Secret Store

What It Is

Jetstack's secret store is an encrypted, per-tenant secret manager backed by a dedicated table and a key-based encryption model.

Why It Matters

It is the correct place to store sensitive runtime values for:

  • API integrations
  • AI provider credentials
  • refresh tokens
  • external service secrets used by automations or tools

Stored Secret Shape

A secret record includes:

  • type
  • system name
  • title
  • encrypted value
  • nonce
  • key identifier
  • update timestamp

Encryption Model

The secret manager:

  • reads key material from APP_SECRET_KEYS_JSON
  • uses the highest configured key id for new writes
  • encrypts values with XChaCha20-Poly1305
  • supports a legacy plaintext fallback for old records that have no nonce or key metadata

This matters operationally because secret storage depends on deployment configuration, not only tenant data.
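
An added example, not Jetstack's own code: a Python audit that classifies stored records against the configured keyring, flagging legacy plaintext rows, rows written under an older key, and rows whose key id is missing from the deployment. The JSON shape of APP_SECRET_KEYS_JSON (key id mapped to a base64 key) and the record field names are assumptions; the 32-byte key and 24-byte nonce sizes are those of XChaCha20-Poly1305.

```python
import base64
import json

KEY_LEN, NONCE_LEN = 32, 24  # XChaCha20-Poly1305 key and nonce sizes in bytes


def load_keys(raw_json):
    """Parse the keyring; assumed shape: {"<integer key id>": "<base64 key>"}."""
    keys = {}
    for key_id, b64 in json.loads(raw_json).items():
        key = base64.b64decode(b64, validate=True)
        if len(key) != KEY_LEN:
            raise ValueError(f"key {key_id}: expected {KEY_LEN} bytes")
        keys[int(key_id)] = key
    if not keys:
        raise ValueError("no keys configured")
    return keys


def classify(record, keys):
    """Return the storage state of one record (field names are hypothetical)."""
    nonce, key_id = record.get("nonce"), record.get("key_id")
    if nonce is None or key_id is None:
        return "legacy_plaintext"   # fallback path: value is stored unencrypted
    if key_id not in keys:
        return "missing_key"        # cannot be decrypted by this deployment
    if len(nonce) != NONCE_LEN:
        return "bad_nonce"
    if key_id != max(keys):
        return "needs_reencrypt"    # readable, but written under an older key
    return "current"


def audit(records, raw_json):
    keys = load_keys(raw_json)
    report = {}
    for rec in records:
        report.setdefault(classify(rec, keys), []).append(rec["system_name"])
    return report


# Constructed sample data: two demo keys and four records, one per state.
SAMPLE_KEYS_JSON = json.dumps({"1": base64.b64encode(bytes(32)).decode(),
                               "2": base64.b64encode(b"\x01" * 32).decode()})
SAMPLE_RECORDS = [
    {"system_name": "openai_api_key", "nonce": bytes(24), "key_id": 2},
    {"system_name": "crm_refresh_token", "nonce": bytes(24), "key_id": 1},
    {"system_name": "old_webhook_secret", "nonce": None, "key_id": None},
    {"system_name": "billing_api_key", "nonce": bytes(24), "key_id": 7},
]
```

Running audit() before removing an old key id from the keyring shows which records would become unreadable and which are still stored as plaintext.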

Secret Types

At minimum, the platform distinguishes:

  • string
  • oauth_refresh_token

Additional semantic conventions may be introduced operationally even when the technical storage model remains simple.

Access Patterns

Secrets can be:

  • managed through the Secrets UI
  • read by code processor functions
  • used by automations
  • used by canvases
  • used by AI and provider tooling

Best Practices

  • Keep secret names stable and descriptive.
  • Restrict who can manage secrets.
  • Use secret references rather than embedding sensitive values directly into implementation config.
  • Document which automations, agents, or integrations depend on each secret.