Secrets catalog
17 cryptographic secrets in Olympus
Every piece of secret material in an Olympus deployment, with its purpose and rotation path.
| Secret | Purpose | Critical |
|---|---|---|
| ENCRYPTION_KEY | Master key for SDK settings encryption. | yes |
| SESSION_SIGNING_KEY | HMAC for Athena session cookies. | yes |
| CIAM_RELOAD_API_KEY | Auth for CIAM Kratos schema reload sidecar. | - |
| IAM_RELOAD_API_KEY | Auth for IAM Kratos schema reload sidecar. | - |
| CIAM_KRATOS_COOKIE_SECRET | Kratos session cookie HMAC. | - |
| IAM_KRATOS_COOKIE_SECRET | Kratos IAM session cookie HMAC. | - |
| CIAM_KRATOS_CIPHER_SECRET | Kratos recovery/verification token cipher. | - |
| IAM_KRATOS_CIPHER_SECRET | Kratos IAM cipher. | - |
| CIAM_HYDRA_SYSTEM_SECRET | Hydra encrypts client secrets and JWKs with this. | yes |
| IAM_HYDRA_SYSTEM_SECRET | Hydra IAM system secret. | yes |
| SMTP_USER / SMTP_PASSWORD | Email provider credentials. | - |
| TURNSTILE_SECRET_KEY | Cloudflare Turnstile verification. | - |
| DATABASE_URL | Postgres connection string with password. | - |
| Postgres CA certificate | TLS verify-full root cert. | - |
| DEPLOY_SSH_KEY | GitHub Actions deploy SSH key for the VPS. | - |
| GHCR pull token | Pull private images from GHCR. | - |
| Daedalus provider tokens | DigitalOcean / Hostinger / Neon API keys. | - |
See Security, Secrets management for the architectural overview.