Overview

Operating an identity platform is a different shape of work from building one. This section is the runbook collection, the things you do on a Tuesday afternoon when something breaks, when a key needs to rotate, when an account is locked.

When you are paged

• Incident Response, the on-call playbook.
• Health Endpoints, what each service's /health does and doesn't tell you.
• Network Topology, which ports must be firewalled, and which exist for in-cluster traffic only.

Scheduled rotations

• Certificate rotation, Caddy + database TLS certs.
• Session signing key rotation, zero-downtime.
• Encryption key rotation, for the SDK settings vault.
• Reload API key rotation, for the Kratos schema reload sidecar.
• Secrets audit, quarterly inventory.

User support

• Locked account unlock, diagnose and unlock a customer or employee.
• pgAdmin DBA offboarding, remove a departing DBA's database access cleanly.

Observability

• Monitoring, PKCE analytics, PKCE-protected OAuth2 traffic.
• Monitoring, MFA stats, second-factor enrollment and challenge rates.
• Logs and observability, what's logged, where it goes, retention.

Capacity

• Backups, Postgres
• Backups, Caddy data
• Email deliverability
• Rate limiting, tuning
• Captcha, tuning
• Audit log retention