# Secrets Management

NMT uses GitHub Secrets as the source of truth for all sensitive configuration. The GitHub Actions deploy workflow passes the secrets to the Kubernetes deployment as Helm `--set-string` flags, and the chart exposes them to the pods as environment variables.
## Backend Secrets

| Secret | Purpose | Service |
|---|---|---|
| `STAGE_DATABASE_URL` | PostgreSQL connection string | PostgreSQL |
| `STAGE_REDIS_URL` | Redis connection string | Redis (staging) |
| `STAGE_CLICKHOUSE_URL` | ClickHouse connection string | ClickHouse (staging) |
| `STAGE_CLICKHOUSE_USERNAME` | ClickHouse auth | ClickHouse (staging) |
| `STAGE_CLICKHOUSE_PASSWORD` | ClickHouse auth | ClickHouse (staging) |
| `RPC_ENDPOINTS` | Multi-chain HTTPS RPC URLs | dRPC |
| `WS_ENDPOINTS` | Multi-chain WebSocket RPC URLs | Alchemy |
| `MORPHO_API_TOKEN` | The Graph access token | Morpho |
| `KRYSTAL_API_KEY` | DEX aggregation API key | Krystal |
| `KRYSTAL_USER_AGENT` | API identification | Krystal |
| `GELATO_API_KEY` | Transaction relay key | Gelato |
| `COINGECKO_API_KEY` | Price data API key | CoinGecko |
| `KUBE_CONFIG` | Base64-encoded kubeconfig for cluster access | DigitalOcean DOKS |
## Frontend Secrets

| Secret | Purpose | Service |
|---|---|---|
| `NEXT_PUBLIC_DYNAMIC_ENVIRONMENT_ID` | Dynamic Labs project ID | Dynamic Labs |
| `NEXT_PUBLIC_COMETCHAT_APP_ID` | CometChat app ID | CometChat |
| `NEXT_PUBLIC_IMAGEKIT_URL_ENDPOINT` | ImageKit public endpoint | ImageKit |
| `IMAGEKIT_PRIVATE_KEY` | ImageKit server-side auth | ImageKit |
| `DATABASE_URL` | Prisma database connection | PostgreSQL |
| `DIRECT_URL` | Prisma direct connection | PostgreSQL |
| `COOKIE_PASSWORD` | iron-session encryption key | Auth |
| `ETHERSCAN_API_KEY` | Block explorer data | Etherscan |
| `MORALIS_API_KEY` | Web3 data API | Moralis |
| `NEXT_PUBLIC_SUPABASE_URL` | Supabase project URL | Supabase |
| `NEXT_PUBLIC_SUPABASE_ANON_KEY` | Supabase anon (public) key | Supabase |
| `SUPABASE_JWT_SECRET` | JWT validation | Supabase |
| `SUPABASE_SERVICE_ROLE_KEY` | Admin access (server-side only) | Supabase |
| `HELIUS_API_KEY` | Solana RPC | Helius |
| `HYPERSPEED_TOKEN` | CMS access | Hyperspeed |
## NEXT_PUBLIC_ Prefix

Next.js inlines every variable prefixed with `NEXT_PUBLIC_` into the client-side JavaScript bundle at build time, so its value is readable by anyone who loads the site. These variables must only hold non-sensitive values (project IDs, public endpoints, the Supabase anon key). Sensitive values (`IMAGEKIT_PRIVATE_KEY`, `SUPABASE_SERVICE_ROLE_KEY`, `SUPABASE_JWT_SECRET`, `COOKIE_PASSWORD`) must never carry this prefix and must only be read in server-side code. Removing the prefix from a variable that has already shipped with it does not unpublish the value: the bundle containing it was served to every visitor, so the key has to be rotated.
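The rule above turned into two CI checks, as an added example that is not NMT's own tooling: the first rejects any `NEXT_PUBLIC_*` name whose spelling suggests a credential; the second greps the built client bundle for the live values of the server-only variables, which catches a secret that leaked through an alias or a client component whatever its name. It assumes the bundle is written under `.next/static` (the default Next.js output) and that the server-only variables are set on the build runner; `demo` exercises both checks against constructed values.

```shell
#!/bin/sh
# Added example, not NMT's own tooling. Two checks for the NEXT_PUBLIC_ rule,
# meant to run in CI after `next build`. Assumptions (not stated on the page):
# the client bundle is written under .next/static, and server-only secrets are
# present as environment variables on the build runner.

# Words that should never appear in a browser-visible variable name. KEY is
# deliberately absent: NEXT_PUBLIC_SUPABASE_ANON_KEY is a legitimately public key.
SENSITIVE_NAME_RE='SECRET|PRIVATE|PASSWORD|SERVICE_ROLE|JWT|TOKEN'

# check_public_names: reads variable names from stdin, one per line, and
# reports every NEXT_PUBLIC_* name that looks like a credential.
# Returns 1 if any were found, 0 otherwise.
check_public_names() {
    hits=$(grep -E '^NEXT_PUBLIC_' | grep -E "$SENSITIVE_NAME_RE" || true)
    if [ -n "$hits" ]; then
        printf 'sensitive-looking browser-exposed variable: %s\n' $hits >&2
        return 1
    fi
    return 0
}

# check_bundle_for_values BUNDLE_DIR NAME...: greps the built client bundle for
# the current *value* of each named server-only variable. A hit means the value
# was inlined into JavaScript served to every visitor (for example through a
# NEXT_PUBLIC_ alias, or a server secret read inside a client component).
# Returns 1 on any leak.
check_bundle_for_values() {
    dir=$1; shift
    leaked=0
    for name in "$@"; do
        value=$(printenv "$name" || true)
        if [ -z "$value" ]; then
            continue                      # not set on this runner, nothing to leak
        fi
        if grep -rqF -- "$value" "$dir"; then
            printf 'value of %s found in client bundle under %s\n' "$name" "$dir" >&2
            leaked=1
        fi
    done
    return $leaked
}

# demo: builds a constructed bundle with one planted leak, expects the check to
# fail, then removes the leak and expects it to pass. Returns 0 when both
# outcomes are as expected. All values here are constructed, not real keys.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.next/static/chunks"
    SUPABASE_SERVICE_ROLE_KEY='constructed-service-role-value-0001'
    export SUPABASE_SERVICE_ROLE_KEY
    IMAGEKIT_PRIVATE_KEY='constructed-imagekit-private-0002'
    export IMAGEKIT_PRIVATE_KEY

    # Planted leak: the service role key ended up in a client chunk.
    printf 'const c=createClient(u,"%s");' "$SUPABASE_SERVICE_ROLE_KEY" \
        > "$tmp/.next/static/chunks/app.js"
    if check_bundle_for_values "$tmp/.next/static" SUPABASE_SERVICE_ROLE_KEY IMAGEKIT_PRIVATE_KEY 2>/dev/null; then
        rm -rf "$tmp"; return 1           # leak was not detected
    fi

    # Clean bundle: only a public anon key is present.
    printf 'const c=createClient(u,"public-anon-key");' > "$tmp/.next/static/chunks/app.js"
    if ! check_bundle_for_values "$tmp/.next/static" SUPABASE_SERVICE_ROLE_KEY IMAGEKIT_PRIVATE_KEY; then
        rm -rf "$tmp"; return 1           # false positive
    fi
    rm -rf "$tmp"
    return 0
}

# Usage in CI, after `next build` and before the image is pushed:
#   printenv | cut -d= -f1 | check_public_names
#   check_bundle_for_values .next/static IMAGEKIT_PRIVATE_KEY SUPABASE_SERVICE_ROLE_KEY \
#       SUPABASE_JWT_SECRET COOKIE_PASSWORD DATABASE_URL
```

The value grep is the check that matters: it does not care what the variable is called, and a hit means the key is already public, so fixing the code is only half the remediation and the key must also be rotated.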
## Secret Flow

```
GitHub Secrets
    |
    | Referenced in GitHub Actions workflow
    v
Helm --set-string flags
    |
    | Injected as environment variables
    v
Kubernetes Pod
    |
    | Read by application via config crate / process.env
    v
Application runtime
```

Two consequences of this path are worth keeping in mind. GitHub Actions masks the value of any `${{ secrets.* }}` reference in job logs, but nothing masks a value once Helm has it: Helm 3 records the supplied values in the release Secret it stores in the target namespace, and `helm get values <release>` prints them back, so read access to Secrets in that namespace (including anyone holding `KUBE_CONFIG`) is equivalent to holding every backend secret. Once injected as environment variables, the values are also readable by every process in the container.
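An added pre-flight for the deploy step, not NMT's own workflow: it reads the required secrets from the job environment, refuses to deploy if any is unset or empty (an undefined `${{ secrets.X }}` expands to an empty string, and `--set-string KEY=` would push that empty value into the pod without complaint), and writes them to a mode-0600 values file passed with `-f` instead of placing each value on the `helm` command line, where it is readable from the runner's process list and where Helm's `--set` parser splits on unescaped commas (a problem for `RPC_ENDPOINTS` if it is comma-separated). The `secrets:` values map, the release name and the chart path are assumptions about the chart, not facts from the page.

```shell
#!/bin/sh
# Added example, not NMT's own deploy script. Pre-flight for the
# GitHub Secrets -> Helm -> Pod path. Assumptions, not facts from the page:
# the deploy job exports each GitHub secret as an environment variable of the
# same name, and the chart reads them from a `secrets:` map in its values.

# render_secret_values OUTFILE NAME...
# Writes a values file (mode 0600) of the form
#   secrets:
#     NAME: "value"
# for every NAME given. Refuses, before touching OUTFILE, if any variable is
# unset or empty: a missing `${{ secrets.NAME }}` expands to "" in Actions and
# `--set-string key=` would deploy that empty string silently.
# Values are assumed to be single-line (connection strings, keys, URL lists).
render_secret_values() {
    out=$1; shift
    missing=""
    for name in "$@"; do
        value=$(printenv "$name" || true)
        if [ -z "$value" ]; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'refusing to deploy, unset or empty secrets:%s\n' "$missing" >&2
        return 1
    fi

    # Create the file with owner-only permissions before any value is written.
    rm -f -- "$out"
    ( umask 077; : > "$out" ) || return 1
    printf 'secrets:\n' >> "$out"
    for name in "$@"; do
        value=$(printenv "$name")
        # YAML double-quoted scalar: escape backslash and double quote so that
        # ':' '#' ',' and '@' in connection strings and URL lists survive intact
        # (Helm's --set parser would split a comma-separated RPC_ENDPOINTS into
        # several keys; a values file has no such problem).
        esc=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '  %s: "%s"\n' "$name" "$esc" >> "$out"
    done
}

# Usage in the deploy job (release name and chart path are assumptions):
#   render_secret_values ./secrets.yaml STAGE_DATABASE_URL STAGE_REDIS_URL RPC_ENDPOINTS \
#     && helm upgrade --install nmt ./chart -f ./secrets.yaml \
#     && rm -f ./secrets.yaml
```

The values file only keeps secrets off the command line and out of Helm's comma parsing; Helm still stores them in the release Secret in the cluster, so the namespace-level access controls described above apply unchanged.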
## Best Practices

- Never commit secrets to the repository
- Use the `NEXT_PUBLIC_` prefix only for truly public values
- Scope API keys to the minimum permissions the service needs
- Rotate keys periodically (rotation policy to be established)