Jetstack's secret store is an encrypted tenant secret manager backed by a dedicated table and key-based encryption model.
It is the correct place to store sensitive runtime values for:
- API integrations
- AI provider credentials
- refresh tokens
- external service secrets used by automations or tools
A secret record includes:
- type
- system name
- title
- encrypted value
- nonce
- key identifier
- update timestamp
The secret manager:
- reads key material from APP_SECRET_KEYS_JSON
- uses the highest configured key id for new writes
- encrypts values with XChaCha20-Poly1305
- falls back to treating the stored value as legacy plaintext when an old record carries no nonce or key identifier
This matters operationally because secret storage depends on deployment configuration, not only tenant data.
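The following is an added example, not Jetstack's code, that models the record and key-ring behaviour described above so the moving parts can be seen together: a per-record 24-byte nonce, a key identifier pointing into the configured key ring, the highest key id used for new writes, and the legacy plaintext fallback for rows written before envelope encryption. The cipher is a pure-Python XChaCha20-Poly1305 so the block runs offline; a deployment would use a vetted library instead. Assumptions that are not on the page: APP_SECRET_KEYS_JSON is taken to be a JSON object mapping key id to a hex-encoded 32-byte key, the store is an in-memory dict standing in for the dedicated table, and the system name is bound into the ciphertext as associated data (a hardening choice of this example, so an encrypted value cannot be copied between rows).

```python
import hmac, json, secrets, struct, time
from dataclasses import dataclass
# XChaCha20-Poly1305 in pure Python: RFC 8439 AEAD construction + draft-irtf-cfrg-xchacha
_MASK = 0xFFFFFFFF
_CONST = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
_rotl = lambda v, c: ((v << c) & _MASK) | (v >> (32 - c))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):
    s = list(state)
    for _ in range(10):  # 20 rounds = 10 double rounds (columns, then diagonals)
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return s

def _chacha_block(key, counter, nonce12):
    st = [*_CONST, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    return struct.pack("<16I", *[(x + y) & _MASK for x, y in zip(_rounds(st), st)])

def _chacha_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha_block(key, counter + i // 64, nonce12)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def hchacha20(key, nonce16):
    st = [*_CONST, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)]
    s = _rounds(st)  # HChaCha20 has no feed-forward addition
    return struct.pack("<8I", *(s[:4] + s[12:]))

def _poly1305(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s, p, acc = int.from_bytes(otk[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]
        acc = ((acc + int.from_bytes(blk, "little") + (1 << (8 * len(blk)))) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_input(aad, ct):
    pad = lambda b: b"\x00" * (-len(b) % 16)
    return aad + pad(aad) + ct + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def aead_encrypt(key, nonce24, plaintext, aad=b""):
    subkey, nonce12 = hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
    otk = _chacha_block(subkey, 0, nonce12)[:32]    # Poly1305 one-time key from block 0
    ct = _chacha_xor(subkey, 1, nonce12, plaintext)  # keystream starts at block 1
    return ct + _poly1305(otk, _mac_input(aad, ct))

def aead_decrypt(key, nonce24, boxed, aad=b""):
    subkey, nonce12 = hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
    ct, tag = boxed[:-16], boxed[-16:]
    otk = _chacha_block(subkey, 0, nonce12)[:32]
    if not hmac.compare_digest(tag, _poly1305(otk, _mac_input(aad, ct))):
        raise ValueError("authentication failed")  # tampered, or wrong key/nonce/aad
    return _chacha_xor(subkey, 1, nonce12, ct)

# Secret record and key-ring-backed store, modelled on the page's description
@dataclass
class SecretRecord:
    type: str
    system_name: str
    title: str
    encrypted_value: bytes
    nonce: "bytes | None"   # None on legacy rows written before envelope encryption
    key_id: "int | None"    # None on legacy rows
    updated_at: float

class SecretStore:
    def __init__(self, app_secret_keys_json):
        # Assumed shape of APP_SECRET_KEYS_JSON: {"<key id>": "<hex of a 32-byte key>", ...}
        self.keys = {int(k): bytes.fromhex(v) for k, v in json.loads(app_secret_keys_json).items()}
        self.write_key_id = max(self.keys)  # highest configured key id serves new writes
        self.table = {}  # stands in for the dedicated secrets table

    def put(self, system_name, value, secret_type="string", title=""):
        nonce = secrets.token_bytes(24)  # fresh 192-bit nonce per write; never reused with a key
        aad = system_name.encode()       # bind ciphertext to its row (an addition of this example)
        ct = aead_encrypt(self.keys[self.write_key_id], nonce, value.encode(), aad)
        self.table[system_name] = SecretRecord(secret_type, system_name, title, ct, nonce, self.write_key_id, time.time())
        return self.table[system_name]

    def get(self, system_name):
        rec = self.table[system_name]
        if rec.nonce is None or rec.key_id is None:
            return rec.encrypted_value.decode()  # legacy fallback: the row holds plaintext
        return aead_decrypt(self.keys[rec.key_id], rec.nonce, rec.encrypted_value, system_name.encode()).decode()

    def rewrap(self):
        stale = [n for n, r in self.table.items() if r.key_id != self.write_key_id]  # legacy or old key
        for n in stale:
            r = self.table[n]; self.put(n, self.get(n), r.type, r.title)
        return stale
```

Two points worth reading off the code: `get()` raises a `KeyError` if a record's `key_id` has been removed from the configured key ring, so keys must stay in APP_SECRET_KEYS_JSON until every row under them has been rewrapped; and the legacy branch returns whatever bytes the row holds with no authentication, so `rewrap()` (or an equivalent migration) is the way to retire those rows rather than relying on the fallback indefinitely.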
At minimum, the platform distinguishes these secret types:
- string
- oauth_refresh_token
Additional semantic conventions may be introduced operationally even when the technical storage model remains simple.
Secrets can be:
- managed through the Secrets UI
- read by code processor functions
- used by automations
- used by canvases
- used by AI and provider tooling
Operational guidance:
- Keep secret names stable and descriptive.
- Restrict who can manage secrets.
- Use secret references rather than embedding sensitive values directly into implementation config.
- Document which automations, agents, or integrations depend on each secret.