# Secrets Management
> How Syntropic137 handles secrets — file-based storage, Docker secrets, and 1Password integration.
Syntropic137 stores infrastructure secrets (database, Redis, and MinIO credentials) as file-based secrets with strict permissions, mounted into containers via Docker Compose's secrets mechanism. Application-level API keys (such as `ANTHROPIC_API_KEY`) are supplied via environment variables or `.env` files and injected only into the processes that need them.
## How Secrets Work
### Generation
During `npx @syntropic137/setup init`, three cryptographically random passwords are generated:
| Secret | File | Purpose |
|--------|------|---------|
| Database password | `~/.syntropic137/secrets/db-password.secret` | PostgreSQL (TimescaleDB) |
| Redis password | `~/.syntropic137/secrets/redis-password.secret` | Redis cache and pub/sub |
| MinIO password | `~/.syntropic137/secrets/minio-password.secret` | S3-compatible artifact storage |
All secret files are created with `chmod 600`, so only the file owner can read or write them.
### Docker Secrets
The Docker Compose stack declares these files as Compose secrets, so each container that references them gets the file mounted under `/run/secrets/`. The container's entrypoint script reads the files at startup and derives the connection settings from them:
```
/run/secrets/db-password.secret → POSTGRES_PASSWORD → connection URL
/run/secrets/redis-password.secret → REDIS_URL with password
/run/secrets/minio-password.secret → MINIO_SECRET_KEY
```
Because the values travel as mounted files rather than as `environment:` entries, infrastructure secrets are:
- Never shown by `docker inspect` or `docker compose config`, which print environment variables in clear but only the mount path of a secret
- Never stored in container image layers
- Kept out of the application's static configuration: only the entrypoint reads the raw files, and it derives the connection settings at startup
Note that the derived values are ordinary process environment inside the container, readable by anyone who can `docker exec` into it or read `/proc/<pid>/environ`. The mount protects against leaking through images and host-side metadata, not against a compromised container.
### GitHub App Secrets
If you created a GitHub App during setup, additional secrets are stored:
- `~/.syntropic137/secrets/github-app-private-key.pem` — App private key
- `~/.syntropic137/secrets/github-webhook-secret.txt` — Webhook verification secret
- `~/.syntropic137/secrets/github-client-secret.txt` — OAuth client secret
All three are created with `chmod 600`, like the generated passwords above.
## 1Password Integration
Syntropic137 supports 1Password Service Accounts for resolving secrets at runtime.
1Password Service Accounts require a **1Password Business or Enterprise** plan. They are not available on personal or family plans.
### Setup
1. Create a Service Account in your 1Password account and grant it read access to the vault(s) that hold the referenced items; a Service Account can only read vaults it has been granted
2. Add the token to your `.env`:
```bash
OP_SERVICE_ACCOUNT_TOKEN=your-service-account-token
```
   The token is itself a credential: keep `.env` at `chmod 600` and out of version control.
3. The API service reads `op://` references from its configuration and resolves them through the Service Account at startup
### Using `op://` References
In your `.env` or configuration, use 1Password secret references (`op://<vault>/<item>/[<section>/]<field>`) instead of raw values; the value is looked up at startup:
```bash
ANTHROPIC_API_KEY=op://Engineering/Anthropic/api-key
GITHUB_APP_PRIVATE_KEY=op://Engineering/SyntropicGitHub/private-key
```
**Coming soon:** 1Password CLI (`op`) integration for personal and family plans — resolve secrets locally without a Service Account. See [syntropic137/syntropic137#421](https://github.com/syntropic137/syntropic137/issues/421) for progress.
## Anthropic API Key
The `ANTHROPIC_API_KEY` is the one secret that agents need at runtime. It's handled separately from infrastructure secrets:
- Stored in `.env` (or resolved via 1Password)
- Injected into agent workspaces during execution
- The only secret visible to the agent process
- All other credentials (Git tokens, etc.) are configured during the workspace setup phase and cleared before the agent starts
See [Core Concepts — Workspaces](/docs/guide/core-concepts#workspaces) for details on the two-phase security model.