Settings
System configuration and security information.
Cryptographic Keys
Keys are loaded from environment variables at startup and are never stored on disk in production.
They are only accessible inside the Docker container at runtime.
| Variable | Purpose | Format |
| --- | --- | --- |
| ENVKEEPER_MASTER_KEY | AES-256-GCM encryption key for all config item values | base64(32 bytes) |
| JWT_ED25519_SEED | Ed25519 seed for signing SDK short-lived tokens | base64(32 bytes) |
| ADMIN_BEARER_TOKEN | Static bearer token for this admin API | hex(32 bytes) |
Network Security
SDK routes (/sdk/*, /api/v1/env) are not exposed via Traefik.
They are only reachable inside the ultra_config_internal Docker network.
Only /admin/v1 and /health are publicly routed.
Row Level Security
PostgreSQL RLS is enforced on all config tables with FORCE ROW LEVEL SECURITY. Each SDK request sets a per-transaction GUC
(config.current_app) to isolate application data at the database layer.
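A sketch of the pattern described above, added here as an example and not taken from the application's own schema: the table, column and policy names are assumptions, and only FORCE ROW LEVEL SECURITY and the config.current_app GUC come from this page. Run it as a non-superuser table owner, because superusers and roles with BYPASSRLS skip RLS entirely.

```sql
-- Hypothetical table; the real config tables are not shown on this page.
CREATE TABLE config_items (
    id         bigserial PRIMARY KEY,
    app_id     text  NOT NULL,
    item_key   text  NOT NULL,
    ciphertext bytea NOT NULL,
    UNIQUE (app_id, item_key)
);

ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
-- ENABLE alone exempts the table owner; FORCE applies the policies to the owner too.
ALTER TABLE config_items FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the GUC was never set, and a
-- custom GUC reads back as '' once a transaction that set it locally has ended.
-- NULLIF folds both cases to NULL, so the comparison is never true and a
-- request without a scope fails closed instead of matching an empty app_id.
CREATE POLICY app_isolation ON config_items
    USING      (app_id = NULLIF(current_setting('config.current_app', true), ''))
    WITH CHECK (app_id = NULLIF(current_setting('config.current_app', true), ''));

-- One SDK request = one transaction. The third argument (true) makes the
-- setting transaction-local, so it is discarded at COMMIT or ROLLBACK and
-- cannot leak to the next request on a pooled connection.
BEGIN;
SELECT set_config('config.current_app', 'app-a', true);
INSERT INTO config_items (app_id, item_key, ciphertext)
VALUES ('app-a', 'DB_URL', '\xdeadbeef');          -- constructed sample value
SELECT app_id, item_key FROM config_items;
COMMIT;

-- A request scoped to another application: USING filters out app-a's row,
-- and WITH CHECK would reject an INSERT or UPDATE carrying app_id = 'app-a'.
BEGIN;
SELECT set_config('config.current_app', 'app-b', true);
SELECT app_id, item_key FROM config_items;
COMMIT;

-- No scope set (for example a connection used outside a request): the
-- predicate is NULL for every row, so the query matches nothing.
SELECT count(*) FROM config_items;
```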
Generate New Keys
Run these commands to generate fresh secrets (do this once, store securely):
openssl rand -base64 32 # ENVKEEPER_MASTER_KEY
openssl rand -base64 32 # JWT_ED25519_SEED
openssl rand -hex 32 # ADMIN_BEARER_TOKEN