Secret

Encrypted key-value store for sensitive configuration values (API keys, tokens, credentials). Secrets are encrypted at rest using AES-256 and scoped to organizations via a qualified naming convention (org/{organizationId}/{secretName}).

Fields

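| Field Name     | Type     | Display Name    |
|----------------|----------|-----------------|
| Id             | Int32    | Id              |
| SecretName     | String   | Secret name     |
| EncryptedValue | String   | Encrypted value |
| CreatedAt      | DateTime | Created at      |
| UpdatedAt      | DateTime | Updated at      |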

Database Configuration

  • Table: secrets
  • Primary Key: id
  • Unique Index: ix_secrets_secret_name on secret_name
  • Column Mapping: snake_case (secret_name, encrypted_value, created_at, updated_at)
  • Encryption: AES-256 with per-value random IV prepended to ciphertext, stored as base64

Naming Convention

Secrets use a qualified name format for organization scoping:

org/{organizationId}/{secretName}

For example: org/42/CARRIER_API_KEY

Secret Manager Providers

The system supports pluggable secret manager backends configured via SecretManager:Provider:

| Provider      | Description                                   |
|---------------|-----------------------------------------------|
| Postgres      | PostgreSQL-backed encrypted storage (default) |
| AzureKeyVault | Azure Key Vault integration                   |
| None          | Falls back to Postgres provider               |

PostgreSQL Provider Configuration

{
  "SecretManager": {
    "Provider": "Postgres",
    "Postgres": {
      "EncryptionKey": "<base64-encoded 32-byte key>"
    }
  }
}
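
An audit sketch for the storage format described above, added here as an example and not the project's own code: it checks that the configured key decodes to 32 bytes, that secret names follow the qualified format, and that no two stored values share an IV. It assumes a 16-byte IV (one AES block; the page does not name the cipher mode), a numeric organization id and a conservative secret-name alphabet; the sample rows are constructed.

```python
import base64
import re

IV_LEN = 16   # assumption: IV is one AES block; the page does not name the mode
KEY_LEN = 32  # AES-256 key size, per "<base64-encoded 32-byte key>"
QUALIFIED_NAME = re.compile(r"org/(\d+)/([A-Za-z0-9_.-]+)")  # assumed alphabet

def check_key(encoded_key):
    """Return a list of problems with SecretManager:Postgres:EncryptionKey."""
    try:
        key = base64.b64decode(encoded_key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["EncryptionKey is not valid base64"]
    if len(key) != KEY_LEN:
        return [f"EncryptionKey decodes to {len(key)} bytes, expected {KEY_LEN}"]
    return []

def split_envelope(encrypted_value):
    """Decode a stored value and split it into (iv, ciphertext)."""
    raw = base64.b64decode(encrypted_value, validate=True)
    if len(raw) <= IV_LEN:
        raise ValueError("value too short to hold an IV and ciphertext")
    return raw[:IV_LEN], raw[IV_LEN:]

def audit_rows(rows):
    """rows: iterable of (secret_name, encrypted_value). Returns findings."""
    findings, first_seen = [], {}
    for name, value in rows:
        if not QUALIFIED_NAME.fullmatch(name):
            findings.append((name, "name is not org/{organizationId}/{secretName}"))
        try:
            iv, _ = split_envelope(value)
        except ValueError as exc:
            findings.append((name, f"malformed encrypted_value: {exc}"))
            continue
        if iv in first_seen:  # a per-value random IV should never repeat
            findings.append((name, f"IV reused, first seen on {first_seen[iv]}"))
        first_seen.setdefault(iv, name)
    return findings

def _row(name, iv, body):
    return name, base64.b64encode(iv + body).decode()

# Constructed sample rows (not real secrets or real ciphertext).
SAMPLE_ROWS = [
    _row("org/42/CARRIER_API_KEY", bytes(range(16)), b"\xaa" * 32),
    _row("org/42/WEBHOOK_TOKEN", bytes(range(16)), b"\xbb" * 16),  # same IV
    _row("CARRIER_API_KEY", bytes(range(16, 32)), b"\xcc" * 16),   # unscoped name
    ("org/7/SMTP_PASSWORD", "not base64!"),
]
```

Running `audit_rows(SAMPLE_ROWS)` flags the repeated IV, the unscoped name and the undecodable value; the first row passes cleanly.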

GraphQL API

See Secrets Mutations for the GraphQL API reference.

  • Used by OrganizationConfigService to resolve secret references in organization configuration values