# Internal Credentials Security

## Face Engine Credentials

**Environment Variables:**
```env
FACE_ENGINE_URL=http://127.0.0.1:8000
FACE_ENGINE_API_KEY=your_secret_internal_key
```

## Security Rules

### ✅ DO
- Store credentials only in the `.env` file
- Keep `.env` out of version control (already in `.gitignore`)
- Use `config('services.face.key')` to access credentials
- Rotate `FACE_ENGINE_API_KEY` periodically

### ❌ DON'T
- Never expose these credentials to clients
- Never return them in API responses
- Never log them in plain text
- Never commit them to Git

## Access Pattern

**Correct:**
```php
// In controller/service only
use Illuminate\Support\Facades\Http;

$response = Http::withHeaders([
    'X-API-KEY' => config('services.face.key'),
])->post(config('services.face.url') . '/face/verify', $data);
```

**Wrong:**
```php
// Never do this
return response()->json([
    'engine_key' => config('services.face.key') // ❌ EXPOSED!
]);
```

## Credential Separation

| Credential | Purpose | Exposed to Clients |
|------------|---------|-------------------|
| Client API Key (`face_xxx`) | Client authentication | ✅ Yes (on creation only) |
| `FACE_ENGINE_API_KEY` | Internal service auth | ❌ Never |

## Configuration Location

- **Environment:** `.env` (not in Git)
- **Config:** `config/services.php`
- **Usage:** `config('services.face.key')`
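The access pattern and configuration chain above, as an added example that is not part of the project's code: a hypothetical `App\Services\FaceEngineClient` that reads the key through `config()`, fails closed when the key is missing, and logs only the response status so the key never reaches the log. It assumes `config/services.php` maps `services.face.url` and `services.face.key` to the two environment variables via `env()`, as shown in the leading comment.

```php
<?php
// app/Services/FaceEngineClient.php (hypothetical; assumed entry in config/services.php):
//
//   'face' => [
//       'url' => env('FACE_ENGINE_URL', 'http://127.0.0.1:8000'),
//       'key' => env('FACE_ENGINE_API_KEY'),
//   ],
//
// env() is read in the config file only; everywhere else use config(), which keeps
// working after `php artisan config:cache`.

namespace App\Services;

use Illuminate\Support\Facades\Http;
use RuntimeException;

final class FaceEngineClient
{
    /** Verify $data against the internal face engine; returns the decoded JSON body. */
    public function verify(array $data): array
    {
        $key = config('services.face.key');
        if (empty($key)) {
            // Fail closed: never send the request with an empty X-API-KEY header.
            throw new RuntimeException('FACE_ENGINE_API_KEY is not configured');
        }

        $url = rtrim((string) config('services.face.url'), '/') . '/face/verify';

        $response = Http::withHeaders(['X-API-KEY' => $key])
            ->timeout(5)
            ->post($url, $data);

        if ($response->failed()) {
            // Log the status only: no request headers, no key, no raw body.
            logger()->warning('face engine verify failed', ['status' => $response->status()]);
            throw new RuntimeException('face engine request failed');
        }

        // Return only the engine's result; the key is never part of the return value.
        return $response->json() ?? [];
    }
}
```

A controller injects this class and returns its result; the key stays inside `verify()` and is never placed in a response payload.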

## Verification

```bash
# Check config is loaded correctly (in production)
php artisan tinker
>>> config('services.face.url')
=> "http://127.0.0.1:8000"

>>> config('services.face.key')
=> "your_secret_internal_key"  # Shows the configured value; never return it to clients
```
