bash
8 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail
export VAULT_ADDR="https://vault.internal:8200"
export VAULT_TOKEN="${VAULT_TOKEN:?missing VAULT_TOKEN}"
DB_PASSWORD=$(vault kv get -field=password secret/production/database)
export DATABASE_URL="postgres://app:${DB_PASSWORD}@db.internal/app_production"
1 file · bash
Explain with highlit
The rule is simple: secrets should not live in source control, logs, or chat transcripts. I keep local development ergonomic with env files that never leave the machine, and I use a real secret manager in shared environments. Retrieval should be audited and rotation should be possible without rewriting the app.
Related snips
ruby
payload = {
sub: user.id,
iss: 'https://auth.example.com',
aud: 'codesnips-api',
exp: 15.minutes.from_now.to_i,
iat: Time.now.to_i,
JWT issuance and verification without common footguns
jwt
authentication
api
by Kai Nakamura
2 tabs
typescript
import crypto from 'node:crypto';
import jwt from 'jsonwebtoken';
export function signAccessToken(payload: object) {
return jwt.sign(payload, process.env.JWT_SECRET!, { expiresIn: '15m' });
}
JWT access + refresh token rotation (conceptual)
auth
security
node
by Mateo Rodriguez
1 tab
go
package files
import (
"context"
"time"
Presigned S3 upload URLs (AWS SDK v2)
go
aws
s3
by Leah Thompson
1 tab
erb
<%# private stream: turbo signs the serialized record name %>
<%= turbo_stream_from current_user %>
<section class="notifications">
<h1>Notifications</h1>
Turbo Streams + authorization: signed per-user stream name
rails
turbo
hotwire
by codesnips
3 tabs
go
package api
import (
"io"
"net/http"
"os"
Safe multipart uploads using temp files (bounded memory)
go
http
uploads
by Leah Thompson
1 tab
go
package deps
import (
"crypto/tls"
"crypto/x509"
"net/http"
mTLS client configuration with custom root CA pool
go
security
tls
by Leah Thompson
1 tab
Share this code
Here's the card — post it anywhere.