Infisical Secrets Structure
Jetta infrastructure uses Infisical for secrets management. Secrets are organized across multiple projects and environments. This guide documents which secrets live where.
Projects
jetta-tools (Primary Infrastructure Secrets)
Contains secrets used by infrastructure and backend services.
| Secret | Used By | Description |
|---|---|---|
| JETTA_APPS_DB | jetta-status, jetta-sso | PostgreSQL connection string for jetta_apps database |
| AWS_ACCESS_KEY_ID | DNS management | Route53 access for DNS automation |
| AWS_SECRET_ACCESS_KEY | DNS management | Route53 secret key |
| AWS_HOSTED_ZONE_ID | DNS management | Route53 zone ID for jettaintelligence.com |
| COOLIFY_API_TOKEN | mcpammer, deployments | Coolify API access token |
| SUPABASE_DB_PASSWORD | jetta-sso | Supabase database password |
| UPTIME_KUMA_URL | jetta-status | Uptime Kuma instance URL |
| UPTIME_KUMA_USERNAME | mcpammer | Uptime Kuma login |
| UPTIME_KUMA_PASSWORD | mcpammer | Uptime Kuma password |
| JETTA_STATUS_API_KEY | All services | API key for jetta-status API access |
Default Project (Service-Specific)
Contains secrets for individual services.
| Secret | Used By | Description |
|---|---|---|
| BROWSY_DAEMON_API_KEY | browsy-daemon | API key for browsy daemon |
| BROWSY_HQ_API_KEY | browsy-hq | API key for browsy HQ |
| JETTA_STATUS_TOTP_ENCRYPTION_KEY | jetta-status | TOTP secret encryption |
Environments
Each project has three environments:
- Development - Local development and testing
- Staging - Pre-production testing (often empty)
- Production - Live production secrets
Important: Most secrets currently exist only in the Development environment. Production and Staging need to be populated for proper environment separation.
How Secrets Are Injected
Coolify Integration
Coolify apps can connect to Infisical to automatically inject secrets as environment variables at runtime.
Configuration in Coolify:
- Go to app settings > Environment Variables
- Enable Infisical integration
- Set project ID and environment
Manual (Current State)
Currently, most apps have secrets manually set in Coolify env vars. The Infisical integration exists but isn't fully utilized.
Service to Secret Mapping
jetta-status
Required:
- JETTA_APPS_DB (jetta-tools)
- JETTA_STATUS_API_KEY (jetta-tools)
Optional:
- JETTA_SSO_URL
- UPTIME_KUMA_URL (jetta-tools)
- COOLIFY_API_TOKEN (jetta-tools)
jetta-sso
Required:
- SUPABASE_URL
- SUPABASE_KEY
- SUPABASE_SERVICE_ROLE
- JETTA_APPS_DB (jetta-tools)
mcpammer
Required:
- COOLIFY_API_TOKEN (jetta-tools)
- JETTA_STATUS_API_KEY (jetta-tools)
- UPTIME_KUMA credentials (jetta-tools)
Troubleshooting
Secret not found when using mcpammer_secrets_get
Check which project the secret is in: the Default project or jetta-tools.
Coolify shows env var but app says it is not set
- Check if the value is actually empty in Coolify
- Verify Infisical integration is configured
- Rebuild (not restart) the app to pick up new env vars
Adding a new secret
- Add to appropriate Infisical project
- Add to Coolify env vars (or configure Infisical integration)
- Document in this guide
- Update service startup validation if required
Best Practices
- Hub services (jetta-status) should not use the Infisical SDK - They monitor other services and need to work even if Infisical is down
- Use env var injection - Infisical injects via Coolify, apps read from process.env
- Document every secret - Update this guide when adding new secrets
- Separate environments - Do not use dev secrets in production
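Startup validation for the service-to-secret mapping above, written as an added example (not code from the Jetta services). It reads only from injected environment variables, treats an empty value as unset (the Coolify troubleshooting case), and reports variable names without values. The function names and the SERVICE_SECRETS table layout are hypothetical.

```javascript
// Added example: startup validation for the secrets listed in this guide.
// SERVICE_SECRETS mirrors the "Service to Secret Mapping" section; the
// function names are hypothetical and not part of any Jetta service.
const SERVICE_SECRETS = {
  'jetta-status': {
    required: ['JETTA_APPS_DB', 'JETTA_STATUS_API_KEY'],
    optional: ['JETTA_SSO_URL', 'UPTIME_KUMA_URL', 'COOLIFY_API_TOKEN'],
  },
  'jetta-sso': {
    required: ['SUPABASE_URL', 'SUPABASE_KEY', 'SUPABASE_SERVICE_ROLE', 'JETTA_APPS_DB'],
    optional: [],
  },
};

// A variable that is defined but empty or whitespace-only counts as unset.
// This is the "Coolify shows env var but app says it is not set" case.
function isSet(env, name) {
  return typeof env[name] === 'string' && env[name].trim() !== '';
}

// Returns variable names only, never values, so the result is safe to log.
function validateSecrets(service, env = process.env) {
  const spec = SERVICE_SECRETS[service];
  if (!spec) throw new Error(`no secret mapping for service: ${service}`);
  const missing = spec.required.filter((name) => !isSet(env, name));
  const disabled = spec.optional.filter((name) => !isSet(env, name));
  return { ok: missing.length === 0, missing, disabled };
}

// Fail fast at boot: refuse to start when a required secret is missing.
function assertSecrets(service, env = process.env) {
  const result = validateSecrets(service, env);
  if (!result.ok) {
    throw new Error(`${service}: missing required secrets: ${result.missing.join(', ')}`);
  }
  return result;
}

// Constructed sample environment (placeholder values, not real secrets).
const sampleEnv = {
  JETTA_APPS_DB: 'postgres://placeholder',
  JETTA_STATUS_API_KEY: '   ', // shown as present in the UI but effectively empty
  UPTIME_KUMA_URL: 'https://uptime.example.invalid',
};
console.log(validateSecrets('jetta-status', sampleEnv));
```

Calling assertSecrets with the service name before opening any connections makes a misconfigured deployment stop at boot with the missing names in the log, and optional names in `disabled` show which features will be off.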