter this in CloudSync dashboard → ** Configuration** → ** JWT secret**
698+
699+ ### JWT Issuer (RS256 with JWKS)
700+
701+ For production setups using asymmetric keys:
702+
703+ ```
704+ http://cloudsync-auth-jwks.<your-app-name>.internal:3002
705+ ```
706+
707+ Enter this in CloudSync dashboard → ** Configuration** → ** JWT allowed issuers**
708+
709+ CloudSync will automatically fetch the public key from:
710+ ```
711+ http://cloudsync-auth-jwks.<your-app-name>.internal:3002/.well-known/jwks.json
712+ ```
713+
714+ ---
715+
664716## Maintenance
665717
666718### Startup script (survives VM restarts)
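Review bot: the Database Connection block has a stray space in the placeholder, `<your-app-name >.internal:5432`, which readers will copy verbatim into the URL; it should read `<your-app-name>.internal:5432`. The JWT Secret subsection also drops the caveat given in Option A that both the auth server and CloudSync must use the same raw secret string (not base64-decoded); repeating it beside `JWT_SECRET=<your-jwt-secret>` avoids a silent signature-verification mismatch when the value is pasted from `.env` into the dashboard.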