
Direct secret values (used when externalSecret.enabled: false).
Never commit actual secret values to version control. Use secure secret management practices:
  • Store in separate, gitignored values file
  • Use Helm --set flags from CI/CD secrets
  • Use encrypted secret management (SOPS, sealed-secrets, etc.)
  • Prefer external secret stores for production

Automatic Pod Restarts

When you update secret values in your Helm values file and run helm upgrade, all affected pods (web, worker, OAuth, registry, MinIO) automatically restart to pick up the new credentials. This ensures your deployment always uses the latest secret values without requiring manual intervention.
What triggers automatic restarts:
  • Changes to any value in the secrets section
  • Changes to OAuth provider credentials in oauth.secrets
  • Changes to Replicated license fields (if using Replicated distribution)
Example workflow:
# 1. Update secrets in your values file
vim my-values.yaml  # Change DB_PASSWORD or other secrets

# 2. Apply the changes
helm upgrade crewai-platform oci://registry.crewai.com/crewai/stable/crewai-platform \
  --values my-values.yaml

# 3. Pods automatically restart with new credentials (rolling restart - no downtime)
kubectl get pods -w  # Watch pods restart
This behavior ensures credential rotation and secret updates are applied automatically without manual pod deletions.

Database Secrets

secrets.DB_USER
string
default:""
Database username (optional override).
Default Behavior: If not set, the value from envVars.DB_USER is used (default: "postgres").
When to Use: Set this when the database username should be treated as sensitive information, or when you need to override the username configured in envVars.DB_USER.
Special Characters: Usernames can safely contain special characters. The chart automatically handles URL encoding when constructing database connection strings.
Example:
secrets:
  DB_USER: "crewai_prod_user"
  DB_PASSWORD: "your-secure-password"
Related Configuration: See envVars.DB_USER in Environment Variables - Database Configuration for the non-sensitive username configuration.
secrets.DB_PASSWORD
string
default:""
Database password.
Required: Yes (for database access)
Security: Use strong, unique passwords. Rotate regularly.
Special Characters: Passwords can safely contain special characters (e.g., @, :, /, ?, #, %). The chart automatically handles URL encoding when constructing database connection strings, so you don’t need to manually escape or encode special characters.

GitHub Integration Secrets

secrets.GITHUB_TOKEN
string
default:""
GitHub personal access token or OAuth token.
Auto-Populated: From Replicated license field
Purpose: Required to pull crewai enterprise repositories.
secrets.GITHUB_CREW_STUDIO_TOKEN
string
default:""
GitHub token for Crew Studio integration.
secrets.GITHUB_CLIENT_SECRET
string
default:""
GitHub App client secret for user authorization during installation.
Required For: GitHub App OAuth flow.
Obtaining: GitHub App Settings > Generate a new client secret.
Related Configuration:
  • Configure envVars.GITHUB_CLIENT_ID with your GitHub App client ID
  • Configure envVars.GITHUB_APP_ID with your GitHub App ID
  • Configure envVars.GITHUB_APP_URL with your GitHub App installation URL
  • Configure secrets.GITHUB_APP_PRIVATE_KEY with your GitHub App private key
Setup Guide: See GitHub App Setup Guide for detailed instructions.
secrets.GITHUB_WEBHOOK_SECRET_TOKEN
string
default:""
Secret token for validating GitHub webhook payloads.
Purpose: Verifies that incoming webhook deliveries actually originate from GitHub rather than from an arbitrary sender.
secrets.GITHUB_APP_PRIVATE_KEY
string
default:""
Private key for GitHub App server-to-server authentication.
Format: PEM-encoded RSA private key as a single-line string with literal \n characters replacing each line break. The value must start with -----BEGIN RSA PRIVATE KEY-----; do not use the key fingerprint (the short hex string shown in the GitHub UI).
Obtaining: GitHub App Settings > Private keys > Generate a private key. The .pem key file downloads automatically and cannot be retrieved again.
Required For: GitHub App API authentication and operations.
Security: Store securely and never commit to version control.
Converting the .pem file to single-line format:
openssl rsa -in /path/to/your-key.pem -check -noout && \
  awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' /path/to/your-key.pem
Example:
secrets:
  GITHUB_APP_PRIVATE_KEY: "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n...\n-----END RSA PRIVATE KEY-----\n"
Setup Guide: See GitHub App Setup Guide for detailed instructions.

Rails Application Secrets

Do not set RAILS_MASTER_KEY: The chart uses a different Rails configuration approach and does not require RAILS_MASTER_KEY. If you include this in your configuration, you will receive a warning during installation. Remove RAILS_MASTER_KEY from both envVars and secrets sections.
secrets.SECRET_KEY_BASE
string
Rails secret key base for session signing and encryption.
Default: Auto-generated
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
Upgrade Behavior: Once generated, the value persists across Helm upgrades to maintain session continuity.
secrets.CREWAI_PLUS_INTERNAL_API_KEY
string
default:""
Internal API key for service-to-service authentication.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ENCRYPTION_KEY
string
default:""
Application-level encryption key for sensitive data at rest.
Auto-Generation: If not provided, automatically generated and persisted across upgrades via lookup function.
Format: Hexadecimal string (recommended: 64 characters).
Manual Generation:
openssl rand -hex 32
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
string
default:""
Primary encryption key for Rails Active Record Encryption.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
string
default:""
Deterministic encryption key for Rails Active Record Encryption. Used for attributes that need to be queried by encrypted value.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
string
default:""
Salt used for key derivation in Rails Active Record Encryption.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.FACTORY_DEBUG_TOKEN
string
default:""
Token that authorizes GET /health/debug via the X-Factory-Debug-Token header. The endpoint returns 404 Not Found to any caller without a valid token or a signed-in factory-admin session; the probe does not run for unauthorized requests. This prevents anonymous amplification of LLM-provider, Kubernetes API, and in-cluster service probes.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
Retrieve the current value:
kubectl get secret <release-name>-secrets -n <namespace> \
  -o jsonpath='{.data.FACTORY_DEBUG_TOKEN}' | base64 -d
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
Operational Guide: See Factory Health & Debug for how the token is used and how to verify OAuth key consistency across pods.
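As an added illustration (not the platform's handler), this Go program models the 404-on-unauthorized behaviour described above: a request without a matching X-Factory-Debug-Token header gets a plain 404 and never reaches the probe, and the comparison is constant-time. The factory-admin session path is omitted; handler and function names are this example's own.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const debugTokenHeader = "X-Factory-Debug-Token"

// tokenMatches compares in constant time so that response timing does not
// reveal how many leading bytes of a guessed token were correct.
func tokenMatches(expected, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// debugHandler models the documented behaviour of GET /health/debug: a caller
// without the configured token gets a plain 404, indistinguishable from a
// route that does not exist, and the probe never runs for it. The real
// endpoint also accepts a signed-in factory-admin session, which this
// example does not model; it is illustrative code, not the platform's.
func debugHandler(expectedToken string, probe http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Fail closed: an empty configured token must never match anything.
		if expectedToken == "" || !tokenMatches(expectedToken, r.Header.Get(debugTokenHeader)) {
			http.NotFound(w, r)
			return
		}
		probe(w, r)
	})
}

// statusFor sends one request (optionally carrying the header) through the
// handler in-process and returns the HTTP status code.
func statusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/health/debug", nil)
	if token != "" {
		req.Header.Set(debugTokenHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample token; a deployment reads the real value from the
	// Helm-managed Secret.
	const configured = "example-debug-token-not-a-real-value"
	h := debugHandler(configured, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "probe output would appear here")
	})
	fmt.Println("no header  :", statusFor(h, ""))         // 404
	fmt.Println("wrong token:", statusFor(h, "guess"))    // 404
	fmt.Println("right token:", statusFor(h, configured)) // 200
}
```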
secrets.REGISTRY_HTTP_SECRET
string
default:""
Shared secret for the internal container registry’s HTTP authentication.
Auto-Generation: If not provided, automatically generated using randAlphaNum 32 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 24 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.OIDC_PRIVATE_KEY
string
default:""
RSA private key (PEM) used to sign OIDC tokens issued by the platform’s built-in IdP. The corresponding public key is published at /oauth2/jwks for cloud-provider workload-identity federation.
Auto-Generation: If not provided, an RSA key is generated via Helm’s genPrivateKey "rsa" and persisted across upgrades via lookup function.
Stability requirement: Cloud-provider trust policies (AWS IAM, GCP Workload Identity, Azure federated credentials) verify tokens against the public key served at the JWKS endpoint. Rotating this key invalidates all federated trust until the public key is republished and clients refresh.
Manual Generation:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.OIDC_KEY_ID
string
default:""
Identifier (kid) advertised in the JWKS document and embedded in the JOSE header of every OIDC token. Cloud providers use it to look up the matching public key.
Auto-Generation: If not provided, generated as crewai-oidc-<random> and persisted across upgrades via lookup function.
Stability requirement: Must be stable for the lifetime of the signing key. Changing OIDC_KEY_ID without rotating OIDC_PRIVATE_KEY (or vice versa) breaks token verification.
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
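The check below is added here and is not part of the chart: it derives the JWK that /oauth2/jwks must publish for a given OIDC_PRIVATE_KEY and OIDC_KEY_ID and compares it against a fetched JWKS document, which surfaces exactly the key/kid mismatch the two stability requirements describe. It assumes the PKCS#8 PEM form that openssl genpkey produces; function names and the test key generator are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// jwk is the subset of an RSA JSON Web Key needed to match a signing key;
// jwks is the shape of the document served at /oauth2/jwks.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct {
	Keys []jwk `json:"keys"`
}

// publicJWK derives the JWK the JWKS document must contain for tokens signed
// with the PKCS#8 PEM key that `openssl genpkey` emits, under the given kid.
func publicJWK(privateKeyPEM, kid string) (jwk, error) {
	block, _ := pem.Decode([]byte(privateKeyPEM))
	if block == nil || block.Type != "PRIVATE KEY" {
		return jwk{}, errors.New("expected a PKCS#8 PRIVATE KEY PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return jwk{}, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return jwk{}, fmt.Errorf("OIDC signing key must be RSA, got %T", parsed)
	}
	n := base64.RawURLEncoding.EncodeToString(key.N.Bytes())
	e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.E)).Bytes())
	return jwk{Kty: "RSA", Kid: kid, N: n, E: e}, nil
}

// jwksMatches reports whether the published JWKS carries the configured kid
// bound to the modulus/exponent of the private key in the Secret. A kid that
// is present but bound to a different modulus is the "rotated one without
// the other" mismatch the page warns about.
func jwksMatches(jwksJSON []byte, privateKeyPEM, kid string) error {
	want, err := publicJWK(privateKeyPEM, kid)
	if err != nil {
		return err
	}
	var doc jwks
	if err := json.Unmarshal(jwksJSON, &doc); err != nil {
		return fmt.Errorf("invalid JWKS document: %w", err)
	}
	for _, k := range doc.Keys {
		if k.Kid != kid {
			continue
		}
		if k.Kty == want.Kty && k.N == want.N && k.E == want.E {
			return nil
		}
		return fmt.Errorf("kid %q is published with a different public key", kid)
	}
	return fmt.Errorf("kid %q not present in JWKS", kid)
}

// newTestKeyPEM generates a 2048-bit RSA key in PKCS#8 PEM form: constructed
// test material only, never a real deployment key.
func newTestKeyPEM() string {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}
```

To run it against a live deployment, fetch /oauth2/jwks and the OIDC_PRIVATE_KEY value from the release Secret, then call jwksMatches with the configured OIDC_KEY_ID.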

SSL/TLS Secrets

secrets.SSL_PRIVATE_KEY
string
PEM-encoded private key for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Auto-Generation: When web.tls.autoGenerate: true, a self-signed certificate and key are generated and persisted across upgrades.
Manual Provision:
secrets:
  SSL_PRIVATE_KEY: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
secrets.SSL_CERTIFICATE
string
PEM-encoded certificate for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Format: Can include certificate chain (server cert + intermediates).
secrets.CREW_SSL_CERT
string
SSL certificate for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)
secrets.CREW_SSL_KEY
string
SSL private key for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)

AWS Secrets (Optional)

secrets.AWS_ACCESS_KEY_ID
string
default:""
AWS access key ID for S3 and other AWS services.
When Required:
  • STORAGE_SERVICE: amazon with static credentials
  • Not using IAM roles (IRSA)
Production Recommendation: Use IAM roles (IRSA) instead of static credentials.
secrets.AWS_SECRET_ACCESS_KEY
string
default:""
AWS secret access key.

Azure Secrets (Optional)

secrets.AZURE_STORAGE_ACCESS_KEY
string
default:""
Azure Storage account access key.
When Required: STORAGE_SERVICE: microsoft
secrets.AZURE_CLIENT_SECRET
string
default:""
Azure service principal client secret.

Built-in LLM Secrets (Optional)

secrets.BUILT_IN_LLM_API_KEY
string
default:""
API key for built-in LLM provider.
Purpose: Provides authentication for internal LLM calls used by the CrewAI Platform, including:
  • Improving Studio prompts
  • Generating automation descriptions
  • Chatting with flows
  • Other platform AI-assisted features
When Required: When using built-in LLM features (optional)
Provider-Specific Requirements:
OpenAI:
Anthropic:
Related Configuration:
  • Configure envVars.BUILT_IN_LLM_PROVIDER to specify the LLM provider
  • Configure envVars.BUILT_IN_LLM_MODEL to specify the model
Example:
secrets:
  BUILT_IN_LLM_API_KEY: "sk-proj-abc123..."

envVars:
  BUILT_IN_LLM_PROVIDER: "openai"
  BUILT_IN_LLM_MODEL: "gpt-4o-mini"

Python Package Registry

secrets.UV_DEFAULT_INDEX
string
PyPI registry URL for enterprise Python packages.
Default: Auto-generated (in Replicated deployments)
Priority: Manual configuration takes precedence over auto-generation. When secrets.UV_DEFAULT_INDEX is explicitly set, it overrides the auto-generated value from Replicated license credentials.
Auto-Generation (Replicated): Automatically built from license credentials:
  • Customer ID from: global.replicated.licenseFields.replicated_customer_id
  • Password from: global.replicated.dockerconfigjson (registry.crewai.com entry)
  • Generated URL format: https://customer_id:password@pypi.crewaifactory.com/simple/
Manual Configuration:
secrets:
  UV_DEFAULT_INDEX: "https://username:password@pypi.your-registry.com/simple/"
Common Use Cases:
  • Private PyPI Mirror: Point to a private registry mirror for air-gapped environments (see Private PyPI Registry Mirror Guide)
  • Non-Replicated Deployments: Provide direct access credentials when not using Replicated
  • Custom Registry: Use a different PyPI-compatible registry
Requirements:
  • Must use HTTPS protocol
  • Must include authentication credentials in format username:password@host
  • Must end with /simple/ for PyPI compatibility
  • Automatically base64-encoded by the chart
Purpose: Provides access to CrewAI Enterprise Python packages for crew execution and platform functionality.
Validation: The Helm test suite verifies proper URL format and structure.
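The Go validator below is an added example, not the chart's own Helm test: it checks a candidate secrets.UV_DEFAULT_INDEX value against the three URL requirements listed above (HTTPS, embedded username:password, trailing /simple/) and redacts the password before reporting, so a misconfiguration can be logged without leaking the credential. Function names and the sample values are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validateUVIndex checks a secrets.UV_DEFAULT_INDEX value against the
// documented requirements and returns nil when the value is acceptable.
func validateUVIndex(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("not a parseable URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("must use the https scheme")
	}
	if u.User == nil || u.User.Username() == "" {
		return errors.New("missing username in username:password@host")
	}
	if pw, ok := u.User.Password(); !ok || pw == "" {
		return errors.New("missing password in username:password@host")
	}
	if u.Hostname() == "" {
		return errors.New("missing host")
	}
	if !strings.HasSuffix(u.Path, "/simple/") {
		return errors.New("path must end with /simple/")
	}
	return nil
}

// redactUVIndex returns the same URL with the password replaced, suitable
// for log lines and error messages.
func redactUVIndex(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	u.User = url.UserPassword(u.User.Username(), "REDACTED")
	return u.String()
}

func main() {
	// Constructed sample values; none carries a real registry credential.
	samples := []string{
		"https://customer_id:password@pypi.crewaifactory.com/simple/",
		"http://customer_id:password@pypi.your-registry.com/simple/",
		"https://pypi.your-registry.com/simple/",
		"https://customer_id:password@pypi.your-registry.com/simple",
	}
	for _, s := range samples {
		if err := validateUVIndex(s); err != nil {
			fmt.Printf("REJECT %s: %v\n", redactUVIndex(s), err)
		} else {
			fmt.Printf("OK     %s\n", redactUVIndex(s))
		}
	}
}
```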

Authentication Provider Secrets

Most authentication provider configuration values have moved to envVars (non-sensitive). Client secrets and API keys remain in secrets for authentication providers.
For complete authentication setup, see the Environment Variables Authentication Configuration section.
secrets.ENTRA_ID_CLIENT_SECRET
string
default:""
Microsoft Entra ID (Azure AD) application client secret for web application authentication.
When Required: AUTH_PROVIDER: entra_id
Obtaining: Azure Portal > App Registrations > Your App > Certificates & Secrets > Client secrets.
Example:
envVars:
  AUTH_PROVIDER: "entra_id"
  ENTRA_ID_CLIENT_ID: "12345678-1234-1234-1234-123456789012"
  ENTRA_ID_TENANT_ID: "87654321-4321-4321-4321-210987654321"

secrets:
  ENTRA_ID_CLIENT_SECRET: "your-client-secret"
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.OKTA_CLIENT_SECRET
string
default:""
Okta application client secret for web application authentication.
When Required: AUTH_PROVIDER: okta
Obtaining: Okta Admin Console > Applications > Your App > General Settings > Client Credentials.
Example:
envVars:
  AUTH_PROVIDER: "okta"
  OKTA_SITE: "https://company.okta.com"
  OKTA_CLIENT_ID: "0oa1234567890abcdef"
  OKTA_AUTHORIZATION_SERVER: "default"
  OKTA_AUDIENCE: "api://default"

secrets:
  OKTA_CLIENT_SECRET: "your-client-secret"
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.WORKOS_API_KEY
string
default:""
WorkOS API key for authentication.
When Required: AUTH_PROVIDER: workos
Obtaining: WorkOS Dashboard > Main Page > API Keys.
Format: Typically starts with sk_live_ for production or sk_test_ for testing.
Example:
envVars:
  AUTH_PROVIDER: "workos"
  WORKOS_CLIENT_ID: "client_01HXYZ123ABC456"
  WORKOS_AUTHKIT_DOMAIN: "company.authkit.com"
  WORKOS_COOKIE_PASSWORD: "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"

secrets:
  WORKOS_API_KEY: "sk_live_abc123..."
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.KEYCLOAK_CLIENT_SECRET
string
default:""
Keycloak client secret for web application authentication.
When Required: AUTH_PROVIDER: keycloak
Obtaining: Keycloak Admin Console > Clients > Your Client > Credentials tab.
Example:
envVars:
  AUTH_PROVIDER: "keycloak"
  KEYCLOAK_CLIENT_ID: "crewai-factory"
  KEYCLOAK_SITE: "https://keycloak.company.com"
  KEYCLOAK_REALM: "crewai"

secrets:
  KEYCLOAK_CLIENT_SECRET: "55oahEeruNQGWxqzleWy02cRfW3wLf2c"
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
Setup Guide: See Keycloak SSO Configuration Guide for detailed setup instructions.

Built-in Integrations Secrets

OAuth secrets are used when oauth.enabled: true. These secrets enable secure communication between the Built-in Integrations service and the Rails application for third-party integrations (Gmail, Google Calendar, Microsoft Outlook, etc.).
Secret key for signing OAuth session cookies.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Secures OAuth flow session data.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
secrets.OAUTH_DB_ENCRYPTION_KEY
string
default:""
Encryption key for OAuth tokens stored in the database.
Auto-Generation: If not provided, automatically generated as a 64-character hexadecimal string and persisted across upgrades.
Format: Hexadecimal string (64 characters).
Purpose: Encrypts sensitive OAuth tokens (access tokens, refresh tokens) at rest.
Manual Generation:
openssl rand -hex 32
secrets.OAUTH_INTERNAL_API_KEY
string
default:""
Internal API key for authentication between the Built-in Integrations service and Rails application.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades.
Important: This value is automatically duplicated as CREWAI_OAUTH_API_KEY for the Rails application. Both keys will always have the same value.
Purpose: Enables secure service-to-service communication for OAuth operations.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
Note: When set manually, both OAUTH_INTERNAL_API_KEY (used by Built-in Integrations service) and CREWAI_OAUTH_API_KEY (used by Rails) will use this value automatically.

OAuth Provider Secrets

OAuth provider secrets are optional and only required if you want to enable specific OAuth integrations. Each provider requires a client ID and client secret obtained from the provider’s developer console.
Configuration: OAuth provider credentials are configured via oauth.secrets.* values in your Helm values file, which support provider-level defaults and product-specific overrides. See the CrewAI Built-in Integrations Reference - OAuth Secrets Configuration for detailed configuration examples.
For example, to configure Google OAuth for all Google products:
oauth:
  secrets:
    google:
      clientId: "123456789-abcdefg.apps.googleusercontent.com"
      clientSecret: "GOCSPX-abc123..."
The secrets documented below are the Kubernetes secret keys that are automatically generated from your oauth.secrets.* configuration.
Google OAuth Providers:
secrets.GOOGLE_GMAIL_CLIENT_ID
string
default:""
Google OAuth client ID for Gmail integration.
secrets.GOOGLE_GMAIL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Gmail integration.
secrets.GOOGLE_CAL_CLIENT_ID
string
default:""
Google OAuth client ID for Google Calendar integration.
secrets.GOOGLE_CAL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Calendar integration.
secrets.GOOGLE_DRIVE_CLIENT_ID
string
default:""
Google OAuth client ID for Google Drive integration.
secrets.GOOGLE_DRIVE_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Drive integration.
secrets.GOOGLE_CONTACTS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Contacts integration.
secrets.GOOGLE_CONTACTS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Contacts integration.
secrets.GOOGLE_SHEETS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Sheets integration.
secrets.GOOGLE_SHEETS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Sheets integration.
secrets.GOOGLE_SLIDES_CLIENT_ID
string
default:""
Google OAuth client ID for Google Slides integration.
secrets.GOOGLE_SLIDES_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Slides integration.
secrets.GOOGLE_DOCS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Docs integration.
secrets.GOOGLE_DOCS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Docs integration.
Microsoft OAuth Providers:
secrets.MICROSOFT_OUTLOOK_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Outlook integration.
secrets.MICROSOFT_OUTLOOK_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Outlook integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_ID
string
default:""
Microsoft OAuth client ID for OneDrive integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for OneDrive integration.
secrets.MICROSOFT_TEAMS_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Teams integration.
secrets.MICROSOFT_TEAMS_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Teams integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_ID
string
default:""
Microsoft OAuth client ID for SharePoint integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for SharePoint integration.
secrets.MICROSOFT_EXCEL_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Excel integration.
secrets.MICROSOFT_EXCEL_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Excel integration.
secrets.MICROSOFT_WORD_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Word integration.
secrets.MICROSOFT_WORD_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Word integration.
Other OAuth Providers:
secrets.HUBSPOT_CLIENT_ID
string
default:""
HubSpot OAuth client ID.
secrets.HUBSPOT_CLIENT_SECRET
string
default:""
HubSpot OAuth client secret.
secrets.NOTION_CLIENT_ID
string
default:""
Notion OAuth client ID.
secrets.NOTION_CLIENT_SECRET
string
default:""
Notion OAuth client secret.

Wharf Secrets

Wharf secrets are used when wharf.enabled: true. These secrets enable secure communication between the Wharf OTLP trace collector and the Rails application for distributed tracing.
secrets.WHARF_JWT_SECRET
string
default:""
JWT secret for authenticating trace submissions to the Wharf service.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Shared secret between the Wharf service and Rails application for authenticating OTLP trace submissions.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
Important: This value is automatically shared with both the Wharf service and the Rails application. Both components will use the same value for authentication.
Related Configuration:
secrets.WHARF_POSTGRES_URL
string
default:""
PostgreSQL connection string for the Wharf OTLP trace collector database.
Auto-Generated: Automatically constructed from database configuration values and not directly user-configurable.
Format: postgres://username:password@host:port/database
Components Used:
  • Host: envVars.DB_HOST or postgres.fullnameOverride (if internal PostgreSQL enabled)
  • Port: envVars.DB_PORT (default: "5432")
  • User: envVars.DB_USER
  • Password: secrets.DB_PASSWORD
  • Database: postgres.wharfDatabase (default: "wharf")
Special Character Handling: Username and password values are automatically URL-encoded when constructing the connection string. This ensures database credentials containing special characters (e.g., @, :, /, ?, #, %) work correctly without manual escaping.
SSL Mode: Uses PostgreSQL default SSL mode (prefer). To enforce SSL connections on external databases, configure SSL enforcement at the database server level (e.g., AWS RDS parameter rds.force_ssl=1).
Purpose: Provides Wharf service with connection credentials to its dedicated PostgreSQL database for storing OTLP trace data.
Related Configuration:

Deployment Instance Secrets

The deployment instance JWT secret signs the access and refresh tokens the platform mints for each crew instance it provisions. Deployed crews (BUILDKIT_KUBERNETES, ECS, etc.) attach these tokens when calling back into the platform’s internal API for execution status, refresh, and configuration.
secrets.DEPLOYMENT_INSTANCE_JWT_SECRET
string
default:""
HMAC-SHA256 signing key for the JWT access and refresh tokens issued to deployed crew instances.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Signs short-lived access tokens (24h) and long-lived refresh tokens (1 year on factory installs) that deployed crews use to call back into the platform’s internal API. When unset, the platform refuses to mint refresh tokens and falls back to access-token-only auth; deployed crews stop working once their access token expires.
Manual Generation:
openssl rand -hex 32
Or, to match the chart’s auto-generation format exactly:
ruby -rsecurerandom -e 'puts SecureRandom.alphanumeric(64)'
Rotation Warning: Rotating this secret invalidates every refresh token already handed out to a deployed crew: they are signed with the previous key and will fail verification on the next refresh. The daily ScanExpiringDeploymentTokensJob only re-mints tokens within 48h of expiring, so it does not recover crews on its own. To rotate safely, redeploy every active automation after the change so each instance picks up a token signed with the new key. Treat rotation as a deliberate operation.
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
Upgrade Behavior: Once generated, the value persists across Helm upgrades via the lookup function so existing deployment refresh tokens remain valid.
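The Go program below is an added example, not the platform's token code: it models the HS256 access/refresh pair with the lifetimes stated above and shows why rotating DEPLOYMENT_INSTANCE_JWT_SECRET breaks outstanding refresh tokens, since a token signed under the old secret fails verification under the new one. The claim set and the secret values are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	b64       = base64.RawURLEncoding
	jwtHeader = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
)

// claims is the minimal payload this example puts in a deployment token;
// the platform's real claim set is not reproduced here.
type claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"` // "access" or "refresh"
	Exp int64  `json:"exp"`
}

// sign produces an HS256 JWT over c using secret as the HMAC key.
func sign(secret string, c claims) string {
	payload, _ := json.Marshal(c)
	signingInput := jwtHeader + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify pins the header to HS256, checks the signature in constant time,
// then the expiry, and returns the claims only when all three pass.
func verify(secret, token string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != jwtHeader {
		return claims{}, errors.New("malformed token or unexpected JOSE header")
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return claims{}, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return claims{}, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return claims{}, errors.New("token expired")
	}
	return c, nil
}

// mintPair issues the access/refresh pair with the lifetimes the page
// states: 24h for access tokens, one year for refresh tokens.
func mintPair(secret, instance string, now time.Time) (access, refresh string) {
	access = sign(secret, claims{Sub: instance, Typ: "access", Exp: now.Add(24 * time.Hour).Unix()})
	refresh = sign(secret, claims{Sub: instance, Typ: "refresh", Exp: now.Add(365 * 24 * time.Hour).Unix()})
	return access, refresh
}

func main() {
	// Constructed secrets; a real value would come from `openssl rand -hex 32`.
	const oldSecret, newSecret = "old-secret-example", "new-secret-example"
	now := time.Now()
	_, refresh := mintPair(oldSecret, "crew-instance-42", now)
	later := now.Add(30 * 24 * time.Hour)
	_, err := verify(oldSecret, refresh, later)
	fmt.Println("refresh under old secret:", err) // <nil>
	_, err = verify(newSecret, refresh, later)
	fmt.Println("refresh after rotation:  ", err) // signature verification failed
}
```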

Cube Analytics Secrets

Cube secrets are used when cube.enabled: true. These secrets enable authentication between the Cube analytics service and the Rails application for cost tracking and execution analytics.
secrets.CUBE_JWT_SECRET
string
default:""
JWT secret for authenticating requests between the Cube analytics service and the Rails application.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Shared secret between the Cube service and Rails application for authenticating analytics queries and data access.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
Important: This value is automatically shared with both the Cube service and the Rails application. Both components will use the same value for authentication.
Related Configuration: