Secrets Management
All secrets are managed through Infisical, a self-hosted secrets manager. MCPammer provides a unified interface to manage secrets across environments.
Infisical Structure
/ # Root path
├── /jetta-tools # MCPammer's own credentials
├── /myservice # Per-service secrets
├── /shared # Shared across services
└── /infrastructure # AWS, Coolify tokens, etc.
Environments
- dev - Development environment
- prod - Production environment
Common Operations
List Secrets
# List all secrets in root
mcpammer secrets list
# List secrets in specific path
mcpammer secrets list --path /myservice
# List in production
mcpammer secrets list --env prod
Get a Secret
# Get secret (value masked by default)
mcpammer secrets get API_KEY
# Show actual value
mcpammer secrets get API_KEY --show
# From specific path
mcpammer secrets get DB_PASSWORD --path /myservice
Set a Secret
# Create or update
mcpammer secrets set API_KEY "my-secret-value"
# In specific path
mcpammer secrets set DB_PASSWORD "password123" --path /myservice
# In production
mcpammer secrets set API_KEY "prod-value" --env prod
Delete a Secret
mcpammer secrets delete OLD_KEY --path /myservice
Using Secrets in Services
In Coolify
Reference secrets as environment variables:
# Set env var on Coolify app
mcpammer deploy env set APP_UUID API_KEY "${API_KEY}"
Or use the Infisical SDK directly in your app.
Python SDK
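import os
from infisical_sdk import InfisicalSDKClient
# Note: http:// sends credentials unencrypted; prefer https:// where TLS is available
client = InfisicalSDKClient(host="http://infisical.internal")
# Machine-identity credentials come from the environment, never from source code
client.auth.universal_auth.login(
    client_id=os.environ["INFISICAL_CLIENT_ID"],
    client_secret=os.environ["INFISICAL_CLIENT_SECRET"],
)
# List the secrets under /myservice in the dev environment
secrets = client.secrets.list_secrets(
    project_id="...",
    environment_slug="dev",
    secret_path="/myservice",
)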
MCPammer's Own Secrets
MCPammer pulls its credentials from /jetta-tools:
| Secret | Purpose |
|---|---|
| COOLIFY_API_TOKEN | Coolify API access |
| AWS_ACCESS_KEY_ID | Route53 DNS |
| AWS_SECRET_ACCESS_KEY | Route53 DNS |
| AWS_HOSTED_ZONE_ID | DNS zone |
| SUPABASE_DB_PASSWORD | Service catalog |
| JETTA_STATUS_API_KEY | Status page API |
Best Practices
- Path per service - Keep secrets organized by service
- Never commit secrets - Use .env.example with placeholders
- Rotate regularly - Update secrets periodically
- Least privilege - Only give services the secrets they need
- Use environment separation - Different values for dev/prod
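One way to check the "never commit secrets" practice above before a commit, as an added example (not MCPammer's or Infisical's own code): it flags secret-like variables in a .env-style file that hold anything other than a placeholder. The suffix heuristic, the placeholder patterns, the function name and the sample file contents are assumptions made for illustration.

```python
import re

# Names from the /jetta-tools table and the Troubleshooting section of this page.
KNOWN_SECRET_NAMES = {
    "COOLIFY_API_TOKEN", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "AWS_HOSTED_ZONE_ID", "SUPABASE_DB_PASSWORD", "JETTA_STATUS_API_KEY",
    "INFISICAL_CLIENT_ID", "INFISICAL_CLIENT_SECRET",
}
# Assumption: other variables with these suffixes are secrets too.
SECRET_SUFFIX = re.compile(r"(_KEY|_TOKEN|_SECRET|_PASSWORD)$")
# Assumption: what counts as a placeholder value in .env.example.
PLACEHOLDER = re.compile(
    r"^(|changeme|<[^>]*>|\$\{[A-Za-z_][A-Za-z0-9_]*\}|your[-_].*)$", re.I)
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def find_committed_secrets(text):
    """Return (line_no, name) for secret-like variables set to a real-looking
    value. The value itself is never returned, so findings are safe to log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if line.lstrip().startswith("#") or not match:
            continue
        name, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop surrounding quotes
        is_secret = name in KNOWN_SECRET_NAMES or SECRET_SUFFIX.search(name)
        if is_secret and not PLACEHOLDER.match(value):
            findings.append((line_no, name))
    return findings

# Constructed sample .env.example content (all values are made up).
SAMPLE_ENV_EXAMPLE = """\
# Local settings
API_KEY=${API_KEY}
DB_PASSWORD="password123"
COOLIFY_API_TOKEN=<your-token>
AWS_HOSTED_ZONE_ID=Z0000000EXAMPLE
LOG_LEVEL=debug
export SUPABASE_DB_PASSWORD=
"""

if __name__ == "__main__":
    for line_no, name in find_committed_secrets(SAMPLE_ENV_EXAMPLE):
        print(f"line {line_no}: {name} has a non-placeholder value")
```

Run against the text of each staged .env-style file and fail the commit when the returned list is non-empty.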
Troubleshooting
Authentication failed
Check INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET in your environment.
Secret not found
Verify the path and environment: mcpammer secrets list --path /myservice --env dev
Permission denied
Ensure your Infisical service account has access to the path.