Secrets Management

How Syntropic137 handles secrets — file-based storage, Docker secrets, and 1Password integration.

Syntropic137 stores infrastructure secrets (database, Redis, and MinIO credentials) as file-based secrets with strict permissions, mounted into containers via Docker Compose's secrets mechanism. Application-level API keys (such as ANTHROPIC_API_KEY) are supplied via environment variables or .env files and injected only into the processes that need them.

How Secrets Work

Generation

During npx @syntropic137/setup init, three cryptographically random passwords are generated:

Secret              File                                              Purpose
Database password   ~/.syntropic137/secrets/db-password.secret        PostgreSQL (TimescaleDB)
Redis password      ~/.syntropic137/secrets/redis-password.secret     Redis cache and pub/sub
MinIO password      ~/.syntropic137/secrets/minio-password.secret     S3-compatible artifact storage

All secret files are created with chmod 600 — readable only by the file owner.

Docker Secrets

The Docker Compose stack mounts secrets under /run/secrets/ in each container via Compose's secrets mechanism. The entrypoint script reads these files at startup and constructs connection URLs:

/run/secrets/db-password.secret → POSTGRES_PASSWORD → connection URL
/run/secrets/redis-password.secret → REDIS_URL with password
/run/secrets/minio-password.secret → MINIO_SECRET_KEY

This means infrastructure secrets are:

  • Never shown as values in docker inspect output (only the bind mount of the file is visible, not its contents)
  • Never stored in container image layers, since nothing copies them at build time
  • Never read from the host-side .env; the application only sees the connection variables the entrypoint derives

One limit to keep in mind: once the entrypoint exports those derived variables, any process inside that container (and anyone who can docker exec into it) can read them from /proc/<pid>/environ. The mechanism protects against leakage through image layers, Compose configuration and .env files, not against code already running in the container.

GitHub App Secrets

If you created a GitHub App during setup, additional secrets are stored:

  • ~/.syntropic137/secrets/github-app-private-key.pem — App private key
  • ~/.syntropic137/secrets/github-webhook-secret.txt — Webhook verification secret
  • ~/.syntropic137/secrets/github-client-secret.txt — OAuth client secret

All three are created with chmod 600.

1Password Integration

Syntropic137 supports 1Password Service Accounts for resolving secrets at runtime.

1Password Service Accounts require a 1Password Business or Enterprise plan. They are not available on personal or family plans.

Setup

  1. Create a Service Account in your 1Password account
  2. Add the token to your .env:
     OP_SERVICE_ACCOUNT_TOKEN=your-service-account-token
  3. The API service reads op:// references and resolves them at startup

Using op:// References

In your .env or configuration, use 1Password references instead of raw values:

ANTHROPIC_API_KEY=op://Engineering/Anthropic/api-key
GITHUB_APP_PRIVATE_KEY=op://Engineering/SyntropicGitHub/private-key
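An added example of resolving such references at startup; this is not Syntropic137's API service code. It parses op://<vault>/<item>/<field> (and the four-segment op://<vault>/<item>/<section>/<field> form), leaves non-reference values untouched, and fails closed so that a literal "op://..." string never reaches a client library as if it were the credential. The resolver is injected: the constructed in-memory table here stands in for a call to the 1Password SDK or `op read` with OP_SERVICE_ACCOUNT_TOKEN set.

```javascript
// Added example (not Syntropic137's resolver): resolve op:// references in
// a config object through a pluggable, async resolver.
const OP_PREFIX = 'op://';

// Returns null for plain values, a parsed reference for op:// values, and
// throws for strings that start with op:// but are not well formed.
function parseOpReference(value) {
  if (typeof value !== 'string' || !value.startsWith(OP_PREFIX)) return null;
  const parts = value.slice(OP_PREFIX.length).split('/');
  if (parts.length < 3 || parts.length > 4 || parts.some((p) => p.length === 0)) {
    throw new Error(`malformed 1Password reference: ${value}`);
  }
  const [vault, item, ...rest] = parts;
  return {
    vault,
    item,
    section: rest.length === 2 ? rest[0] : null,
    field: rest[rest.length - 1],
  };
}

// Resolve every op:// value in `config`; other values pass through unchanged.
async function resolveSecrets(config, resolve) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    const ref = parseOpReference(value);
    if (ref === null) {
      out[key] = value;
      continue;
    }
    const secret = await resolve(ref);
    // Fail closed: an unresolved reference must not be passed on as a credential.
    if (typeof secret !== 'string' || secret.length === 0) {
      throw new Error(`could not resolve ${key} (${value})`);
    }
    out[key] = secret;
  }
  return out;
}

// Constructed stand-in for the real resolver. In production this function
// would call the 1Password SDK or `op read` for the given reference.
function makeTableResolver(table) {
  return async ({ vault, item, section, field }) => {
    const key = [vault, item, section, field].filter(Boolean).join('/');
    return table[key];
  };
}

module.exports = { parseOpReference, resolveSecrets, makeTableResolver };
```

Keep the resolved object in memory only: writing it back to .env would turn the references into plaintext on disk and defeat the point of using them.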

Coming soon: 1Password CLI (op) integration for personal and family plans — resolve secrets locally without a Service Account. See syntropic137/syntropic137#421 for progress.

Anthropic API Key

The ANTHROPIC_API_KEY is the one secret that agents need at runtime. It's handled separately from infrastructure secrets:

  • Stored in .env (or resolved via 1Password)
  • Injected into agent workspaces during execution
  • The only secret visible to the agent process
  • All other credentials (Git tokens, etc.) are configured during the workspace setup phase and cleared before the agent starts

See Core Concepts — Workspaces for details on the two-phase security model.

Syntropic137 Docs v0.18.0 · Last updated March 2026
